web-passthrough issue when changing time on WLCs

Fespino1
Level 1

We have 6 WLCs, 3 at two of our major locations, running software version 8.3.150. We will be replacing our wireless gear, so we will not be updating these WLCs, and we are changing vendors. We will not be upgrading the gear until probably the end of the year; unfortunately a lot of our APs are pretty old and we are seeing a lot of APs unregistering due to expired certs. Due to budget reasons we are pretty much in survival mode right now, so we decided to change the time on all of our WLCs after we tested and knew this workaround worked to get the APs registered again, but we are running into an issue with our guest network. Now, I know the other solution is to upgrade the software to 8.5, but we have a lot of APs and also I don't know if they have a service contract with Cisco; I hope they do (sr net eng). We lose the ability to web into the controllers and some users are unable to connect: they get an error when the web-auth page comes up. We first tried to go back to 2019, keeping the same date and just changing the year. This worked and we made the change around 1pm, but around 11pm-1am a lot of people were unable to connect to the guest network and we realized we couldn't web into one of our controllers (the main WLC), and everything came back to normal when we updated the time again, this time to 2020. The same thing happened: the issue resolved and then after a few hours we noticed the issue again, and I had to set the current time. This is happening on all of the controllers but not at the same time; some lasted 1 day, another is still working with the time set back to 2020, but I'm pretty sure I will have to change the time again.

We have spare APs; sadly I will have to replace 5 APs at one of our small remote sites when I have to change the time in the WLC to 2021. I know the command to check the APs' cert, but we have about 1000 APs so it is not a small number.

Any thoughts? We have a Cisco router with a DHCP pool that hands out the IP addresses to the guest network and connects to the internet.

Why does this workaround only work for a few hours?


Thanks for your help in advance



3 Replies

Rich R
VIP

Have you read through https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html very carefully and applied config ap cert-expiry-ignore {mic|ssc} on the WLCs?

Changing the time should only be a temporary workaround - long enough to enable APs to join WLC so that you can deploy the config change to the APs.

Without more specifics on APs and WLCs involved it's hard to make any more detailed recommendation.

The cert is only checked when the AP joins WLC or re-negotiates the DTLS connection so that might explain what you're seeing.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Thank you very much. Yes, after I posted this I read again and did see that changing the time should only be temporary. I'm about to post another question in the forum, but I'm wondering if you know the answer to this. Is there a way to check all the AP MICs using Cisco Prime Infrastructure (NCS)? I know the command to check the cert on the AP itself when I console into it, but I was wondering if there is a better way to do it through NCS where I can see all of them and create a report.

Don't know about Prime/NCS, but the field notice includes a link to https://community.cisco.com/t5/wireless-mobility-documents/access-point-certificate-check-tool-apcertcheck/ta-p/3155582 which is a Python script for doing exactly that.

But if you just make sure all your WLC are running AireOS/IOS-XE with the workaround/fix and have the commands applied then you shouldn't have any more problems.

As I recall there were some very old AP and WISM combinations where it didn't work but if you still have those (all more than 6 years past end of support) then you have bigger problems ...

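To make the point in the replies above concrete (the cert is only checked at AP join or DTLS renegotiation, and cert-expiry-ignore changes what that check accepts), here is an added Python model of that check plus the fleet-wide expiry report asked about later in the thread. It is not the apcertcheck tool and not code from this thread; the AP names and dates are constructed, and the assumption that cert-expiry-ignore skips only the expiry test (a clock earlier than notBefore still fails) is the model's, not taken from Cisco documentation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ApCert:
    ap_name: str
    cert_type: str        # "mic" (manufacturer installed) or "ssc" (self-signed)
    not_before: datetime
    not_after: datetime

def join_allowed(cert, wlc_clock, ignore=frozenset()):
    """Model of the validity check the WLC applies when an AP joins or
    renegotiates DTLS. `ignore` holds the types covered by
    'config ap cert-expiry-ignore {mic|ssc}': an expired cert of such a type
    is accepted. Assumption: only expiry is ignored, notBefore still applies."""
    if wlc_clock < cert.not_before:
        return False
    if wlc_clock > cert.not_after:
        return cert.cert_type in ignore
    return True

def expiry_report(certs, wlc_clock, warn_days=90, ignore=frozenset()):
    """Fleet summary: APs that would be refused at their next join/rekey with
    this clock, and APs whose cert expires within warn_days of it."""
    refused, expiring_soon = [], []
    for c in certs:
        if not join_allowed(c, wlc_clock, ignore):
            refused.append(c.ap_name)
        elif timedelta(0) <= c.not_after - wlc_clock <= timedelta(days=warn_days):
            expiring_soon.append((c.ap_name, (c.not_after - wlc_clock).days))
    return {"refused": sorted(refused), "expiring_soon": sorted(expiring_soon)}

# Constructed sample fleet (hypothetical names and dates, not real AP data).
FLEET = [
    ApCert("AP-OLD-01", "mic", datetime(2010, 5, 1), datetime(2020, 5, 1)),
    ApCert("AP-OLD-02", "mic", datetime(2011, 2, 10), datetime(2021, 2, 10)),
    ApCert("AP-MID-03", "mic", datetime(2015, 8, 1), datetime(2025, 8, 1)),
    ApCert("AP-NEW-04", "mic", datetime(2020, 1, 1), datetime(2030, 1, 1)),
    ApCert("AP-SSC-05", "ssc", datetime(2012, 3, 3), datetime(2022, 3, 3)),
]

def fleet_report(year, month, day, ignore=frozenset()):
    """Run the report against FLEET with the WLC clock set to the given date."""
    return expiry_report(FLEET, datetime(year, month, day), ignore=ignore)

if __name__ == "__main__":
    print("real clock 2021-12-15:", fleet_report(2021, 12, 15))
    print("clock rolled back to 2019-06-01:", fleet_report(2019, 6, 1))
    print("ignore mic/ssc:", fleet_report(2021, 12, 15, ignore=frozenset({"mic", "ssc"})))
```

Rolling the clock back rescues the two expired MICs in the sample but refuses the AP whose cert was issued after the rolled-back date, whereas cert-expiry-ignore keeps every AP joinable at the real time and the report still flags the one expiring within 90 days.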