12-22-2016 01:34 PM - edited 07-05-2021 06:16 AM
Hello all,
I currently have 2x 3502i-A-K9 APs connected to a WLC-4402. AP FW is 7.0.252.0 and the WLC FW is 12.4(23c)JA10.
I recently got a Virtual WLC and have it initially configured. I would like to migrate those APs over to it. I tried setting the new WLC as the master WLC and rebooted a single AP and waited to see if it would connect to the new one. It took a while but didn't connect and ended up going back to the old 4402.
The vWLC is running FW 8.2.141.0. I also tried setting a secondary WLC in the AP settings to the new vWLC and a simple reboot of the AP didn't have any positive results.
How would I go about migrating these APs over to the new vWLC? The compatibility matrix says the 3500i is supported on the current vWLC firmware?
12-22-2016 01:55 PM
I also tried setting a secondary WLC in the AP settings to the new vWLC and a simple reboot of the AP didn't have any positive results.
The vWLC should be in the Primary Controllers settings. This will force the APs to move to the new controller.
12-22-2016 02:10 PM
Tried that, I went to the AP > HA > Set Primary to vWLC and secondary to old-wlc... it ended up going back to old WLC... I may need to console into it and watch its boot process... I know it needs to grab a new IOS to connect to the vWLC (I think).
12-22-2016 02:47 PM
Post the complete output to the following commands:
1. vWLC: sh sysinfo;
2. vWLC: sh time; and
3. AP: sh version
12-22-2016 02:59 PM
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.2.141.0
RTOS Version..................................... 8.2.141.0
Bootloader Version............................... 8.2.141.0
Emergency Image Version.......................... 8.2.141.0
Build Type....................................... DATA + WPS
System Name...................................... vWLC
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 192.168.2.4
IPv6 Address..................................... ::
System Up Time................................... 7 days 21 hrs 4 mins 39 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... US - United States
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0
Burned-in MAC Address............................ 00:50:56:8A:70:23
Maximum number of APs supported.................. 200
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU
vWLC config...................................... Small
vWLC Time:
Time............................................. Thu Dec 22 22:53:55 2016
Timezone delta................................... 0:0
Timezone location...............................
NTP Servers
NTP Polling Interval......................... 3600
Index   NTP Key Index   NTP Server    Status    NTP Msg Auth Status
-----   -------------   -----------   -------   -------------------
1       0               192.168.1.6   In Sync   AUTH DISABLED
AP info:
cisco AIR-CAP3502I-A-K9 (PowerPC460exr) processor (revision A0) with 81910K/49152K bytes of memory.
Processor board ID FTX1550E11K
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from reload
LWAPP image version 7.0.252.0
1 Gigabit Ethernet interface
2 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 64:9E:F3:89:3A:9B
Part Number : 73-12175-05
PCA Assembly Number : 800-32268-05
PCA Revision Number : A0
PCB Serial Number : FOC15455J5Y
Top Assembly Part Number : 800-32891-01
Top Assembly Serial Number : FTX1550E11K
Top Revision Number : A0
Product/Model Number : AIR-CAP3502I-A-K9
Configuration register is 0xF
12-22-2016 03:23 PM
Remote or console into the AP and verify if the AP can ping the Management IP address of the vWLC or not.
12-22-2016 05:53 PM
I was able to ping the other route, from vWLC to AP. I am sure it will work the other way. I will try it though.
12-22-2016 05:58 PM
If the AP can ping the vWLC, then check for firewall rules.
12-22-2016 06:10 PM
They can ping both ways.
12-22-2016 06:53 PM
Can you please post the output to the command "sh license summary"?
12-23-2016 11:33 AM
12-23-2016 01:23 PM
The internal network is set on a different VLAN; from what I understand it should use whatever interface is associated with the WLAN to look up the DHCP settings (which are correct at the moment)... Thoughts?
Are the APs attached to any AP Group or not?
12-23-2016 01:59 PM
They are in the "default group"... I also added them to a "flexconnect" group with mostly default settings.
I noticed the AP was in "flexconnect local" mode and unchecked that box so it sends all data back to the controller. The AP is currently an access port in the AP VLAN, and the controller has the trunk port for all other communications.
12-23-2016 05:12 PM
I figured it out. The "flex connect local" checkbox was the culprit. Once I disabled that, the AP used the controller as the proxy instead of itself and it used the interface settings for the IP address... everything works now and I have all APs up and running.
Thank you for your help.
12-22-2016 05:59 PM
Oh check it out. This was the LOG on the one AP:
*Dec 22 15:31:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.2.4 peer_port: 5246
*Dec 22 15:31:00.003: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Dec 22 15:31:00.003: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 22 15:31:00.003: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Dec 22 15:31:00.003: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.2.4
*Dec 22 15:31:00.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.2.4:5246
*Dec 22 15:31:00.003: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.2.4: Malformed Certificate
*Dec 22 15:31:00.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.2.4:5246
*Dec 22 15:31:00.003: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
So there is an issue with the CERT?
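For triaging AP console logs like the one posted above, the following added example (not part of the original thread and not Cisco tooling) groups CAPWAP DTLS join attempts by controller IP and counts the certificate-verification errors and fatal alerts that follow each attempt. The function names are hypothetical, and the sample input is the log as posted.

```python
import re
from collections import defaultdict

# AP console lines as posted in the thread above.
SAMPLE_LOG = """\
*Dec 22 15:31:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.2.4 peer_port: 5246
*Dec 22 15:31:00.003: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Dec 22 15:31:00.003: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 22 15:31:00.003: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Dec 22 15:31:00.003: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.2.4
*Dec 22 15:31:00.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.2.4:5246
*Dec 22 15:31:00.003: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.2.4: Malformed Certificate
*Dec 22 15:31:00.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.2.4:5246
*Dec 22 15:31:00.003: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
"""
# "*<timestamp>: [%FACILITY-SEVERITY-MNEMONIC: ]<message>"; the %-tag is optional.
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ [\d:.]+): "
    r"(?:%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): )?(?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
CERT_TEXT = re.compile(r"certificate verif\w+ failed|malformed certificate", re.I)

def summarize(log_text):
    """Return {peer_ip: {"attempts", "cert_failures", "fatal_alerts"}}."""
    stats = defaultdict(lambda: {"attempts": 0, "cert_failures": 0, "fatal_alerts": 0})
    current_peer = None  # controller named in the most recent DTLS request
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg, mnem = m["msg"], m["mnem"]
        ip = IP_RE.search(msg)
        if mnem == "DTLSREQSEND" and ip:
            current_peer = ip.group(1)
            stats[current_peer]["attempts"] += 1
            continue
        # Lines without an IP are attributed to the last requested peer.
        peer = ip.group(1) if ip else current_peer
        if peer is None:
            continue
        if mnem == "BAD_CERT" or CERT_TEXT.search(msg):
            stats[peer]["cert_failures"] += 1
        elif mnem == "SEND_ALERT" and "FATAL" in msg:
            stats[peer]["fatal_alerts"] += 1
    return dict(stats)

def peers_rejected_for_cert(log_text):
    """Controllers the AP tried to join but rejected during certificate checks."""
    return sorted(p for p, s in summarize(log_text).items() if s["attempts"] and s["cert_failures"])
```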