6479 views · 62 helpful · 6 comments
fortune (VIP Alumni)
Two weeks ago a customer said they wanted to upgrade their wireless. They were running WLC version 7.6 and wanted to move to 8.X, and asked me to help with the upgrade. I was out at the time, so I asked a colleague to handle it.
I thought it would be a simple matter, but after the remote upgrade no SSID was being broadcast and the wireless network was unusable, which was a bit odd.
After getting home I took a remote look at the network environment:
WLC 2504, upgraded to version 8.0.100
AP models: 2600 and 1600
I went over the WLC configuration again and found nothing abnormal, then confirmed with my colleague: the IOS image's MD5 had been compared against the official download site and was fine, it was just a straightforward upgrade, and the IOS loaded normally.
Thinking it through: the IOS was fine and IP address assignment was fine, so check the logs. Sure enough, the logs showed errors:
*Apr 12 13:37:59.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Apr 12 13:38:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.3 peer_port: 5246
*Apr 12 13:38:29.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x8D69EB4!
*Apr 12 13:38:59.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.3:5246
*Apr 12 13:38:59.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Apr 12 13:39:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.1 peer_port: 5246Peer certificate verification failed FFFFFFFF
*Apr 12 13:39:00.099: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!
*Apr 12 13:39:00.099: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.1.1:5246
*Apr 12 13:39:00.099: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.1:5246
Looking it up, the cause is a certificate problem; Cisco bug CSCur43050 describes it:
CSCur43050
Description
Symptom:New Aironet APs with factory installed recovery IOS are able to join the controller 8.0.100.0 and download 15.3(3)JA IOS. But after the AP reload, the APs are unable to join the controller. On the AP, logs similar to the following are seen:
*Oct 16 12:39:06.231: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Oct 16 13:14:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: ***.***.***.*** peer_port: 5246Peer certificate verification failed FFFFFFFF
*Oct 16 13:14:56.127: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!
*Oct 16 13:14:56.127: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to ***.***.***.***:5246
*Oct 16 13:14:56.127: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to ***.***.***.***:5246
Another symptom of this problem is that the AP may be able to join the 8.0.100.0 controller, download the IOS code, boot up and join the controller OK ... but when it goes to upgrade to newer 8.x code, it gets stuck in a loop failing the download.
*Nov 11 10:13:53.003: Currently running a Release Image
*Nov 11 10:13:53.027: Using SHA-2 signed certificate for image signing validation.
*Nov 11 10:13:53.091: Image signing certificate validation failed (FFFFFFFF).
*Nov 11 10:13:53.091: Failed to validate signature
*Nov 11 10:13:53.091: Digital Signature Failed Validation (flash:/update/ap3g2-k9w8-mx.v153_80mr.201410311616/final_hash)
*Nov 11 10:13:53.091: AP image integrity check FAILED
Aborting Image Download
Download image failed, notify controller!!! From:8.0.100.0 to 8.0.102.34, FailureCode:3
archive download: takes 339 seconds
*Nov 11 10:14:02.399: capwap_image_proc: problem extracting tar file
Conditions:Seen only with APs that were manufactured in August, September or October, 2014 - all Aironet APs were affected EXCEPT the 700 series. Seen with WLCs running 8.0.100.0 or an 8.0.100.x special.
If the WLC was manufactured in September 2014, or later (i.e. has a SHA2 MIC), then the first symptom is seen, i.e. the AP joins the 8.0.100 WLC, downloads the image, but then fails to rejoin.
If the WLC was manufactured before September 2014 (i.e. does not have a SHA2 MIC), then the second symptom is seen, i.e. the AP can join the 8.0.100 WLC OK, but then will fail download during a subsequent upgrade.
Also seen with new APs trying to join a controller running IOS-XE 3.6.0 (15.3(3)JN k9w8 image.) (Track CSCur50946 for the IOS-XE fix)
Workaround:1. If the WLC has software version 7.6 or earlier, avoid upgrading to 8.0.100.0 and upgrade the WLC directly to version 8.0.110.0 or above.
2. Downgrade to AireOS 7.6.130.0, or to IOS-XE 3.3, if the APs are supported in the earlier code.
3. If the WLC has software version 8.0.100.x, follow these steps:
a. Upgrade the WLC to software version 8.0.104.0:
- All controllers
https://software.cisco.com/download/special/release.html?config=020a1d7471d1b9f18931c04da727ff74
- WISM2
https://software.cisco.com/download/special/release.html?config=03c066b2c18c8631a0422589c140e33e
b. Allow all APs to join the WLC and upgrade to software version 8.0.104.0.
c. Upgrade the WLC to software version 8.0.110.0 or above.
Note: Step b is required to push the 8.0.104.0 special software version onto the APs in order to allow all future upgrades.
More Info:This issue is now documented as Field Notice 63916: http://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63916.html
This problem affects only APs that were manufactured with incorrect SHA2 certificates. APs with only SHA1 certificates are not affected. To determine whether an AP is affected, you can check its serial number using this tool:
http://serialnumbervalidation.com/63916/cgi-bin/index.cgi
Or you can use the following AP exec commands (while the AP has a 15.3(3)/8.0 image installed):
1. Check for the presence of a SHA2 Parameter Block:
ap#test pb display
if the output of this command includes:
SHA2 Parameter Block Doesn't have any Records
then this AP is not affected. If the output of this command shows
Display of the SHA2 Parameter Block
then
2. See whether a correct SHA2 certificate is present:
ap#show crypto pki trustpoints | include SHA2
if there is no valid SHA2 certificate, then this will show no output.
If there is a valid SHA2 cert, this will show:
cn=Cisco Manufacturing CA SHA2
Only APs which *do* have a SHA2 Parameter Block and which *do not* have a valid SHA2 certificate are affected by this bug.
The problem symptoms will vary according to whether or not the WLC has a SHA2 certificate installed. To verify this, use the following command on the AireOS CLI:
(Cisco Controller) >show certificate all
and look for:
Certificate Name: Cisco SHA2 device cert
Later, after upgrading to a higher version, the APs joined normally! I don't recommend anyone use version 8.0.100; use a higher IOS version instead!
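As an added triage example (not from the post and not a Cisco tool): a small Python script that applies the log signatures and the affected-AP rule quoted above to captured CLI output. The sample AP log is constructed from the lines in this thread, the sample command outputs are constructed from the strings the bug text says to look for, and all function names are the example's own.

```python
"""Triage helpers for the CAPWAP/DTLS join failure discussed in the thread.

Constructed example: sample text is modelled on the lines quoted in the
post and in the CSCur43050 description; function names are this example's
own, not Cisco commands or APIs.
"""
import re
from collections import Counter

# Log signatures, checked in order; the first match wins for a line.
# Only strings that appear verbatim in the post or bug text are used.
SIGNATURES = [
    # Symptom 1: the AP rejects the WLC's DTLS certificate after reload.
    ("dtls_cert_failed", re.compile(
        r"Peer certificate verification failed|Certificate verified failed"
        r"|Bad certificate Alert")),
    # Symptom 2: image signature validation fails during a later upgrade.
    ("image_sig_failed", re.compile(
        r"Image signing certificate validation failed"
        r"|Digital Signature Failed Validation|AP image integrity check FAILED")),
    # Not the certificate bug: the DTLS handshake simply got no answer.
    ("dtls_timeout", re.compile(r"Max retransmission count reached")),
]
# WLC address the AP refused with a "Bad certificate" alert.
ALERT_PEER = re.compile(r"Bad certificate Alert to (\d+\.\d+\.\d+\.\d+):\d+")

# Constructed sample: the AP log excerpt from the original post.
SAMPLE_AP_LOG = """\
*Apr 12 13:37:59.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Apr 12 13:38:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.3 peer_port: 5246
*Apr 12 13:38:29.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x8D69EB4!
*Apr 12 13:38:59.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.3:5246
*Apr 12 13:38:59.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Apr 12 13:39:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.1 peer_port: 5246Peer certificate verification failed FFFFFFFF
*Apr 12 13:39:00.099: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!
*Apr 12 13:39:00.099: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.1.1:5246
*Apr 12 13:39:00.099: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.1:5246
"""

# Constructed sample command outputs, reduced to the marker strings
# the bug text tells you to look for.
SAMPLE_PB_AFFECTED = "Display of the SHA2 Parameter Block\n"
SAMPLE_PB_CLEAN = "SHA2 Parameter Block Doesn't have any Records\n"
SAMPLE_TP_OK = "cn=Cisco Manufacturing CA SHA2\n"
SAMPLE_WLC_CERTS = "Certificate Name: Cisco SHA2 device cert\n"


def classify_ap_log(text):
    """Count signature hits per category and collect the WLC peers that
    the AP refused with a Bad certificate alert."""
    counts = Counter()
    rejected_peers = set()
    for line in text.splitlines():
        for name, rx in SIGNATURES:
            if rx.search(line):
                counts[name] += 1
                break
        m = ALERT_PEER.search(line)
        if m:
            rejected_peers.add(m.group(1))
    return {"counts": dict(counts), "rejected_peers": sorted(rejected_peers)}


def ap_is_affected(pb_output, trustpoint_output):
    """Apply the bug's rule to the output of 'test pb display' and
    'show crypto pki trustpoints | include SHA2':
    affected = SHA2 Parameter Block present AND no valid SHA2 cert."""
    has_sha2_pb = "Display of the SHA2 Parameter Block" in pb_output
    has_sha2_cert = "cn=Cisco Manufacturing CA SHA2" in trustpoint_output
    return has_sha2_pb and not has_sha2_cert


def wlc_has_sha2_cert(show_certificate_all_output):
    """Check 'show certificate all' output for the SHA2 device cert."""
    return "Certificate Name: Cisco SHA2 device cert" in show_certificate_all_output


def expected_symptom(ap_affected, wlc_sha2):
    """Map the two checks to the symptom the bug description predicts."""
    if not ap_affected:
        return None
    return "join_fails_after_reload" if wlc_sha2 else "download_fails_on_upgrade"


if __name__ == "__main__":
    print(classify_ap_log(SAMPLE_AP_LOG))
    affected = ap_is_affected(SAMPLE_PB_AFFECTED, "")
    print("AP affected:", affected)
    print("Expected symptom:", expected_symptom(affected, wlc_has_sha2_cert(SAMPLE_WLC_CERTS)))
```

Run against the log from this thread, the classifier reports three DTLS certificate failures plus one handshake timeout and names 192.168.1.1 as the refused peer, which matches the first symptom in the bug text (an AP with a SHA2 parameter block but no valid SHA2 certificate talking to a WLC that does carry a SHA2 device cert). The timeout against 192.168.1.3 is kept separate so that a plain reachability problem is not confused with the certificate bug.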
Comments
Tiandao (Level 1)
Cisco should have a recommended version listed at download time, right?
fortune (VIP Alumni)
boy6585948 wrote on 2018-5-27 09:25:
Cisco should have a recommended version listed at download time, right?

Yes, there is. A colleague did the upgrade; many people no longer have download permission, so it was probably an IOS image kept from earlier, and they just grabbed one to upgrade with!
Tiandao (Level 1)
vsop5207 wrote on 2018-5-27 10:48:
Yes, there is. A colleague did the upgrade; many people no longer have download permission, so it was probably an IOS image kept from earlier, and they just grabbed one to upgrade with!

OK, that explains it. I don't have download permission either, but I usually look for their recommended version to download!
13nash (Level 8)
Thanks for sharing; it reduces the chance of making mistakes.
xiaogaogao (Level 1)
Software bugs are rather awkward! Better to stick with the recommended version!
yangkai_716 (Spotlight)
Thanks a lot for sharing