Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
908
Views
15
Helpful
5
Replies

FlexConnect 8.3 to 8.5 upgrade in SSO

Go to solution
Arne Bier
VIP
VIP

‎05-10-2020 02:58 PM - edited ‎07-05-2021 12:02 PM

Hello

 

Is there any good advice when upgrading an SSO pair of 8510's from 8.3 to 8.5 ? 

There are a couple of thousand APs in Flex mode - but the Flex Groups contain APs from multiple sites - hence I am doubting that the FlexAP Upgrade will be of much benefit, since the remote sites cannot communicate with one another.

 

I have read the Release Notes and the Admin Guide and it seems to me that a standard AP pre-load would be required (and could take some time to trickle down to all the APs in remote locations).

 

I am also planning on running the TAC script that checks the flash file-system on the APs. I have run it before and I don't know if I can trust it - e.g. I have seen APs reported as Bad, then run script again, then it's good, and then run script again and it says the same AP is bad. I did the upgrade and the AP was just fine. On the other hand, a few APs that were reported as "good" went AWOL.

 

is there any danger in upgrading from 8.3.14x to 8.5.151.0 ? What precautions, other than saving the config, can be done to ensure that the upgrade goes smoothly? And any famous last words of advice for an SSO deployment?

 

regards

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Arne Bier

‎05-10-2020 09:05 PM

Well from my experience and comfort, I typically will migrate a few AP’s to see how well it goes and go from there. I know the 3702’s will be a nightmare due to the double upgrade. Again, it’s safer to have that one controller that you can migrate to. The risk will be during your testing as no one can say how easy or hard it will be. The time it takes for AP’s to download, come back up, you verify all AP’s are online and clients connected depends on your workflow.
-Scott
*** Please rate helpful posts ***

View solution in original post

5 Replies 5

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎05-10-2020 04:42 PM

SSO deployments are tough without another controller you can migrate AP’s to. If your not scared, you can remove the secondary and factory reset that and configure it as another controller. Run N+1 until you have all your sites upgraded then you can co figure the secondary back and get your SSO up and running. Just an option.
-Scott
*** Please rate helpful posts ***

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Scott Fella

‎05-10-2020 07:55 PM

Just to clarify. You don’t have to break SSO, just pull the secondary controller and factory reset that. Your primary will show that SSO is down but it will function. You build your other controller with the image you want, setup mobility between the two and then move AP’s or site until you are done.
-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to Scott Fella

‎05-10-2020 08:55 PM

Hi @Scott Fella 

 

thanks for the advice. In the past we have used a loan controller to slowly migrate chunks of the APs across, while maintaining the old SSO pair until the end, and then upgrade it without APs. But in the absence of a loan WLC, the suggestion of breaking the SSO is definitely an option.

How scary should an AireOS upgrade be? I see no reason why an 8.3.143 to 8.5.151 upgrade render a controller so broken that APs can't register anywhere, and therefore stay unregistered, causing a total outage.  Kind of makes a mockery of a "highly available" solution, if you ask me. 

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Arne Bier

‎05-10-2020 09:05 PM

Well from my experience and comfort, I typically will migrate a few AP’s to see how well it goes and go from there. I know the 3702’s will be a nightmare due to the double upgrade. Again, it’s safer to have that one controller that you can migrate to. The risk will be during your testing as no one can say how easy or hard it will be. The time it takes for AP’s to download, come back up, you verify all AP’s are online and clients connected depends on your workflow.
-Scott
*** Please rate helpful posts ***

Go to solution
Rich R
VIP
VIP
In response to Scott Fella

‎05-11-2020 06:43 AM - edited ‎05-11-2020 06:50 AM

You shouldn't expect any major gotchas but make sure you've read through the release notes before you start - it's amazing how many people don't and then are surprised when they encounter something mentioned in the release notes.
Also if you're upgrading to 8.5 it should be 8.5.161.0 not 8.5.151.0 because that resolves some critical security vulnerabilties as well as other fixes.

ps: refer to Leo's reply in a previous post about how to manually download the image to 3700 APs in advance to avoid the double download and reload which you'll get with standard pre-download.

https://community.cisco.com/t5/other-wireless-mobility-subjects/ap-migration-stuck-in-downloading-status/td-p/4075419

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card