Field Notice: FN - 72524 - During Software Upgrade/Downgrade, Cisco IOS APs Might Remain in Downloading State After December 4, 2022 Due to Certificate Expiration - Software Upgrade Recommended

Available Languages

Updated:December 21, 2022

Document ID:FN72524

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.3	21-Dec-22	Updated the Workaround/Solution Section
1.2	16-Dec-22	Updated Recommended Action, Products Affected, MDF tags, Problem Description, Background, Problem Symptom, Workaround/Solution.
1.1	08-Dec-22	Updated the Product Tags
1.0	08-Dec-22	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number
IOS	IOS	15.3	15.3(3)JA1, 15.3(3)JA1m, 15.3(3)JA4, 15.3(3)JA5, 15.3(3)JA7, 15.3(3)JA8, 15.3(3)JA9, 15.3(3)JA10, 15.3(3)JA11, 15.3(3)JA12, 15.3(3)JAA, 15.3(3)JAB, 15.3(3)JAX, 15.3(3)JAX1, 15.3(3)JAX2, 15.3(3)JB, 15.3(3)JBB, 15.3(3)JBB1, 15.3(3)JBB2, 15.3(3)JBB4, 15.3(3)JBB5, 15.3(3)JBB6, 15.3(3)JC, 15.3(3)JC1, 15.3(3)JC2, 15.3(3)JC3, 15.3(3)JC4, 15.3(3)JC5, 15.3(3)JC6, 15.3(3)JC7, 15.3(3)JC8, 15.3(3)JC9, 15.3(3)JC14, 15.3(3)JC15, 15.3(3)JC50, 15.3(3)JD, 15.3(3)JD2, 15.3(3)JD3, 15.3(3)JD4, 15.3(3)JD5, 15.3(3)JD6, 15.3(3)JD7, 15.3(3)JD8, 15.3(3)JD9, 15.3(3)JD11, 15.3(3)JD12, 15.3(3)JD13, 15.3(3)JD14, 15.3(3)JD16, 15.3(3)JD17, 15.3(3)JDA17, 15.3(3)JE, 15.3(3)JF, 15.3(3)JF1, 15.3(3)JF4, 15.3(3)JF5, 15.3(3)JF7, 15.3(3)JF8, 15.3(3)JF9, 15.3(3)JF10, 15.3(3)JF11, 15.3(3)JF12, 15.3(3)JF12i, 15.3(3)JF14, 15.3(3)JF14i, 15.3(3)JF15, 15.3(3)JG1, 15.3(3)JH, 15.3(3)JH1, 15.3(3)JI1, 15.3(3)JI3, 15.3(3)JI4, 15.3(3)JI5, 15.3(3)JI6, 15.3(3)JJ, 15.3(3)JJ1, 15.3(3)JK, 15.3(3)JK1, 15.3(3)JK1t, 15.3(3)JK2, 15.3(3)JK2a, 15.3(3)JK3, 15.3(3)JK4, 15.3(3)JK5, 15.3(3)JK6, 15.3(3)JK7, 15.3(3)JK8, 15.3(3)JK8a, 15.3(3)JPI1, 15.3(3)JPI1t, 15.3(3)JPI4, 15.3(3)JPI5, 15.3(3)JPI6a, 15.3(3)JPI7, 15.3(3)JPI8a, 15.3(3)JPI9, 15.3(3)JPI10, 15.3(3)JPJ2, 15.3(3)JPJ2t, 15.3(3)JPJ3, 15.3(3)JPJ3a, 15.3(3)JPJ4, 15.3(3)JPJ5, 15.3(3)JPJ6, 15.3(3)JPJ7, 15.3(3)JPJ7c, 15.3(3)JPJ8a, 15.3(3)JPJ9, 15.3(3)JPK, 15.3(3)JPK1, 15.3(3)JPK2, 15.3(3)JPK3, 15.3(3)JPK4, 15.3(3)JPK5, 15.3(3)JPL, 15.3(3)JPM, 15.3(3)JPN, 15.3(3)JPN1, 15.3(3)JPO
NON-IOS	Wireless LAN Controller Software	8.0	8.0.100.0, 8.0.104.0, 8.0.110.0, 8.0.115.0, 8.0.116.0, 8.0.120.0, 8.0.121.0, 8.0.132.0, 8.0.133.0, 8.0.135.0, 8.0.140.0, 8.0.150.0, 8.0.152.0
