cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1659
Views
10
Helpful
9
Replies

Failed Cisco 1230 AP LWAPP upgrade

wp_morris
Level 1
Level 1

I reciently tried to upgrade my 1231 AP to LWAPP using the Upgrade Tool 3.0 for Cisco IOS AP's. The upgrade tool stated that the upgrade was a success with no errors. Now the AP boots itself with image c1200-rcvk9w8-mx fine, then states "lwapp_crypto_init: PKI_StartSession Failed." then "Reload requested by LWAPP CLIENT. Reload Reason: FAILED CRYPTO INIT". I get about 3 to 5 seconds of enable time before the AP reloads. Reload cancel command does not work. Boot system command does not work. upgrade command does not work. Any suggestions?

Thank you.

9 Replies 9

Richard Atkin
Level 4
Level 4

Do you get any hits in the WLC logs?

Also, what LWAPP image did you give to the AP when you migrated it? I think that reload behaviour was specific to some of the older code releases. Try re-imaging it with a newer release?

You don't have a low MTU path between the AP and WLC?

Regards,

Richard

Hi Richard,

I have no hits in the WLC logs, or in my ACS / Radius / TACACS logs for this AP.

I flashed this AP with image c1200-rcvk9w8-tar.123-11JX1.tar which installed itself when I installed upgrade tool 3.0. Both appeared to be the latest versions that I could find on Cisco's site.

It appears that I can not re-image the AP because of the rebooting cycle. If I can stop that cycle then I could have a chance to work on it. But the AP reloads about 20 seconds after getting a prompt. BTW, I am consoled into the AP.

MTU between AP and WLC is fine.

Thank you for your assistance.

Bill

Rob Huffman
Hall of Fame
Hall of Fame

Hi Bill,

Is that the whole error message? It sounds very similar to this problem;

You receive this error message on the AP after the conversion:

*Mar 1 00:00:23.535: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY

*Mar 1 00:00:23.550: LWAPP_CLIENT_ERROR_DEBUG: lwapp_crypto_init_ssc_keys_and_

certs no certs in the SSC Private File

*Mar 1 00:00:23.550: LWAPP_CLIENT_ERROR_DEBUG:

*Mar 1 00:00:23.551: lwapp_crypto_init: PKI_StartSession failed

*Mar 1 00:00:23.720: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT.

Reload Reason: FAILED CRYPTO INIT.

*Mar 1 00:00:23.721: %LWAPP-5-CHANGED: LWAPP changed state to DOWNThe AP reloads after 30 seconds and starts the process over again.

Resolution

Complete this step:

You have an SSC AP. Once you convert to LWAPP AP, add the SSC and its MAC address under the AP Authentication list in the controller.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008072d9a1.shtml#prob

In the case of the SSC APs, no certificate is created on the controller. The upgrade tool has the AP generate a Rivest, Shamir, and Adelman (RSA) key pair that is used to sign a self-generated certificate (the SSC). The upgrade tool adds an entry to the controller authentication list with the MAC address of the AP and public key-hash. The controller needs the public key-hash in order to validate the SSC signature.

If the entry has not been added to the controller, check the output CSV file. There should be entries for each AP. If you find the entry, import that file into the controller. If you use the controller command-line interface (CLI) (with use of the config auth-list command) or the switch web, you must import one file at a time. With a WCS, you can import the whole CSV file as a template.

Here is an excellent doc that outlines this process;

Self-Signed Certificate Manual Addition to the Controller for LWAPP-Converted APs

http://www.cisco.com/en/US/products/ps7206/products_configuration_example09186a00806a426c.shtml

Hope this helps!

Rob

Rob,

The error sequence you posted is dead on. I've read the two links you provided. However, the controller already has the SSC key for the AP. The link to the controller is solid, for I've plugged a regular LWAPP onto this line and it came right up. It is appearing to me that it is the AP that does not have the SSC key. Either that or the key it has differs from what the update utility placed in the WLC. I have re-entered the key using the data in the CSV file. It matched exactly what the upgrade utility entered. I can not get debugging to work on the AP because of the rebooting. Other commands are not active. They are listed in help, but answer that they are not active / running.

I'm about ready to use a Louisville Slugger fine tuning tool on this AP. I'd like to just put the old IOS image back on it and start over again, but it won't upgrade software or copy from anywhere.

Thank you for the assistance. Any other suggestions are greatly appreciated.

Rob Huffman
Hall of Fame
Hall of Fame

Hi Bill,

Don't pull out the Slugger quite yet :) Try this method using the AP's mode button and a TFTP setup;

Here is a conversion method;

Reverting the Access Point Back to Autonomous Mode

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272

You can convert an access point from lightweight mode back to autonomous mode by loading a Cisco IOS Release that supports autonomous mode (Cisco IOS release 12.3(7)JA or earlier). If the access point is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point is not associated to a controller, you can load the Cisco IOS release using TFTP.

Using a TFTP Server to Return to a Previous Release

Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release using a TFTP server:

--------------------------------------------------------------------------------

Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.

Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.

Step 3 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point, c1130-k9w7-tar.default for an 1130 series access point, and c1240-k9w7-tar.default for a 1240 series access point.

Step 4 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.

Step 5 Disconnect power from the access point.

Step 6 Press and hold MODE while you reconnect power to the access point.

Step 7 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.

Step 8 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.

Step 9 After the access point reboots, reconfigure it using the GUI or the CLI.

From this doc;

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272

Hope this helps!

Rob

Rob,

I didn't have to use the slugger on it (much). Being able to roll it back to the IOS image was invaluable. Thank you! I ended up having to manually load the LWAPP recovery image and adding the hash to the controller. The upgrade tool kept having different issues about upgrading the AP, so I just gave up and did it manually.

Thank you again for your help.

Bill

Hi Bill,

You are most welcome :) Thanks for posting back with your resolution. 5 points for helping others with this good info and for saving the life of another wayward AP!

Take care,

Rob

We are using 1121Gs but am experiencing the same issues. THe last couple of links do not work or htey have moved. Does anyone have any new ways to correct this issue?

Thanks

Dwane

Hi Dwane,

Here you go my friend :)

Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode

http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp161272

Self-Signed Certificate Manual Addition to the Controller for LWAPP-Converted APs

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml

LWAPP Upgrade Tool Troubleshoot Tips

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008072d9a1.shtml

Hope this helps!

Rob

Why do they keep moving these things :)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: