
How to replace the config of VGW VPNC during VPNC replacement

By esupport posted Mar 06, 2023 06:25 AM

  
Requirement:

 

An existing VGW VPNC may have to be decommissioned and replaced with a new VPNC for various reasons.

The requirement is to restore the same config from old VPNC to the new VPNC.

When the new VPNC is moved to the same group in Central as the old VPNC, it inherits all the config done at the group level.

However, the "Device-level" config present in the old VPNC will not be copied to the new VPNC unless the changes are manually done in the new VPNC at the device-level.
 



Solution:

 

  1. Device-level changes (local-overrides) need to be copied from the old VPNC and pushed to the new VPNC through API after making the necessary changes.
  2. Change the DC Preference for the BGW Groups and point to the new VPNC so that they can form an IPsec tunnel to the new VPNC.


Configuration:

 

Step 1:

  • Retrieve the "Device-level" (local-override) config for the old VGW VPNC. 
  • Navigate to "Device-level" of the old VPNC -> Config -> Config Audit -> Local Overrides -> Manage local overrides -> View config Difference. 
  • Copy all the local overrides to a text file. 

 

Step 2:

  • If any PSK (password) based configuration was done at device-level (for example: isakmp key, mgmt-user, NTP key etc.), it will be in encrypted format in the output from Step-1.
  • Replace the encrypted passwords with the actual passwords in the text file where the local overrides output was copied in Step-1.
  • For example, replace the encrypted password in the command below.
  • crypto-local isakmp key 716c1a35f5699413dae01e00b13ca92cbecc63199ff63ef1 address 1.2.3.4 netmask 255.255.255.255
  • Replace the encrypted password with the actual password as below in the text file copied from Step-1.
  • crypto-local isakmp key password address 1.2.3.4 netmask 255.255.255.255

 

Step 3:

  • Remove the vgw_est_srv config from the config.
  • The new VGW will have its own vgw_est_srv profile which is unique to each device. 
  • Hence remove the vgw_est_srv profile config from the local-override config of the old VPNC as this profile need not be pushed to the new VPNC. 
  • Remove the below config completely from the text file from Step-1.
  • est profile vgw_est_srv
    password d81aa10f53836201e57af68c31c01c9088c834d2c260a37966aabe50f7be3f068720a4e9db16a56ea175ba389145f3b77895a0495b3969a5
    username VG22102xxxxx,02:1A:1E:xx:xx:xx,MC-VA,VGW
    

 

Step 4:

  • Deploy the new instance of VGW (VPNC) in Aruba Central. 

Note: 

  • If there is additional license available, proceed with this step. 
  • If there is no additional license available, delete the old VGW deployment so that a license becomes available for the new VPNC.

 

Step 5:

  • Push the config in the text file to the new VPNC using API. 

 

Step 6: 

  • Ensure that the new VPNC has the connectivity to reach Central. 

 

Step 7:

  • Navigate to the Branch group(s) -> VPN -> SDWAN Overlay and change the DC Preference. 
  • Remove the old VPNC from the DC preference and point it to the new VPNC.
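
A helper for Steps 2 and 3, added here as an example (it is not from the original article or from Aruba): it drops the device-unique "est profile vgw_est_srv" block and lists the lines that still carry an encrypted secret. The function name, the "32 or more hex digits" heuristic, the block-ending rule and the sample config are assumptions made for illustration.

```python
import re

# Constructed sample in the shape of the Step-1 output (all values are made up).
SAMPLE = """\
crypto-local isakmp key 00112233445566778899aabbccddeeff0011223344556677 address 192.0.2.10 netmask 255.255.255.255
est profile vgw_est_srv
    password aabbccddeeff00112233445566778899aabbccddeeff0011
    username SERIAL,MAC,MC-VA,VGW
ntp server 192.0.2.20
"""

# Assumption: an encrypted secret shows up as one token of 32+ hex digits.
ENCRYPTED = re.compile(r"\b[0-9a-fA-F]{32,}\b")
EST_HEADER = re.compile(r"^\s*est profile vgw_est_srv\s*$")


def prepare_overrides(text):
    """Return (kept, pending) for a local-override dump.

    kept:    config lines without the vgw_est_srv block (Step 3).
    pending: (line_number, line) pairs in kept that still hold an encrypted
             secret and need the actual password typed in (Step 2).
    """
    kept, in_est = [], False
    for line in text.splitlines():
        if EST_HEADER.match(line):
            in_est = True
            continue
        if in_est:
            # Assumption: the block body is indented and may be closed by "!".
            if line.strip() == "!":
                in_est = False
                continue
            if line[:1].isspace():
                continue
            in_est = False
        if line.strip():
            kept.append(line)
    pending = [(n, l) for n, l in enumerate(kept, 1) if ENCRYPTED.search(l)]
    return kept, pending


if __name__ == "__main__":
    kept, pending = prepare_overrides(SAMPLE)
    for n, l in pending:
        print(f"line {n} still has an encrypted secret: {l.split()[:3]}")
```

Once the actual passwords are typed in, the text file holds them in clear text, so keep it readable only by the operator and delete it after the push in Step 5.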


Verification

 

Navigate to "Device-level" of the new VPNC -> Config -> Config Audit -> Local Overrides -> Manage local overrides -> View config Difference. 

Check and confirm if the new device has all the local-overrides which were pushed through API.
