Solved: Re: AP fails to join updated WLC - Page 2

JoelDarbro50834 · ‎03-09-2025

I am attempting to migrate my 1572 APs to an updated WLC 2504 running 8.5.151.0. This is for my home lab network.

1572s were working on 8.0.152.0 now they continually disassociate while trying to download the new image. I found Community posts that corrected the issue by disabling NTP and setting date to 2 Dec 2022. That doesn't seem to help. I've tried a fresh configuration wizard and hard reset of the AP.

Are there other corrections I could try?

Thank you

Joel

JoelDarbro50834 · ‎03-10-2025

I have an older WLC that’s running 8.0.152.0 that will be my backup but it’s severely limited on compatible APs. Upgrading to 8.5.182.12 will be the earliest version that is recommended that will be compatible with the APs I want to try. Downgrading would accomplish anything for me.

I bought a newer version 2504 WLC that I’m have trouble getting APs to join.

Rich R · ‎03-10-2025

The controller will have all the AP images installed after upgrade.

APs should download the new image automatically but that is quite a jump in version from 8.0 to 8.5 so they might have trouble. The release notes say you can upgrade directly but also say:

Note

If you are using Release 8.2.15x or earlier, we recommend that you upgrade to Release 8.2.16x or 8.3.x and then upgrade to Release 8.5.182.0

If they can't download automatically then you might have to manually upgrade them to 8.5.182.0 and then they will definitely be able to download 8.5.182.12 from the WLC. There is no AP software download for 8.5.182.12 to upgrade them directly to that manually.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

JoelDarbro50834 · ‎03-10-2025

Thank you for the info Rich.

This 2504 WLC that I’m having issues with has 8.5.151.0 installed so hopefully not too many issues upgrading.

The 8.0.151.0 was on an older 2504 that will be a backup. Sorry to confuse things.

Will be using 1570 series APs so hopefully will work well.

Rich R · ‎03-10-2025

Understood but it's the APs which are most likely to have trouble upgrading from 8.0 to 8.5 not the WLC.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

JoelDarbro50834 · ‎03-10-2025

Thanks, I didn't understand that the AP software jump would be the issue. I will try and find 8.3

If I read the release notes correctly, You first follow the upgrade steps with the base software then repeat with the Bundle software?

Rich R · ‎03-11-2025

For normal releases like 8.3.150.0 yes, you would install AIR-CT2500-K9-8-3-150-0.aes and then AIR-CT2500-AP_BUNDLE-K9-8-3-150-0.aes to get the AP802, AP1530, AP1550 and AP1570 software installed.
The 8.5.182.12 download page doesn't list any 2504 AP bundle so I presume it has them all in the single image but I can't say for sure? Once it is installed you can check what's installed with:
test system dir /mnt/images/ap.pri
That will list all the files in the image directory (like linux ls -la)

I would try the direct upgrade. If it works - great. If not then either:
- upgrade APs manually or
- revert to old version and do the 2 stage upgrade.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

JoelDarbro50834 · ‎03-11-2025

Upgraded the new WLC 2504 to 8.5.182.12. Went right back into the same disassociate boot loop. Felt like I needed to rule out any problems with the new WLC, so I decided to downgrade it to 8.0.152.0. Same as the older original WLC. After reboot, immediately came up, AP joined it no issues. Not sure what to try next. I was thinking I must have an error in my configuration somewhere, but I think this rules that out.

marce1000 · ‎03-11-2025

- @JoelDarbro50834 - As I explained earlier; I don't think you have a configuration problem; you came into the unfortunate
situation with that controller version and that specific AP model
being a bug. Due to the older controller not being able to run
the recent aireos versions , it probably can't be resolved ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

JoelDarbro50834 · ‎03-11-2025

I think that was somewhat the issue. After trying several different upgrade paths. The WLC came up and joined the 1572 RAP after downgrading to 8.0.152.0 then upgrading to 8.5.182.11. All other paths I tried kept ending up in the boot loop error.

JoelDarbro50834 · ‎03-11-2025

The WLC seemed to be stable with 8.0.152.0 so I decided to try upgrading it with the 8.5.182.11 that had the Bundle file also. After upgrading with both files, the WLC came up and joined with the 1572 RAP! Seemed like it needed the Bundle File. The RAP is up and running and has clients. I powered up a second 1572 MAP. So far it hasn't found it. I hope it's just taking some time. I haven't seen any traps on the MAP yet.

Appreciate all of your help. I learned a lot.

JoelDarbro50834 · ‎03-11-2025

While upgrading the Cisco 2504 WLC from 8.0.152.0 I had a single 1572AP powered and connected to ethernet to be the Mesh RAP. It immediately joined the WLC when it rebooted. With the WLC stable running 8.5.182.11 with the 1572 joined as the Mesh RAP, I powered up two additional 1572 APs to be MAPs. The last IOS version they were joined to was 8.0.152.0. The will not join the WLC. They keep having a failure to extract tar file. I've added the AP log file below. I suspect if I downgrade the WLC back to 8.0.152.0 and join all the APs, then upgrade again back to 8.5.182.11 everything will work. This doesn't seem practicle every time I want to add a new AP.

