Cisco Support Community
New Member

Problem converting any AP to LAP - Cert not yet valid

All, I have a problem trying to convert APs to LAP.

I have the following scenario:

- 2 WLC 5508.

- For the WLC the image is 7.0.220.0

- 10 APs registered. 7 Cisco 1310 and 3 Cisco 1242.

- Time on the WLC indicates July 4th 2013 - 19:20:00

I have 5 more APs (Cisco 1231G and Cisco 1310); all of them are Autonomous.

I'm using the Cisco upgrade tool, which I already used to convert the first 10 APs, and I have the same problem over and over, no matter if I use the Cisco 1231 or the Cisco 1310. Once I run the upgrade tool, in the middle of the process I had the following error on the AP:

*Mar  1 00:15:15.088: %SYS-5-CONFIG_I: Configured from console by console

*Mar  1 00:25:39.198: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:25:39 UTC Fri Mar 1 2002 to 00:25:39 UTC Fri Mar 1 2002, configured from console by moncl on vty0 (181.142.103.159).

*Mar  1 00:25:40.395: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down

*Mar  1 00:25:40.498: %SYS-5-CONFIG_I: Configured from console by moncl on vty0 (181.142.103.159)

*Mar  1 00:25:41.395: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

*Jul  2 18:11:51.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:25:41 UTC Fri Mar 1 2002 to 18:11:51 UTC Tue Jul 2 2013, configured from console by moncl on vty0 (181.142.103.159).

Jul  2 18:13:22.641: %SSH-5-ENABLED: SSH 1.99 has been enabled

Jul  2 18:14:14.498: %SYS-5-CONFIG_I: Configured from console by moncl on vty0 (181.142.103.159)

%CRYPTO_PKI: CA Cert not yet valid or is expired -

    start date: 13:41:22 UTC Jul 31 2003

    end   date: 13:41:22 UTC Apr 29 2013

xa2arcbdepo02#

I tried setting the clock manually and also using the clock of the WLC, but with the same result.

I also tried to convert manually, but with the same result.

Also, I'm using c1310-rcvk9w8-tar.124-21a.JA2.tar and c1200-rcvk9w8-tar.124-21a.JA2.tar

Please, I really need your help because I'm stuck with this problem!!

Thank you all!!

24 REPLIES
Hall of Fame Super Gold

Problem converting any AP to LAP - Cert not yet valid

Post the following output:

1.  WLC:  sh sysinfo;

2.  WLC:  sh time;

3.  AP:  sh version;

4.  AP:  sh inventory; and

5.  AP:  sh ip interface brief

New Member

Re: Problem converting any AP to LAP - Cert not yet valid

Following the info:


(Cisco Controller) >show time

Time............................................. Wed Jul  4 19:48:12 2013

Timezone delta................................... 0:0

Timezone location................................ (GMT -3:00) Buenos Aires (Agentina)

NTP Servers

    NTP Polling Interval.........................     86400

     Index     NTP Key Index     NTP Server      NTP Msg Auth Status

    -------  ---------------------------------------------------------------

(Cisco Controller) >

(Cisco Controller) >

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 7.0.220.0

Bootloader Version............................... 1.0.1

Field Recovery Image Version..................... 6.0.182.0

Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27

Build Type....................................... DATA + WPS

System Name...................................... WLC-EDASA_1

System Location.................................. Montecristo

System Contact...................................

System ObjectID.................................. 1.3.6.1.4.1.9.1.1069

IP Address....................................... 181.142.123.23

Last Reset....................................... Power on reset

System Up Time................................... 4 days 7 hrs 14 mins 1 secs

System Timezone Location......................... (GMT -3:00) Buenos Aires (Agentina)

Current Boot License Level....................... base

Current Boot License Type........................ Permanent

Next Boot License Level.......................... base

Next Boot License Type........................... Permanent

Configured Country............................... AR  - Argentina

--More-- or (q)uit

Operating Environment............................ Commercial (0 to 40 C)

Internal Temp Alarm Limits....................... 0 to 65 C

Internal Temperature............................. +43 C

External Temperature............................. +27 C

Fan Status....................................... OK

State of 802.11b Network......................... Enabled

State of 802.11a Network......................... Disabled

Number of WLANs.................................. 4

Number of Active Clients......................... 4

Burned-in MAC Address............................ 2C:54:2D:72:CE:80

Power Supply 1................................... Present, OK

Power Supply 2................................... Absent

Maximum number of APs supported.................. 50

(Cisco Controller) >

xa2arcbdepo02#sh ver

Cisco IOS Software, C1310 Software (C1310-K9W7-M), Version 12.3(7)JA2, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2005 by Cisco Systems, Inc.

Compiled Fri 18-Nov-05 12:55 by ssearch

ROM: Bootstrap program is C1310 boot loader

BOOTLDR: C1310 Boot Loader (C1310-BOOT-M) Version 12.2(15)JA,  RELEASE SOFTWARE (fc1)

xa2arcbdepo02 uptime is 1 hour, 27 minutes

System returned to ROM by power-on

System image file is "flash:/c1310-k9w7-mx.123-7.JA2/c1310-k9w7-mx.123-7.JA2"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

cisco AIR-BR1310G-A-K9-R   (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.

Processor board ID FOC08420N5Z

PowerPCElvis CPU at 262Mhz, revision number 0x0950

Last reset from power-on

1 FastEthernet interface

1 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address: 00:12:43:85:54:12

Part Number                          : 73-8960-03

PCA Assembly Number                  : 800-24963-02

PCA Revision Number                  : A0

PCB Serial Number                    : FOC08420N5Z

Top Assembly Part Number             : 800-25292-01

Top Assembly Serial Number           : FTX0844U0EW

Top Revision Number                  : A0

Product/Model Number                 : AIR-BR1310G-A-K9-R 

Configuration register is 0xF

xa2arcbdepo02#sh inventory

NAME: "BR1310", DESCR: "Cisco Aironet 1300 Series (IEEE 802.11g) Bridge"

PID: , VID: , SN: FTX0844U0EW

xa2arcbdepo02#sh ip int br

Interface                  IP-Address      OK? Method Status                Protocol

BVI1                       181.142.123.11  YES NVRAM  up                    up     

Dot11Radio0                unassigned      YES NVRAM  up                    up     

FastEthernet0              unassigned      YES NVRAM  up                    up     

xa2arcbdepo02#

Hall of Fame Super Gold

Problem converting any AP to LAP - Cert not yet valid

C1310 Software (C1310-K9W7-M), Version 12.3(7)JA2

This IOS version does NOT look like a controller-based IOS.

Supporting Oversized Access Point Images

New Member

Problem converting any AP to LAP - Cert not yet valid

This is the Autonomous image. I didn't say before, but I also tried downgrading and upgrading the IOS of both the Cisco 1231 and the Cisco 1310, but always had the same problem. The certificate is expired before I can use it, exactly 2 months before the day I run the upgrade tool. More info: when I tried to upgrade to LAP using a manual method, the same problem appears with the same date (2 months from the day I run it)....

What I don't understand is that the first 10 APs were converted without any problem, with the same image, but now I can't...

What else should I check?

Please, help!

New Member

Problem converting any AP to LAP - Cert not yet valid

With what image should I try on the Autonomous AP to run the upgrade tool?

Hall of Fame Super Gold

Problem converting any AP to LAP - Cert not yet valid

With what image should I try on the Autonomous AP to run the upgrade tool?

Try the latest one.

Hall of Fame Super Silver

Re: Problem converting any AP to LAP - Cert not yet valid

New Member

Problem converting any AP to LAP - Cert not yet valid

Thank you Scott for the reply, but unfortunately I wasn't able to make this work!!

I downgraded the tool and also upgraded and downgraded the autonomous image, with no luck.

Also, I changed the PC and the AP. Always with the same result.

When I use the upgrade tool, the result is the same, the certificate is two expired....

The first symptom I saw on the AP is that the tool updates the AP clock to one less than the actual hour. For example, if I run the tool now (10AM), the tool updates the clock of the AP to 9AM....

I already checked the time of the PC and the time of the WLC and they both match exactly.

I used the two options available on the tool related to time (use the WLC time and use a predefined time) with the same result.

I guess that the only option is to manually update the AP, but unfortunately I don't know how to generate a base 64 certificate...

Did you see another way to make it? Anything else to check or probe?

I really your support.

VIP Purple

Problem converting any AP to LAP - Cert not yet valid

Hi Jorge,

For the LWAP conversion, use the recovery image (e.g. c1140-rcvk9w8-tar.124-25d.JAL.tar). We can use the command in the autonomous AP's privileged mode.

AP#archive download-sw /force-reload /overwrite tftp://10.10.10.1/c1140-rcvk9w8-tar.124-25d.JA.tar

Regards

Don't forget to rate helpful posts.

New Member

Problem converting any AP to LAP - Cert not yet valid

Same problem here with an AP 1121 and trying to upgrade under WCS

Hall of Fame Super Silver

Re: Problem converting any AP to LAP - Cert not yet valid

I would not try to use WCS but use the links to convert the AP.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Problem converting any AP to LAP - Cert not yet valid

I'm having the same problem.. did someone get a solution? Any workaround?

Hall of Fame Super Silver

Problem converting any AP to LAP - Cert not yet valid

What problem are you having..... what AP and what are you trying to do.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Problem converting any AP to LAP - Cert not yet valid

I'm trying to migrate a 1231. This is the debug I see in the AP:

ap#show clock

16:31:17.312 UTC Tue Dec 17 2013

ap#term mon

ap#

Dec 17 16:32:16.663: %SYS-5-CONFIG_I: Configured from console by cisco on vty2 (147.83.194.126)

Dec 17 16:32:26.936: %SYS-5-CONFIG_I: Configured from console by cisco on vty2 (147.83.194.126)

Dec 17 16:32:32.326: %SYS-5-CONFIG_I: Configured from console by cisco on vty2 (147.83.194.126)

Dec 17 16:32:38.476: %SYS-5-CONFIG_I: Configured from console by cisco on vty2 (147.83.194.126)

Dec 16 17:32:03.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 16:32:40 UTC Tue Dec 17 2013 to 17:32:03 UTC Mon Dec 16 2013, configured from console by cisco on vty2 (147.83.194.126).

Dec 16 17:32:05.952: %SYS-6-CLOCKUPDATE: System clock has been updated from 17:32:05 UTC Mon Dec 16 2013 to 17:32:05 UTC Mon Dec 16 2013, configured from console by cisco on vty2 (147.83.194.126).

Dec 16 17:32:06.840: %SYS-5-CONFIG_I: Configured from console by cisco on vty2 (147.83.194.126)

Dec 16 17:32:12.544: %SYS-5-CONFIG_I: Configured from console by cisco on vty2 (147.83.194.126)

Dec 16 17:32:25.890: %SYS-5-CONFIG_I: Configured from console by cisco on vty2 (147.83.194.126)

Dec 16 17:33:18.759: %SYS-5-CONFIG_I: Configured from console by cisco on vty2 (147.83.194.126)

Dec 16 17:33:47.811: %SYS-5-CONFIG_I: Configured from console by cisco on vty2 (147.83.194.126)

%CRYPTO_PKI: CA Cert not yet valid or is expired -

    start date: 13:41:22 UTC Jul 31 2003

    end   date: 13:41:22 UTC Apr 29 2013

ap#

ap#sho

ap#show clo

ap#show clock

17:34:44.152 UTC Mon Dec 16 2013

ap#

Dec 16 17:36:38.373: %SYS-5-CONFIG_I: Configured from console by cisco on vty3 (147.83.194.126)

And this is the output I see in the WCS:


START:     Detailed logging started at -> 12.17.2013_17.32.04

INFO:     TELNET to device 10.120.20.11 done.

INFO:     Privilege level is equal to 15.

INFO:     Setting vty line completed.

INFO:     Dumped Environmental variables.

INFO:     AP is supported for Upgrade process

INFO:     IOS version is greater than or equal to 12.3(7)JA.

INFO:     AP needs SSC to be installed

INFO:     Device has supported radios.

INFO:     Station role is root.

INFO:     TELNET to controller 147.83.174.219 done.

INFO:     SNTP server 1 147.83.2.206

INFO:     DNS and Domain name configured.

INFO:     Mac address of device is 00:11:93:aa:b5:07

INFO:     Completed Dot11Radio0 shutting.

INFO:     Device set up done and time configured on device.

INFO:     Re-initialised SSC.

INFO:     RSA Zeroize done.

INFO:     Cleared trust point for SSC certificate.

INFO:     Cleared trust point for Airespace new root certificate.

INFO:     Cleared trust point for Airespace device root certificate.

INFO:     Cleared trust point for Airespace Old root certificate.

INFO:     Cleared trust point for Cisco root certificate.

INFO:     Cleared trust point for Cisco Manufacture root certificate.

INFO:     Generating RSA Keys this takes few mins...

INFO:     Generated Self Signed Router Certificate.

INFO:     Enable and display SSC.

INFO:     Done profile enrollment for Cisco IOS.

INFO:     Created trust point for Airespace new root certificate.

INFO:     Created trust point for Aires. device root certificate.

INFO:     Created trust point for Aires. Old root certificate.

INFO:     Created trust point for Cisco root certificate.

INFO:     Created trust point for Cisco manuf. root certificate.

INFO:     Generated airespace-new-root-cert.

ERROR:     10.120.20.11 Telnet/SSH session to the device failed. 1. Check reachability to the device. (OR) 2. Check Telnet/SSH is enabled on the device.

END:     Migration Process Failure: Telnet/SSH session to the device failed.

As you can see, in the WCS it says that it can't connect, but I think that the reason might be the error that the AP shows about the certificate out of date (same problem as in the original post).

About the AP I'm trying to migrate:

Product/Model Number                 : AIR-AP1231G-E-K9   

Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JA2, RELEASE SOFTWARE (fc1)

Hall of Fame Super Silver

Re: Problem converting any AP to LAP - Cert not yet valid

If your ap configuration is large, prior to converting, you should erase the config and setup a telnet username and password. That is what I would try.

-Scott
*** Please rate helpful posts ***
New Member

Re: Problem converting any AP to LAP - Cert not yet valid

I already did a reset to defaults, so the config is actually minimal.

Hall of Fame Super Silver

Re: Problem converting any AP to LAP - Cert not yet valid

Then try using the LWAPP tool but you need XP or convert it manually. I never use WCS to do that.

Using a TFTP Server to Return to a Previous Release

http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp160918

https://supportforums.cisco.com/docs/DOC-18268

http://www.youtube.com/watch?v=QQ_NuxdRhQ4

https://supportforums.cisco.com/docs/DOC-14960

-Scott
*** Please rate helpful posts ***
New Member

Problem converting any AP to LAP - Cert not yet valid

I had the same problem with an AP1121 when I was trying to migrate to LW with WCS, but I solved this by migrating these APs with the Cisco LWAPP upgrade tool.

Hall of Fame Super Silver

Re: Problem converting any AP to LAP - Cert not yet valid

Here is a link to find out the SSC you need to add to the WLC.

https://www.cisco.com/public/technotes/smbsa/en/us/wireless/upgrd_auto_Aironet_acc_pts_lgtwt_mode.pdf

-Scott
*** Please rate helpful posts ***
New Member

Problem converting any AP to LAP - Cert not yet valid

Thanks for the information, but is there no way to use the WCS to do this conversion? It looks to me like just a matter of an outdated certificate somewhere.

We don't use Windows on our workstations and I'd need to set up a virtual machine just for this conversion. I find it a bit disappointing considering that we have the WCS for this sort of thing.

No idea which certificate I should update and how?

New Member

Problem converting any AP to LAP - Cert not yet valid

The way I did it is to set the WLC's time to something before the cert expiration day.

It worked for me.

I think it would be nice, that at least the upgrade tool receives a new update with a new cert.

Hall of Fame Super Silver

Re: Problem converting any AP to LAP - Cert not yet valid

Time is always necessary when you want an AP to join the WLC. Older APs like the 1200s and 1230s that have an SSC can be a pain, but no matter how you try to convert these APs from autonomous to lightweight, the SSC can cause you issues if the tool you're using doesn't import the SSC or if the time is off. Nothing else you can really do, but understand what you need to have done in order for the APs to join. Other APs don't have this issue, but the time still needs to be correct for them to join.

I don't use WCS nor do I like the tool, but the upgrade tool does work. I prefer just to use the archive command to convert and then if there is an SSC, I would use the debug to discover the hash.

-Scott
*** Please rate helpful posts ***
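
Added example, not part of any post in this thread and not Cisco code: a Python check that reads AP console output like the logs quoted above, takes the device clock from the %SYS-6-CLOCKUPDATE message (the syslog prefix has no year), and reports on which side of the CA certificate's validity window the clock sat and whether the clock was stepped backwards. The sample log is constructed from the lines posted here, with a documentation IP address substituted; the function names and finding labels are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the AP console output quoted in this thread;
# 192.0.2.10 is a documentation address, not one from the thread.
SAMPLE_LOG = """\
*Mar  1 00:25:41.395: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jul  2 18:11:51.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:25:41 UTC Fri Mar 1 2002 to 18:11:51 UTC Tue Jul 2 2013, configured from console by moncl on vty0 (192.0.2.10).
Jul  2 18:14:14.498: %SYS-5-CONFIG_I: Configured from console by moncl on vty0 (192.0.2.10)
%CRYPTO_PKI: CA Cert not yet valid or is expired -
    start date: 13:41:22 UTC Jul 31 2003
    end   date: 13:41:22 UTC Apr 29 2013
"""

# The syslog prefix carries no year, so the clock is taken from CLOCKUPDATE bodies.
STAMP = r"(\d\d:\d\d:\d\d UTC \w{3} \w{3} +\d{1,2} \d{4})"
CLOCK_RE = re.compile(r"%SYS-6-CLOCKUPDATE: .*updated from " + STAMP + " to " + STAMP)
CERT_RE = re.compile(r"^\s*(start|end)\s+date:\s+(.+?)\s*$")
PKI_MARK = "%CRYPTO_PKI: CA Cert not yet valid or is expired"

def _parse(text, fmt):
    return datetime.strptime(" ".join(text.split()), fmt)

def classify(clock, start, end):
    """Say which side of the validity window the device clock is on."""
    if clock is None:
        return "cert_clock_unknown"
    if clock < start:
        return "cert_not_yet_valid"
    if clock > end:
        return "cert_expired"
    return "cert_window_ok"

def analyze(log, max_step_back=timedelta(minutes=5)):
    """Return (kind, a, b) findings: clock rollbacks and PKI validity failures."""
    findings, clock, window = [], None, None
    for line in log.splitlines():
        m = CLOCK_RE.search(line)
        if m:
            old = _parse(m.group(1), "%H:%M:%S UTC %a %b %d %Y")
            clock = _parse(m.group(2), "%H:%M:%S UTC %a %b %d %Y")
            if old - clock > max_step_back:  # clock moved backwards
                findings.append(("clock_rollback", old, clock))
        elif PKI_MARK in line:
            window = {}  # the start/end date lines follow this message
        elif window is not None and (m := CERT_RE.match(line)):
            window[m.group(1)] = _parse(m.group(2), "%H:%M:%S UTC %b %d %Y")
            if len(window) == 2:
                kind = classify(clock, window["start"], window["end"])
                findings.append((kind, window["start"], window["end"]))
                window = None
    return findings

if __name__ == "__main__":
    for kind, a, b in analyze(SAMPLE_LOG):
        print(kind, a, b)
```

On the sample, the one finding is `cert_expired`: the clock set by the tool (Jul 2 2013) is past the certificate's end date (Apr 29 2013), whereas the factory-default clock of Mar 1 2002 would fall before the start date.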
New Member

Problem converting any AP to LAP - Cert not yet valid

Hi Scott,

The debugging is handy if you convert 1-5 APs; with more you become insane.

I know that the 1200 and 1230er are "out of ebay" but I have many customers with such old APs and they want to migrate to newer ones in little steps.

The upgrade tool is really helpful if you want to migrate a lot of APs.

Hall of Fame Super Silver

Re: Problem converting any AP to LAP - Cert not yet valid

I understand... A few months ago, I had to convert 200+ 1230's and I used the upgrade tool. I had to load XP on an old laptop to do the conversions. There were about 5 that we had to debug due to the tool not upgrading the AP properly.

-Scott
*** Please rate helpful posts ***