9800 HA SSO and Certificate Setup/Failover

tcebak
Level 1

Good Day,

I have two questions related to the SSL certificate for a pair of 9800-40s set up in an HA SSO pair.

Using the guide "Configure High Availability SSO on Catalyst 9800 | Quick Start Guide - Cisco" and setting up the IPs, it says that basically you set up both WLCs with IPs, and each gets an RMI IP.
Does the RMI IP have to be in the same VLAN/subnet as the main WLC IP? I assume it makes more sense to put them together, since all three addresses are routable.
Also, with AAA I have to make sure to call out the WLC WMI and both RMI IPs.

Secondly, having set up HA SSO and using a CA-signed certificate, I assume I still use the primary WLC WMI IP to manage the device, so that IP should resolve to the DNS name. But should both RMI IPs resolve to the DNS name as well?
WLC01 - WMI 10.1.1.10
WLC01 - RMI 10.1.1.11
WLC02 - RMI 10.1.1.20

I think I read in "Generate and Download CSR Certificates on Catalyst 9800 WLCs - Cisco" that the certificate should copy over to the secondary, but I also see where some people still upload it to the secondary WLC, which you would access with the WLC02 RMI IP address.

Lastly, during a failover, does the primary IP switch between the devices? I.e., 10.1.1.10 will access the primary/active WLC, but if you needed to look at or work on a certain device, you use that device's RMI IP address.

Thank you for your time, and please let me know if I need to further explain anything.

7 Replies

marce1000
Hall of Fame

 - A few items: you do not need to copy the certificate to the secondary; the primary IP remains transparently available during a failover; RMIs must not be in the same subnet as the main WLC IP; they don't need DNS names.

      Foremost: when configuring the 9800 controller, always validate such issues by using WirelessAnalyzer.
      This is done with the CLI command show tech wireless (not a simple show tech); feed the output from that into
      Wireless Config Analyzer.
                   You will (also) get immediate feedback on configuration errors related to these items.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thank you for the comment about RMIs being in a different subnet! I think I overlooked that in the example when I was looking through a few different documents.

"when RMI + RP is used, both Standby and Active controllers have a redundancy management interface (RMI) to which are assigned IP addresses, namely used to ensure gateway reachability." Just making sure: do those IPs need to be in a valid subnet that can route across the network? Or can you put in basically a non-valid subnet that doesn't exist on the network?

Thanks again!

The Redundancy Management Interface (RMI) is used as a secondary link between the active and standby Cisco Catalyst 9800 Series Wireless Controllers. This interface is the same as the wireless management interface, and the IP address on this interface is configured in the same subnet as the Wireless Management IP.

Two HA interfaces (RMI and RP) must be configured on the same subnet, and the subnet cannot be shared with any other interfaces on the device.

Ref: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_vewlc_high_availability.html#restrictions-high-avail

Jagan Chowdam
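The two addressing rules in the accepted answer above (each RMI sits in the wireless management subnet; the RP pair uses a subnet not shared with any other interface on the box), as an added Python pre-flight check that is not part of this thread and not Cisco's own tooling. The sample addresses are the ones from the original post; the /24 mask, the "other interface" address, and the RP derivation rule (169.254.<third octet>.<fourth octet> of each RMI, which is the default the quick-start guide describes) are assumptions, so confirm the RP addresses against your own release before relying on them.

```python
import ipaddress

# Constructed addressing plan mirroring the original post.
# WMI 10.1.1.10, RMIs 10.1.1.11 and 10.1.1.20 come from the post;
# the /24 mask, the RP addresses and the extra SVI are assumptions.
SAMPLE_PLAN = {
    "wmi": "10.1.1.10/24",
    "rmi": ["10.1.1.11", "10.1.1.20"],
    "rp": ["169.254.1.11/16", "169.254.1.20/16"],   # assumed default-derived RP pair
    "other_interfaces": ["10.1.2.1/24"],            # assumed second SVI on the box
}


def derive_default_rp(rmi: str) -> str:
    """Assumed default RP address for an RMI: 169.254.<octet3>.<octet4>.

    This mirrors the auto-derivation the quick-start guide describes;
    treat it as an assumption and verify on the running controller.
    """
    octets = str(ipaddress.ip_address(rmi)).split(".")
    return f"169.254.{octets[2]}.{octets[3]}"


def check_ha_addressing(plan: dict) -> list:
    """Return a list of rule violations; an empty list means the plan passes.

    Rule 1: every RMI address is inside the WMI subnet.
    Rule 2: WMI and the two RMIs are distinct, and there are exactly two RMIs.
    Rule 3: both RP addresses share one subnet, and that subnet does not
            overlap the WMI subnet or any other interface subnet on the device.
    """
    problems = []
    wmi = ipaddress.ip_interface(plan["wmi"])
    wmi_net = wmi.network
    rmis = [ipaddress.ip_address(a) for a in plan["rmi"]]

    # Rule 1: RMI in the WMI subnet (same VLAN as the management interface)
    for rmi in rmis:
        if rmi not in wmi_net:
            problems.append(f"RMI {rmi} is not in the WMI subnet {wmi_net}")

    # Rule 2: one RMI per controller, no address reuse
    if len(rmis) != 2:
        problems.append("exactly two RMI addresses are expected (one per controller)")
    addrs = [wmi.ip] + rmis
    if len(set(addrs)) != len(addrs):
        problems.append("WMI and RMI addresses must all be distinct")

    # Rule 3: RP subnet is dedicated to the redundancy link
    rp_nets = {ipaddress.ip_interface(a).network for a in plan["rp"]}
    if len(rp_nets) != 1:
        problems.append("both RP addresses must be in a single subnet")
    other_nets = [ipaddress.ip_interface(a).network for a in plan["other_interfaces"]]
    for rp_net in rp_nets:
        for net in other_nets + [wmi_net]:
            if rp_net.overlaps(net):
                problems.append(f"RP subnet {rp_net} overlaps interface subnet {net}")

    return problems


if __name__ == "__main__":
    for rmi in SAMPLE_PLAN["rmi"]:
        print(f"RMI {rmi} -> default RP {derive_default_rp(rmi)}")
    issues = check_ha_addressing(SAMPLE_PLAN)
    print("OK" if not issues else "\n".join(issues))
```

Run it against your own plan before touching the controllers; a non-empty result is the same class of error Wireless Config Analyzer would flag later from the show tech wireless output, but caught while the addresses are still on paper.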

OK, thank you. I think I keep getting the different connections mixed up in my head, but this is making sense and I'm following now. Thanks! Just going to configure it to double check. Thanks again!

 - @tcebak OK, remember to execute the WirelessAnalyzer procedure as described afterwards; it is kind of mandatory before production use!
 You may also find this presentation useful: https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2024/pdf/BRKEWN-2094.pdf
 although that only mentions the basics (SSIDs, WLANs, ...); it's not focused on the HA stuff.

  M.


Thank you, that document does help explain the SSIDs/WLANs/etc., and the pictures/examples make it easier to understand. Luckily I was able to fumble my way through setting up my single lab 9800, though I'm still just getting used to the new layout and policies. Of course the lab is simple and our PROD switchover will have a lot more, but any documentation always helps, and I'll check out the WirelessAnalyzer.

         - Yeah, you can already use WirelessAnalyzer on the lab 9800 too, to get a look and feel for it.

 M.