Is there something I'm missing??

AP log:

p: 10.0.0.20 peer_port: 5246

*Mar 11 21:49:11.399: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.0.20 peer_port: 5246

*Mar 11 21:49:11.399: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.0.20perform archive download capwap:/c1570 tar file

extracting c1570-k9w8-mx.ap_umr8_esc.202307130257/img_sign_rel_sha2.cert (1545 bytes)

extracting c1570-k9w8-mx.ap_umr8_esc.202307130257/8006.img (605841 bytes)

*Mar 11 21:49:11.467: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.

extracting c1570-k9w8-mx.ap_umr8_esc.202307130257/c1570_avr.img (15376 bytes)

extracting c1570-k9w8-mx.ap_umr8_esc.202307130257/info (334 bytes)

extracting c1570-k9w8-mx.ap_umr8_esc.202307130257/L2.bin (11680 bytes)

extracting c1570-k9w8-mx.ap_umr8_esc.202307130257/P2.bin (44384 bytes)

extracting c1570-k9w8-mx.ap_umr8_esc.202307130257/L5.bin (3811 bytes)

c1570-k9w8-mx.ap_umr8_esc.202307130257/html/ (directory) 0 (bytes)

c1570-k9w8-mx.ap_umr8_esc.202307130257/html/level/ (directory) 0 (bytes)

extracting c1570-k9w8-mx.ap_umr8_esc.202307130257/8004.img (576281 bytes)

*Mar 11 21:51:41.403: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join timer expired

extracting c1570-k9w8-mx.ap_umr8_esc.202307130257/file_hashes (1564 bytes)

extracting c1570-k9w8-mx.ap_umr8_esc.202307130257/final_hash (141 bytes)

extracting c1570-k9w8-mx.ap_umr8_esc.202307130257/final_hash.sig (512 bytes)

extracting info.ver (334 bytes)

*Mar 11 21:52:07.527: Currently running a Release Image

*Mar 11 21:52:07.547: Using SHA-2 signed certificate for image signing validation.

*Mar 11 21:52:07.619: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 02A79669ACDDF395D2103895880438649829) is not yet valid Validity period starts on 16:53:06 UTC Dec 7 2022

*Mar 11 21:52:07.619: Image signing certificate validation failed (1A).

*Mar 11 21:52:07.619: Failed to validate signature

*Mar 11 21:52:07.619: Digital Signature Failed Validation (flash:/update/c1570-k9w8-mx.ap_umr8_esc.202307130257/final_hash)

*Mar 11 21:52:07.619: AP image integrity check FAILED

Aborting Image Download

Download image failed, notify controller!!! From:8.0.152.0 to 8.5.182.11, FailureCode:3

archive download: takes 182 seconds

*Mar 11 21:52:14.303: capwap_image_proc: problem extracting tar file

Leo Laohoo · ‎03-11-2025

@JoelDarbro50834 wrote:

*Mar 11 21:52:07.619: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 02A79669ACDDF395D2103895880438649829) is not yet valid   Validity period starts on 16:53:06 UTC Dec 7 2022
*Mar 11 21:52:07.619: Image signing certificate validation failed (1A).

1. Put the TAR file in a TFTP server.

2. Make sure the AP can reach the server.

3. Console into the AP.

4. Enter the command: debug capwap console cli

5. Enter the command: archive download-sw /over tftp://<TFTP SERVER IP ADDRESS>/filename.tar

6. When finish, reboot the AP.

JoelDarbro50834 · ‎03-11-2025

Leo, I'm pretty much a novice. How do I find the correct tar file for the AP? Can I upload it from the WLC or is it a file I would have to get from Cisco support? I used a tftp server to upgrade the WLC and have consoled into the APs, but I'm not sure where I would get the current valid AP image tar file?

Joel

Leo Laohoo · ‎03-11-2025

Download c1570-rcvk9w8-tar.153-3.JPT1.tar and put the file in a TFTP server.

JoelDarbro50834 · ‎03-11-2025

While upgrading a Cisco 2504 WLC from 8.0.152.0 to 8.5.182.11I had a single 1572AP powered and connected to ethernet to be the Mesh RAP. It immediately joined the WLC when it rebooted with the updated 8.5.182.11 IOS With the WLC stable running 8.5.182.11 with the 1572 joined as the Mesh RAP, I powered up two additional 1572 APs to be MAPs. The last IOS version they were joined to was 8.0.152.0. They will not join the WLC. They keep having a failure to extract tar file. I've added the AP log file below. I suspect if I downgrade the WLC back to 8.0.152.0 and join all the APs, then upgrade again back to 8.5.182.11 everything will work. This doesn't seem practical every time I want to add a new AP.