LAP Update not connected to Controller

Hi,

I have some LAPs which do not connect to the controllers as the firmware is not identical.

(APs 2602i, Controller 5508)

But the APs can be reached using ssh.

Is it possible to scp a newer firmware DIRECTLY to the AP so that they update themselves, boot with the new firmware and connect to the controller?

Thanks in advance for the help

All the best

Max

7 Replies

Arshad Safrulla
VIP Alumni

How did you determine that the firmware is causing the AP join issues?

 

Confirm the below:

- Option 43 is correctly advertised

- NTP is updated and working as expected

- AP management to AP manager interface reachability

- Verify that your deployment is not hitting any certificate expiry issues.

If all the above is not working then you can try to match the codes manually.

Hi,

I've seen logs before mentioning the certificate expiry date.

To overcome this issue I already have a plan but this involves returning the not connecting APs to the datacenter.

I wanted to know if there is an easier solution for my problem.

I can reach the AP via ssh and could push some firmware but I don't know which firmware file...

 

fyi: option 43 is correct, ntp is set and working, management is reachable

But there are certificate expiry issues


@maximilian.gessner wrote:

I have some LAPs which do not connect to the controllers as the firmware is not identical.


What firmware is the controller running on? 

The WLC manages what firmware the AP runs on.  Even if the AP is running a different version, once the AP joins the controller the AP will be forced to upgrade/downgrade the firmware to be at the same level as the controller.

Below is the bug,

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb93909/

Follow the mitigation steps as found in the above link. 

 

Hi Arshadsaf,

This is the solution I found earlier.

For productive system this seems not to be applicable.

I thought there might be an easier (remote) solution...

Maybe you can try with TAC for an RMA citing your policies. This is the only way I can see.

You're all making this too complicated.  CSCvb93909 is for COS APs not IOS APs.

Updating the firmware alone will NOT solve the problem.

Only the combination of new firmware *and* the required config change on WLC (which will be pushed to the AP after it has successfully joined) provides a complete fix.

Refer to the field notice at https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html which has all the instructions you need.  And you did not mention what version of code you're running on the controller but anyway ...

Basically:

- Update WLC to the latest software version with all the fixes mentioned in the field notice

- Turn off NTP on the WLC and manually change the date to a year before the AP and/or WLC certs expired.

- Apply the WLC config: config ap cert-expiry-ignore {mic|ssc} enable

- Join the APs, let them update their firmware and also pick up the config from the WLC (which tells them to ignore cert expiry after that)

- Once everything has been updated (firmware and config) you can re-enable NTP on the WLC.

 
