2128 Views, 5 Helpful, 8 Replies

Resolving CSCwh68219 - 91xx AP not processing EAP-TLS server Hello

eglinsky2012 (Spotlight)

I have a maintenance window next week for patching our 9800 WLCs. They are on 17.9.4 with no SMU or APSP. My plan was to install the 17.9.4 SMU for the HTTP vulnerability and then APSP8. However, version 17.9.4a specifically has an SMU available for CSCwh68219.

We don't use EAP-TLS currently, but are going to implement it sometime in January, so that bug is concerning. I was wondering if anyone knows anything else about this and if those of you who are using EAP-TLS have experienced it. Does it only affect local mode and not FlexConnect or vice versa? Is PEAP also affected?

I ask because I'm on 17.9.4 and have a planned maintenance window for the HTTPS SMU and APSP, but the SMU for this bug is not available yet for 17.9.4 (TAC says there will be one), and upgrading to 17.9.4a first would require more time for maintenance.

8 Replies

Mark Elsen (Hall of Fame)

> ... 17.9.4a first would require more time for maintenance.

I would go for 17.9.4a anyway because of the HTTP bugfix and the EAP-TLS bugfix included.

M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

eglinsky2012 (Spotlight)

Yeah, I've thought about it more and that's what I'll do. I've received approval to extend the maintenance window.

I performed the upgrade on our lab controllers, and oddly, only two of six APs actually predownloaded software. I couldn't figure out how to verify for sure, but I suspect it was the 1815W and the 9105W. I know there was an early APSP specifically for 9105W, so maybe that update was included in 17.9.4a, whereas the other models (2700, 2800, 1562, 9166) had no updates built in?

Of note is that the version the APs were running after the upgrade was still 17.9.4.27, same as on 17.9.4 (non-a), even on the 1815W and 9105W. After the APSP, all are on 17.9.4.208 except the 2700 (the APSP only applies to COS APs, not IOS).

Mark Elsen (Hall of Fame)

I don't have many details on those AP(SP) versioning issues, but what I can advise is to run the Wireless Config Analyzer (again after an upgrade, or always upon an upgrade). Procedure (CLI): run "show tech wireless" and feed the output into Wireless Config Analyzer.

Also follow up on the performance of all APs using: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc4

 M.




Leo Laohoo (Hall of Fame)

IMPORTANT

Since the controller is on 17.9.4, do not use "Hitless AP Upgrade". Wireless TAC in Sydney (Australia) has confirmed and was able to successfully replicate the unexpected behaviour (five times out of five attempts) when we performed a disastrous "Hitless AP Upgrade" from 17.9.4.

Instead of "hitless", 17.9.4 will violently move the APs to the secondary unit by rebooting all of them at the same time.

Leo Laohoo (Hall of Fame)

> @eglinsky2012 wrote:
> We don't use EAP-TLS currently, but are going to implement it sometime in January, so that bug is concerning. I was wondering if anyone knows anything else about this and if those of you who are using EAP-TLS have experienced it. Does it only affect local mode and not FlexConnect or vice versa? Is PEAP also affected?

17.9.5 is scheduled for February 2024. It is best to reach out to your Cisco Account Manager, Wireless SE or Wireless PSS and/or TAC developer and/or WNBU, because the developers have time to put this bug fix into 17.9.5.

eglinsky2012 (Spotlight)

Thanks for the heads-up on the hitless upgrade. I had an issue with ISSU as well. Between that and previous comments from you, Rich, and others, I stick with an old-fashioned upgrade with predownload. I have 3 WLC pairs in a mobility group and all are configured with secondary and tertiary WLCs, so when the primary goes down, they just move to the next one on the list, then back once the primary comes back up. Perfectly acceptable for a maintenance window. ISSU would be great if it were reliable, especially once we move the res halls to the 9800s, but I digress.

I suspect that if it’s fixed in the SMU for 17.9.4a it will be for 17.9.5 also.

> I suspect that if it’s fixed in the SMU for 17.9.4a it will be for 17.9.5 also.
Agreed but ask TAC to confirm for you.

Regarding AP image versions - use "show ap image file summary" to see what version each AP image is (base and SP).

Having messed up the AP image version on 17.9.4a APSP6 (17.9.4.201), they've gone back to the normal convention (17.9.4.208) with APSP8.

------------------------------
Please click Helpful if this post helped you and Accept as Solution if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
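A post-upgrade check that follows from two observations in this thread (the AP image stays at 17.9.4.27 on both 17.9.4 and 17.9.4a and moves to 17.9.4.208 only on COS APs once APSP8 is applied, while APSP6 shipped an odd 17.9.4.201 build). This is an added example, not code from this thread or from Cisco. It assumes a constructed three-column per-AP listing (name, model, running image), which is not the real layout of "show ap image file summary" or "show ap summary", and it assumes the 1700/2700/3700 series are the IOS APs that an APSP does not patch; the model-string regex and the sample AP names are likewise assumptions.

```python
"""Post-upgrade AP image audit for a Catalyst 9800 maintenance window.

Added example, not code from the thread or from Cisco. The per-AP listing
below is CONSTRUCTED as three columns (AP name, model, running image); it is
NOT the real layout of "show ap image file summary", so adapt parse_ap_lines()
to whatever your controller prints. The version numbers come from the thread.
"""
from dataclasses import dataclass
import re

# From the thread: APs run 17.9.4.27 on both 17.9.4 and 17.9.4a, and
# 17.9.4.208 once APSP8 is applied; APSP6 shipped an odd 17.9.4.201 build.
BASE_AP_IMAGE = "17.9.4.27"
APSP8_AP_IMAGE = "17.9.4.208"
KNOWN_STALE_IMAGES = {"17.9.4.201": "APSP6 build, superseded by APSP8"}

# Assumption: two-digit series numbers of IOS (Wave 1) APs, which an APSP
# does not touch. The thread names the 2700; 1700 and 3700 are the same family.
IOS_AP_SERIES = {"17", "27", "37"}

# Assumed model naming, e.g. AIR-CAP2702I-A-K9, AIR-AP1562I-B-K9, C9166I-B;
# captures the two series digits. Check it against your own inventory.
_SERIES_RE = re.compile(r"^(?:AIR-(?:CAP|AP|LAP)|C)(\d{2})")


@dataclass(frozen=True)
class ApImageStatus:
    name: str
    model: str
    running: str
    expected: str
    note: str  # "ok", "stale APSP build: ...", or "needs predownload/upgrade"


def ap_series(model: str) -> str:
    m = _SERIES_RE.match(model.upper())
    if not m:
        raise ValueError(f"unrecognised AP model string: {model}")
    return m.group(1)


def is_ios_ap(model: str) -> bool:
    return ap_series(model) in IOS_AP_SERIES


def expected_image(model: str, apsp_applied: bool = True) -> str:
    """An APSP only patches COS APs; IOS APs stay on the base AP image."""
    if apsp_applied and not is_ios_ap(model):
        return APSP8_AP_IMAGE
    return BASE_AP_IMAGE


def parse_ap_lines(text: str) -> list[tuple[str, str, str]]:
    """Parse the constructed format: <ap-name> <model> <running-image>."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue  # header, blank or comment line
        rows.append((parts[0], parts[1], parts[2]))
    return rows


def audit(text: str, apsp_applied: bool = True) -> list[ApImageStatus]:
    """Compare every AP's running image with what the upgrade should have left."""
    results = []
    for name, model, running in parse_ap_lines(text):
        expected = expected_image(model, apsp_applied)
        if running == expected:
            note = "ok"
        elif running in KNOWN_STALE_IMAGES:
            note = "stale APSP build: " + KNOWN_STALE_IMAGES[running]
        else:
            note = "needs predownload/upgrade"
        results.append(ApImageStatus(name, model, running, expected, note))
    return results


def mismatches(text: str, apsp_applied: bool = True) -> list[ApImageStatus]:
    return [r for r in audit(text, apsp_applied) if r.note != "ok"]


# Constructed sample, modelled on the AP models named in the thread.
SAMPLE_LISTING = """\
# name         model                running
AP-LAB-2702    AIR-CAP2702I-A-K9    17.9.4.27
AP-LAB-2802    AIR-AP2802I-B-K9     17.9.4.208
AP-LAB-1562    AIR-AP1562I-B-K9     17.9.4.201
AP-LAB-9166    C9166I-B             17.9.4.208
AP-LAB-1815W   AIR-AP1815W-B-K9     17.9.4.27
AP-LAB-9105W   C9105AXW-B           17.9.4.208
"""

if __name__ == "__main__":
    for r in audit(SAMPLE_LISTING):
        print(f"{r.name:<13} {r.model:<20} running {r.running:<11} "
              f"expected {r.expected:<11} {r.note}")
```

Run with apsp_applied=True after the APSP step and apsp_applied=False right after the base upgrade; in the constructed sample the 2700 is correctly left on 17.9.4.27 (IOS AP, no APSP), the 1562 is flagged for still carrying the APSP6 17.9.4.201 build, and the 1815W is flagged because it never picked up the APSP8 image, which is the case where a predownload that silently did nothing would otherwise go unnoticed.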

eglinsky2012 (Spotlight)

Forgot to follow up. I ended up doing the 17.9.4a upgrade and APSP8 upgrade in one maintenance window.
