Migrating 9800CL HA to a new pair

andre.ortega
Spotlight

 

Hi,

We have a pair of 9800CL running on VMware, managed by Catalyst Center and integrated with ISE (Trustsec).

These VMs are experiencing issues, with HA failing (the active WLC loses connectivity to the gateway and goes to status "removed").

TAC suggested installing new VMs and migrating the configuration. Given Catalyst Center and Trustsec, what are the steps for this migration?


13 Replies

Haydn Andrews
VIP Alumni

Firstly TAC should have provided the procedure, I do recommend asking them to validate it, and having them engage the Cat Centre team.

If CCC wasn't involved I would say just spin up new VM, to base config. Shut old one down and then dump the config of the old one onto the new one and there you go.

I do not believe that will have the same results if it's a managed CCC WLC.

When you say HA are you talking SSO or N+1?


 

TAC asked us to do that (create a new VM and migrate). I inquired about the procedure, but we are working with the WLC team, and the engineer said he cannot help with that...

We have SSO. Initially, I considered copying the config to the new one, but CatCenter contains information about the serial number, so I'm uncertain about the outcome. Additionally, ISE with TrustSec has the TrustSec password (usually the serial number), and that will change in this case.

Ambuj M
VIP

This does not sound like a WLC issue and sounds more like a VMware issue, so you should open a case with them and have them look. It can be a number of issues, VM losing gateway connectivity; the controller is behaving normally when losing gateway connectivity.

 

-hope this helps-

I have a case, and it was TAC that asked to do that.

Mark Elsen
Hall of Fame

 

- @andre.ortega A HA unit/member removed points to a loss of communication on the Redundancy Port between the two controllers.

Validate the configuration of the active controller using the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer.

+ Could you include a drawing or picture of the HA topology with network links and the VMware boxes?

M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

We completed all checks, and aside from the status, there is nothing in the network causing a loss of communication.

 

 

- @andre.ortega So did you execute the Wireless Config Analyzer procedure, because it is very important (tx)? And what about the topology drawing which I asked for?

M.




Yes, we executed the Wireless Config Analyzer.

 

- @andre.ortega Great; clarifying my topology argument: are the 2 9800CL on the same VMware box or different?

M.




Saikat Nandy
Cisco Employee

Based on the description, it looks like you are having HA-SSO as Active is going in 'removed' state post losing the GW reachability. When you say TAC has suggested to spin up new VMs and move the config there, I am assuming they meant the entire setup both Active & Standby - not just Standby.
If my assumption is true, then you can take the config backup of existing WLC and load it in the new 9800-CL deployment. Now since this is 9800-CL you need to generate a new SSC in the new controllers. So you can probably try - 
1. Spin up a new VM and load 9800-CL.
2. Configure it with a different IP address than your existing one as well as generate SSC.
3. Load the backup config (only the one needed and do it manually - you can leave DNAC telemetry settings out as the moment you add the WLC to DNAC all these will be pushed)
4. You can validate and do some testing with APs and clients. (make sure your SSIDs are working)

Now if you do not have 'too much' dependency (AP high availability+DNAC+ISE+SNMP etc), continue the new 9800-CL with new IP address. Or else you will have to change it back to old IP address - but again can not be done with MW.
Secondly when you say WLC is DNAC managed, is it just assurance or are you pushing config via dnac? In either case I am not too much worried because you can provision the new WLC in DNAC and config should get pushed. 

Note - Nothing mentioned about the Standby WLC so far. Once your active is up and running with new VM, you can deploy Standby and add it in HA which will be easy.

Please refer to Table 2 - https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-cl-dg.html. People often don't choose the correct spec while deploying the 9800-CL.

 

Thanks. You understood perfectly. We need to create two new WLCs to replace the whole HA pair.

Ideally, we want to keep the same IP we have in production.

Everything is managed by DNAC (assurance, config).

In this case, how do we keep the IP? Do you know what the impact would be? I'm concerned because on DNAC we have the serial, and mainly, in ISE we have TrustSec.

I don't know what will happen when we have the new WLC with a different serial but the same IP. Also I don't know if we have a workflow in DNAC for this case.

There could be some issues here and there but here is my game-plan.
1. Remove your existing WLC entry from DNAC inventory so that DNAC thinks it does not exist at all.
2. Take config backup from your current WLC.
3. Spin up a new VM with required spec and just configure Service Port (Gig1 for out of band management). You should get SSH and GUI access out of it.
4. Load your backup config - except WMI config. Just necessary config. SNMP, DNAC you can do later, should not be a show-stopper.
5. In the MW, power off your existing VM/WLC.
6. Configure WMI with same IP, WMI and SSC.
7. I am expecting the APs to start joining the new WLC.
8. Start validating client connectivity.
9. Once validated, you can add the new WLC back to DNAC.
10. Once DNAC, SNMP all are done, then plan for HA.

Now coming back to Trustsec, I think you need some adjustment in the ISE. From WLC side just config and ISE IP. But in ISE you need something and for that you can open an ISE TAC case and get this clarified. 
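
The split described in step 4 above and in the earlier reply (leave WMI, SNMP and DNAC telemetry out of the first load, and generate a new SSC on the new VM), as an added example that is not part of any post in this thread. The section prefixes and the sample backup are constructed assumptions; the old trustpoint blocks are held back on the assumption that the new VM gets its own SSC.

```python
# Added example: split a 9800-CL config backup into blocks to load first and
# blocks to hold back. The prefixes are assumptions; adjust to your backup.
DEFER_PREFIXES = (
    "wireless management interface",   # WMI: configured in the window
    "wireless management trustpoint",  # points at the old VM's SSC
    "crypto pki trustpoint",           # old VM's trustpoints
    "crypto pki certificate chain",    # old VM's certificates
    "snmp-server",                     # done later
    "telemetry ietf subscription",     # pushed again by DNAC
)

def top_level_blocks(config_text):
    """Group a config into blocks: one top-level line plus indented children."""
    blocks = []
    for line in config_text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue                      # skip blank lines and separators
        if line[0].isspace() and blocks:
            blocks[-1].append(line)       # child of the current block
        else:
            blocks.append([line])         # new top-level block
    return blocks

def split_backup(config_text):
    """Return (load_now, deferred) lists of config blocks as strings."""
    load_now, deferred = [], []
    for block in top_level_blocks(config_text):
        held = block[0].startswith(DEFER_PREFIXES)
        (deferred if held else load_now).append("\n".join(block))
    return load_now, deferred

# Constructed sample backup, not taken from the thread.
SAMPLE_BACKUP = """hostname WLC-EXAMPLE
!
crypto pki trustpoint TP-EXAMPLE
 enrollment selfsigned
!
wlan CORP 1 CORP
 no shutdown
snmp-server community EXAMPLE-RO RO
telemetry ietf subscription 1011
 encoding encode-tdl
wireless management trustpoint TP-EXAMPLE
wireless management interface Vlan10
"""

if __name__ == "__main__":
    now, later = split_backup(SAMPLE_BACKUP)
    print("! load first", *now, "! hold back", *later, sep="\n")
```

Review the held-back blocks by hand before the maintenance window rather than pasting them; the WMI lines are the ones re-entered on the new VM once the old one is powered off.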

I opened a TAC, and we are waiting for a response.
