Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3490
Views
5
Helpful
6
Replies

How to Proactively Prevent SSC/MIC Certificate Expiration Problems

JustTakeTheFirstStep
Level 4
Level 4

‎12-18-2020 09:32 PM - edited ‎07-05-2021 12:55 PM

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
https://community.cisco.com/t5/wireless-mobility-documents/lightweight-ap-fail-to-create-capwap-lwapp-connection-due-to/tac-p/4261080#M3213


I know the problem arises when the certificate of WLC/AP expires.

So, we want to prevent certificate problems in advance.

 

We using 5520 and 5508 WLC.

AP is using 1100 series and 2700,2800 series.

5520 version : 8.3.150

5508 version : 8.0.152

 

WLC's SHA1 device cert is valid for 22 years and 23 years.

Can certificate problems be prevented in advance by just using the "config ap cert-expiry-ignore {mic | ssc} enable" command??

6 Replies 6

MHM Cisco World
VIP
VIP

‎12-19-2020 04:13 PM

I think Yes it ignore the expire check.

0 Helpful

Rasika Nayanajith
VIP
VIP

‎12-20-2020 10:58 AM

Typically AP licence is valid for 10 years and expiring of that one cause this issue. Once you issue that workaround command listed in below Field Notice, then it will ignore that check. 

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html 

HTH

Rasika

*** Pls rate all useful responses ***

0 Helpful

daswann
Level 1
Level 1
In response to Rasika Nayanajith

‎02-17-2021 01:18 PM

We have hundreds of 3502i access points at one of our locations and have the same concern. I found this in the documentation-

config ap cert-expiry-ignore {mic|ssc} enable

 

Important note: IOS APs (i.e. 802.11n / 802.11ac Wave 1 APs), which were manufactured with SHA-2 certificates,
cannot ignore WLC certificate expiration prior to 8.5.160.0.
See CSCvs22835

We are currently at 8.5.151.0 sounds like we will need to upgrade the code as well?

Thanks 

0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to daswann

‎02-19-2021 04:44 AM

Yes in this case you must upgrade. Please note, 8.5.171.0 was just released, with many important fixes. I'd upgrade to that one (which is probably the last version for 8.5).

Release notes: https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr7.html

0 Helpful

daswann
Level 1
Level 1
In response to patoberli

‎03-10-2021 07:56 AM

 8.5.171.0 

Thank you Patoberli 

 

In the CSCvs22835 bug it shows 8.5(160.0) in the known fixed releases, does that include 8.5.160.6? I'm trying to understand if these are fixed in subsequent releases in the same 160 release; or are they specific meaning only fixed in 8.5.160.0 in this as an example?

Thank you in advance for you time. 

Dale

 

0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to daswann

‎03-10-2021 08:31 AM

Yes, then it should also be fixed in 8.5.160.6 typically. In rare cases this isn't true, but that's only something that TAC can answer. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card