# Description
This post covers a problem that appears when an AP managed by an AireOS WLC updates its image. The same fix may apply to other older APs that hit a similar problem.
# Models
- WLC5508
- AP1602
- Software: from 8.5.182 to 8.3.143
# Operations involved
- Downgrade the WLC5508 from software version 8.5.182 to 8.3.143;
- Downloading the AP image via predownload fails;
- After rebooting the WLC, the AP re-registers to the WLC and the image sync fails again.
# Key errors
After the AP has synced the image from the WLC, it reports an error while extracting it:
```
extracting ap1g2-k9w8-mx.153-3.JD16/img_sign_rel.cert (1375 bytes)
extracting info.ver (291 bytes)!
*Oct 25 11:00:00.681: Currently running a Release Image
*Oct 25 11:00:00.777: Using SHA-2 signed certificate for image signing validation.
*Oct 25 11:00:00.861: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 4E78A210000000000007) has expired. Validity period ended on 21:43:46 UTC Dec 4 2022
*Oct 25 11:00:00.861: Image signing certificate validation failed (1A).
*Oct 25 11:00:00.861: Failed to validate signature
*Oct 25 11:00:00.861: Digital Signature Failed Validation (flash:/update/ap1g2-k9w8-mx.153-3.JD16/final_hash)
*Oct 25 11:00:00.861: AP image integrity check FAILED
Aborting Image Download
*Oct 25 11:00:02.673: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:169 Pkt too old last_seq_num : 10109,Received sequence num: 1 distance: -10108
```
The key pieces of information are:
- Certificate chain validation failed
- The certificate (SN: 4E78A210000000000007) has expired; its validity period ended on 21:43:46 UTC Dec 4 2022
- Signature validation failed
- The AP image integrity check failed
# Solution
Checking the basic system information showed that the WLC's system time was in 2023, clearly past the end of the certificate's validity period, and the LAP, which syncs its time from the WLC, was also at 2023. So the WLC's time has to be set back to a point before the validity period ended.
```
(Cisco Controller) >config time manual 10/10/22 10:10:10
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >show time

Time............................................. Mon Oct 10 10:10:12 2022
Timezone delta................................... 0:0
Timezone location................................

NTP Servers
    NTP Polling Interval......................... 600

     Index     NTP Key Index     NTP Server     Status     NTP Msg Auth Status
    ------- ----------------------------------------------------------------------------------------------
```
After the adjustment, confirm that the AP has synced its time; the image download and extraction then complete, and the AP finishes registration and image sync.
```
APa0ec.xxx1.xxx5#sho clock
*10:25:18.203 UTC Mon Oct 10 2022
APa0ec.xxx1.xxx5#
extracting ap1g2-k9w8-mx.153-3.JD16/html/level/15/officeExtendapEvent.shtml.gz (988 bytes)!
extracting ap1g2-k9w8-mx.153-3.JD16/img_sign_rel.cert (1375 bytes)
extracting info.ver (291 bytes)!
*Oct 10 10:14:58.085: Currently running a Release Image
*Oct 10 10:14:58.181: Using SHA-2 signed certificate for image signing validation.
*Oct 10 10:14:58.265: Image signing certificate validation succeeded.
*Oct 10 10:14:59.941: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:169 Pkt too old last_seq_num : 10109,Received sequence num: 1 distance: -10108
Deleting current version: flash:/ap1g2-k9w8-mx.153-3.JF15...
Set booting path to recovery image: ''...
*Oct 10 10:15:06.901: AP image integrity check PASSED
done.
New software image installed in flash:/ap1g2-k9w8-mx.153-3.JD16
Configuring system to use new image...done.
archive download: takes 229 seconds
ReIniting the reap config file flash:/lwapp_reap.cfg
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
Writing out the event log to flash:/event.log ...
*Oct 10 10:15:24.793: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.123.123.5:5246
*Oct 10 10:15:25.701: Image upgrade successfully, system is now reloading
*Oct 10 10:15:25.773: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 11
*Oct 10 10:15:25.773: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 11
*Oct 10 10:15:25.801: %SYS-5-RELOAD: Reload requested by capwap image download proc. Reload Reason: NEW IMAGE DOWNLOAD.
*Oct 10 10:15:26.061: %LWAPP-5-CHANGED: CAPWAP changed state to DOWN
```
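The check below ties the two halves of this post together: it recognises the `%PKI-3-CERTIFICATE_INVALID_EXPIRED` line from the AP console, pulls out the certificate serial and expiry, and, when the WLC clock is past that expiry, produces the `config time manual` value used in the fix. This is an added example written for this post, not Cisco's code or output; the log text and the 2023 WLC clock are constructed from the lines quoted above, and the 30-day margin before expiry is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the AP console output quoted in this post.
SAMPLE_LOG = (
    "*Oct 25 11:00:00.777: Using SHA-2 signed certificate for image signing validation.\n"
    "*Oct 25 11:00:00.861: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation "
    "has failed. The certificate (SN: 4E78A210000000000007) has expired. "
    "Validity period ended on 21:43:46 UTC Dec 4 2022\n"
    "*Oct 25 11:00:00.861: Image signing certificate validation failed (1A).\n"
    "*Oct 25 11:00:00.861: AP image integrity check FAILED\n"
)
# Constructed WLC clock in 2023, i.e. after the certificate expired.
WLC_CLOCK_2023 = datetime(2023, 10, 25, 11, 0, 0, tzinfo=timezone.utc)

# Matches the expired-certificate syslog line and captures serial and expiry timestamp.
EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\) has expired\. "
    r"Validity period ended on (?P<ts>\d{2}:\d{2}:\d{2} UTC [A-Z][a-z]{2} \d{1,2} \d{4})"
)

def parse_expired_cert(log_text):
    """Return (serial, expiry as aware UTC datetime) for the first expired
    image-signing certificate event in the log, or None if there is none."""
    m = EXPIRED_RE.search(log_text)
    if m is None:
        return None
    expiry = datetime.strptime(m.group("ts"), "%H:%M:%S UTC %b %d %Y")
    return m.group("sn"), expiry.replace(tzinfo=timezone.utc)

def clock_rollback_command(expiry, margin_days=30):
    """Build the AireOS 'config time manual MM/DD/YY HH:MM:SS' command that puts
    the WLC clock margin_days (assumed margin) before the certificate expiry."""
    target = expiry - timedelta(days=margin_days)
    return "config time manual " + target.strftime("%m/%d/%y %H:%M:%S")

def diagnose(log_text, wlc_now):
    """Decide whether the failure is the expired-signing-cert case and, if the
    WLC clock is already past the expiry, return the workaround command."""
    parsed = parse_expired_cert(log_text)
    if parsed is None:
        return {"expired_cert": False, "serial": None, "command": None}
    sn, expiry = parsed
    command = clock_rollback_command(expiry) if wlc_now > expiry else None
    return {"expired_cert": True, "serial": sn, "command": command}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, WLC_CLOCK_2023))
```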
# References
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html