10-31-2024 11:10 AM - edited 10-31-2024 11:11 AM
Good Day.
I have a Cisco 2500 Series Wireless Controller and I have come across the issue in the Field Notice FN63942.
Following the instructions under "Situation: The WLC runs fixed software, but some APs cannot join."
I have followed the steps as instructed and I have an AIR-CAP3702P-A-K9 that still refuses to join. I get the same error:
"%PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 6732C08E0000001FA741) has expired. Validity period ended on 04:53:04 UTC Oct 30 2024Peer certificate verification failed 001A"
I can confirm that the certificate (SN: 6732C08E0000001FA741) is on the WLC and not the AP.
I am unable to download any software from Cisco due to not having a service license.
Is there a step I missed?
Any help would be appreciated.
Thank you for your time.
PS: If this is not the correct place to put this question, please let me know and I will remove this post and re-ask the question in the appropriate place.
10-31-2024 12:44 PM - edited 10-31-2024 12:45 PM
8.3.112.0 requires 15.3(3)JD4. Your problem could be a version mismatch rather than the certificate.
https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
10-31-2024 11:23 AM - edited 10-31-2024 11:24 AM
Which software version is on the WLC and which one is on the access point?
10-31-2024 12:28 PM - edited 10-31-2024 12:44 PM
The software version on the WLC is 8.3.112.0.
The software version on the AP is C3700 Software (AP3G2-RCVK9W8-M), Version 15.2(4)JB1.
Edit reason: found the actual software version.
10-31-2024 12:53 PM
Oh, I think I understand now. When the AP lost connection to the WLC the first time, I did a factory restore; would that have caused a downgrade in the version?
Because I have other AIR-CAP3702P-A-K9s currently on the WLC; they have a boot version of 15.2.4.0 but an IOS version of 15.3(3)JD4$.
10-31-2024 12:58 PM
@aaron-rousch, probably this is it. What you can do is try to get the firmware from a working AP and transfer it.
10-31-2024 01:01 PM
I will try that. Thank you, Flavio.
Can I download the correct image from the WLC?
10-31-2024 01:06 PM
I don't believe you can download from the WLC. I believe you can try from another AP.
10-31-2024 01:18 PM
Thank you again for the assistance, Flavio.
I will try and download a working image from a working AP.
Are there any guides here that can help me with this process?
We can close this issue now.
10-31-2024 12:45 PM
@aaron-rousch (wrote): >...The software version on the WLC is 8.3.112.0
To overcome that problem you need 8.5.182.12 (8.5.182.13 for 3504s).
To avoid getting confused: this one, https://www.cisco.com/c/en/us/support/docs/field-notices/725/fn72524.html,
is not FN63942 (those countermeasures don't work for the above FN).
@balaji.bandi also refers to a corresponding bug report.
M.
10-31-2024 12:54 PM - edited 10-31-2024 12:56 PM
Thank you for the reply, Marce.
It looks like the AP itself got downgraded back to the boot version after I had to factory reset it.
Seeing as I don't have a Cisco service contract, I can't download a new version for the AP or WLC from the website.
10-31-2024 01:11 PM
- @aaron-rousch (wrote): >...Seeing as I don't have a Cisco service contract, I can't download a new version for the AP or WLC from the website.
- I do understand that; I hope then that you can overcome the issue with the help of the great @Flavio Miranda, but you risk getting to a dead end (with this or other severe issues), because the AireOS platforms are getting phased out and it becomes kind of mandatory these days to be able to run the last/latest release offered.
It's also time to move on and start planning to migrate to the 9800 platform(s).
M.
10-31-2024 12:15 PM
I think this could be a bug (the information @Flavio Miranda asked for is important to cross-check against the bug below):
https://quickview.cloudapps.cisco.com/quickview/bug/CSCwd80290
11-10-2024 07:13 AM
FN63942 is not only about WLC certificates - it's AP and WLC certificates. And there are multiple bug fixes which address different parts of the problem so as Marce pointed out you need software with all those fixes.
The bug Balaji mentioned is associated with another field notice, FN72524 (link below), which needs much more recent software with the fix.
As Marce said you should be running 8.5.182.12 (link below).
Your AP is running a recovery IOS image (we can tell that from RCVK9W8 in the name). The recovery image is a very basic image which only allows the AP to join and download the correct IOS from the WLC; it does not support any radio functions. 15.2(4)JB1 is an extremely old version for 7.6 WLC code and unlikely to ever be able to join your WLC, so you will need to install the correct (or at least a more recent) version. Check whether you still have a later version on AP flash and change the boot variable to load that.
15.3(3)JD4 is at https://software.cisco.com/download/home/285029865/type/280775090/release/15.3.3-JD4 but ultimately you want 8.5.182.12
If you don't have a contract, find a recent security advisory that affects 8.5 code and find the section which says "Customers Without Service Contracts", then email TAC (don't phone) quoting the URL of the advisory, the paragraph just mentioned, the version and URL https://software.cisco.com/download/specialrelease/9a6a7cf84f9fdf04b95c76e2ac7820e7 for the software you want to download, and the serial number of your WLC. You'll have to mention which platform you need it for (2504) because they have all of them at that URL. Then TAC should publish the software to you directly.
This advisory should be suitable: "Cisco Wireless LAN Controller AireOS Software FIPS Mode Denial of Service Vulnerability", because CSCwa40778 is fixed in 8.5.182.12 (even though the advisory itself says to upgrade to 8.10).
"Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade."
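The two things Rich reads off the device output above, the expired-certificate syslog message and the RCVK9W8 recovery-image marker in the AP version string, can be checked mechanically when you have more than a handful of APs. The script below is an added example written for this thread, not code from Cisco or from any poster. It parses constructed sample strings modelled on what aaron-rousch quoted, flags expired certificates, recovery images and the one WLC-to-AP version pairing stated in the accepted answer (8.3.112.0 requires 15.3(3)JD4); the generalisation that any feature set beginning with RCV is a recovery image is an assumption made here, and any other version pairing would have to come from Cisco's compatibility matrix.

```python
import re
from datetime import datetime, timezone

# Constructed sample inputs modelled on the strings quoted in this thread;
# not captured from any real device.
SAMPLE_LOG_LINES = [
    '%PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. '
    'The certificate (SN: 6732C08E0000001FA741) has expired. '
    'Validity period ended on 04:53:04 UTC Oct 30 2024Peer certificate verification failed 001A',
    'Some other syslog line that the parser should ignore',
]
SAMPLE_AP_VERSION = 'C3700 Software (AP3G2-RCVK9W8-M), Version 15.2(4)JB1,'

# One pairing, taken from the accepted answer in this thread. Any other entry
# must come from Cisco's compatibility matrix (deliberately not reproduced here).
REQUIRED_AP_IOS = {'8.3.112.0': '15.3(3)JD4'}

# The "2024Peer" fusion in the original message is real, so the date pattern
# stops at the four-digit year rather than requiring a word boundary.
PKI_EXPIRED_RE = re.compile(
    r'%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\).*?'
    r'Validity period ended on (?P<ended>\d{2}:\d{2}:\d{2} UTC [A-Z][a-z]{2} \d{1,2} \d{4})'
)

# Matches "(AP3G2-RCVK9W8-M), Version 15.2(4)JB1"; the '$' suffix seen on
# full images such as 15.3(3)JD4$ is allowed in the version token.
AP_VERSION_RE = re.compile(
    r'\((?P<image>[A-Z0-9]+-(?P<feature>[A-Z0-9]+)-M)\),\s*Version\s+'
    r'(?P<version>[0-9A-Za-z().$]+)'
)


def parse_expired_cert(line):
    """Return serial and expiry (UTC datetime) for an expired-cert message, else None."""
    m = PKI_EXPIRED_RE.search(line)
    if not m:
        return None
    ended = datetime.strptime(m.group('ended'), '%H:%M:%S UTC %b %d %Y')
    return {'serial': m.group('sn').upper(),
            'expired_at': ended.replace(tzinfo=timezone.utc)}


def classify_ap_image(version_line):
    """Split an AP 'show version'-style line into image name, version and recovery flag."""
    m = AP_VERSION_RE.search(version_line)
    if not m:
        return None
    return {
        'image': m.group('image'),
        'version': m.group('version'),
        # Assumption (generalising Rich's RCVK9W8 remark): an RCV prefix on the
        # feature set marks a recovery image that cannot serve clients.
        'is_recovery': m.group('feature').startswith('RCV'),
    }


def triage(wlc_version, ap_version_line, log_lines, now=None):
    """Return a list of (finding, detail, detail) tuples for one AP/WLC pair."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for line in log_lines:
        cert = parse_expired_cert(line)
        if cert:
            days_expired = (now - cert['expired_at']).days
            findings.append(('expired-cert', cert['serial'], days_expired))
    img = classify_ap_image(ap_version_line)
    if img:
        if img['is_recovery']:
            findings.append(('recovery-image', img['image'], img['version']))
        required = REQUIRED_AP_IOS.get(wlc_version)
        if required and img['version'] != required:
            findings.append(('version-mismatch', img['version'], required))
    return findings


if __name__ == '__main__':
    for finding in triage('8.3.112.0', SAMPLE_AP_VERSION, SAMPLE_LOG_LINES):
        print(finding)
```

Run it as-is to see the three findings for the sample strings; feed it the real `show version` line from each AP and the WLC syslog to separate "cert expired on the controller" from "AP booted the recovery image", since, as the thread shows, both can be true at once and the second one is what blocks the join.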
11-11-2024 07:47 AM
Good day, Rich
Thank you for the reply. I have followed the instructions as written and sent an email to TAC.