Solved: WLC HA upgrade to 8.10 fail

BorislavPenchev0962 · ‎12-01-2021

Hi all,
were not able to perform upgrade of WLC HA pair and now works without redundancy
current IOS 8.5.164.0 goal 8.10 as we need to install 9k APs;
HA SSO looks functional between WLCs

we gets an error - 'Transfer & Validation failed on Standby, Informing the Standby to Re-start the transfer download process'

after Switchover CAPWAP Tunnel and Webgui has some problems

Regards

Boris

BorislavPenchev0962 · ‎12-07-2021

After checking it was observed the standby WLC does not have a manufactured certificates which is due to bug:

CSCuv97685: 5520 or 8540 may have no Manufacturing Installed Certificates. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv97685.

Due to the standby WLC not having certificates, it is not able to validate the signature from the primary WLC. Therefore, the upgrade is failing. Below are the analysis from both WLCs:

Primary WLC:

*TransferTask: Dec 02 16:13:16.787: [PA] RESULT_STRING: TFTP receive complete... extracting components.

*TransferTask: Dec 02 16:13:16.787: [PA] RESULT_CODE:6

*TransferTask: Dec 02 16:14:50.662: [PA] RESULT_STRING: Transfer & Validation failed on Standby, Informing the Standby to Re-start the transfer download process

*TransferTask: Dec 02 16:14:50.662: [PA] Transfer & Validation on Standby failed,peerTransferStatus:0,L7_standbyDownloadStatus:0. Informing the standby to Re-start the transfer download process

>show certificate all // Certificate exist on Primary WLC

--------------- Verification Certificates ---------------

Certificate Name:xyz

Secondary WLC:

*TransferTask: Dec 02 16:16:34.663: [SS] RESULT_STRING: Standby receive complete... extracting components.

*TransferTask: Dec 02 16:16:34.663: [SS] RESULT_CODE:6

*TransferTask: Dec 02 16:16:38.699: [SS] RESULT_STRING: Failure while validating the signature!

*TransferTask: Dec 02 16:16:42.743: [SS] RESULT_CODE:7

>show certificate all // no certificate on the standby WLC

--------------- Verification Certificates ---------------

-------------- Identification Certificates --------------

For this issue, we should apply the workaround of the bug by reset the Physical SD card.

The workaround mentioned in Cisco 5520 and 8540 Wireless Controller Troubleshooting Guide

View solution in original post

marce1000 · ‎12-01-2021

>now works without redundancy - what do you mean by that ? Does it not contradict with >HA SSO looks functional between WLCs

>after Switchover CAPWAP Tunnel and Webgui has some problems Was there a switchover ? What are those capwap Tunnel and Gui problems in detail ? Also note : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb64042?rfs=iqvred

M

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

BorislavPenchev0962 · ‎12-02-2021

we have done the following:

Switchover (to Secondary)

https web ui is not working
some (not all) capwap tunnels had an issue and some AP’s rebooted

Again Switchover: (back to Primary)

https is working
Issues with capwap tunnels disappeared

Then Update:

Same error as before
'Transfer & Validation failed on Standby, Informing the Standby to Re-start the transfer download process'

Arshad Safrulla · ‎12-02-2021

Access the standby WLC via service port IP and check the firmware running, and post the outputs for the below

show sysinfo

show redundancy summary

show redundancy statistics

If the WLC us running older firmware (failed the upgrade, then break the HA and you may try upgrading it manually. If it shows the correct AireOS reset the system and build the HA-SSO again. You may also reach out to TAC as this behavior is not expected.

Depending on the controller you may have to upgrade the CIMC as 5520/8540 runs on top of a UCS server.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn810mr6.html

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Leo Laohoo · ‎12-04-2021

Upgrade first to 8.5.17X.X (and later) and then jump to 8.10.X.X.

BorislavPenchev0962 · ‎12-07-2021

After checking it was observed the standby WLC does not have a manufactured certificates which is due to bug:

CSCuv97685: 5520 or 8540 may have no Manufacturing Installed Certificates. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv97685.

Due to the standby WLC not having certificates, it is not able to validate the signature from the primary WLC. Therefore, the upgrade is failing. Below are the analysis from both WLCs:

Primary WLC:

*TransferTask: Dec 02 16:13:16.787: [PA] RESULT_STRING: TFTP receive complete... extracting components.

*TransferTask: Dec 02 16:13:16.787: [PA] RESULT_CODE:6

*TransferTask: Dec 02 16:14:50.662: [PA] RESULT_STRING: Transfer & Validation failed on Standby, Informing the Standby to Re-start the transfer download process

*TransferTask: Dec 02 16:14:50.662: [PA] Transfer & Validation on Standby failed,peerTransferStatus:0,L7_standbyDownloadStatus:0. Informing the standby to Re-start the transfer download process

>show certificate all // Certificate exist on Primary WLC

--------------- Verification Certificates ---------------

Certificate Name:xyz

Secondary WLC:

*TransferTask: Dec 02 16:16:34.663: [SS] RESULT_STRING: Standby receive complete... extracting components.

*TransferTask: Dec 02 16:16:34.663: [SS] RESULT_CODE:6

*TransferTask: Dec 02 16:16:38.699: [SS] RESULT_STRING: Failure while validating the signature!

*TransferTask: Dec 02 16:16:42.743: [SS] RESULT_CODE:7

>show certificate all // no certificate on the standby WLC

--------------- Verification Certificates ---------------

-------------- Identification Certificates --------------

For this issue, we should apply the workaround of the bug by reset the Physical SD card.

The workaround mentioned in Cisco 5520 and 8540 Wireless Controller Troubleshooting Guide

JesusReyes · ‎09-28-2022

Hi Friends

In my case I have a WLC 3504 in HA SSO and one week ago i upgraded the WLC to version 8.10.171 (version recommend) but during the "transfer and check the image in stanby" failed and showing this error messages: *TransferTask: Dec 02 16:14:50.662: [PA] Transfer & Validation on Standby failed,peerTransferStatus:0,L7_standbyDownloadStatus:0. Informing the standby to Re-start the transfer download process

The chassis 1 is active and chassis 2 is stanby, i changed the role for each chassis with the command "redundancy force-switchover". And tried again download the image and upgrade the WLC. Finally the upgrade was succesfully

Leo Laohoo · ‎09-28-2022

@JesusReyes wrote:
The chassis 1 is active and chassis 2 is stanby, i changed the role for each chassis with the command "redundancy force-switchover". And tried again download the image and upgrade the WLC. Finally the upgrade was succesfully

That is normal.