
7.2.110.0 - caveat emptor

renoufi
Level 1

After recently upgrading to 7.2.110.0 and WCS to NCS 1.0 my advice would be.....don't do it.

I am only posting this here so that others who may be experiencing pain from this upgrade or are contemplating the upgrade are aware of some of the pitfalls.

I had to upgrade a customer site due to 3600i APs not being supported by older 7.0.116.0 firmware.

The release notes for the MSE upgrade are vague and, in places, wrong. As a result the client's MSE upgrade failed at the first attempt with no explanation as to why.  TAC could only recommend trying again. The second attempt succeeded but now the MSE won't start its 1Gb interfaces unless they are tied to 100 Mb. That case is still open.

Guest access using 5508 anchor controllers failed completely at my site with 7.2.110.0. I have just back rev'ed to 7.0.116.0 in order to get guest access going again. After several days of head scratching I logged it with Cisco. It took TAC 2 days to figure that one out.

NCS 1.0 seems to have a bug in the lobby ambassador, giving completely different pages depending on whether you open with IE or Firefox. Haven't fully diagnosed that one or logged it with TAC yet.

I also managed to break the entire wireless network when the new 3600s were brought into NCS. It was probably a mistake on my part, but it seemed the addition of the new APs removed the VLAN information from my existing APs, specifically Native VLAN and Locally Switched VLAN configuration.


Scott Fella
Hall of Fame

        

That's too bad that it went the way it did.  As a consultant, I have had to do many of these upgrades and you kind of figure out what works and what doesn't.  The upgrade to 7.2 has been an issue when the FUS image is not installed.  There used to be a FUS image where you needed to sit on the console and hit 'Y' at each prompt, and that takes around 30 minutes to complete.  The new FUS 1.7.0.0 is automated so all you need to do is upload the code and reboot.  This also takes around 30 minutes.

As far as NCS, I think you need to use Chrome.  All the other browsers just don't work right and if you upgrade to PI 1.2, then you really need to use Chrome.

MSE is a funny one and the initial script you run is not so great.  I write the MAC address and gateway to the ifcfg-eth0, because depending on what port is discovered first, that is eth0.  So by manually adding the MAC address to the ifcfg-eth0, this will never change.

 

Enter the following commands after you complete the startup wizard

/etc/init.d/network restart

echo GATEWAY=10.7.6.1 >> /etc/sysconfig/network-scripts/ifcfg-eth0

echo HWADDR=00:1E:67:15:B8:59 >> /etc/sysconfig/network-scripts/ifcfg-eth0

ifconfig eth0

Verify the configuration for eth0

Check system status

start|stop|restart|reload|status

/etc/init.d/msed status

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
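An added example, not part of the post above: appending with `echo ... >>` adds another `HWADDR=`/`GATEWAY=` line every time the step is repeated, so this sketch replaces any existing assignment instead and rejects a malformed MAC before touching the file. The function names (`set_ifcfg_key`, `pin_eth0`, `ifcfg_get`) are hypothetical helpers; the MAC and gateway are the values quoted in the post, and the demo runs against a constructed temporary file rather than the real `/etc/sysconfig/network-scripts/ifcfg-eth0`.

```shell
#!/bin/sh
# Hypothetical helpers (not MSE tooling): idempotent edits to an ifcfg file.

# set_ifcfg_key FILE KEY VALUE: replace an existing KEY= line or append one.
set_ifcfg_key() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Keep every line except earlier assignments of KEY (grep exits 1 if none remain).
    grep -v "^${key}=" "$file" > "$tmp" || :
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"    # overwrite in place so owner and mode are preserved
    rm -f "$tmp"
}

# is_mac STRING: succeed only for six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# ifcfg_get FILE KEY: print the value currently assigned to KEY.
ifcfg_get() {
    sed -n "s/^$2=//p" "$1"
}

# pin_eth0 FILE MAC GATEWAY: pin the interface to one NIC and set its gateway.
pin_eth0() {
    file=$1 mac=$2 gw=$3
    is_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    set_ifcfg_key "$file" HWADDR "$mac" &&
    set_ifcfg_key "$file" GATEWAY "$gw"
}

# Demo on a constructed sample file (not a real MSE config).
demo=$(mktemp)
printf 'DEVICE=eth0\nBOOTPROTO=static\nONBOOT=yes\n' > "$demo"
pin_eth0 "$demo" 00:1E:67:15:B8:59 10.7.6.1
pin_eth0 "$demo" 00:1E:67:15:B8:59 10.7.6.1   # second run adds no duplicates
cat "$demo"
rm -f "$demo"
```
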

Thanks for the update Scott. I'll try the MSE trick and see what happens.

Just remember, you can also add additional fields if you want.

-Scott

renoufi
Level 1

More info on controller revisions.

As per the TAC suggestion, I upgraded the 5508 anchor controllers to 7.3.101.0.  Unfortunately the 7.3.101.0 image has the same symptoms as 7.2.110.0. Guest Access fails.

I tried 7.0.235.3 which works successfully. So at this stage it appears either 7.0.116.0 or 7.0.235.3 can be used on the anchor.

Interesting. I have had no issues with 7.2.110.0 and 7.3.101.0 and anchoring.

-Scott

That is interesting. Possibly something peculiar about this particular customer site? I'd be interested to know the following:

i. Is your anchor in a DMZ behind a firewall? (My client has this configuration)

ii. Are you using the default 1.1.1.1 address for the virtual interface? (My client uses a 10.x.x.x address) Cisco were keen to blame this and DNS but the results of testing seemed to indicate a different problem and/or bug

Scott Fella
Hall of Fame

My installs had a DMZ WLC and I always use a 172.x.x.x or some private address that is not used on my client's network. I never use 1.1.1.1 for many many years now. I did when the 2006 were out. My anchor WLC would have a different mobility group name but that's about it.

-Scott

renoufi
Level 1

After only six months of head scratching by Cisco, it seems a bug has emerged.

Bug CSCuc69522 relates to the anchor controller issue. Cisco are providing an engineering release and apparently it's fixed in v8.0 (not available yet)

Since I first posted about 7.2.110, we have also tried to use 7.3 and 7.4 at another customer site with the corresponding MSE/NCS/ISE and EAP-TLS.

The list of problems encountered is quite mind boggling. We even came across this obscure bug that had only been seen in 5 cases worldwide and we were the only site that managed to get a dump of the issue. CSCud00831/CSCud77446

The MSE solution proposed by Scott was also (eventually) proposed by TAC. It fixed the MSE NIC boot problem but now the MSE has died again (responds to ICMP but nothing else). Another trip to the data centre required to diagnose it further.....
