WLC 9800-80 HA backup/restore

Luna99923
Level 1

Hello,

I currently have two WLC 9800-80's running 17.3.6 setup in HA.  If I need to restore a config do I need to first unpair the WLC's from HA before I restore the config?

Secondly, I'm standing up a pair of WLC 9800-L's that are also going to run 17.3.6 and setup in HA. Essentially the config will be a mirror of the WLC 9800-80's in HA.  Instead of having to manually configure the WLC 9800-L's, is there any easier way to apply the config from WLC 9800-80's and change the IP's?

I hope this makes sense

Thanks

13 Replies

Arshad Safrulla
VIP Alumni

My approach will be as below;

1. First build the HA SSO for 9800-L

2. Make sure that both the WLC’s are in config sync and SSO state has been achieved.

3. Take a backup from 9800-80 (show run)

4. Open it from a text editor and remove the certificates, redundancy configuration and change the Interface names and IP addresses.

5. You can upload the config file directly and restore it, but I prefer copy and paste as this will give me visibility to any errors.

At no point do you need to break the HA if that's already configured. You can start configuring them when the pair is in HA.
If you are using copy and paste and you have site tags configured, then make sure that you re-order the commands to say that no local-site is before you assign the flex profile. Also certain changes to any existing policy profiles will be allowed only after you shut it down, so if that's the case make sure that you add no shut towards the end.

Arshad,

Thank you for this information.  If I just wanted to restore the configuration on the 9800-80 pair using the same IPs, certificates, policy tags, etc., can I do this directly from the GUI by downloading the startup-config to the primary active WLC OR do I need to first unpair the HA pair?

Hi, I assume that you already have both 9800-L in HA. I have not tested this myself as I believe this is not a recommended way to restore config to a different model. Having said that, I'm pretty sure that if you do that

1. certificates will not work
2. interface number mismatch in 9800
3. If the existing 9800 keys are encrypted then key mismatch issues (radius, tacacs keys, passwords and secrets, PSK) will not work after restoring
4. If the redundancy configuration is different from what you have in 9800-L then it might break the HA. If it is the same I don't see any issues.

I still believe the correct way to do this is that you build the HA first and then paste the config keeping all the above points in mind. It is also possible to configure one WLC first and then add the standby unit.

Rich R
VIP

I think @Luna99923 is asking about restoring the 9800-80 config on the 9800-80.
You should be able to just copy the config to startup and reload, should be no need to break SSO.
I'm not sure how the GUI does the restore and haven't tried it myself so you'll have to test that out.
I tend to prefer doing most things on CLI.  As @Arshad Safrulla says you're more likely to spot any problems or errors that way whereas the GUI sometimes hides them or only gives an error without any detail.

Luna99923
Level 1

Thank you so much @rich and @Arshad Safrulla !

This is exactly the information I was looking for.

Hello @Luna99923 - I don't see any message that states what you did at last. 
I have a similar setup. I have a Cisco 9800-L-F-K9 in HA and it failed; I have got the RMA, but I don't want to do the manual configuration. I'm lucky enough that I have a backup of sh tech and others. Can this be used to push it to the controller without me manually entering the configuration?

@abhilash.vijayanand if you use show tech as your backup you will lose all keys and passwords which are automatically removed from show tech.  You need a backup of running or startup-config.   As long as the base config is there and same version of software installed the config will sync when you connect to the active WLC.
Cisco has published a video on this topic: https://www.youtube.com/watch?v=7P6LEP6c9wY

I tried to restore a backup config to a lab 9800-L-C and since the backup contained password encryption, I got a bunch of errors when restoring. Is there any way to bypass this or do I have to manually put in the keys unencrypted?

If you configure the same original AES encryption master key before restoring the config then the encrypted keys won't be a problem.  If you don't have the original master key then yes, you will have to re-enter all those keys @Luna99923 

Thanks. Where in the configuration do I enter this and what is the command. I do have the original master key.

conf t
password encryption aes
key config-key password-encrypt <your-master-key>
end
wr

How would I do this if I just wanted to copy the config from startup and reload?  Or would the only way be to manually paste 

password encryption aes
key config-key password-encrypt <your-master-key>

and then the rest of the config?

Yes manual paste is your only option.
The AES key is not part of the config and must be present (and correct) before restoring the encrypted configs for them to be correctly decrypted.
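
Added example (not part of any post in this thread, and not Cisco tooling): a pre-paste check for a saved running-config that drops the certificate and redundancy stanzas mentioned in the replies, lists interface and IP lines to edit by hand, and lists type 6 secrets that depend on the original AES master key. The sample config is constructed, and both the stanza names being dropped and the type 6 pattern are assumptions about how the backup is laid out.

```python
import re
# Constructed sample in the style of a 9800 "show run" backup (not from the thread).
SAMPLE = """\
hostname WLC-9800-80
password encryption aes
!
redundancy
 mode sso
!
crypto pki certificate chain TP-constructed
 certificate self-signed 01
  30820330 30820218 A0030201
  quit
!
radius server ISE1
 key 6 CONSTRUCTEDciphertextONLY
!
interface Vlan10
 ip address 192.0.2.2 255.255.255.0
!
"""

# Top-level stanzas to drop before pasting onto a different pair (assumed names).
DROP = re.compile(r"^(crypto pki (trustpoint|certificate chain)\s|redundancy\s*$)")
# Heuristic (assumption): "<key|password|secret> ... 6 <ciphertext>" is an AES type 6 secret.
TYPE6 = re.compile(r"\b(key|password|secret)\b.*\s6\s+\S+\s*$")
# Lines that must be edited by hand for the new hardware and addressing.
REVIEW = re.compile(r"^(interface\s|\s*ip address\s)")

def prepare(config):
    """Split a backup into lines to paste, type 6 secrets, and lines to review."""
    out = {"paste": [], "type6": [], "review": [], "aes_enabled": False}
    skipping = False
    for line in config.splitlines():
        if line and not line[0].isspace():   # a top-level line starts a new stanza
            skipping = bool(DROP.match(line))
        if skipping:
            continue
        out["paste"].append(line)
        if TYPE6.search(line):
            out["type6"].append(line.strip())
        if REVIEW.match(line):
            out["review"].append(line.strip())
        if line.strip() == "password encryption aes":
            out["aes_enabled"] = True
    return out
```

If `type6` is non-empty, the target needs the original master key configured before the paste, as the replies above describe; the key itself never belongs in the backup file.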
