Access Points migration to vWLC. Tips and Tricks.

We recently begun to massively replace our end-of-life Cisco Wireless Controllers 4400 series with ESX-based Cisco Virtual Wireless Controllers (vWLC). The deployment process is straight-forward and well documented by Cisco in “Cisco Virtual Wireless Controller Deployment Guide“. We haven’t had any major issues with the deployment, but we faced some problems when it came to the migration process of the existing AP infrastructure to these new controllers. While current AP models (2600/3600) can join vWLC with no hassle, old, but still decent, AP models (like Cisco 1140 series) require some extra efforts before they can join vWLC…

I would recommend to pay extra attention to Troubleshooting – AP Considerations section of the deployment guide. It literally states the following

  • An AP must be at software version 7.3.1.35 and above to successfully join a virtual controller. Virtual controllers use SSC in order to validate an AP before joining.

There are other items listed as well, but the main requirement is in that one sentence. Cisco Lightweight AP will not join vWLC if that AP lacks Software Release 7.3 or above. For clarity sake, the latest Cisco WLC 4400 Software Release is 7.0.250.0, which implies that it won’t be possible to migrate Lightweight APs from Cisco WLC 4400 to Cisco vWLC in a direct manner.

If you try to associate an AP that runs pre 7.3 WLC Software Release, you will likely notice the following messages in the console CLI, which is a good sign you need to upgrade AP’s software before it can join vWLC:

*Mar 28 12:07:20.227: %CAPWAP-5-SENDJOIN: sending Join Request to 10.175.1.200
*Mar 28 12:07:20.231: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Mar 28 12:07:20.231: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Mar 28 12:07:20.231: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Mar 28 12:07:20.231: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.175.1.200
*Mar 28 12:07:20.231: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.175.1.200
*Mar 28 12:07:30.243: %CAPWAP-3-ERRORLOG: Go join a capwap controller

Before you even start to migrate APs to the vWLC, you have to understand if those APs are being supported in the new version of WLC software (7.3 and above).

Check the WLC 7.3.112.0 Release Notes, specifically “Software Release Support for Access Points” section. There’s a table that lists the majority of Cisco Access Point models and information about their life cycle – First Support and Last Support release versions. The latest column is of highest interest. You can expect an AP to work with the new WLC Software Releases if a dash is displayed in that column. Otherwise you will have to consider replacing APs as well, and not only the WLC.

For example, Cisco Lightweight AP 1142 can be upgraded to software version 7.3 (Last Support release column has the dash). At the same time Cisco Lightweight AP 1220 can not be upgraded (Last Support release version is 7.0.x). After you confirmed that your APs are being supported by WLC 7.3 or above, you can proceed further.

There are two ways to meet this main requirement: Manual and Automatic.

Manual Upgrade (slow, not recommended in large deployments)

This methods does not require any special kit except the console cable and network connectivity to the TFTP server. Process is as follows

  1. Get a recovery image software from the download section at Cisco.com, for WLC 7.3 or above. For example, IOS software that corresponds to WLC Software Release 7.3.112.0 is 15.2(2) JA1 – c1140-rcvk9w8-tar.152-2.JA1.tar;
  2. Interrupt AP boot process by holding Mode button for 30 seconds (until led becomes RED);
  3. Format flash, and download new software from the TFTP server.
    load_helper
    flash_init
    format flash:
    set IP_ADDR 192.168.0.200
    set NETMASK 255.255.255.0
    set DEFAULT_ROUTER 192.168.0.1
    tftp_init
    tar -xtract tftp://192.168.10.5/c1140-rcvk9w8-tar.152-2.JA1.tar flash:
    boot
  4. Reboot AP. It will begin a join process (will upgrade/downgrade to vWLC version, if required);

Automatic Upgrade (recommended)

This process is suitable for large environments, but it requires a presence of hardware WLC that supports Software Release 7.3 and above, like Cisco WLC 5508. Hardware WLC does not require AP to authenticate through SSC (Self-Signed Certificates) hash, thus making it possible for Lightweight AP to join hardware controller with Software Release 7.3 and above without extra efforts, and as result upgrading to the same version of software. The process is described below.

  1. Change an existing DHCP Option 43 to list an IP address of the hardware WLC 7.3 or above (Cisco 5508 will do the trick);
  2. Login to the old WLC’s web page (the one from where you want to migrate compatible APs);
  3. Choose an AP and select “Clear All Config”. This will remove the CAPWAP configuration from AP’s cache and reboot it;
  4. Wait for AP to reboot. It will join hardware WLC 7.3 and upgrade own software. Wait until AP’s status changes to REG;
  5. Change DHCP Option 43 again but this time it has list an IP address of the vWLC
  6. Force an upgraded AP to reboot with factory default settings (“Clear All Config”);
  7. Wait for AP to join vWLC. It may reboot a couple of times, if software versions on hardware and virtual WLCs differ;
  8. Voila – AP will join vWLC without physical intervention.

You can repeat steps 1 through 7 for the rest of APs one by one or in bulk.

One other important requirement to consider is that vWLC will only work with Lightweight APs configured to operate in FlexConnect mode (ex H-REAP). Even though, once upgraded, APs will eventually join vWLC, they won’t be able to associate clients until you switch them to FlexConnect mode. This can be done manually using web interface

vWLC FlexConnect

Or, vWLC can be configured to automatically convert all APs to work in FlexConnect mode after they join the controller for the first time, and after all required upgrades are complete. To do that, execute the following command using vWLC’s CLI:

config ap autoconvert flexconnect enable

Once applied, every single AP associated with this controller, will be switched to FlexConnect mode automatically.

Hope that helps!

Leave a Reply

%d bloggers like this: