AP fails to join updated WLC

JoelDarbro50834 (Level 1)

I am attempting to migrate my 1572 APs to an updated WLC 2504 running 8.5.151.0. This is for my home lab network.

The 1572s were working on 8.0.152.0; now they continually disassociate while trying to download the new image. I found Community posts that corrected the issue by disabling NTP and setting the date to 2 Dec 2022. That doesn't seem to help. I've tried a fresh configuration wizard and a hard reset of the AP.

Are there other corrections I could try?

Thank you

Joel

[Attached screenshot: Screen Shot 2025-03-09 at 11.14.45 AM.png]

2 Accepted Solutions

Rich R (VIP)

You need to read all the Field Notices in my signature below.

And you need to use 8.5.182.12 code.

If you have the CAPWAP image you should be able to install it directly to the AP via TFTP - the AP doesn't do the same certificate check for TFTP install that it does for CAPWAP download.

If you need to get 8.5.182.12 from Cisco ...
Find a recent security advisory that affects 8.5 code and find the section which says "Customers without Service Contracts", then contact TAC quoting the URL of the advisory, the paragraph just mentioned, the version and URL https://software.cisco.com/download/specialrelease/9a6a7cf84f9fdf04b95c76e2ac7820e7 for the software you want to download, and the serial number of your WLC. You'll have to mention which platform you need the image for (2504) because they have all of them there at that URL. Then TAC should publish it to you directly.

This advisory should be suitable: Cisco Wireless LAN Controller AireOS Software FIPS Mode Denial of Service Vulnerability, because CSCwa40778 (Bug Search Tool) is fixed in 8.5.182.12 (even though the advisory itself says upgrade to 8.10).

"Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade."


I found my mistake. I caught on the AP console log that certificates on two of the 1572s had first valid dates of 7 Dec 2022. When I was setting the date manually to 2 Dec 2022 per the boot loop bulletin, I was causing two of my APs to fail to download. The really confusing thing was that the 1572 I was using as the Mesh RAP had an early enough certificate to successfully join.

Glad I caught it. I was about ready to give up.

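The trap described in the accepted solution above, as an added example that is not part of the original thread or Cisco's tooling: before setting a controller's clock back to dodge an expired certificate, check the intended date against the notBefore/notAfter of every certificate that has to validate, because a date that is early enough for one AP can fall before another AP's notBefore. The only dates taken from the post are the two 1572s' 7 Dec 2022 notBefore and the 2 Dec 2022 bulletin date; the RAP's notBefore, every notAfter and the "issuing CA" entry are constructed placeholders (the CA entry exists only to show the empty-intersection case, where no clock value can satisfy every certificate and an ignore knob such as `cert-expiry-ignore` or newer code is the remaining option).

```python
"""Which clock value lets every certificate pass a plain X.509 validity
check?  Setting the clock back for an expired cert must not land before
some other cert's notBefore."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class CertWindow:
    name: str
    not_before: datetime
    not_after: datetime


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample, not data from the post: only the 7 Dec 2022 notBefore
# of the two mesh APs comes from the thread; the RAP's notBefore and all
# notAfter values are placeholders.
APS: List[CertWindow] = [
    CertWindow("RAP-1572", _utc(2019, 5, 10), _utc(2029, 5, 10)),
    CertWindow("MAP-1572-a", _utc(2022, 12, 7), _utc(2032, 12, 7)),
    CertWindow("MAP-1572-b", _utc(2022, 12, 7), _utc(2032, 12, 7)),
]

# Hypothetical issuer whose own window closes before the newest AP cert
# opens. Purely illustrative; not a statement about any real Cisco CA.
HYPOTHETICAL_ISSUER = CertWindow("issuing-CA (hypothetical)",
                                 _utc(2012, 12, 4), _utc(2022, 12, 4))


def check_clock(certs: Sequence[CertWindow], when: datetime) -> Dict[str, str]:
    """Per certificate: outcome of a validity check if the clock read `when`."""
    out: Dict[str, str] = {}
    for c in certs:
        if when < c.not_before:
            out[c.name] = "not yet valid"      # clock is before notBefore
        elif when > c.not_after:
            out[c.name] = "expired"            # clock is after notAfter
        else:
            out[c.name] = "valid"
    return out


def common_window(certs: Sequence[CertWindow]) -> Optional[Tuple[datetime, datetime]]:
    """Intersection of all windows: latest notBefore to earliest notAfter,
    or None when no single instant satisfies every certificate."""
    start = max(c.not_before for c in certs)
    end = min(c.not_after for c in certs)
    return (start, end) if start <= end else None


def suggest_clock(certs: Sequence[CertWindow],
                  margin: timedelta = timedelta(days=1)) -> Optional[datetime]:
    """A clock value inside the common window, `margin` past its start so a
    time-zone slip or a few hours of drift cannot push it back out."""
    window = common_window(certs)
    if window is None:
        return None
    start, end = window
    return start + margin if start + margin <= end else start


if __name__ == "__main__":
    print("bulletin date 2 Dec 2022:", check_clock(APS, _utc(2022, 12, 2)))
    print("common window:", common_window(APS))
    print("suggested clock:", suggest_clock(APS))
    print("with hypothetical issuer:", common_window(APS + [HYPOTHETICAL_ISSUER]))
```

Run as a script it reports that 2 Dec 2022 is valid for the RAP but "not yet valid" for both mesh APs, that the intersection opens on 7 Dec 2022, and that adding the hypothetical issuer leaves no window at all. Feed it the real notBefore/notAfter values read off your own AP consoles rather than the placeholders.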

32 Replies

Mark Elsen (Hall of Fame)

- If the problem is due to APs with expired certificates then setting the time back to 2022 is not far enough in the past.
  Try this first on the controller:
    ap cert-expiry-ignore ssc enable
    ap cert-expiry-ignore mic enable

  M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Rainer Maria Rilke (1899)

M.

Thank you for the reply. I had run the ignore command for MIC. After your post I also ran the command for SSC. Tried a couple of date ranges. The AP pops right up on the GUI, so I have to think it's not an expired certificate issue?? Maybe my thinking is wrong. The AP goes right back to the disassociation cycle with 181 being the cause.

- @JoelDarbro50834 - The problem, as seen from the logs, is likely not related to expired MIC or SSC indeed, so then you need to look at my other reply: https://community.cisco.com/t5/wireless/ap-fails-to-join-updated-wlc/m-p/5269210/highlight/true#M281441

  Now this could be a showstopper: if you look at the bug report being mentioned, then the versions mentioned for the problem are 8.8.x and 8.7.x, which are already beyond what the 2504 can run, and so would be any bugfixes. But it's unclear why you get the issue now and not before.

  In general I see it as a 'native' problem when using an older controller(s); I can only recommend going back to the (a) version that works (or a controller which you had with the working version).

  M.

Mark Elsen (Hall of Fame)

- Following this bug report https://bst.cisco.com/bugsearch/bug/CSCvq46204?rfs=qvred and according to https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html I would suggest that you use the last supported and available release for this controller model: 8.5.182.12 (8.5.182.13 for 3504s).

  The reason being that AireOS is being phased out, support is diminishing, and using the last release becomes recommended.

  M.


Being just a home lab setup, I don't have any way to download new firmware.

I hate to think you are likely correct. One last thing I wanted to try was to console into the AP and see if I could reset it to factory defaults. On the GUI wireless tab it is still showing 8.0.152.0 as the current software. It has never managed to load 8.5.151.0.

I had found in a post one time that Cisco had a $199 subscription for home labs where you could download older software for personal use??

- You could indeed try to install the needed CAPWAP image (version) manually; I think these are free for download. The procedure can be found here: https://community.cisco.com/t5/wireless-mobility-knowledge-base/access-point-rommon-recovery-ap-prompt-recovery-example/ta-p/3119495 Of course you will use other images.

  M.

I consoled into the AP. Log below. It looks like it doesn't have the new CAPWAP image, then suffers a fatal error after downloading the CAPWAP image.

When the new WLC is up the wireless tab has 0.0.0.0 in the IP address field. Is it not getting assigned a valid IP address? On the router, I can ping it and it's always at 10.0.0.65. I can ping the WLC from the AP.

Couldn't find a Cisco site where I could download a new CAPWAP file to manually load.

Main goal with moving to newer WLC and firmware was to have more compatible APs to use.

*Mar 1 00:01:34.295: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 1 16:13:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.20 peer_port: 5246
examining image...
*Apr 1 16:13:18.399: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.0.20 peer_port: 5246
*Apr 1 16:13:18.399: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.0.20perform archive download capwap:/c1570 tar file
*Apr 1 16:13:18.467: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
ERROR: Image is not a valid IOS image archive.
Download image failed, notify controller!!! From:8.0.152.0 to 0.0.0.0, FailureCode:3

archive download: takes 80 seconds

*Apr 1 16:14:38.471: capwap_image_proc: problem extracting tar file
*Apr 1 16:14:38.471: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.0.20:5246
*Apr 1 16:14:39.575: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Apr 1 16:14:39.583: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Apr 1 16:14:40.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state

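As an added example, not from the post or from Cisco, the console lines above run through a small Python triage that records how far the CAPWAP join got before it failed. The point it makes is the one the log supports: DTLSREQSUCC means the DTLS handshake, and with it the AP's MIC certificate, was accepted by the controller, so everything after it is an image-download problem rather than a certificate or clock problem. The first sample is the log as posted; the second is constructed by dropping lines from it to show where a handshake failure would land. The verdict labels and the dataclass are this example's own names, not Cisco terminology.

```python
"""Triage a lightweight AP's CAPWAP console output: did the join fail at the
DTLS handshake (certificate / clock territory) or later, during the image
download the controller pushes after the Join Request?"""
import re
from dataclasses import dataclass
from typing import Optional

# Regexes for the syslog strings seen in the post above. "sucessfully" is
# how the AP spells it, hence the \w+ wildcard instead of the word.
DTLS_REQ = re.compile(r"%CAPWAP-5-DTLSREQSEND:.*peer_ip: (\S+)")
DTLS_OK = re.compile(r"%CAPWAP-5-DTLSREQSUCC: DTLS connection created \w+ peer_ip: (\S+)")
JOIN_SENT = re.compile(r"%CAPWAP-5-SENDJOIN: sending Join Request to (\d+\.\d+\.\d+\.\d+)")
IMG_DWNLD = re.compile(r"%CAPWAP-6-AP_IMG_DWNLD:")
IMG_ERR = re.compile(r"^ERROR: (.+)$")
DWNLD_FAIL = re.compile(r"Download image failed.*From:(\S+) to (\S+), FailureCode:(\d+)")
DTLS_ALERT = re.compile(r"%DTLS-5-SEND_ALERT: Send FATAL")

# Console output copied from the post above; the "perform archive download"
# text the console interleaved onto the SENDJOIN line is left as printed.
SAMPLE_LOG = """\
*Mar 1 00:01:34.295: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Apr 1 16:13:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.20 peer_port: 5246
examining image...
*Apr 1 16:13:18.399: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.0.20 peer_port: 5246
*Apr 1 16:13:18.399: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.0.20perform archive download capwap:/c1570 tar file
*Apr 1 16:13:18.467: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
ERROR: Image is not a valid IOS image archive.
Download image failed, notify controller!!! From:8.0.152.0 to 0.0.0.0, FailureCode:3
*Apr 1 16:14:38.471: capwap_image_proc: problem extracting tar file
*Apr 1 16:14:38.471: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.0.20:5246
"""

# Constructed variant (not from the post): only the lines before the DTLS
# session came up, plus the alert, to show where a handshake failure lands.
SAMPLE_LOG_NO_DTLS = "\n".join(
    line for line in SAMPLE_LOG.splitlines()
    if "MIC certificate" in line or "DTLSREQSEND" in line or "SEND_ALERT" in line
)


@dataclass
class JoinTriage:
    controller: Optional[str] = None
    dtls_requested: bool = False
    dtls_established: bool = False
    join_sent: bool = False
    image_download_started: bool = False
    image_error: Optional[str] = None
    from_version: Optional[str] = None
    to_version: Optional[str] = None
    failure_code: Optional[int] = None
    dtls_fatal_alert: bool = False

    @property
    def verdict(self) -> str:
        """Coarse classification, checked in the order a join proceeds."""
        if not self.dtls_requested:
            return "no-dtls-attempt"
        if not self.dtls_established:
            # Handshake never completed: certificate validity, clock or
            # trust problems live here (this is what cert-expiry-ignore is for).
            return "dtls-handshake-failed"
        if self.failure_code is not None or self.image_error:
            # DTLS, and therefore the AP certificate, was accepted; the
            # controller then served an image the AP rejected.
            return "image-download-failed"
        if self.dtls_fatal_alert:
            return "dtls-closed-after-join"
        return "no-failure-seen"


def triage(log: str) -> JoinTriage:
    """Walk the console lines once and fill in the join milestones."""
    t = JoinTriage()
    for raw in log.splitlines():
        line = raw.strip()
        if m := DTLS_REQ.search(line):
            t.dtls_requested, t.controller = True, m.group(1)
        if m := DTLS_OK.search(line):
            t.dtls_established, t.controller = True, m.group(1)
        if JOIN_SENT.search(line):
            t.join_sent = True
        if IMG_DWNLD.search(line):
            t.image_download_started = True
        if m := IMG_ERR.match(line):
            t.image_error = m.group(1)
        if m := DWNLD_FAIL.search(line):
            t.from_version, t.to_version = m.group(1), m.group(2)
            t.failure_code = int(m.group(3))
        if DTLS_ALERT.search(line):
            t.dtls_fatal_alert = True
    return t


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("constructed", SAMPLE_LOG_NO_DTLS)):
        t = triage(log)
        print(f"{name}: {t.verdict}; controller={t.controller} "
              f"from={t.from_version} to={t.to_version} code={t.failure_code} "
              f"error={t.image_error!r}")
```

On the posted log the verdict is image-download-failed with controller 10.0.0.20, versions 8.0.152.0 to 0.0.0.0, FailureCode 3 and the "not a valid IOS image archive" error captured; the "to 0.0.0.0" and the error text are the fields to quote when asking what image the controller actually holds for this AP model.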

- @JoelDarbro50834 Looks like a wrong image was installed; try https://software.cisco.com/download/home/286283431/type/280775090/release/15.3.3-JF10

  M.

I have the Cisco 8.5.182.12 aes and associated bundle files. From reading the release notes, it says I can upgrade directly from the current IOS version. I'm not clear from the release notes whether upgrading the IOS will automatically generate a new/valid AP CAPWAP image to download?? There was a note about the AP downloading the image twice, but that referenced an older model AP.

It does install the AP images with the new controller code.
Double download only applies to 1700/2700/3700 APs because of the change of name of the 3700 image. (ap3g2/c3700)


Thank you Rich

I had actually found your earlier post when researching this problem on the forum. I read the attached field notes. I now have the 8.5.182.12 aes and bundle files. I've read the release notes and double checked the compatibility matrix.

It isn't 100% clear to me if the IOS upgrade will create a new AP image and correct the problem or if I need to try and get the C3700 AP tar file and do a manual AP image install first.

It's been a long time since I've upgraded WLC software. I'll have to do more studying first.

This is a home lab, so why not just downgrade back to what you had working? Then you can figure out what code version you need. You can also then upgrade slowly to see which versions work and which don't. That way you have some practice upgrading and downgrading, not just upgrading. What you don't want to do is read too many posts and not be clear about what they say. You can brick your device and then you will be out of luck.

-Scott