Re: AP 1131AG cannot upgrade from version3.0.51.0 to 7.3.101.0 ( - Page 2

vrz rrr · ‎02-15-2013

Hello,

I have succeded in turning the AP from autonomous into LWAPP mode with the Ugrade tool. The AP has been loaded with

c1130-rcvk9w8-tar.124-10b.jda thanks to the upgrade tool version 3.4

After reboot, the AP appears on the vwlc (YES!) however as you can see in APvwlc.jpg

the AP now have version 3.0.51.0.

I need the AP to be loaded with version 7.3.101.0 with FlexConnect mode.

How can I do that ?

Best regards.

V.

vrz rrr · ‎02-18-2013

I think now that it is definitely a certificate issue and I hate x509 certs...

Is one can tell me how to retreive the ssc certificate hash on the AP ?

I plan to switch back the AP to autonomous mode and to convert it again to LAP mode.

A certificate issue might have appened during the conversion process.

Any other ideas guys ?

V.

Stephen Rodriguez · ‎02-18-2013

when you do the deb mac addr < ap mac> also do debug pm pki enable...watch for the AP mac address and you will see the SSC hash, if there is one.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

vrz rrr · ‎02-19-2013

Hello Stephen,

there is no certificate hash for me in "debug pm pki enable".

It's a very bad idea to put certificate in there !!!

V.

Scott Fella · ‎02-19-2013

Make sure the time is correct and then look at disabling the hash: configure certificate ssc hash validation disable

http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml#hash

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Scott Fella · ‎02-19-2013

Here is a linke that David W posted on another thread regarding these older AP's connecting to the vWLC. You need the latest software downloaded to the AP.

The virtual wireless LAN controller does not have a Manufacturer Installed Certificate (MIC). Therefore, APs cannot validate the virtual controller unless they are using a 7.3-based image such as the follows:

–12.4(25e)JAL for 1130/1240 series APs

–15.2(2)JA for 1250/1260/1140/2600/3500/3600 series APs

http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn73.html#wp784178

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

vrz rrr · ‎02-19-2013

Hello,

to summarize :

- Both clocks are ok.

- IOS version is :c1130-k9w8-mx.124-25e.JAL and LWAPP image version 7.3.101.0.

- the AP says (on and on) :

-----------------------------------

%CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.6.30 peer_port: 5246% Be sure to ask the CA administrator to revoke your certificates

Feb 19 14:55:59.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.6.30 peer_port: 5246

Feb 19 14:56:00.332: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.6.30 peer_port: 5246

Feb 19 14:56:00.333: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.6.30

Feb 19 14:56:00.491: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.6.30

Feb 19 14:56:00.491: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.6.30:5246

Feb 19 14:56:00.554: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255

Feb 19 14:56:00.689: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down

Feb 19 14:56:00.689: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down

--------------------------------------------------

AND

the vwlc says : (no hash in there...)

*spamApTask1: Feb 19 16:08:04.327: Invalid channel 1 spacified for the AP AP0021.d837.1eea, slotId = 0

*spamApTask1: Feb 19 16:08:04.327: Invalid channel 44 spacified for the AP AP0021.d837.1eea, slotId = 1

along with :

---------------------------------------

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: called to evaluate

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: called to get cert for CID 1e6401b5

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<