01-25-2024 03:44 AM
Hi.
I'm having problems connecting an AP3702 to our WLC9800.
It says the certificate has expired.
So I'm thinking that downloading a newer firmware to the AP will do the trick, since we have several other AP3702s on the network without problems.
But I cannot see any archive or copy commands when I ssh into the AP.
Does this mean there is no way to remotely copy a new firmware into the AP3702?
This is the model number: AIR-CAP3702I-E-K9
01-25-2024 06:43 AM
- Check out this solution and give it a try; the first part concerning DHCP is not relevant (go to the clear capwap commands).
https://community.cisco.com/t5/wireless/ap1700-trying-to-associate-to-wlc-9800/m-p/4775185#M251689
M.
01-25-2024 11:10 PM
This command did the trick:
debug capwap console cli
After I entered that, I could use the copy command as usual.
Thanks!
01-25-2024 04:32 AM
It can be done.
Is the AP remotely accessible (console, telnet, SSH)?
01-25-2024 04:36 AM
It is accessible via SSH
01-25-2024 04:45 PM - edited 01-25-2024 04:48 PM
@dal wrote:
It is accessible via SSH
Perfect! I've got a solution and it will be nasty.
1. First, go to the Cisco Download portal and download the RCV image for the 2600/3600/2700/3700 (Filename: ap3g2-rcvk9w8-tar.153-3.JPQ1.tar). Put the file into a TFTP server. Do not forget FW rules!
2. Next, SSH into the AP in question and enter the following commands:
debug capwap console cli
delete /f /r flash:ap3g2*
archive TAR /X tftp://<TFTP_IP_ADDRESS>/ap3g2-rcvk9w8-tar.153-3.JPQ1.tar flash:
3. Once this is completed, reboot the AP.
NOTE: Do not worry that the RCV file is meant for IOS-XE version 17.12.2 because it is better to use this version.
When the AP reboots, it will load a Recovery Image (aka RCV) meant for version 17.12.2. Because this is the "latest", the AP should have all the latest certificates installed. The AP will join the controller and download the correct firmware.
Just to set everyone's heart at ease: I have been doing this trick (the "tar /x" option) on several hundred APs (classic IOS) for several years, so this is not something I have not tried and done before. Every AP we get back (for example from a site decommissioning), I erase all the firmware and load the latest RCV into the AP.
01-25-2024 05:38 AM
Some C9800 software versions do not support 3700 Series APs.
You can try to configure the mentioned policy in the section:
Solution for Expired AP Certificates and/or for Scenario of Encrypted Mobility Tunnels That Fail to Form
C9800 Command to Accept Expired Certificates
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
I think alternatively you can play with the time, but this might cause other problems or prevent newer APs from joining.
Regards
01-25-2024 06:38 AM
I tried to play with the time, but just ended up disconnecting all the other APs
I tried the Certificate map now as well, but no.
It would have been so much easier if the AP accepted common commands like copy or archive
Surely there must be a way to upload a new image remotely?
01-25-2024 08:12 AM
3702 IOS definitely supports the archive and copy commands!
What version is currently on the AP?
The cert map should workaround the expired cert - double check that you implemented it correctly.
What version is the WLC running? (hint - refer to the TAC Recommended link below).
01-25-2024 06:01 AM
>...It says the certificate has expired.
- Could you show (post) the exact message as you are observing it?
M.
01-25-2024 06:23 AM
*Jan 25 14:18:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.xx.xx.254 peer_port: 5246Peer certificate verification failed FFFFFFFF
*Jan 25 14:18:38.003: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jan 25 14:18:38.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*Jan 25 14:18:38.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.xx.xx.254:5246
*Jan 25 14:18:38.003: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established. 172.30.244.254, 147E, 172.30.244.10, DAB6, 0
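An added example, not from this thread or from Cisco: a small Python parser for the AP console lines posted above, which splits each IOS syslog line into timestamp, facility, severity and mnemonic and counts the DTLS certificate-verification failures per controller address, so that expired-certificate join failures can be spotted across many AP logs. The log sample is reconstructed from the post; names such as SYSLOG_RE, parse_line and dtls_cert_failures are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the AP console output quoted in the thread (addresses anonymised as in the post).
SAMPLE_LOG = """\
*Jan 25 14:18:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.xx.xx.254 peer_port: 5246Peer certificate verification failed FFFFFFFF
*Jan 25 14:18:38.003: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jan 25 14:18:38.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*Jan 25 14:18:38.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.xx.xx.254:5246
*Jan 25 14:18:38.003: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established. 172.30.244.254, 147E, 172.30.244.10, DAB6, 0
"""

# IOS syslog shape: "*Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: message"; the %FACILITY part is optional
# because some DTLS library lines (DTLS_CLIENT_ERROR) carry no facility/severity.
SYSLOG_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?:%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): )?(?P<msg>.*)$"
)
# Phrases that, in this thread, mean the AP rejected the WLC certificate during the DTLS handshake.
CERT_FAIL_RE = re.compile(r"certificate (?:verification|verified) failed|Bad certificate", re.I)
# Controller address; tolerates the "xx" anonymisation used in the post.
PEER_RE = re.compile(r"(\d{1,3}(?:\.(?:\d{1,3}|xx)){3})")


def parse_line(line):
    """Split one console line into its fields, or return None if it is not a syslog line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"]) if rec["sev"] else None
    rec["cert_failure"] = bool(CERT_FAIL_RE.search(rec["msg"]))
    peer = PEER_RE.search(rec["msg"])
    rec["peer"] = peer.group(1) if peer else "unknown"
    return rec


def dtls_cert_failures(log_text):
    """Return {peer_address: count} of DTLS certificate-verification failures in an AP log."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["cert_failure"]:
            counts[rec["peer"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(dtls_cert_failures(SAMPLE_LOG))  # {'172.xx.xx.254': 2, 'unknown': 2}
```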