As I've said on other threads, and echoing what Rasika said, vWLC is almost end of life so you should not be starting new deployments with that now.  If you insist then make sure you're using 8.10.185.3 to get the latest available bug fixes (link below).  But like Rasika said 9800-CL is your best bet for a virtual WLC.

Thanks for the answers. I just need the vWLC briefly to do a progressive firmware upgrade of all the APs. I could just upgrade the 5520, but then I will KO all wifi networks for 2 reboots (if the upgrade is a success), and can't do that at the moment.

Can I connect the WLC 5520 with 8.3 with the 9800-CL running catalyst OS? I thought that works only with 8.10.

I will try version 8.10.185.3 as you suggest, but I fear the issue is more KVM platform related. I tried also with VMWare version, but there I get no traffic at all even with vswitch in promiscuous mode. That's why I switched to KVM, that works, but it's just very very slow in download.

Sorry I haven't used vWLC myself so can't talk from experience.  Presume you saw in the release notes:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr8.html#wlc-vwlc
"FlexConnect central switching is supported in only small-scale deployments, wherein the total traffic on controller ports is not more than 500 Mbps"
If you were getting 300Mbps download you could have already been reaching >500Mbps aggregate traffic on the vWLC?

Presume you already have promiscuous mode enabled on vNIC otherwise it wouldn't be working at all?

Cisco actually discontinued support for central switching altogether on vWLC for a while between 8.0 and 8.2 but it's supposed to work in 8.5, but with no performance guarantees.  I guess you could try TAC.

Other options: If you've already replaced some of the other WLCs as you mention, can't you use one of those old ones?  Or don't you have a spare you could use?  If you don't have any then you might have to take the hit on disrupting service for a short while.  If the customer really wanted HA then they would have purchased dual WLC in HA-SSO.  Then you could split the SSO pair and use the 2 single controllers for your migration.  Since they only purchased a single WLC there's an implicit acceptance of the need for downtime - what was the plan if that one failed?

Hello,

I managed to split the two wlc 5520 without downtime:
I unplugged power cord and all interfaces on secondary controller, then rebooted and disabled SSO using console. I changed the management IP to a new one and kept SP and RP disconnected to avoid any strange behavior with the primary controller. Then I reconnected management, joined the secondary controller to mobility group and updated the secondary controller to 8.10.185.3. I'm moving some ap at a time and it seems the wifi users did not perceive any downtime.

The client is not very pleased that now the HA is not instant, but they think it's acceptable. If one controller goes down then al the APs will go down for 5-15 minutes to dowload firmware and reboot.  We tested upgrade and downgrade of AP firmware and it works even with 8.3 to 8.10 and vice versa: they don't loose AP group or AP name.

Thanks again for your answers.