Convert Cisco Lightweight AP to Mobility Express

Hi all

Today I’m going to write a short post on how to convert a lightweight AP to a Mobility Express AP. It’s a very simple process and only takes a few minutes to complete.

First you need to download the ME image from the Cisco webpage. Extract the compressed file to a TFTP server.

Log in to the AP with console access using Cisco / Cisco as username and password (this is of course only if you haven’t changed the password on the AP), then run:

ap-type mobility-express tftp://<TFTP Server IP>/<filename>

When the file is uploaded the AP will reboot and load the new image. The AP will use 2 IPs: 1 for the ME and 1 for the AP.

During my upgrade I had one issue. It failed repeatedly and I worked a while before I discovered the reason.

Image transfer complete.
Image downloaded, writing to flash...
do CHECK_ME, part1 is active part
upgrade.sh: Error: image not found.
+ do_upgrade CHECK_ME
+ [ ! -r /tmp/part.tar ]
+ loudlog Error: image not found.
+ logger -p 0 -t upgrade Error: image not found.
+ echo upgrade.sh: Error: image not found.
upgrade.sh: Error: image not found.
+ return 1
+ status=1
+ set +x
Error: Image update failed.

I read on the internet that this error could be caused by lack of space. I had free space left, so I could quickly rule that issue out. I have another ME in the same network, and it seems that the ME image can’t be uploaded when there is an ME on the same L2 network as the ME you are trying to install. The issue I had disappeared when I disconnected the other ME.

After the upgrade has been completed the ME will reboot and start a setup wizard.

Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 127 characters): ********
Re-enter Administrative Password                 : ********
System Name [Cisco-dcf7.193e.4c00] (24 characters max): hostname
Enter Country Code list (enter 'help' for a list of countries) [US]: NO
Configure a NTP server now? [YES][no]: yes
Use default NTP servers [YES][no]:
Enter timezone location index (enter 'help' for a list of timezones): 14
Management Interface IP Address Configuration [STATIC][dhcp]: dhcp
Create Management DHCP Scope? [yes][NO]:
Employee Network Name (SSID)?: SSIDName
Employee Network Security? [PSK][enterprise]:PSK
Employee PSK Passphrase (8-63 characters)?: ***********
Re-enter Employee PSK Passphrase: ***********
Enable RF Parameter Optimization? [YES][no]:
Client Density [TYPICAL][Low][High]:
Traffic with Voice [NO][Yes]:

Configuration correct? If yes, system will save it and reset. [yes][NO]: yes

Configuration saved!

There are a few things that you need to get right when going through the options. The first one is the country code. It must be correct so that the AP uses frequencies that meet the local regulations. Since my APs are in Norway I chose NO as the country code.

The second one is the management interface. You can choose to have it set to static or dhcp. I normally set these MEs up for clients and configure them with DHCP. If you choose DHCP it’s important to note the correct DHCP address when the ME boots up. As previously mentioned, the AP will request 2 IPs: 1 for the ME and 1 for the CAPWAP AP. After the bootup you should see the following output:

[*08/01/2019 17:24:33.6830] ethernet_port wired0, ip 192.168.50.108, netmask 255.255.255.0, gw 192.168.50.1, mtu 1500, bcast 192.168.50.255, dns1 195.159.0.100, dns2 8.8.8.8, domain hjortsenter.internal, vid 0, static_ip_failover false, dhcp_vlan_failover false
[*08/01/2019 17:24:33.6930] chatter: MeshNat: config_ip IP=192.168.50.108 mask=255.255.255.0 GW=192.168.50.1
[*08/01/2019 17:24:38.7614] ethernet_port wired0, ip 192.168.50.110, netmask 255.255.255.0, gw 192.168.50.1, mtu 1500, bcast 192.168.50.255, dns1 195.159.0.100, dns2 8.8.8.8, domain test.internal, vid 0, static_ip_failover false, dhcp_vlan_failover false
[*08/01/2019 17:24:38.7814] chatter: MeshNat: config_ip IP=192.168.50.110 mask=255.255.255.0 GW=192.168.50.1
[*08/01/2019 17:24:41.8004] AP IPv4 Address updated from 0.0.0.0 to 192.168.50.110

The first IP in my example is the IP for the ME (192.168.50.108)
The last IP is for the CAPWAP (192.168.50.110)
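To pick the two addresses out of a captured console log, the parser below can be used. It is an added example, not part of the original post; the function name `find_me_addresses` is hypothetical, and the log lines are the ones quoted above, trimmed to the fields the parser reads.

```python
import ipaddress
import re

# Constructed sample: the console lines quoted in the post, trimmed to the fields used.
BOOT_LOG = """\
[*08/01/2019 17:24:33.6830] ethernet_port wired0, ip 192.168.50.108, netmask 255.255.255.0, gw 192.168.50.1
[*08/01/2019 17:24:33.6930] chatter: MeshNat: config_ip IP=192.168.50.108 mask=255.255.255.0 GW=192.168.50.1
[*08/01/2019 17:24:38.7614] ethernet_port wired0, ip 192.168.50.110, netmask 255.255.255.0, gw 192.168.50.1
[*08/01/2019 17:24:38.7814] chatter: MeshNat: config_ip IP=192.168.50.110 mask=255.255.255.0 GW=192.168.50.1
[*08/01/2019 17:24:41.8004] AP IPv4 Address updated from 0.0.0.0 to 192.168.50.110
"""

LEASE_RE = re.compile(r"ethernet_port \S+, ip ([\d.]+),")
AP_ADDR_RE = re.compile(r"AP IPv4 Address updated from \S+ to ([\d.]+)")


def find_me_addresses(log_text):
    """Return {'me': ip, 'capwap': ip} from ME boot console output.

    Assumption taken from the post: the first address configured on the
    wired port belongs to the ME, the last one to the CAPWAP AP.
    """
    leases = []
    for match in LEASE_RE.finditer(log_text):
        ip = str(ipaddress.ip_address(match.group(1)))  # rejects malformed values
        if ip not in leases:
            leases.append(ip)
    if len(leases) < 2:
        raise ValueError("expected two distinct addresses, found %d" % len(leases))
    me_ip, capwap_ip = leases[0], leases[-1]
    # Cross-check against the explicit AP address line when the log has one.
    confirmed = AP_ADDR_RE.findall(log_text)
    if confirmed and confirmed[-1] != capwap_ip:
        raise ValueError("AP address line %s disagrees with lease order" % confirmed[-1])
    return {"me": me_ip, "capwap": capwap_ip}


if __name__ == "__main__":
    print(find_me_addresses(BOOT_LOG))
```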

Backup and restore config of Mobility Express.

Hi all

Lately I have been working with the Mobility Express APs from Cisco. One of the important things to do when you set up new equipment is to have a backup and restore policy for the config. I chose the easy way out using tftp; it’s the quickest and easiest way to transfer files as long as you have the tftp server secured. The other option you have is ftp.

transfer upload mode tftp
Sets the mode to tftp. You can also choose ftp, but then you need to add a username and password too.

transfer upload datatype config
Chooses config as the data to store on the server.

transfer encrypt enable
Turns on encryption for the file

transfer encrypt set-key supersecret
Sets the password used as the encryption key.

transfer upload serverip 10.10.10.10
Sets the IP address of the server where the config will be stored.

transfer upload filename MEconfig.cfg
Filename for the config.

transfer upload start
Start the upload.

transfer upload mode tftp
transfer upload datatype config
transfer encrypt enable
transfer encrypt set-key supersecret
transfer upload serverip 10.10.10.10
transfer upload filename MEconfig.cfg
transfer upload start

You should then get the following output.

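Mode............................................. TFTP
TFTP Server IP................................... 10.10.10.10
TFTP Path........................................
TFTP Filename.................................... MEconfig.cfg
Data Type........................................ Config File
Encryption....................................... Enabled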

Are you sure you want to start? (y/N) y

File transfer operation completed successfully.

So far you have done the backup. The second most important thing is the restore. It’s almost the same, but you swap upload for download.

transfer download datatype config
transfer download mode tftp
transfer encrypt enable
transfer encrypt set-key supersecret
transfer download serverip 10.10.10.10
transfer download filename MEconfig.cfg
transfer download start

After the commands have been entered you should see the following output.

Mode............................................. TFTP
Data Type........................................ Config
TFTP Server IP................................... 10.10.10.10
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................
TFTP Filename.................................... MEconfig.cfg
Encrypt/Decrypt Flag............................. Enabled

Warning: Downloading configuration will cause the controller to reset...

This may take some time.
Are you sure you want to start? (y/N) y

TFTP Config transfer starting.

TFTP receive complete... updating configuration.

CCO Username & Password will NOT be imported. Please Re-Configure the Credentials 'transfer download ap-images cco-username '
'transfer download ap-images cco-password ' after bootup for Image Download

TFTP receive complete... storing in flash.

Sync config to peers.

System being reset.


1121 not registering to WLC

I was converting APs from Autonomous to Lightweight APs yesterday when I ran into issues with a couple of old 1121G. I only saw the AP register to the controller for 3-4 seconds before it disconnected. While pinging the AP it responded for 1 minute before it went into a reboot.

I then logged into the WLC to do a debug. I used the following debug command:

(Cisco Controller) >debug capwap errors enable

The output from this repeated itself every time the AP was up and running.

Dec 03 11:26:02.616: 00:1e:4a:a8:b1:88 Join Priority Processing status = 0, Incoming Ap's Priority 0, MaxLrads = 100,joined Aps =1
*spamApTask0: Dec 03 11:26:12.645: Could not find BoardDataPayload
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Refusing image download to AP 00:1e:4a:a8:b1:88 - unable to open image file /bsn/ap//c1100
 Error:No such file or directory(2)
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Number of open file descriptors for spam process is: 97
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Decoding of Image Data failed from AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:17.686: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:17.686: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:17.686: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:17.686: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:18.687: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:18.687: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:18.687: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:18.687: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:19.690: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
 sessionId 2367ed6d, recvNonce 2367ed6e, sendNonce 2367ed6d
 key b9.87.16.0b.97.72.4e.e8
 c4.c5.ee.e1.d4.c7.f3.62

*spamApTask0: Dec 03 11:26:19.690: 00:1e:4a:a8:b1:88 rxN 00.23.67.ed.6e.00.00.00
 00.00.00.00.00
 txN 00.00.00.00.00.00.00.00
 00.00.00.00.00

*spamApTask0: Dec 03 11:26:19.690: 00:1e:4a:a8:b1:88 Decryption of message from AP failed00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:19.690: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:20.733: Unable to find deleted AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:20.733: 00:1e:4a:a8:b1:88 Join Priority Processing status = 0, Incoming Ap's Priority 0, MaxLrads = 100,joined Aps =1
*spamReceiveTask: Dec 03 11:26:32.658: b4:b6:76:c3:56:db Unable to get RadId. Sending of PMK cache entry to all APs in flexconnect group failed :: bssid 00:00:00:00:00:00

"Security processing of Image Data failed for AP" was a message in the output that I thought was strange, along with other references to the image. I then checked the Cisco Wireless Controller Compatibility Matrix; to my disappointment the AP was no longer supported. It ended up with a long and slow process of having one of the local guys in Chile downgrade from controller-based AP to standalone.
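The debug output above can be triaged automatically so that the "unable to open image file" line is not lost among the repeated decryption errors. This is an added example, not part of the original post; the function names are hypothetical and the sample lines are taken from the output above, trimmed.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the debug output in the post, trimmed.
DEBUG_LOG = """\
*spamApTask0: Dec 03 11:26:12.645: Could not find BoardDataPayload
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Refusing image download to AP 00:1e:4a:a8:b1:88 - unable to open image file /bsn/ap//c1100
 Error:No such file or directory(2)
*spamApTask0: Dec 03 11:26:14.685: 00:1e:4a:a8:b1:88 Decoding of Image Data failed from AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:15.683: 00:1e:4a:a8:b1:88 Security processing of Image Data failed for AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:16.687: 00:1e:4a:a8:b1:88 Error decrypting packet from AP 00:1e:4a:a8:b1:88
*spamApTask0: Dec 03 11:26:20.733: Unable to find deleted AP 00:1e:4a:a8:b1:88
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# "*task: Mon DD HH:MM:SS.mmm: <ap-mac> <message>"
LINE_RE = re.compile(rf"^\*\w+: \w+ \d+ [\d:.]+: ({MAC}) (.*)$", re.I)
REFUSED_RE = re.compile(r"Refusing image download .* unable to open image file (\S+)")


def triage_capwap_errors(log_text):
    """Summarise per-AP join failures from 'debug capwap errors' output."""
    aps = defaultdict(lambda: {"missing_image": None, "decrypt_errors": 0,
                               "image_data_failures": 0})
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # continuation lines (key/nonce dumps) or lines without an AP MAC
        mac, msg = match.group(1).lower(), match.group(2)
        refused = REFUSED_RE.search(msg)
        if refused:
            aps[mac]["missing_image"] = refused.group(1)
        elif msg.startswith("Error decrypting packet"):
            aps[mac]["decrypt_errors"] += 1
        elif "Image Data failed" in msg:
            aps[mac]["image_data_failures"] += 1
    return dict(aps)


def missing_image_aps(report):
    """APs the controller has no image file for: check the compatibility matrix first."""
    return sorted(mac for mac, entry in report.items() if entry["missing_image"])


if __name__ == "__main__":
    print(missing_image_aps(triage_capwap_errors(DEBUG_LOG)))
```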