Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

behavior local on masters replacement

  • 1.  behavior local on masters replacement

    Posted Mar 18, 2019 04:51 PM

    Hi,

    I would like to ask how local controllers behave during a master controller replacement. I will replace all master controllers in the cluster (active and standby) with new models.

    I followed the best practice in order to have all the new masters the same as the previous ones:

    - same firmware [6.4.5.11]
    - backup and restore of flashback.tar.gz
    - etc.


    And I checked the configuration on the new controllers, such as redundancy, AP configuration and VRRP IP. All was OK.


    But I have a doubt. When I change the masters, how will the local controllers negotiate IPSec with a cluster with the same IP but with a different hash? Will it be necessary to do a reboot?


    Thanks a lot

    Regards



  • 2.  RE: behavior local on masters replacement
    Best Answer

    EMPLOYEE
    Posted Mar 18, 2019 06:46 PM

    As long as the preshared key for IPSec matches on both devices, the IPSec SA will negotiate correctly.

     

    The output is hashed when you do a "show run" on the controller, but the actual passphrase is saved on the device. If you restored from a flashbackup, then the correct password should be there. On the new controller, you can use the command "encrypt disable" before doing "show run" in order to verify that the correct IPSec key is in fact installed. If it is not, you'll want to set this correctly on the new device, as a mismatch in keys will mean the IPSec SA does not establish.
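
The check described in the answer above, as an added example that is not part of the thread and not Aruba code: it compares the master/local IPsec key lines of two saved "show run" dumps and reports only a status per entry, so the cleartext keys never appear in the report. It assumes both dumps were taken after "encrypt disable" and that the keys appear on lines of the form `localip <ip> ipsec <key>` or `masterip <ip> ipsec <key>`; the function names and sample dumps are constructed for illustration.

```python
import hmac
import re

# Assumed line shapes for master/local IPsec keys (not shown in the thread):
#   localip <peer-ip> ipsec <key>      masterip <peer-ip> ipsec <key>
KEY_LINE = re.compile(r"^\s*(localip|masterip)\s+(\S+)\s+ipsec\s+(\S+)", re.M)


def ipsec_keys(config_text):
    """Map (keyword, peer) -> key for every IPsec key line in a config dump."""
    return {(kw, peer): key for kw, peer, key in KEY_LINE.findall(config_text)}


def compare_dumps(old_cfg, new_cfg):
    """Return {(keyword, peer): status} for the old vs. the new controller."""
    old, new = ipsec_keys(old_cfg), ipsec_keys(new_cfg)
    report = {}
    for entry in sorted(old.keys() | new.keys()):
        if entry not in new:
            report[entry] = "missing-on-new"
        elif entry not in old:
            report[entry] = "only-on-new"
        elif hmac.compare_digest(old[entry].encode(), new[entry].encode()):
            report[entry] = "same"
        else:
            report[entry] = "changed"
    return report


# Constructed sample dumps (addresses and keys are made up).
OLD_MASTER = """
vlan 10
localip 0.0.0.0 ipsec ExampleKey-One
localip 192.0.2.20 ipsec ExampleKey-Two
"""
NEW_MASTER = """
vlan 10
localip 0.0.0.0 ipsec ExampleKey-One
localip 192.0.2.20 ipsec ExampleKey-TWO
"""

if __name__ == "__main__":
    # Only the entry and its status are printed, never the key itself.
    for (keyword, peer), status in compare_dumps(OLD_MASTER, NEW_MASTER).items():
        print(f"{keyword} {peer}: {status}")
```

Dumps taken with encryption disabled contain the pre-shared keys in cleartext, so delete them once the comparison is done.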



  • 3.  RE: behavior local on masters replacement

    Posted Mar 19, 2019 03:07 AM

    Hi Charlie,

     

    thank you for your answer.

    You have confirmed my suspicion. In fact I have done as you wrote. I launched the command encryption disable and I checked the passwords for IPSec, and the import was good. So I will proceed with the replacement.

     

    Regards

    Roberto



  • 4.  RE: behavior local on masters replacement

    EMPLOYEE
    Posted Mar 19, 2019 10:15 AM

    Let us know how it goes.



  • 5.  RE: behavior local on masters replacement

    Posted Mar 23, 2019 04:44 AM

    Hi Charlie and all,


    Just as I promised, I am giving a report on the migration.

    Like Charlie said, I verified the IPSec key through the "show run" command.
    Yes, I didn't have any problem with this aspect.

     

    But I had a very strange situation. I had exported the flashbackup.tar.gz file from the old controller and I had imported it on the new one.
    I restored and rebooted the controller.

    So when the new controller became the master of the production environment, I discovered that the roles had not been imported.
    I tried to copy them from the old one, but the system didn't accept them because they were already present but not manageable.

     

    I don't know if it is all clear, but what do you think went wrong?

    Regards

     



  • 6.  RE: behavior local on masters replacement

    EMPLOYEE
    Posted Mar 27, 2019 10:38 AM

    What was the Controller model that the config originated from, and the controller model you restored the backup to? It's possible there were issues with the config due to port/vlan changes.



  • 7.  RE: behavior local on masters replacement

    Posted Apr 03, 2019 02:28 AM

    Hi Charlie,

     

    I'm very sorry. I totally forgot to answer.

    The origin model was a 7205 and the destination was a 7210. We did this migration because of the license limit.

    I checked VLAN and port and yes, they changed, but after the restore of the flashbackup I modified these objects and I re-connected in order to start VRRP. I did a "clear" show running-config with passwords as you wrote. But net destinations and roles were not imported.

    So I thought to cut and copy from the old one, but the new one reported that the settings were already present even if not visible.

     

    Regards

    Roberto Zanardo