Solved: 5520 WLC in HA Pair (SSO) - How to break the SSO

jaketheape · ‎10-07-2022

Hi All,

I'm hoping you can advise here. We have 2x 5520 wlc's in an SSO pair. I've tried to replicate breaking the SSO pair and what would happen in GNS3 however, gns3 doesn't seem to support redundancy in the wlc. So am looking for advice form someone who has broken an SSO pair, what the procedure would be, and what was observed during the breaking of the SSO. I'm thinking it should be fairly straightforward, just not too sure of what to expect once the SSO has been broken. Any help/advice greatly appreciated. Thankyou.

Rich R · ‎10-09-2022

The command is in the link @balaji.bandi provided and also newer version of the guide at https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/High_Availability_DG.html#pgfId-202217

Disabling SSO on HA Pair

1. On primary controller, disable SSO using the command:

Config redundancy mode disable

The Active and Standby WLCs reboot once this command is executed.

The standby controller, when it comes back after the reboot, has the same IP address on interfaces as the primary controller and all the ports disabled.

2. On the standby controller, re-enter the correct IP addresses corresponding to the management and dynamic interfaces and execute the following command:

Config port adminmode all enable

3. Save the configuration on the controller.

4. To re-enable SSO, execute the command Config redundancy sso on the primary and secondary controllers.

Both controllers reboot and pair up in the SSO mode. The standby will sync its configuration from the primary and come back in Hot-standby mode.

Also discussed at https://community.cisco.com/t5/wireless/what-happens-when-splitting-ha-pair-wlc-5508/td-p/3211533

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

View solution in original post

balaji.bandi · ‎10-08-2022

HA means you need 2 Physical one to work as HA

you can refer below guide :

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-1/HA_SSO_DG/High_Availability_DG.html

You can break the HA for some reasons like :

replacing the failed unit or upgrade for testing so on...

personally, I do not believe this works on GNS3 as HA, since I have not come across that vWLC supports HA here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

jaketheape · ‎10-10-2022

Thankyou for your reply. Yes we already have a HA which I want to break as this is no longer required. I will take a look at the commands you have posted.

Rich R · ‎10-09-2022

The command is in the link @balaji.bandi provided and also newer version of the guide at https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/High_Availability_DG.html#pgfId-202217

Disabling SSO on HA Pair

1. On primary controller, disable SSO using the command:

Config redundancy mode disable

The Active and Standby WLCs reboot once this command is executed.

The standby controller, when it comes back after the reboot, has the same IP address on interfaces as the primary controller and all the ports disabled.

2. On the standby controller, re-enter the correct IP addresses corresponding to the management and dynamic interfaces and execute the following command:

Config port adminmode all enable

3. Save the configuration on the controller.

4. To re-enable SSO, execute the command Config redundancy sso on the primary and secondary controllers.

Both controllers reboot and pair up in the SSO mode. The standby will sync its configuration from the primary and come back in Hot-standby mode.

Also discussed at https://community.cisco.com/t5/wireless/what-happens-when-splitting-ha-pair-wlc-5508/td-p/3211533

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

jaketheape · ‎10-10-2022

Thankyou. Exactly what I was looking for I just wanted to know how the controller would react once I had disabled the SSO as I cant do this in a virtual lab environment. The standby controller will be used at another site as a foreign controller so I wont require step 2 of your solution.

jaketheape · ‎10-13-2022

Hi again,

You mention this 'The standby controller, when it comes back after the reboot, has the same IP address on interfaces as the primary controller and all the ports disabled.' So will that mean I wont be able to access what was the standby controller? you say same ip addresses i imagine will be using the same management ip address as primary but disabled?.. As long as the primary comes back up with the APs on this i will be decommissioning what was the secondary controller so don't necessarily need remote access - but if it causes issues and i need to get on remotely that could be a problem..

jaketheape · ‎10-18-2022

I broke the SSO all went well. The secondary controller, now stand alone had all its ports disabled as I had expected. I ran the command to re-enable to ports:

Config port adminmode all enable

However, I cannot get back on the service-port / or ping it. The port is set to dhcp and I can see it come up strangely in the dhcp server.

I also tried using the management port but it looks like this was configured to use fibre - how can i change it so that the rj45 port for management is used? Any ideas on both ?

Thanks

Rich R · ‎10-13-2022

And that's why you should always have the CIMC connected and configured.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs