A Cloud AP Fails to Be Upgraded
Symptom
A cloud AP fails to be upgraded.
Possible Causes
- The network between the AP and file server fails.
- The AP upgrade file does not exist on the file server.
- The device certificate is incorrect.
Troubleshooting Procedure
- Check the network connectivity.
When the AP needs an upgrade, the cloud management platform delivers a message, and the AP then downloads the upgrade file from the file server. The network between the AP and file server may be abnormal even if the AP can go online. Therefore, you need to check the network connectivity between the AP and file server.
Check whether the AP and file server can communicate with each other.
- Ping the IP address of the file server from the AP for a long time to check whether the file server is reachable and whether packet loss occurs.
<AP> ping -c 1000 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=128 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=128 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=128 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=128 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=128 time=1 ms
...
- Check whether a firewall is deployed between the device and file server and whether the firewall allows HTTPS packets to pass through. If not, configure the firewall to allow HTTPS packets to pass through.
[Firewall] interface GigabitEthernet 1/0/1
[Firewall-GigabitEthernet1/0/1] service-manage https permit
- Check whether the upgrade port number on the cloud AP is disabled. The upgrade port number on the cloud AP is different from its provisioning port number. Therefore, ensure that the common port numbers on the cloud AP are enabled.
- Check whether the AP upgrade file exists on the file server.
If the AP fails to be upgraded after a version upgrade or data migration is performed on the file server, you are advised to conduct this check.
- Check the device and file server certificates.
- Check whether the device certificates are valid.
- Check whether the local certificate is valid.
Run the "pki validate-certificate local realm default" command. If "Local encryption certificate is valid" is displayed in the command output, the local certificate is valid. If the local certificate is invalid, replace the local certificate.
[AP] pki validate-certificate local realm default
Info: It will take a few seconds or more to validate specified certificate. Please wait a moment.
Info: Local encryption certificate is valid.
Info: It will take a few seconds or more to validate specified certificate. Please wait a moment.
Info: Local signature certificate is valid.
- Check whether the CA certificate is valid.
Run the "pki validate-certificate ca realm default" command. If "CA certificate is valid" is displayed in the command output, the CA certificate is valid. If the CA certificate is invalid, replace the CA certificate.
[AP] pki validate-certificate ca realm default
The trusted CA's fingerprint is:
MD5 fingerprint:2F3F BBBC 8347 0CEF 92D9 757E 3A8A 2E86
SHA1 fingerprint:60B2 B7BE EF2F 832C 596E FF75 CD4C F82B 19B0 7904
SHA256 fingerprint:DA2A BE92 25D7 95A3 80E2 899D 530E F031 8A5B 32BC 81AA FD44 88BA 961D DF75 02D4
Is the fingerprint correct?(Y/N):y
Info: CA certificate is valid.
- If both the local and CA certificates are valid, check whether the certificates match those on the cloud management platform.
- Check whether the device certificates are new or old.
Run the "display pki certificate local realm default" command on the AP to check the issuer of the local certificate.
- If "CN=Huawei Equipment CA" or "Huawei Enterprise Network Product CA" is displayed in the command output, the certificate is new.
Figure 16-1 Issuer of a new certificate
- If "CN=Huawei Switch & Enterprise Communication Product Line CA" is displayed in the command output, the certificate is old.
Figure 16-2 Issuer of an old certificate
- Check whether the issuer of the CA certificate is the same as that of the local certificate.
If not, cloud management platform services are affected. You need to replace the certificate.
If the CA list contains both the new and old certificates, both the new and old certificates are trusted. This situation is normal.
For details about how to replace a certificate, see Replacing Device Certificates.
- Check whether the certificate issuer matches the service port.
A device with a new certificate uses port 18020 to download the software package, while a device with an old certificate uses port 18021.
Run the telnet IP address port number command to connect a PC to the file server. If the connection fails, replace the certificate.
- Troubleshoot based on error information returned by the cloud management platform.
The following lists possible causes for upgrade failures and troubleshooting methods:
- nospace in AP memory: The device memory is insufficient.
Restart the AP and perform an upgrade again.
- Upgrade restrictions exist.
Select a proper software version for upgrade according to the upgrade guide.
- Collect the following information:
- Device information
Information Type            View              Command
Version information         Diagnostic view   vrbd
Patch information           All views         display patch-information
Startup information         All views         display startup
Configuration information   All views         display current-configuration
File system information     All views         dir flash:/
- Log files
Export all log files (in the .dblg, .log, .dblg.zip, or .log.zip format) that record the fault occurrence time in the flash:/logfile directory using FTP or through the web platform.
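The issuer and service-port checks from the certificate step above can be run from a PC in one pass instead of by hand with telnet. The following is an added example, not Huawei's tooling: the function names and the issuer string layout ("C=..., O=..., CN=...") are assumptions, while the issuer names and ports 18020/18021 are those given in the procedure.

```python
import socket

# Issuer CNs and download ports as stated in the procedure above.
NEW_ISSUERS = {"Huawei Equipment CA", "Huawei Enterprise Network Product CA"}
OLD_ISSUERS = {"Huawei Switch & Enterprise Communication Product Line CA"}
PORT_BY_GENERATION = {"new": 18020, "old": 18021}

def issuer_cn(issuer):
    """Return the CN of an issuer string (layout 'C=.., O=.., CN=..' is assumed)."""
    for part in issuer.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip()
    return ""

def generation(issuer):
    """Classify a certificate as 'new', 'old' or 'unknown' by its issuer CN."""
    cn = issuer_cn(issuer)
    if cn in NEW_ISSUERS:
        return "new"
    return "old" if cn in OLD_ISSUERS else "unknown"

def port_open(host, port, timeout=3.0):
    """TCP connect test, the scripted equivalent of the telnet check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(local_issuer, ca_issuers, file_server, ports=PORT_BY_GENERATION):
    """Apply the issuer-match and issuer-to-port checks in order."""
    gen = generation(local_issuer)
    if gen == "unknown":
        return "issuer not listed in the procedure: inspect the local certificate"
    # A CA list holding both new and old issuers is normal; the local
    # certificate's issuer only has to be among them.
    if issuer_cn(local_issuer) not in {issuer_cn(i) for i in ca_issuers}:
        return "CA issuer differs from local issuer: replace the certificate"
    port = ports[gen]
    if not port_open(file_server, port):
        return f"{gen} certificate, port {port} unreachable: replace the certificate"
    return f"{gen} certificate, port {port} reachable"

if __name__ == "__main__":
    # Constructed sample issuer strings, not captured device output.
    local = "C=CN, O=Huawei, CN=Huawei Equipment CA"
    print(generation(local), PORT_BY_GENERATION[generation(local)])
```

Pass the issuer lines copied from the display command output for the local and CA certificates, together with the file server address, to diagnose().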