AP image integrity check FAILED

Published 2023-10-25 11:56:08 Author: 剪刀石头布Cheers

# Description

This blog post addresses a problem that appears when APs under AireOS update their image. It may equally apply when other, older APs run into a similar problem!

# Models

  • WLC5508
  • AP1602
  • software: from 8.5.182 to 8.3.143

# Operations involved

Downgrade the WLC5508 from software version 8.5.182 to 8.3.143;

Downloading the AP image via predownload fails;

Reboot the WLC; the AP registers with the WLC again and image synchronization fails again;

# Key error

After synchronizing the image from the WLC, the AP reports an error while extracting it:

extracting ap1g2-k9w8-mx.153-3.JD16/img_sign_rel.cert (1375 bytes)
extracting info.ver (291 bytes)!
*Oct 25 11:00:00.681: Currently running a Release Image

*Oct 25 11:00:00.777: Using SHA-2 signed certificate for image signing validation.
*Oct 25 11:00:00.861: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.  The certificate (SN: 4E78A210000000000007) has expired.    Validity period ended on 21:43:46 UTC Dec 4 2022
*Oct 25 11:00:00.861: Image signing certificate validation failed (1A).

*Oct 25 11:00:00.861: Failed to validate signature
*Oct 25 11:00:00.861: Digital Signature Failed Validation (flash:/update/ap1g2-k9w8-mx.153-3.JD16/final_hash)
*Oct 25 11:00:00.861: AP image integrity check FAILED
Aborting Image Download


*Oct 25 11:00:02.673: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:169 Pkt too old last_seq_num : 10109,Received sequence num: 1 distance: -10108

The key pieces of information here are:

  • Certificate chain validation failed
  • The certificate (SN: 4E78A210000000000007) has expired. The validity period ended on 21:43:46 UTC Dec 4 2022
  • Signature validation failed
  • AP image integrity check FAILED

# Solution

Looking at the basic information, the WLC's system time is in 2023, which is clearly past the end of the validity period, and the LAP, which synchronizes its time from the WLC, is also in 2023. We therefore need to set the WLC's time back to a point before the certificate expired.

(Cisco Controller) >config time manual 10/10/22 10:10:10


(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >show time 

Time............................................. Mon Oct 10 10:10:12 2022

Timezone delta................................... 0:0
Timezone location................................ 

NTP Servers
    NTP Polling Interval.........................     600

     Index     NTP Key Index                  NTP Server                Status          NTP Msg Auth Status
    -------  ----------------------------------------------------------------------------------------------

After the adjustment, check that the AP's time has synchronized; the image download and extraction then complete, and the AP finishes registration and image synchronization.

APa0ec.xxx1.xxx5#sho clock
*10:25:18.203 UTC Mon Oct 10 2022
APa0ec.xxx1.xxx5#

extracting ap1g2-k9w8-mx.153-3.JD16/html/level/15/officeExtendapEvent.shtml.gz (988 bytes)!
extracting ap1g2-k9w8-mx.153-3.JD16/img_sign_rel.cert (1375 bytes)
extracting info.ver (291 bytes)!
*Oct 10 10:14:58.085: Currently running a Release Image

*Oct 10 10:14:58.181: Using SHA-2 signed certificate for image signing validation.
*Oct 10 10:14:58.265: Image signing certificate validation succeeded.

*Oct 10 10:14:59.941: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:169 Pkt too old last_seq_num : 10109,Received sequence num: 1 distance: -10108
Deleting current version: flash:/ap1g2-k9w8-mx.153-3.JF15...
Set booting path to recovery image: ''...
*Oct 10 10:15:06.901: AP image integrity check PASSED

done.
New software image installed in flash:/ap1g2-k9w8-mx.153-3.JD16
Configuring system to use new image...done.
archive download: takes 229 seconds

ReIniting the reap config file flash:/lwapp_reap.cfg
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
Writing out the event log to flash:/event.log ...

*Oct 10 10:15:24.793: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.123.123.5:5246
*Oct 10 10:15:25.701:  Image upgrade successfully, system is now reloading
*Oct 10 10:15:25.773: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 11
*Oct 10 10:15:25.773: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 11
*Oct 10 10:15:25.801: %SYS-5-RELOAD: Reload requested by capwap image download proc. Reload Reason: NEW IMAGE DOWNLOAD.
*Oct 10 10:15:26.061: %LWAPP-5-CHANGED: CAPWAP changed state to DOWN
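The diagnosis above can be automated: the following added example (not from the original post or from Cisco) parses the `%PKI-3-CERTIFICATE_INVALID_EXPIRED` line from the AP console log, tells an expired-signing-certificate failure apart from a genuine signature failure by comparing the WLC clock with the certificate's validity end, and builds the argument for `config time manual` in the `MM/DD/YY HH:MM:SS` form used in the post. The 30-day margin before expiry and the `utc()` helper are assumptions of this example; the sample log lines are the ones quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the AP console lines quoted in the post.
AP_LOG = """\
*Oct 25 11:00:00.777: Using SHA-2 signed certificate for image signing validation.
*Oct 25 11:00:00.861: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.  The certificate (SN: 4E78A210000000000007) has expired.    Validity period ended on 21:43:46 UTC Dec 4 2022
*Oct 25 11:00:00.861: Image signing certificate validation failed (1A).
*Oct 25 11:00:00.861: AP image integrity check FAILED
"""

EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\) has expired\."
    r"\s+Validity period ended on (?P<time>\d{2}:\d{2}:\d{2}) UTC (?P<date>[A-Za-z]{3} \d{1,2} \d{4})"
)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Helper (assumed): build a timezone-aware UTC datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_expired_cert(log: str):
    """Return (serial, validity end as UTC datetime), or None if the log has no expiry message."""
    m = EXPIRED_RE.search(log)
    if m is None:
        return None
    end = datetime.strptime(f"{m['date']} {m['time']}", "%b %d %Y %H:%M:%S")
    return m["sn"], end.replace(tzinfo=timezone.utc)


def diagnose(log: str, wlc_clock: datetime) -> str:
    """Classify an image integrity failure from the AP log and the WLC's current clock."""
    info = parse_expired_cert(log)
    if info is None:
        # No expiry message: a FAILED check then points at the image itself, not the clock.
        return "signature-failure" if "AP image integrity check FAILED" in log else "ok"
    _sn, expiry = info
    if wlc_clock > expiry:
        return "clock-after-expiry"          # the case in this post: fix by moving the clock back
    return "expired-but-clock-before"        # clock already before expiry; re-check AP time sync


def suggested_manual_time(expiry: datetime, margin_days: int = 30) -> str:
    """Argument for 'config time manual': a point margin_days before the certificate expired (30 is an assumption)."""
    return (expiry - timedelta(days=margin_days)).strftime("%m/%d/%y %H:%M:%S")


if __name__ == "__main__":
    sn, expiry = parse_expired_cert(AP_LOG)
    print(diagnose(AP_LOG, utc(2023, 10, 25, 11, 0, 0)), sn, expiry.isoformat())
    print("config time manual", suggested_manual_time(expiry))
```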

# References

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html