Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
635
Views
5
Helpful
3
Replies

Unified AP802 in 886 sticks in a time loop

Go to solution
dglaser
Level 1
Level 1

‎02-23-2018 02:10 AM - edited ‎07-05-2021 08:17 AM

Hi,

I've a problem with only one of many AP802 connecting to a wlc (wism2 mit 8.3.130).

It looks like AP802 lives temporary after 2022:

 

after booting image 8.2.141.0 ap sticks someware at the future (Apr 20), connects to WLC and gets the right time (Feb 23). Then its downloading the new image 8.3.130.0 and extracts it. After extracting timestamp jumps back to Apr 20. While checking certificate chain it says the certificate has expired on Dec 4 2022.

What should I do?

Thanks

 

----------------


Apr 20 18:40:39.096: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
Apr 20 18:40:39.528: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
Apr 20 18:40:40.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
Apr 20 18:40:40.128: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
Apr 20 18:40:40.136: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
Apr 20 18:40:41.160: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
Apr 20 18:40:42.160: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
Feb 23 09:48:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.3.200 peer_port: 5246
Feb 23 09:48:17.443: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.30.3.200 peer_port: 5246
Feb 23 09:48:17.443: %CAPWAP-5-SENDJOIN: sending Join Request to 172.30.3.200
Feb 23 09:48:22.443: %CAPWAP-5-SENDJOIN: sending Join Request to 172.30.3.200perform archive download capwap:/ap802 tar file
examining image...
extracting info (287 bytes)
Feb 23 09:48:23.835: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
Image info:
Version Suffix: k9w8-.153-3.JD7
Image Name: ap802-k9w8-mx.153-3.JD7
Version Directory: ap802-k9w8-mx.153-3.JD7
Ios Image Size: 8806912
Total Image Size: 10086912
Image Feature: WIRELESS LAN|LWAPP
Image Family: AP802
Wireless Switch Management Version: 8.3.130.0
MwarVersion:08038200.First AP Supported Version:07006D00.

Image version check passed

Extracting files...
ap802-k9w8-mx.153-3.JD7/ (directory) 0 (bytes)
extracting ap802-k9w8-mx.153-3.JD7/8001.img (152748 bytes)
extracting ap802-k9w8-mx.153-3.JD7/file_hashes (1542 bytes)
extracting ap802-k9w8-mx.153-3.JD7/8003.img (1070064 bytes)
extracting ap802-k9w8-mx.153-3.JD7/img_sign_rel_sha2.cert (1371 bytes)
extracting ap802-k9w8-mx.153-3.JD7/final_hash.sig (512 bytes)
extracting ap802-k9w8-mx.153-3.JD7/info (287 bytes)
extracting ap802-k9w8-mx.153-3.JD7/N5.bin (18180 bytes)
extracting ap802-k9w8-mx.153-3.JD7/M5.bin (18584 bytes)
extracting ap802-k9w8-mx.153-3.JD7/final_hash (141 bytes)
ap802-k9w8-mx.153-3.JD7/html/ (directory) 0 (bytes)
ap802-k9w8-mx.153-3.JD7/html/level/ (directory) 0 (bytes)
extracting ap802-k9w8-mx.153-3.JD7/N2.bin (6868 bytes)
extracting ap802-k9w8-mx.153-3.JD7/ap802-k9w8-mx.153-3.JD7 (8802573 bytes)
extracting ap802-k9w8-mx.153-3.JD7/M2.bin (5252 bytes)
extracting ap802-k9w8-mx.153-3.JD7/img_sign_rel.cert (1375 bytes)
extracting ap802-k9w8-mx.153-3.JD7/A2.bin (1616 bytes)
extracting info.ver (287 bytes)
Apr 20 18:36:42.987: Currently running a Release Image
validate_sha2_block: Failed to get certificate chain
Apr 20 18:36:45.531: Using SHA-1 signed certificate for image signing validation.
Apr 20 18:36:53.895: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 73FF196A000000170868) has expired. Vperiod ended on 21:37:36 UTC Dec 4 2022
Apr 20 18:36:53.895: Image signing certificate validation failed (1A).

Apr 20 18:36:53.895: Failed to validate signature
Apr 20 18:36:53.911: Digital Signature Failed Validation (flash:/update/ap802-k9w8-mx.153-3.JD7/final_hash)
Apr 20 18:36:53.911: AP image integrity check FAILED
Aborting Image Download


Download image failed, notify controller!!! From:8.2.141.0 to 8.3.130.0, FailureCode:3

archive download: takes 367 seconds

Apr 20 18:37:00.943: capwap_image_proc: problem extracting tar file
Apr 20 18:37:15.387: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.30.3.200:5246
ipv6 enable
^
% Invalid input detected at '^' marker.

ipv6 address autoconfig
^
% Invalid input detected at '^' marker.

ipv6 address dhcp
^
% Invalid input detected at '^' marker.

Apr 20 18:37:16.903: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
Apr 20 18:37:17.335: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
Apr 20 18:37:17.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
Apr 20 18:37:17.935: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
Apr 20 18:37:17.943: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
Apr 20 18:37:18.966: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
Apr 20 18:37:19.966: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
Feb 23 09:50:15.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.3.200 peer_port: 5246
Feb 23 09:50:15.443: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.30.3.200 peer_port: 5246
Feb 23 09:50:15.443: %CAPWAP-5-SENDJOIN: sending Join Request to 172.30.3.200
Feb 23 09:50:20.443: %CAPWAP-5-SENDJOIN: sending Join Request to 172.30.3.200perform archive download capwap:/ap802 tar file
examining image...
extracting info (287 bytes)
Feb 23 09:50:21.859: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
Image info:
Version Suffix: k9w8-.153-3.JD7
Image Name: ap802-k9w8-mx.153-3.JD7
Version Directory: ap802-k9w8-mx.153-3.JD7
Ios Image Size: 8806912
Total Image Size: 10086912
Image Feature: WIRELESS LAN|LWAPP
Image Family: AP802
Wireless Switch Management Version: 8.3.130.0
MwarVersion:08038200.First AP Supported Version:07006D00.

Image version check passed

Extracting files...
ap802-k9w8-mx.153-3.JD7/ (directory) 0 (bytes)
extracting ap802-k9w8-mx.153-3.JD7/8001.img (152748 bytes)
extracting ap802-k9w8-mx.153-3.JD7/file_hashes (1542 bytes)
extracting ap802-k9w8-mx.153-3.JD7/8003.img (1070064 bytes)
extracting ap802-k9w8-mx.153-3.JD7/img_sign_rel_sha2.cert (1371 bytes)
extracting ap802-k9w8-mx.153-3.JD7/final_hash.sig (512 bytes)
extracting ap802-k9w8-mx.153-3.JD7/info (287 bytes)
extracting ap802-k9w8-mx.153-3.JD7/N5.bin (18180 bytes)
extracting ap802-k9w8-mx.153-3.JD7/M5.bin (18584 bytes)
extracting ap802-k9w8-mx.153-3.JD7/final_hash (141 bytes)
ap802-k9w8-mx.153-3.JD7/html/ (directory) 0 (bytes)
ap802-k9w8-mx.153-3.JD7/html/level/ (directory) 0 (bytes)
extracting ap802-k9w8-mx.153-3.JD7/N2.bin (6868 bytes)
extracting ap802-k9w8-mx.153-3.JD7/ap802-k9w8-mx.153-3.JD7 (8802573 bytes)
extracting ap802-k9w8-mx.153-3.JD7/M2.bin (5252 bytes)
extracting ap802-k9w8-mx.153-3.JD7/img_sign_rel.cert (1375 bytes)
extracting ap802-k9w8-mx.153-3.JD7/A2.bin (1616 bytes)
extracting info.ver (287 bytes)
Apr 20 18:38:48.278: Currently running a Release Image
validate_sha2_block: Failed to get certificate chain
Apr 20 18:38:50.822: Using SHA-1 signed certificate for image signing validation.
Apr 20 18:38:59.169: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 73FF196A000000170868) has expired. Vperiod ended on 21:37:36 UTC Dec 4 2022
Apr 20 18:38:59.169: Image signing certificate validation failed (1A).

Apr 20 18:38:59.169: Failed to validate signature
Apr 20 18:38:59.185: Digital Signature Failed Validation (flash:/update/ap802-k9w8-mx.153-3.JD7/final_hash)
Apr 20 18:38:59.185: AP image integrity check FAILED
Aborting Image Download


Download image failed, notify controller!!! From:8.2.141.0 to 8.3.130.0, FailureCode:3

archive download: takes 395 seconds

Apr 20 18:39:06.225: capwap_image_proc: problem extracting tar file
Apr 20 18:39:23.253: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.30.3.200:5246
ipv6 enable
^
% Invalid input detected at '^' marker.

ipv6 address autoconfig
^
% Invalid input detected at '^' marker.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sandeep Choudhary
VIP Alumni
VIP Alumni
In response to dglaser

‎02-23-2018 04:00 AM

Hi,

Looks like the image is corrupted.

8.3.130.0 is alredy deferred from cisco so eithetr downgrade to 8.2.166.0 or upgrade to 8.5.120.0

 

Regards

Dont forget to rate helpful posts

View solution in original post

3 Replies 3

Go to solution
dglaser
Level 1
Level 1

‎02-23-2018 03:49 AM

High,

the AP jumps while booting and after extracting the actuel image somewhere into the past:

 

APxxxx.xxxx.xxxx>show clock
18:37:02.907 UTC Thu Apr 20 1905
APxxxx.xxxx.xxxx>

 

Thats looks to far away for checking the certificate. Where does the ap this time get from?

 

Regards.

0 Helpful

Go to solution
Sandeep Choudhary
VIP Alumni
VIP Alumni
In response to dglaser

‎02-23-2018 04:00 AM

Hi,

Looks like the image is corrupted.

8.3.130.0 is alredy deferred from cisco so eithetr downgrade to 8.2.166.0 or upgrade to 8.5.120.0

 

Regards

Dont forget to rate helpful posts

Go to solution
dglaser
Level 1
Level 1
In response to Sandeep Choudhary

‎02-23-2018 04:12 AM

Hi,
thanks, I will upgrade to upgrade as fast as possible.
Meanwhile I found a workaround:
Permanent manually setting the actual time while ap was loading an extracting the new image was successful and ap is now connected to wlc.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card