Solved: WLC 9800-80 HA backup/restore

Luna99923 · ‎10-26-2022

Hello,

I currently have two WLC 9800-80's running 17.3.6 setup in HA. If I need to restore a config do I need to first unpair the WLC's from HA before I restore the config?

Secondly, I'm standing up a pair of WLC 9800-L's that are also going to run 17.3.6 and setup in HA. Essentially the config will be a mirror of the WLC 9800-80's in HA. Instead of having to manually configure the WLC 9800-L's, is there any easier way to apply the config from WLC 9800-80's and change the IP's?

I hope this makes sense

Thanks

Arshad Safrulla · ‎10-26-2022

Hi I assume that you already have both 9800-L in HA. I have not tested this myself as I believe this is not a recommend way to restore config to a different model. Having said that I pretty sure that if you do that

1. certificates will not work
2. interface number mismatch in 9800
3. If the existing 9800 keys are encrypted then key mismatch issues (radius, tacacs keys, passwords and secrets, PSK) will not work after restoring
4. If the redundancy configuration is different from what you have in 9800-L then it might break the HA. If it is same I dont see any issues.

I still believe correct way to do this is that you build the HA first and then paste the config keeping all the above points in mind. It is also possible to configure one WLC first and then add the standby unit.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

View solution in original post

Rich R · ‎10-27-2022

I think @Luna99923 is asking about restoring the 9800-80 config on the 9800-80.
You should be able to just copy the config to startup and reload, should be no need to break SSO.
I'm not sure how the GUI does the restore and haven't tried it myself so you'll have to test that out.
I tend to prefer doing most things on CLI. As @Arshad Safrulla says you're more likely to spot any problems or errors that way whereas the GUI sometimes hides them or only gives an error without any detail.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

Arshad Safrulla · ‎10-26-2022

My approach will be as below;

1. First build the HA SSO for 9800-L

2. Make sure that both the WLC’s are in config sync and SSO state has been achieved.

3. Take a backup from 9800-80 (show run)

4. Open it from a text editor and remove the certificates, redundancy configuration and change the Interface names and IP addresses.

5. You can upload the config file directly and restore it, but I prefer copy and paste as this will give me visibility to any errors.

At no point you need to break the HA if thats already configured. You can start configuring them when the pair is in HA.
If you are using copy and paste and you have site tags configured, then make sure that you re-order the commands to say that no local-site is before you assign the flex profile. Also certain changes to any existing policy profiles will be allowed only after you shut it down, so if thats the case make sure that you add no shut towards the end.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Luna99923 · ‎10-26-2022

Arshad,

Thank you for this information. If I just wanted to restore the configuration on the 9800-80 pair using the same IP's, certificates, policy tags, etc.. Can I do this directly from the GUI by downloading the startup-config to the primary active WLC OR do I need to first unpair the HA pair?

Arshad Safrulla · ‎10-26-2022

Hi I assume that you already have both 9800-L in HA. I have not tested this myself as I believe this is not a recommend way to restore config to a different model. Having said that I pretty sure that if you do that

1. certificates will not work
2. interface number mismatch in 9800
3. If the existing 9800 keys are encrypted then key mismatch issues (radius, tacacs keys, passwords and secrets, PSK) will not work after restoring
4. If the redundancy configuration is different from what you have in 9800-L then it might break the HA. If it is same I dont see any issues.

I still believe correct way to do this is that you build the HA first and then paste the config keeping all the above points in mind. It is also possible to configure one WLC first and then add the standby unit.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Rich R · ‎10-27-2022

I think @Luna99923 is asking about restoring the 9800-80 config on the 9800-80.
You should be able to just copy the config to startup and reload, should be no need to break SSO.
I'm not sure how the GUI does the restore and haven't tried it myself so you'll have to test that out.
I tend to prefer doing most things on CLI. As @Arshad Safrulla says you're more likely to spot any problems or errors that way whereas the GUI sometimes hides them or only gives an error without any detail.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Luna99923 · ‎10-27-2022

Thank you so much @rich and @Arshad Safrulla !

This is exactly the information I was looking for.

abhilash.vijayanand · ‎01-22-2024

Hello @Luna99923 - I don't see any message that states what you did at last.
I have similar setup. I have cisco 9800-L-F-K9 in HA and failed, i have got the RMA but i don't want to do the manual configuration. I'm lucky enough that i have back-up of sh tech and others. Can this be used to push it to the controller which me manually entering the configuration?

Rich R · ‎01-23-2024

@abhilash.vijayanand if you use show tech as your backup you will lose all keys and passwords which are automatically removed from show tech. You need a backup of running or startup-config. As long as the base config is there and same version of software installed the config will sync when you connect to the active WLC.
Cisco has published a video on this topic: https://www.youtube.com/watch?v=7P6LEP6c9wY

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Luna99923 · ‎06-03-2024

I tried to restore a backup config to a lab 9800-L-C and since the backup contained password encryption, I got a bunch of errors when restoring. Is there any way to bypass this or do I have to manually put in the keys unencrypted?

Rich R · ‎06-03-2024

If you configure the same original AES encryption master key before restoring the config then the encrypted keys won't be a problem. If you don't have the original master key then yes, you will have to re-enter all those keys @Luna99923

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Luna99923 · ‎06-04-2024

Thanks. Where in the configuration do I enter this and what is the command. I do have the original master key.

Rich R · ‎06-04-2024

conf t
password encryption aes
key config-key password-encrypt <your-master-key>
end
wr

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Luna99923 · ‎06-04-2024

How would I do this if I just wanted to copy the config from startup and reload? Or would the only way be to manually paste

password encryption aes
key config-key password-encrypt <your-master-key>

and then the rest of the config?

Rich R · ‎06-24-2024

Yes manual paste is your only option.
The AES key is not part of the config and must be present (and correct) before restoring the encrypted configs for them to be correctly decrypted.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390