![]() ![]() Validity period ended on 21:37:36 UTC Dec 4 2022 *Dec 6 21:35:24.327: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The AP logs will show errors similar to the following when encountering this problem: On a SHA-1 AP (manufactured prior to mid-2014): *Dec 6 21:35:24.259: Using SHA-1 signed certificate for image signing validation. 1ĬAP3702E.4CD4 17.3.6.76 Downloading On an IOS-XE C9800 WLCĬ9800#show ap summary 9800-L#show ap summaryĪP Name Slots AP Model Ethernet MAC Radio MAC Location Country IP Address StateĪP2702E 2 2702E 0081.c4fb.2e74 843d.c673.10d0 default location 192.168.202.105 Downloading 0ĪP Name Primary Image Backup Image Status Version Next Retry Time Retry Count Predownload In 8.5, use show ap image all which will show a nonzero number of APs in "Downloading". On the WLC, show ap image status (AireOS 8.10) will show the affected APs in "Downloading" status. Then, to positively identify the problem, ssh, telnet or console into the affected APs and view their logs (or look for AP logs on your syslog server.) To verify whether you are running into this problem, first check on the WLC for APs stuck in Downloading status. ![]() The problem is seen for all AireOS and IOS-XE versions. So, after December 4, 2022, when an AP downloads code due to software upgrade/downgrade or due to moving between WLCs running different versions, the AP will fail to validate the image and will remain in a download image loop indefinitely. IOS APs use this certificate to validate the image downloaded from the WLC, before installing the software on the AP. The image signing certificates bundled in the AP IOS images were issued on December 4, 2012, and expired on December 4, 2022. When IOS APs are upgraded or downgraded via CAPWAP, after December 4, 2022, they may get stuck in an image download loop, and thereby fail to join the WLC, due to a failure to validate the signing certificate in the downloaded image. APs that run AP-COS (802.11ac Wave 2, Wi-Fi 6, Wi-Fi 6E APs) are not affected, nor are IOS APs in autonomous mode. AireOS, Catalyst 9800 series and Converged Access controllers are affected. The affected lightweight IOS images were built from December 2012 through November 2022. This issue is tracked by Cisco bug CSCwd80290 and the Field Notice FN72524 and is caused by an AP image signing certificate validation failure. This document provides details on IOS access point (AP) join failures, seen with both AireOS and C9800 Wireless LAN Controllers (WLCs), after December 4, 2022. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |