
Relocate the existing Controller or setup a new controller

gamane
Level 1


Hi Everyone,

We have an existing Wireless Controller (AIR-CT5508-K9) in one of our data centers, and this controller services 60 APs spread out across six different sites/offices.

Note that the existing data center where the controller is located will be decommissioned, so we are planning to relocate the existing controller or set up a new controller.

Question number 1: If we were to set up another controller from a new data center, then copy the config from the existing controller, then migrate the APs one by one to the new controller, would this be feasible?

Question number 2: How long can APs function controller-less?

 

Thanks,

gamane


marce1000
VIP

 

  Q1: It is feasible, but if possible don't migrate the existing controller; the 5508 platform is old, look at the 9800-based platform(s) and/or solutions.
  Q2: If they are in CAPWAP (client) mode, then they cannot work without a controller.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

I'll add to that - there's really not enough information to answer Q2 properly.

For example if the APs are in flexconnect mode and using local switching and local authentication then they can probably keep working in standalone mode.  If they're not then the degree of impact really depends on the exact design and configuration.  If everything gets tunnelled back to the WLC over CAPWAP then you'll lose it all as soon as they lose connection to the WLC.

This doc is old but will give you some idea what I'm talking about:
https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-wlc-00.html#toc-hId-961437047

gamane
Level 1

Hi @marce1000 @Rich R I really appreciate all your time in answering my questions. I do have some follow up inquiries and I hope you can provide some feedback as well.

1. How do I check if the APs are in flex connect mode or CAPWAP mode?
2. We are bringing up a second controller on a different IP address. Is it possible to migrate the APs one by one?
3. Any issues anyone can think of other than connectivity?

 

Regards,

gamane

 

>...1. How do I check if the APs are in flex connect mode or CAPWAP mode?
That is defined in the AP settings in the controller configuration pages.

>...Is it possible to migrate the APs one by one?
If DHCP option 43 is used to point to the designated controller for the AP, then you can change that per access point (e.g.).

>...(bringing up second controller) Any issues anyone can think of other than connectivity.
It is, for instance, strongly advised to run a configuration check on the new controller before production release, with this procedure: https://community.cisco.com/t5/networking-knowledge-base/show-the-complete-configuration-without-breaks-pauses-on-cisco/ta-p/3115114#toc-hId-1039672820 . Have the output analyzed with https://cway.cisco.com/wireless-config-analyzer/ ; if the new controller is a 9800-based model, then use the command show tech wireless instead as input for WirelessAnalyzer.

 M.

   



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

1. "show ap mode local" and "show ap mode flexconnect"

2. Option 43 if you have them on different subnets - easily achieved by simply moving the AP switch port to a new VLAN, or manually edit the primary/secondary controllers on the AP HA tab (that will override anything it learns from option 43) - can also be done from CLI with "config ap primary-base <wlc-name> <ap-name> <wlc-IP>" and "config ap secondary-base <wlc-name> <ap-name> <wlc-IP>". When changing the AP HA setting, it should take effect sometime within the ap-primary-discovery-timeout time (default value is 120 seconds/2 minutes), which is how often the AP should check for the configured primary.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/ap_connectivity_to_cisco_wlc.html?bookSearch=true#ID2960

JPavonM
VIP

The quick way to check if AP mode is Flexconnect or not is to use this command on the CLI, if it returns "FlexConnect" then you are there:
grep include "AP Mode " "show ap config general <your_ap_name_here>"
Regarding issues when moving from legacy AireOS WLCs to new IOS-XE WLCs, there could be a lot, but always related to config translation. One way would be to use the embedded conversion tool for an untrained admin on the new code, but this introduces a lot of weird configs. My recommendation: do it manually, but then you would need to do a lot of tests until you have something that works.
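An added example, not part of any post in this thread and not Cisco code: it parses "show ap config general" output, reads the "AP Mode" field the grep above looks for, and builds the per-AP "config ap primary-base" commands from the earlier reply, ordering FlexConnect APs first. The field labels, AP names, controller name and IP addresses in the sample are assumptions constructed for the illustration.

```python
import re

# Constructed sample: trimmed "show ap config general" output for three APs.
# Field labels are assumed to match AireOS; AP names, WLC name and IPs are made up.
SAMPLE = """\
Cisco AP Name.................................... AP-SITE2-01
AP Mode ......................................... Local
Primary Cisco Switch IP Address.................. 10.10.10.5
Cisco AP Name.................................... AP-SITE1-01
AP Mode ......................................... FlexConnect
Primary Cisco Switch IP Address.................. 10.10.10.5
Cisco AP Name.................................... AP-SITE3-01
AP Mode ......................................... FlexConnect
Primary Cisco Switch IP Address.................. 10.20.20.5
"""
# "label, dot leaders, value" lines; the lazy label stops at the first run of dots
FIELD = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<val>.*)$")

def parse_aps(text):
    aps, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Cisco AP Name":  # starts a new AP record
            cur = {"name": val, "mode": "unknown", "primary_ip": ""}
            aps.append(cur)
        elif cur and key == "AP Mode":
            cur["mode"] = val
        elif cur and key == "Primary Cisco Switch IP Address":
            cur["primary_ip"] = val
    return aps

def migration_plan(aps, new_wlc_name, new_wlc_ip):
    plan = []
    for ap in aps:
        if ap["primary_ip"] == new_wlc_ip:
            continue  # already pointed at the new controller
        flex = ap["mode"].lower() == "flexconnect"
        # FlexConnect only survives WLC loss with local switching/auth; verify per WLAN
        impact = "may run standalone" if flex else "clients drop until rejoin"
        cmd = f"config ap primary-base {new_wlc_name} {ap['name']} {new_wlc_ip}"
        plan.append((ap["name"], impact, cmd))
    # Stable sort: move the APs that tolerate controller loss first
    return sorted(plan, key=lambda p: p[1] != "may run standalone")

if __name__ == "__main__":
    for name, impact, cmd in migration_plan(parse_aps(SAMPLE), "WLC-NEW", "10.20.20.5"):
        print(f"{name:12} {impact:26} {cmd}")
```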

Hi @JPavonM @marce1000 @Rich R . Thanks again for the feedback.
I am also trying to introduce another radius server for this existing controller, currently the radius server that is being used is for authenticating wireless users, but this radius server will be decommissioned soon, but we plan to replace that with a new one but it will be in a different location. Would you be able to share the instructions on how we introduce a new radius server to the controller and how to test it with the existing wlan ?

JPavonM
VIP

The best way to test this is to create a new WLAN profile with the same specs as the production one but a different ID, assign this to an AP group where your test AP would be, and try to connect.

If that works, then you are ready to swap the AAA server in the production WLAN.

Hi @JPavonM ,

I tried to use the new radius server but users were unable to connect, and it is giving them the error "can't connect to the network". I did run a debug from the controller and it seems the request from the user was picked up by the controller. The controller then relayed the packet to the RADIUS server for authentication, but the RADIUS server sent an "Authentication failed" reply.

Below is a screenshot of the debug aaa all enable. I would appreciate it if you could provide some thoughts or workarounds on this.

 

Authentication error.JPG

 

JPavonM
VIP

To debug the authentication you need to look into the RADIUS server logs; maybe wrong certificate selected, or wrong AD group, or wrong EAP type.

Thanks @JPavonM , I'll look into this.

gamane
Level 1

@JPavonM @Rich R @marce1000 . I've read an article saying that, to enable HA, both controllers' redundancy port and redundancy management interfaces must be configured in the same subnet.

My question is, is it possible to have different subnets for the redundancy port and redundancy management interfaces? This is because the secondary controller is located in another location.

What you've read is correct. It's not recommended to have them in separate locations but if you do (at your own risk, latency will be important) then you'll need layer 2 connectivity between them. 
If you have them in separate locations then you should rather consider N+1 HA instead of HA SSO.

@Rich R What if I just set up another controller hosted in a different location and copy-paste the configuration from the existing controller, except its IP address? Please note that the new controller will have the same connectivity to the existing APs controlled by the existing controller. My questions are:

1. Will it create an issue if the new controller is powered up with the same config (except the IP address) as the existing controller, for example, Access Points starting to register to the new controller?

2. How can I manually de-register the APs from the existing controller and re-register them to the new controller?

 

Thanks,

gamane
