Solved: Cisco AP stuck in Boot Loop - Digital Signature Failed Validation

malering · ‎08-21-2014

So I had a image go bad on an 3602i AP, loaded up a new IOS on the AP. Loaded the new IOS, everything seems fine until it get just about done with the boot and then it reboots itself again. Lots of output but the meat and potatos is this

*Aug 10 07:44:19.999: Using SHA-1 signed certificate for image signing validation.
*Aug 10 07:44:19.999: Error opening file flash:/ap3g2-k9w8-mx.153-3.JA/final_hash.sig
*Aug 10 07:44:19.999: Digital Signature Failed Validation (flash:/ap3g2-k9w8-mx.153-3.JA/final_hash)
*Aug 10 07:44:19.999: AP image integrity check FAILED!

*Aug 10 07:44:19.999: Release image validation failure - restarting AP.

Any ideas?

LJ Gabrillo · ‎08-21-2014

Ohh, looks like the image you uploaded is corrupted. Its digital signature is,

Try this when you try to upload a new image
1. If you got it from a *.tar file, extract it to get to the *.bin file

2. copy that bin file

#copy /verify tftp:<IP> flash:

though, try to download the image again.

View solution in original post

LJ Gabrillo · ‎08-21-2014

Ohh, looks like the image you uploaded is corrupted. Its digital signature is,

Try this when you try to upload a new image
1. If you got it from a *.tar file, extract it to get to the *.bin file

2. copy that bin file

#copy /verify tftp:<IP> flash:

though, try to download the image again.

rosaho · ‎07-30-2015

This discussion has been reposted from Additional Communities to the Other Wireless - Mobility Subjects community.

Saurav Lodh · ‎08-22-2014

Reloading the Access Point Image

If your access point has a firmware failure, you must reload the complete access point image file using the Web browser interface or on 1100 and 1200 series access points, by pressing and holding the MODE button for around 30 seconds. You can use the browser interface if the access point firmware is still fully operational and you want to upgrade the firmware image. However, you can use the MODE button when the access point has a corrupt firmware image. On 350 series access points, you cannot use the MODE button to reload the image file, but you can use the CLI through a Telnet or console port connection.

refer http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-2_15_JA/configuration/guide/i12215sc/s15trb.html

malering · ‎08-26-2014

Thanks for the replies everyone! This was a new IOS pushed out to the device AFTER a IOS failure. So no web browser access. The new IOS had an issue with the hash, which I thought was weird (obviously a bad image). Rather than try to reinvent the wheel, I just used the recovery image.

What I ended up doing was downloading, and booting off of inside rommon, the recovery image via tar -xtract over tftp, letting the WLC grab the AP and push out the IOS onto the AP which solved my issue. Thanks again for the help.

Lovleen Arora · ‎08-25-2014

Worked for me.

Load AP with recovery LWAPP image, then just plug into the WLC network and it was perfect..

Thanks

malering · ‎08-26-2014

Glad I could help!

wanfaris90 · ‎01-07-2018

* perform a mode button image recovery

OR, if you can get onto the AP console, and if the AP has another viable IOS image on flash, then:

* hit the escape key when you see "Interrupt within 5 seconds to abort boot process"
* at the ap: bootloader prompt, enter the following command:
ap: dir flash:
* look for a viable IOS image folder, such as "c1140-rcvk9w8-mx"
* set the bootloader BOOT variable to boot that image, for example:
ap: set BOOT flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx
* issue the command
ap: reset