
Cisco WLC 2500 Certificate Expiration Workaround

aaron-rousch
Level 1

Good day.

I have a Cisco 2500 Series Wireless Controller and I have come across the issue in Field Notice FN63942.

Following the instructions for the situation "The WLC runs fixed software, but some APs cannot join":

  1. Enter the config ap cert-expiry-ignore {mic|ssc} enable command.
  2. If any of the APs that cannot join have not downloaded the fixed software
    1. Disable NTP.
    2. Set the clock back to a time before the WLC certificate expired (might keep newer APs from joining).
    3. Have all APs join the WLC, download new software, and rejoin.
    4. Set the clock to the correct time and re-enable NTP.

I have followed the steps as instructed and I have an AIR-CAP3702P-A-K9 that still refuses to join. I get the same error:

"%PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 6732C08E0000001FA741) has expired. Validity period ended on 04:53:04 UTC Oct 30 2024Peer certificate verification failed 001A"

I can confirm that the certificate (SN: 6732C08E0000001FA741) is on the WLC and not the AP.

I am unable to download any software from Cisco due to not having a service license.

Is there a step I missed?

Any help would be appreciated. 

Thank you for your time.

PS: If this is not the correct place for this question, please let me know and I will remove this post and re-ask it in the appropriate place.




@aaron-rousch 

Which software version is on the WLC and which one is on the access point?

The software version on the WLC is 8.3.112.0.

The software version on the AP is C3700 Software (AP3G2-RCVK9W8-M), Version 15.2(4)JB1,

 

Edit reason: found the actual software version.

8.3.112.0 requires 15.3(3)JD4. Your problem could be not the certificate but a version mismatch.

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
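The two candidate causes discussed in this thread, an expired WLC certificate (the %PKI-3-CERTIFICATE_INVALID_EXPIRED message quoted in the original post) and an AP image that does not match what the WLC release requires (the accepted answer above), can both be checked from text you already have: the AP's `show version` line and the controller log. The following script is an added example written for this page, not code from the thread or from Cisco; the log lines in it are constructed samples in the same format as the quoted message, and the `REQUIRED_AP_IMAGE` table holds only the one pairing stated in the accepted answer (8.3.112.0 needs 15.3(3)JD4), so any other WLC release must be added from Cisco's compatibility matrix. `diagnose()` reports a version mismatch, and for every expired-certificate message it reports whether the controller clock is past the expiry, which is the condition under which the field notice's `cert-expiry-ignore` or clock-rollback steps apply; `clock_before_expiry()` gives the latest clock value that still pre-dates every expired certificate found.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines. Only the first one follows the
# %PKI-3-CERTIFICATE_INVALID_EXPIRED message quoted in the thread (same serial and
# expiry); the second is an unrelated line added to show that it is ignored.
SAMPLE_LOGS = [
    "%PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. "
    "The certificate (SN: 6732C08E0000001FA741) has expired. Validity period ended on "
    "04:53:04 UTC Oct 30 2024Peer certificate verification failed 001A",
    "%CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY",
]

# WLC release -> AP IOS release it requires, taken from the accepted answer in the
# thread. Extend it from Cisco's compatibility matrix for other WLC releases.
REQUIRED_AP_IMAGE = {"8.3.112.0": "15.3(3)JD4"}

PKI_EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\) has expired\. "
    r"Validity period ended on (?P<ts>\d{2}:\d{2}:\d{2} UTC [A-Z][a-z]{2} \d{1,2} \d{4})"
)
SHOW_VERSION_RE = re.compile(r"Version (?P<ver>\d+\.\d+\(\d+\)[A-Za-z0-9$]+)")
IOS_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d+)$")


def parse_expiry_events(lines):
    """Return one dict per expired-certificate message: serial and UTC expiry time."""
    events = []
    for line in lines:
        m = PKI_EXPIRED_RE.search(line)
        if not m:
            continue
        expired_at = datetime.strptime(m.group("ts"), "%H:%M:%S UTC %b %d %Y")
        events.append({"sn": m.group("sn").upper(),
                       "expired_at": expired_at.replace(tzinfo=timezone.utc)})
    return events


def normalise_ios_version(ver):
    """Upper-case and drop stray characters such as the trailing '$' that appears in
    pasted 'show version' output (15.3(3)JD4$ -> 15.3(3)JD4)."""
    return re.sub(r"[^0-9A-Z().]", "", ver.upper())


def parse_ios_version(show_version_line):
    """Extract the IOS release from a 'show version' line, or None if absent."""
    m = SHOW_VERSION_RE.search(show_version_line)
    return normalise_ios_version(m.group("ver")) if m else None


def version_key(ver):
    """Sortable tuple for an IOS release string, e.g. 15.2(4)JB1 -> (15, 2, 4, 'JB', 1)."""
    m = IOS_VERSION_RE.match(normalise_ios_version(ver))
    if not m:
        raise ValueError(f"unrecognised IOS version: {ver!r}")
    major, minor, rel, train, build = m.groups()
    return (int(major), int(minor), int(rel), train, int(build))


def clock_before_expiry(events, margin=timedelta(days=1)):
    """Latest clock setting that pre-dates every expired certificate in `events`
    (the value the field notice's clock-rollback step needs), as ISO 8601, or None."""
    if not events:
        return None
    earliest = min(e["expired_at"] for e in events)
    return (earliest - margin).isoformat()


def diagnose(wlc_version, ap_show_version_line, log_lines, wlc_clock_iso):
    """Return a list of findings explaining why an AP may fail to join."""
    findings = []
    ap_ver = parse_ios_version(ap_show_version_line)
    required = REQUIRED_AP_IMAGE.get(wlc_version)
    if ap_ver is None:
        findings.append("could not read the AP IOS version from 'show version'")
    elif required and version_key(ap_ver) != version_key(required):
        findings.append(f"version mismatch: AP runs {ap_ver}, WLC {wlc_version} requires {required}")
    clock = datetime.fromisoformat(wlc_clock_iso)
    for ev in parse_expiry_events(log_lines):
        # Only a controller clock past the expiry makes the certificate a join blocker.
        if clock >= ev["expired_at"]:
            age = clock - ev["expired_at"]
            findings.append(f"certificate {ev['sn']} expired {age} before the controller clock "
                            f"({ev['expired_at'].isoformat()}); cert-expiry-ignore or a clock "
                            f"rollback to {clock_before_expiry([ev])} is needed")
    return findings


if __name__ == "__main__":
    ap_line = "C3700 Software (AP3G2-RCVK9W8-M), Version 15.2(4)JB1,"
    for finding in diagnose("8.3.112.0", ap_line, SAMPLE_LOGS, "2024-10-31T12:00:00+00:00"):
        print("-", finding)
```

Run as-is it reports both findings for the versions quoted in this thread (an AP on 15.2(4)JB1 against a WLC on 8.3.112.0, with the controller clock a day past the certificate expiry); feeding it the `show version` line of an AP that already runs 15.3(3)JD4 leaves only the certificate finding, which is the situation the field notice workaround is meant for.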


Oh, I think I understand now. When the AP lost connection to the WLC the first time, I did a factory restore; would that have caused a downgrade in the version?

Because I have other AIR-CAP3702P-A-K9s currently on the WLC; they have a boot version of 15.2.4.0 but an IOS version of 15.3(3)JD4$

@aaron-rousch Probably this is it. What you can do is try to get the firmware from a working AP and transfer it.

 

I will try that. Thank you, Flavio.

Can I download the correct image from the WLC?

I don't believe you can download it from the WLC. I believe you can try from another AP.

Thank you again for the assistance, Flavio.

I will try to download a working image from a working AP.

Are there any guides here that can help me with this process?

We can close this issue now.

 

@aaron-rousch (wrote) >...The software Version on WLC is 8.3.112.0
To overcome that problem you need 8.5.182.12 (8.5.182.13 for 3504s).

To avoid getting confused: this one is https://www.cisco.com/c/en/us/support/docs/field-notices/725/fn72524.html, which is not FN63942 (those countermeasures don't work for the above FN).

@balaji.bandi also refers to a corresponding bug report.

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thank you for the reply, Marce.

It looks like the AP itself got downgraded back to the boot version after I had to factory reset it.

Seeing as I don't have a Cisco service contract, I can't download a new version for the AP or WLC from the website.

 

 - @aaron-rousch (wrote) : >...seeing as i don't have a Cisco service contract<