NON-IOS	Wireless LAN Controller Software	8.1	8.1.101.0, 8.1.102.0, 8.1.111.0, 8.1.120.0, 8.1.121.0, 8.1.122.0, 8.1.131.0, 8.1.132.0
NON-IOS	Wireless LAN Controller Software	8.2	8.2.100.0, 8.2.110.0, 8.2.111.0, 8.2.121.0, 8.2.130.0, 8.2.141.0, 8.2.151.0, 8.2.160.0, 8.2.161.0, 8.2.164.0, 8.2.166.0, 8.2.170.0
NON-IOS	Wireless LAN Controller Software	8.3	8.3.102.0, 8.3.108.0, 8.3.111.0, 8.3.112.0, 8.3.121.0, 8.3.122.0, 8.3.130.0, 8.3.131.0, 8.3.132.0, 8.3.133.0, 8.3.135.0, 8.3.140.0, 8.3.141.0, 8.3.143.0, 8.3.150.0
NON-IOS	Wireless LAN Controller Software	8.4	8.4.100.0
NON-IOS	Wireless LAN Controller Software	8.5	8.5.103.0, 8.5.105.0, 8.5.108.0, 8.5.109.0, 8.5.110.0, 8.5.120.0, 8.5.131.0, 8.5.135.0, 8.5.140.0, 8.5.151.0, 8.5.160.0, 8.5.161.0, 8.5.171.0, 8.5.182.0, 8.5IRCM
NON-IOS	Wireless LAN Controller Software	8.6	8.6.101.0
NON-IOS	Wireless LAN Controller Software	8.7	8.7.102.0, 8.7.106.0
NON-IOS	Wireless LAN Controller Software	8.8	8.8.100.0, 8.8.111.0, 8.8.120.0, 8.8.125.0, 8.8.130.0
NON-IOS	Wireless LAN Controller Software	8.9	8.9.100.0, 8.9.111.0
NON-IOS	Wireless LAN Controller Software	8.10	8.10.105.0, 8.10.112.0, 8.10.113.0, 8.10.121.0, 8.10.122.0, 8.10.130.0, 8.10.142.0, 8.10.151.0, 8.10.162.0, 8.10.171.0, 8.10.181.0, 8.10.182.0
NON-IOS	IOSXE	16	16.1.0, 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.1a, 16.3.2, 16.3.3, 16.3.3a, 16.3.4, 16.3.5, 16.3.5a, 16.3.5b, 16.3.5c, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.10.1, 16.10.1e, 16.11.1b, 16.11.1c, 16.12.1, 16.12.1s, 16.12.1t, 16.12.2, 16.12.2s, 16.12.3, 16.12.4, 16.12.4a, 16.12.5, 16.12.6a, 16.12.7, 16.12.8
NON-IOS	IOSXE	17	17.1.1, 17.1.1a, 17.1.1s, 17.1.1t, 17.2.1a, 17.3.1, 17.3.2a, 17.3.3, 17.3.4, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.6, 17.4.1, 17.5.1, 17.6.1, 17.6.2, 17.6.3, 17.6.4, 17.7.1, 17.8.1, 17.9.1, 17.9.1a, 17.9.2, 17.10.1
NON-IOS	IOSXE	3	3.6.0aE, 3.6.0bE, 3.6.0E, 3.6.1E, 3.6.2aE, 3.6.3E, 3.6.4E, 3.6.5aE, 3.6.5bE, 3.6.5E, 3.6.6E, 3.6.7aE, 3.6.7bE, 3.6.7E, 3.6.8E, 3.6.9aE, 3.6.9E, 3.6.10E, 3.7.0E, 3.7.1E, 3.7.2E, 3.7.3E, 3.7.4E, 3.7.5E

Defect Information

Defect ID	Headline
CSCwd80290	IOS AP image validation certificate failed/expired, causing AP join issues.

