Splitting a 9800-40 HA pair

WayneWeezy
Level 1

Hello, I have a 9800-40 WLC in an HA pair covering 2 sites that are connected via 1gb MPLS circuit. It has been requested to break the HA pair and move one controller to the other site. Each site uses its own vlan's for users connecting so I am trying to figure out the steps needed to make this split successful. The plan is to break the HA on the primary, and remove all vlans/ssid's from the 2nd WLC and take it to the remote site. I will need to assign a new management IP on it as well. My question is once I have the 2nd WLC online at the remote site I will disable the AP's on the switches as they are going to the primary, but when they come back online how will they find the local WLC instead of the one across the WAN? Am I missing any other key steps to this?

10 Replies

The WLC HA uses the active WLC mgmt IP in DNS or DHCP to make the APs discover it.

Since now you split it, I think you need one side to change its mgmt IP and use this IP in DNS/DHCP in that site to make the APs discover the WLC in that site.

MHM

WayneWeezy
Level 1

That's right, I recall creating a DHCP scope option 43 when they were first set up, pointing to the HA WLC. So I will need to create a new VLAN on the remote site for the APs, and add that option 43 pointing to the standalone remote WLC. Then on my switchports for the APs, I will need to change the native vlan command to point to that new one. Does that sound accurate?

marce1000
VIP

- This is not a good plan, in the context of 'coming from an HA pair'; if that is needed, the current HA solution which was implemented is lost. OK, let's then leave that alone for the moment: if you target a controller for a new purpose then configure it from scratch (again) for that purpose. Note that when checking out a 9800 configuration you can always use the CLI command show tech wireless and feed that into Wireless Config Analyzer. Note that this does not work with show tech.

Note that in a solid business context HA was configured for a good reason, and with that same reason, then another controller should have been bought for this (new) purpose. Besides, if the leftover controller is left also with the HA configuration in place, unwanted side effects could occur, and then in essence it should be reconfigured too from scratch.

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

WayneWeezy
Level 1

I understand an HA pair is going to be the best solution, but this is a management call at this point. A perfect scenario would be getting an HA pair at each site but I don't foresee that happening. Are you saying if I break HA, I will lose configurations on the secondary? If the config remains, my thought was 90% of the work was already done and a few minor changes would be needed. I would need to remove the VLANs, SSIDs, policies and management IP. Everything else would be the same, including the ISE integrations. So from what I understand you are recommending wiping the WLC and building it out from scratch at the remote site?

>... Are you saying if I break HA, I will lose configurations on the secondary? If the config remains...

- Then a better approach would be the following: 1) Save the running configuration from the current (primary) controller to an external repository. 2) Initialize the 'new' controller (former standby). 3) On the saved configuration from the former primary, review it with an editor and make the needed changes to make the new controller functional for the new place (such as management IP etc.). Then copy that configuration into the new controller and of course save it too. And foremost, as mentioned: issue the command show tech wireless and feed the output into Wireless Debug Analyzer. As stated, this procedure does not work from a simple show tech output; when this procedure is used (mandatory) then in the resulting Excel all errors red-flagged in the wlc-checkresults tab must always be corrected!!

M.

Rich R
VIP

I would recommend running them as N+1 redundancy for each other which is better than no redundancy at all.
The APs in site A have WLC A as primary and WLC B as secondary. The APs in site B have WLC B as primary and WLC A as secondary. And you configure option 43 accordingly at each site (remember you can configure both WLC IPs in option 43 with f108.01.02.03.04.05.06.07.08 where 1.2.3.4 and 5.6.7.8 are the WLC IPs). This means you'll need both sites' configs on both WLCs and to keep them updated with any changes at either site.
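Rich R's post above gives the two-controller option 43 string. The following is an added example, not code from the thread or from Cisco: it encodes and decodes that format (sub-option 0xf1, one length byte, then the controller IPv4 addresses in the order the AP should try them) and builds the per-site N+1 ordering he describes. Site names and addresses are constructed sample values.

```python
"""Build and parse DHCP option 43 for Cisco AP controller discovery (constructed example)."""
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # sub-option that carries controller IPv4 addresses


def encode_option43(wlc_ips):
    """Return raw option 43 bytes: 0xf1, length, then each WLC IPv4 in network byte order.
    The first address is the controller the AP tries first, so list the local WLC first."""
    if not wlc_ips:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if len(payload) > 255:
        raise ValueError("option payload does not fit the one-octet length field")
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload


def dotted_hex(option):
    """Render the bytes as the dotted two-digit groups used in the thread (f1.08.01.02...)."""
    return ".".join(f"{b:02x}" for b in option)


def decode_option43(option):
    """Parse option 43 TLVs and return controller IPs as dotted strings in discovery order.
    Truncated or mis-sized sub-options raise instead of being silently accepted."""
    ips, i = [], 0
    while i < len(option):
        if i + 2 > len(option):
            raise ValueError("truncated sub-option header")
        code, length = option[i], option[i + 1]
        value = option[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length exceeds available data")
        if code == CISCO_WLC_SUBOPTION:
            if length % 4:
                raise ValueError("controller sub-option length is not a multiple of 4")
            ips.extend(str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, length, 4))
        i += 2 + length
    return ips


def per_site_option43(sites):
    """sites maps a site name to its local WLC IP (constructed values in the test).
    Returns {site: hex string} with the local WLC first and the other sites' WLCs as
    fallback, i.e. the N+1 scheme where each controller backs up the other."""
    out = {}
    for name, local in sites.items():
        others = [ip for site, ip in sites.items() if site != name]
        out[name] = encode_option43([local] + others).hex()
    return out
```

Pushing the hex string into each site's DHCP scope is then a matter of pasting the per-site value, and decoding an existing scope value is a quick way to confirm which controller the APs will try first after the split.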

I like this idea. I was told the plan was to get rid of the MPLS connection between sites and just go with a VPN, will this still work?

Just need to keep in mind possible impact of MTU reduction caused by VPN overhead because CAPWAP traffic is UDP.

The APs can do path MTU discovery but that relies on all the components between the AP and WLC behaving correctly to enable MTU discovery.  Otherwise you'll need to consider static MTU setting which I mentioned at https://community.cisco.com/t5/wireless/capwap-3-data-keepalive-err-failed-to-receive-data-keep-alive/m-p/5157023/highlight/true#M274228 earlier.

Leo Laohoo
Hall of Fame

@WayneWeezy wrote:
I understand an HA pair is going to be the best solution

For a 9800-40/-80, HA SSO is not ideal with one (or more) of the following scenarios:

1. More than 50% AP count, i.e. more than 1000 APs;
2. More than 50% daily client count, i.e. more than 16k clients per day;
3. External Web Authentication (PSK is fine)

N + 1 is better because different "VSS"-related processes will not be "misbehaving" (so to speak).

Also, be aware of the recently revised (03 May 2024) Cisco Catalyst 9800 Series Configuration Best Practices.

WayneWeezy
Level 1

Thanks for all the replies. I think I have a plan in place.