Problem Description

Cisco IOS^®-based Access Points (APs) that use expired certificates for image validation as of December 5, 2022 could cause Cisco IOS AP image downloads from a Wireless LAN Controller (WLC) to fail, which prevents the AP from joining the controller.

This affects all Cisco lightweight APs that run Cisco IOS, which include: 802.11ac Wave 1 APs (IW3702/3700/2700/1700/1570 series) and earlier APs including 700/1530/1550/3600/2600/1600/3500/AP802/AP803 series. The affected lightweight Cisco IOS images were built from December 2012 through November 2022.

Background

Cisco IOS-based APs use a certificate to validate the software image that has been downloaded and installed from the controller before installing that software on the AP. Because this certificate expired on December 5, 2022, validation will fail and the AP will not install the newly downloaded image. The AP will continue to try to download and validate this image, and will continue to fail indefinitely until a workaround or solution is applied.

Cisco Aironet 802.11ac Wave 2 and Catalyst Wi-Fi6/6E Access Point and later APs are not affected by this issue.

For more detail, see IOS AP Image Download Fails Due to Expired Image Signing Certificate Post December 4th, 2022 (CSCwd80290).

Problem Symptom

Affected APs will remain in the downloading state and never complete their join to the WLC. For a more detailed description of the symptom, see IOS AP Image Download Fails Due to Expired Image Signing Certificate Post December 4th, 2022 (CSCwd80290).

Workaround/Solution

This issue does not require hardware replacement.

Solution

Upgrade your WLC to one of the versions in the "Upgrading to Fixed Software" section in IOS AP Image Download Fails Due to Expired Image Signing Certificate Post December 4th, 2022 (CSCwd80290).

Workaround

For any WLC that has APs stuck in the downloading state:

Disable Network Time Protocol (NTP) on the WLC and manually set the WLC date/time to a date before December 2, 2022. The Cisco IOS AP will then be able to download and validate the image, install the new image, and join the controller. Once the AP has joined the controller, NTP can be re-enabled on the controller to assume the correct date and time.
Customers who receive a replacement Cisco IOS-based AP(s) from Cisco via Return Material Authorization (RMA)/Warranty and have not upgraded their WLC(s) to a fixed software version should go through this workaround. For more details, see IOS AP Image Download Fails Due to Expired Image Signing Certificate Post December 4th, 2022 (CSCwd80290).

Additional Information

These AP series are affected:

Cisco Aironet 3700 Series Access Points
Cisco Aironet 2700 Series Access Points
Cisco Aironet 1700 Series Access Points
Cisco Industrial Wireless 3700 Series
Cisco Aironet 1570 Series Access Points
Cisco Aironet 3600 Series Access Points
Cisco Aironet 3500 Series Access Points
Cisco Aironet 2600 Series Access Points
Cisco Aironet 1600 Series Access Points
Cisco Aironet 700 Series Access Points
Cisco Aironet 1530 Series Access Points
Cisco Aironet 1550 Series Access Points
Cisco 800 and 1900 Series ISR Integrated Access Points

These WLCs are affected, only if they control affected Cisco IOS APs:

AireOS Controllers

Cisco Virtual Wireless Controller
Cisco 8500 Series Wireless Controllers
Cisco 5500 Series Wireless Controllers
Cisco 3500 Series Wireless Controllers
Cisco 2500 Series Wireless Controllers
Cisco Flex 7500 Series Wireless LAN Controllers

Converged Access Cisco IOS XE Controllers

Cisco 5700 Series Wireless LAN Controllers
Cisco Catalyst 3850 Series Switches
Cisco Catalyst 3650 Series Switches

Cisco IOS XE Controllers

Cisco Catalyst 9800 Wireless Controllers for Cloud
Cisco Catalyst 9800 Series Wireless Controller

Cisco IOS XE Switches with Embedded Wireless Controllers

Cisco Catalyst 9300 Series Switches
Cisco Catalyst 9300L Series Switches
Cisco Catalyst 9400 Series Switches
Cisco Catalyst 9400 Supervisor Engine
Cisco Catalyst 9500 Series Switches

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)