Network Guys

Share your knowledge!

Cisco WLC High Availability

I’m currently in a project where a school needs to integrate a wireless network. They bought a Cisco WLC 5508 with a built-in license for 25 access points (AIR-CT5508-25-K9) and a second WLC for high availability (AIR-CT5508-HA-K9). The HA-WLC automatically shares the configuration and the license from the main WLC for 90 days. I will show you how to build a wireless controller cluster.

First you can completely configure the first WLC as you wish. In our example we are using the following IP addresses:

WLC Active
Management: 192.168.150.61 /22
Redundancy-MGNT: 192.168.150.63 /22
Service-Port: 192.168.1.61 /24
Virtual: 192.0.2.1

WLC Passive
Management: 192.168.150.62 /22
Redundancy-MGNT: 192.168.150.64 /22
Service-Port: 192.168.1.62 /24
Virtual: 192.0.2.1 (needs to be the same as the Active Unit)

Configure only the management-, service-port- and virtual-interface like this on the first WLC:

[Screenshot: wlc1-interfaces]

Configure the second WLC (our standby unit) with the IP addresses given above via the console, so that you can access the web interface. Keep in mind to activate it with a shell command, posted some months ago in this post. Now we will configure the redundancy settings as shown in the images below:

First WLC:

[Screenshot: wlc1-ha]

Second WLC:

[Screenshot: wlc2-ha]

After this step, please click on the Apply button to save these settings. Now you can connect both WLCs at the Redundancy Port (RP) with a single copper cable:

[Screenshot: wlc-rp]

Both controllers are still independent and do not see each other yet. To build the cluster, we will activate the function “AP SSO” on both WLCs. After applying the settings, the controllers reboot. I recommend connecting a console cable to the standby unit to watch the redundancy process. Activate the “AP SSO” function on the first WLC and click on Apply. After this, do the same on the second WLC:

[Screenshot: wlc1-sso]

The redundancy port IP addresses are configured automatically. You will see that the first and second octets change to 169.254.x.x. From the console port of the second WLC, you can watch the comparison of the configuration and licenses:

Starting Redundancy: Starting Peer Search Timer of 120 seconds

Found the Peer. Starting Role Determination…

Error:Unable to add Licenses on secondary Controller
Standby started downloading configurations from Active…

Standby comparing its own configurations with the configurations downloaded from Active…

Startup XMLs are different, reboot required
Restarting system. Reason: rsyncmgrXferTrasport ..

Updating license storage … Done.
Restarting system.

After the second reboot:

Starting Redundancy: Starting Peer Search Timer of 120 seconds

Found the Peer. Starting Role Determination…
Standby started downloading configurations from Active…

Standby comparing its own configurations with the configurations downloaded from Active…

Startup XMLs are same, no reboot required
Standby continue…
ok

The whole cluster is now reachable via the first management interface (192.168.150.61 in our example), so the IP address 192.168.150.62 is now free, but I would keep this address blocked in your network. Please check the redundancy summary and interfaces after your cluster configuration:

Interfaces:

[Screenshot: wlc1-interfaces-ha]

redundancy-summary at the active WLC via webinterface:

[Screenshot: wlc1-redundancy]

redundancy-summary on the standby WLC via shell:

(Cisco Controller-Standby) >show interface summary
Number of Interfaces…………………….. 5

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management                       1    untagged 192.168.150.61  Static  Yes    No
redundancy-management            1    untagged 192.168.150.64  Static  No     No
redundancy-port                  -    untagged 169.254.150.64  Static  No     No
service-port                     N/A  N/A      192.168.1.62    Static  No     No
virtual                          N/A  N/A      1.1.1.1         Static  No     No

(Cisco Controller-Standby) >show redundancy summary
Redundancy Mode = SSO ENABLED
Local State = STANDBY HOT
Peer State = ACTIVE
Unit = Secondary – HA SKU (Inherited AP License Count = 25)
Unit ID = E4:C7:22:AA:CB:80
Redundancy State = SSO (Both AP and Client SSO)
Mobility MAC = A4:93:4C:FB:5D:C0
Average Redundancy Peer Reachability Latency = 1396 usecs
Average Management Gateway Reachability Latency = 381 usecs

Redundancy Management IP Address…………….. 192.168.150.64
Peer Redundancy Management IP Address………… 192.168.150.63
Redundancy Port IP Address………………….. 169.254.150.64
Peer Redundancy Port IP Address……………… 169.254.150.63
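
A scripted version of the post-setup check described above, as an added example that is not part of the original post: it parses `show redundancy summary` output and reports anything that deviates from the healthy standby output shown here. The function names are hypothetical, the second sample is constructed, and the healthy state pair (ACTIVE / STANDBY HOT) is an assumption taken from the output above and mirrored for the active unit.

```python
import ipaddress
import re

# "Key = value" and "Key....... value" lines; the console paste on this page
# uses the ellipsis character as well as plain dots, so both are separators.
_FIELD = re.compile(
    r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*(?:=|[.\u2026]{2,})\s*(?P<val>.+?)\s*$"
)

# Assumption: healthy pair as in the standby output above, mirrored on the active unit.
HEALTHY_STATES = {"ACTIVE", "STANDBY HOT"}

# Sample 1: the standby output from this page (shortened).
HEALTHY_STANDBY = """\
(Cisco Controller-Standby) >show redundancy summary
Redundancy Mode = SSO ENABLED
Local State = STANDBY HOT
Peer State = ACTIVE
Unit = Secondary – HA SKU (Inherited AP License Count = 25)
Redundancy State = SSO (Both AP and Client SSO)
Redundancy Management IP Address…………….. 192.168.150.64
Peer Redundancy Management IP Address………… 192.168.150.63
Redundancy Port IP Address………………….. 169.254.150.64
Peer Redundancy Port IP Address……………… 169.254.150.63
"""

# Sample 2: constructed for this example, a unit stuck in maintenance mode.
MAINTENANCE_UNIT = """\
Redundancy Mode = SSO ENABLED
Local State = MAINTENANCE
Peer State = UNKNOWN - Communication Down
Unit = Secondary - HA SKU
Redundancy State = Non Redundant
Maintenance Mode = Enabled
Maintenance cause= Default Gateway not reachable
Redundancy Management IP Address................. 10.0.5.24
Peer Redundancy Management IP Address............ 10.0.5.25
Redundancy Port IP Address....................... 169.254.5.24
Peer Redundancy Port IP Address.................. 169.254.5.25
"""


def parse_summary(text):
    """Turn 'show redundancy summary' output into a dict with lower-case keys."""
    fields = {}
    for line in text.splitlines():
        match = _FIELD.match(line)  # prompt lines start with "(" and are skipped
        if match:
            fields[match.group("key").lower()] = match.group("val")
    return fields


def expected_rp_ip(redundancy_mgmt_ip):
    """Redundancy-port address: 169.254 plus the last two octets of redundancy-management."""
    octets = str(ipaddress.IPv4Address(redundancy_mgmt_ip)).split(".")
    return "169.254.{}.{}".format(octets[2], octets[3])


def check_ha(text):
    """Return a list of findings; an empty list means the pair looks healthy."""
    f = parse_summary(text)
    findings = []
    if f.get("redundancy mode") != "SSO ENABLED":
        findings.append("redundancy mode is %r, expected 'SSO ENABLED'" % f.get("redundancy mode"))
    local, peer = f.get("local state", ""), f.get("peer state", "")
    if local == "MAINTENANCE":
        cause = f.get("maintenance cause", "cause not reported")
        findings.append("unit is in maintenance mode: " + cause)
    if {local, peer} != HEALTHY_STATES:
        findings.append("unexpected states: local=%r peer=%r" % (local, peer))
    # The 169.254.x.x addresses must follow from the redundancy-management ones.
    for prefix in ("", "peer "):
        mgmt = f.get(prefix + "redundancy management ip address")
        port = f.get(prefix + "redundancy port ip address")
        if mgmt and port and expected_rp_ip(mgmt) != port:
            findings.append("%sredundancy port %s does not match %s" % (prefix, port, mgmt))
    return findings


if __name__ == "__main__":
    for name, sample in (("standby", HEALTHY_STANDBY), ("maintenance", MAINTENANCE_UNIT)):
        print(name, check_ha(sample) or "OK")
```

Since the standby unit is no longer reachable on its own management address, the output has to be collected over a path that still reaches it, such as the console.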

 

I hope you can understand my “quick-and-dirty” tutorial :-) please comment if something is not understandable. Have a great day!

 

/update: Watch a HA failure scenario in this post!

109 Responses

  1. Ok, thanks. I’m using 7.4.110 and in the summary redundancy option only appears AP SSO and not Client SSO like you.

    I think that this release 7.4.110 doesn’t support Client SSO

    What do you think ?

  2. Don’t you have a running SmartNET? You can download the new software version with it. I don’t know if Client SSO isn’t supported at your version.

  3. Hi Michel

    On Access Point Cisco (3600 or 2600) you config lwapp ap controller ip address ?

    1.WLC Active 192.168.150.61

    2.WLC Passive 192.168.150.62

    If config access point, has Controller IP Address Wlc Active.

    When WLC ACTIVE was then fails. It is able to sync with WLC Passive?

    Without specifying controller ip address WLC Passive.

    1. Hi :)

      no you will have only 1 visual WLC IP, so you have only one IP address where your APs are connecting to. Both WLCs are sharing the IP address.

  4. hi michel, the time i tried setting up the HA, i had the same error message which is:

    Error:Unable to add Licenses on secondary Controller

    i could not do anymore testing as our customer is already using the primary wlc in their temporary set-up.
    is this error message normal? or will it be a potential problem. thanks

    1. Hmm the second controller needs to be a “HA-WLC”. You can convert a “normal” WLC to a HA-Unit. But this WLC needs at least a 50-AP license for that. If you have a running SmartNET contract, I would open a support case @ cisco.com immediately. It’s free!

  5. Hi Michel,

    Thank you for this web page.

    I need to configure 2 x Cisco5508 in cluster mode.

    APs and WLC management ip addresses will be in a same vlan. Do i need to configure DHCP option43?

    If yes, i will use Cisco 6509 as a DHCP server. And do i need to configure DHCP option 43 for both WLC management ip addresses? or only visual ip address?

    Is the visual ip address 192.168.150.61 in your config?

    Thanks…

    1. Hi Ozgur,

      yes you can use DHCP option 43. Just insert the single visual ip address. When your APs are in the same VLAN as the mgnt interface, they will find the WLC with a broadcast request.

  6. Hi Michel
    I have a problem configuring the secondary WLC.
    I get this error:
    Controller should have a threshold base AP count to be configured as secondary. please read the documentation for further details
    Can you help me
    TNKS

    1. Hi Pietro,

      is the secondary WLC on factory-default? Can you tell me the Productname of this unit? When it is a normal WLC, you need at least a minimum of 50 AP license. I found something @ Cisco: https://supportforums.cisco.com/thread/2234561

      “If you want to convert any existing WLC as a Standby WLC, do so using the config redundancy unit secondary command in the CLI. This CLI command will only work if the WLC which is intended to work as Standby has some number of permanent license count.”

  7. Hi Michel
    What do you mean with “productname”?
    (Cisco Controller) > or cisco 5508?
    i have 2 wlc, is the same as software 7.5.102 and hardware.
    Both have the same license;
    (Cisco Controller) >show license in-use

    StoreIndex: 1 Feature: base-ap-count Version: 1.0
    License Type: Permanent
    License State: Active, In Use
    License Count: 25 /25 (Active/In-use)
    License Priority: Medium

    1. I meant “show inventory” or “show version”

      I can see your problem: Your device is only licensed for 25 APs but you need at least a 50 AP license on it to convert this device to a HA-SKU (this HA-SKU can directly be ordered). Converting is described here: https://supportforums.cisco.com/thread/2262357

      a user described the need perfectly:

      “You can make a WLC function as an HA sku as long as the WLC has a 50 AP license. This really is good for larger environments with 5508’s or large capacity WLC’s to save on cost of licensing.”

  8. Hi,
    to obtain a config of active-active cluster, we have to buy n.2 AIR-CT5508-50-K9? and not
    n.1 AIR-CT5508-50-K9
    n.1 AIR-CT5508-HA-K9
    as active-passive cluster happen?!

    It’s correct?

    Anybody use active-active cluster config?

    thanks

    1. Normally you have two WLC devices and a config where both controllers are given to the access point. A hot standby cluster contains (for example) an AIR-CT5508-50-K9 and an AIR-CT5508-HA-K9 device (active-passive; 1 management IP).

      I would only configure a HA cluster when you have more than 50 APs because you don’t need to buy/add further licenses for both WLCs. If you have two 25-AP-license-WLCs you have two devices in the network. It depends on your environment.

      Daniele, you can convert AIR-CT5508-50-K9 to AIR-CT5508-HA-K9 (to convert you need at least 50 AP license on a WLC and AIR-CT5508-50-K9 has this as factory-default). Watch this: https://supportforums.cisco.com/thread/2262357

  9. Hello Michel

    Your blog is Awesome. It has more information in detail. I thoroughly understood the concepts. I have one doubt here.

    As per your statement, The whole cluster is now reachable via the first management interface (192.168.150.61 in our example) so the IP address 192.168.150.62 is now free but I would keep this address blocked in your network.

    In this case, if i want to manage Standby WLC. which IP address i need to use to manage?

    or i can use 192.168.150.61 address to manage both the WLCs ? Please explain me in detail.

    Once again thanks for your blogs

    1. Hi Nandhakumar!

      Thank you very much for the compliment :)

      yeah at first, you give every WLC a unique IP address for the installation. After this, there is only a single IP address visible, both WLCs are sharing the IP 192.168.150.61. The address 192.168.150.62 is now free. You configure only via Webinterface at 192.168.150.61. Both WLCs are clustering the configuration and system files with the redundant-link (different IPs).

  10. Hi Michal

    Thanks for your Update. Really it is very useful blogs for Network admins. I got the clear idea from your reply.I understood WLC HA after reading your blog. You have given a easy steps and understandable way.I was not clear when i was studying cisco article. But your articles are very good.

    If possible please share the step-by-step document for Guest Wireless Mobility Anchor.

    Much appreciated…..

    Thanks

  11. Hi Michel

    Good day… As per your document today i have tried to configure HA between 5508 controllers. Both controllers are same version 7.4.121. When i do HA, on standby controller i got the below error messages.

    cannot open the file /mnt/application/ha/InheritedApCount.txt
    cannot open the file /mnt/application/ha/InheritedApCount.txt
    Redundancy Link is down. Entering maintenance mode to avoid network conflict.

    Entering maintenance mode….

    WLC01:

    Management ip – 10.205.254.11
    Redundancy Mgmt Ip – 10.205.254.13

    WLC02:

    Management ip – 10.205.254.12
    Redundancy Mgmt Ip – 10.205.254.14

    How to check the redundancy link status ?

    Could you please help me where it is getting failed.

  12. Hi Michel

    Cable is connected and LED status is green. After this error message i tried one more time to configure HA and it was successful. The actual problem was i have rebooted both WLC one another one. When HA tries to communicate to Primary WLC also rebooting state. This is a reason i got this error message.

  13. Hi,

    I have two wlc 5508 with HA mode, If unfortunately redundant link disconnected and standby wlc goes to maintenance mode.

    then again I connected redundant link but second wlc does not come in ha, it still remain in maintenance mode.

    What is the configuration that device goes to maintenance mode to HA Mode automatically. without reboot maintenance controller.

    1. Hi Tarun,

      that is a good question. The danger of this is, that you have two active WLCs (both are thinking that the partner is down). I would reboot the secondary by hand. I would open a support case (TAC) @ Cisco.com. Do you have a running SmartNET?

  14. Hello,
    query any release version can be used for HA or there is an initial version that brings that option?
    Thanks

    1. Hi Gerardo. I recommend Version 7.4. I think that HA is available since 7.2; here is an excerpt from the “Cisco Wireless LAN Controller Configuration Guide, Release 7.4” in the “High Availability” section:

      – In Release 7.3.x, AP SSO is supported but client SSO is not supported, which means that after an HA setup that uses Release 7.3.x encounters a switchover, all the clients associated with the Cisco WLC are deauthenticated and are forced to reassociate.

      – You must manually configure the mobility MAC address on the then active controller post switchover, when a peer controller has a controller software release that is prior to Release 7.2.

      1. Thanks for your help,

        Now I have 2 questions:

        It can enable HA redundancy with WC 24 licenses Primary and WC 50 licenses Secondary?

        I get the following error, which may be the cause?

        “Cannot open the file /mnt/application/ha/InheritedApCount.txt”
        Note: I have 1 AP en WC Primary (in laboratory)

        Thanks, I await your response

        greetings,

        1. If you have at least a 5508 Controller you can convert the 50 AP license unit to the slave unit. Example from http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html :

          Configuration on Primary WLC:

          configure interface address management 10.0.56.2 255.255.255.0 10.0.56.1
          configure interface address redundancy-management 10.0.56.10 peer-redundancy-management 10.0.56.11
          configure redundancy unit primary
          configure redundancy mode sso

          Configuration on Hot Standby WLC:

          configure interface address management 10.0.56.3 255.255.255.0 10.0.56.1
          configure interface address redundancy-management 10.0.56.11 peer-redundancy-management 10.0.56.10
          configure redundancy unit secondary
          configure redundancy mode sso

          If this is not working, try to reset the device with “reset system” and “recover-config” at the CLI.

          Do you have a running SmartNET? I would recommend to upgrade to the latest version.

          1. Hello Michel

            By setting “redundancy sso mode” the WC5508 performs a boot, the order is important?, should I do it first secondary?

            Thank´s

          2. Hello Michel,

            I reset with “reset system” and “recover-config” at the CLI.

            I upgrade to 7.5.102.0 version

            I configure redundancy mode and it´s not work!, the error in logging is:

            *dtlArpTask: May 20 14:04:08.275: #LOG-3-Q_IND: rmgr_utils.c:267 Ping response from 169.254.7.8 is invalid. Ip address do not match.[…It occurred 2 times.!]
            *rmgrTrasport: May 20 14:03:59.276: #RMGR-3-INVALID_PING_RESPONSE: rmgr_utils.c:267 Ping response from 169.254.7.8 is invalid. Ip address do not match.
            *nim_t: May 20 14:03:17.746: #SIM-3-PORT_UP: sim.c:12623 Physical port 1 is up!.
            *fp_main_task: May 20 14:03:17.746: #CNFGR-3-INV_COMP_ID: cnfgr.c:3029 Invalid Component Id : Unrecognized (94) in cfgConfiguratorInit.
            *fp_main_task: May 20 14:03:17.746: #LOG-3-Q_IND: bonjour_api.c:1394 Service specific query: Sending serive specific query failed[…It occurred 5 times.!]
            *fp_main_task: May 20 14:03:17.707: #BONJOUR-3-SPECIFIC_QUERY_SEND_ERR: bonjour_api.c:1394 Service specific query: Sending serive specific query failed
            *fp_main_task: May 20 14:03:08.271: #SISF-3-INTERNAL: sisf_shim_utils.c:442 Internal error, Failed to set SISF Interface Policy for interface : management
            *fp_main_task: May 20 14:03:08.271: #SISF-3-INTERNAL: sisf_shim_utils.c:442 Internal error, IPv6 Mudule is not initialised. Unable to create SISF Policy for interface: 0.
            *fp_main_task: May 20 14:03:08.269: #SISF-3-INTERNAL: sisf_shim_utils.c:442 Internal error, Can’t create the acl for 0000019F
            *fp_main_task: May 20 14:03:08.269: #SISF-3-INTERNAL: sisf_shim_utils.c:442 Internal error, Can’t create the acl for 00000003
            *fp_main_task: May 20 14:03:08.223: #CNFGR-3-INV_COMP_ID: cnfgr.c:3029 Invalid Component Id : Unrecognized (95) in cfgConfiguratorInit.
            *fp_main_task: May 20 14:03:07.543: #AVC-3-LOAD_CONF_FAILED: avc_cfg.c:241 AVC config is corrupted. Resetting AVC config to default.
            *mmMobility: May 20 14:03:04.419: #MM-0-MM_TASK_CREATE_ERR: mm_ha.c:1500 MobilityHa task message could not be initialized –exiting
            *fp_main_task: May 20 14:03:04.417: #MM-3-MEMBER_ADD_FAILED: mm_dir.c:1329 Could not add Mobility Member. Reason: IP already assigned, Member-Count:1,MAC: 00:00:00:00:00:00, IP: 0.0.0.0
            *mmListen: May 20 14:03:04.209: #MM-3-SOCK_OPER_FAILED: mm_listen.c:10301 Failed to socket option multicast hops a socket.
            *rmgrMain: May 20 14:03:03.875: #RMGR-3-RED_HEARTBEAT_TMOUT: rmgr_main.c:333 rmgrTmoRoleDtermine: Recved GW ping count 0 phyMgr ping count 234.
            *rmgrMain: May 20 14:01:52.875: #RMGR-3-RED_HEARTBEAT_TMOUT: rmgr_main.c:333 rmgrTmoRoleDtermine: Recved GW ping count 0 phyMgr ping count 21.
            *nim_t: May 20 14:01:01.240: #SIM-3-PORT_UP: sim.c:12623 Physical port 1 is up!.

            What is the problem?

            Thank

          3. Oh, those are quite a few problems. I think at this point the best way is to open a TAC case at cisco.com; maybe there are problems with the file system.

  15. Hello Michel,

    First of all excellent blog on WLC HA. Lays out the concept clearly.

    I have a simple question for you. we have a 5508 WLC which was initially having 12 AP Count license and then a 50 AP count license has been added on it and its currently having 62 AP count license.
    I have been communicated that it also has been converted to a HA-SKU unit with a separate license, but I need to confirm that this unit has the HA-SKU license, which i cannot from the below commands.

    This WLC unit will be acting as a N+1 standby unit for a 5508 WLC with 500 AP license.

    Here are the commands from the 5508 standby unit.

    (Cisco Controller) show>sho   redundancy summary

    Redundancy Mode = SSO DISABLED

    Local State = ACTIVE

    Peer State = N/A

    Unit = Secondary – HA SKU

    Unit ID = 00:27:0D:45:AE:20

    Redundancy State = N/A

    Mobility MAC = 00:27:0D:45:AE:20

    Redundancy Management IP Address…………….. 10.193.33.40

    Peer Redundancy Management IP Address………… 10.193.33.39

    Redundancy Port IP Address………………….. 169.254.33.40

    Peer Redundancy Port IP Address……………… 169.254.33.39

    (Cisco Controller) show>lie cense feature

    Feature name Enforcement Evaluation Clear Allowed Enabled

    base-ap-count yes yes yes yes

    data_encryption yes no yes no

    high_availability yes no yes no

    (Cisco Controller) show>license udi

    Device# PID SN UDI

    ——————————————————————————–

    *0 AIR-CT5508-K9 FCW1347L089 AIR-CT5508-K9:FCW1347L089

    (Cisco Controller) >show license summary

    License Store: Primary License Storage

    StoreIndex: 0 Feature: base Version: 1.0

    License Type: Permanent

    License State: Active, Not in Use

    License Count: Non-Counted

    License Priority: Medium

    License Store: Primary License Storage

    StoreIndex: 1 Feature: base-ap-count Version: 1.0

    License Type: Permanent

    License State: Inactive

    License Count: 12 / 0 (Active/In-use)

    License Priority: Medium

    License Store: Primary License Storage

    StoreIndex: 2 Feature: base-ap-count Version: 1.0

    License Type: Permanent

    License State: Active, In Use

    License Count: 62 /62 (Active/In-use)

    License Priority: Medium

    License Store: Evaluation License Storage

    StoreIndex: 0 Feature: base-ap-count Version: 1.0

    License Type: Evaluation

    License State: Inactive

    Evaluation total period: 8 weeks 4 days

    Evaluation period left: 8 weeks 4 days

    License Count: 500 / 0 (Active/In-use)

    License Priority: None

    1. Hi joydeep,

      there are several points in your output to look at:

      – the unit name contains “HA SKU” so it is already converted
      – the “show license summary” has the special StoreIndex 0 where 500 APs can be connected if the primary unit fails, the evaluation time is 60 days. You can also see that this HA unit has already shared the 62 AP license as you can see at StoreIndex 2.

      Please activate SSO, it’s currently deactivated at your cluster.

  16. Hi Michel,

    I just implemented AP SSO on my WLC5508s (primary has 200 AP license, secondary has dedicated HA license). Since I can now only communicate with the primary WLC, I need to find a way to at least monitor the redundancy status using SNMP (using Solarwinds). Do you have any knowledge of what OIDs I should be looking at for monitoring the redundancy state?

    Thanks

    1. Hi Austin,

      you can’t monitor your HA-SKU directly. It’s only possible via Cisco Prime or you can receive a SNMP trap with the special OID but I didn’t know the number. Maybe you can collect SNMP traps while power off the main WLC to see the specific error message.

  17. Gerardo you can enable it globally in the GUI, the cluster will be restarted, the secondary unit will keep itself the passive one.

    1. Michel,

      We finally have it running HA with two 5508, with version 7.5.102.0, but there is one detail: HA is required to have disabled the internal DHCP Scope?.
      When configuring HA requested disable DHCP Scope and working properly once the HA wanted to have internal DHCP Scope is not possible and indicate:
      “Errror in setting DHCP Scope Lease time” and change the lease time does not affect anything.

      The client would have to replace your internal DHCP Scope of 5508 by an external DHCP?

      Thank’s

  18. Hi Michel,

    In a N+1 HA WLC setup, if the Primary 5508 WLC fails (box or network issue) the AP-count license and the APs fail-over to standby 5508 WLC, as a part of N+1 HA operation.
    My question is does the APs need to reboot to get associated with the standby WLC? If yes, whats the typical expected downtime per AP?

    Note: Cisco doc confirms that all client sessions will break and they need to re-auth.

    1. Hi Joydeep,

      no you have no AP disconnects and you have also SSO so your client won’t disconnect. You have only a re-auth with two standalone WLCs where your access points have configured a primary and a secondary WLC. Also in this case your APs didn’t reboot (both WLCs need the same software version).

  19. Hi Michel is there supposed to be a link light on the redundancy ports on both 5508s when you install the back to back devices? If yes, can you see this link light on the WLCs from the GUI on both WLC or is there a command that shows the redundancy port as active ?

    And as far as the service port being the same IP on both WLCs is that before or after you enable HA-SSO ?

    1. Hi! Yeah there is a LED for this but I don’t know if you can see this in the webmanagement, currently I have no access to the customer WLC. The service and management interfaces will become same after configuring HA.

  20. Is there any way to see information about the standby controller once HA is setup? I setup HA at our secondary DC and need to get the serial number off the redundant WLC, preferably without driving.

    1. Hi Mike,

      I see no possibility to do that, only connecting via console from a remote server. Can you open a TAC case @ cisco.com? Would be nice If there is a chance of doing this via SSH :)

    2. hello Mike,

      you can use the service port to reach the standby controller.

      we have a static route to our management network via service port (via 192.168.1.X/24 in the example config), and in this case, you can reach the standby controller (192.168.1.62) via telnet/ssh from your management network.

      after login, you should see the following prompt on the standby controller: (WLCname-Standby).

      hope this helps.

  21. Hello Mike

    it is possible to connect to the standby WLC using Peer Redundancy port Ip via Telnet or SSH.

    Everyday i am connecting through this IP to manage stand by WLC

    Thanks

  22. Hello Michel,

    What do you recommend: an Active/Active or Active/Standby HA? What do you think are the main advantages/disadvantages of both?

    Thank you :)

    1. Hi Mohammed,

      the main advantage of an active/active system is that you have to configure only one system and your clients keep working with (hopefully) no packetloss in case the first WLC gets broken and you can save money because you only need to license one WLC for AP-licenses (active/active makes only sense with a minimum of using 50 APs). The other one is a “HA-unit” that keeps the master license for 60 days I think.

      On an Active/Standby System (two WLCs with exact manual config) have the advantage that you can control both with “your own hands” and can update one WLC while the other is working with your running APs. But here you need to license always both WLCs to the same AP-license-level.

  23. Hi

    currently we are using v7.6 and it is stable. I am not sure about v8.0. It’s prefer to use N-1 version always.

    1. Ok that is very strange, so you can’t connect to it via HTTP anymore? Did you test it directly with an attached device or are you coming from a remote network? Keep in mind that you can’t define a gateway for this so you need to add them:

      config route add network-ip-addr ip-netmask gateway

    2. I’ve had this happen when the primary lost a static route that we had made for service port access. The secondary still had the same route. Added the route and everything was back to normal.

  24. Hi Michael,

    Thanks for the article.

    I have a question:
    Do you have any idea how to simulate the failover, step by step. I read High Availability (SSO) Deployment Guide, but I think it’s not quite enough.

    I need to simulate this in front of my customers.

    Thanks..

    1. You can only simulate it by turning off a WLC or disconnecting the network-cables. Put the two WLCs and an access point to a switch and connect a pinging notebook to the wireless network. I think this is the best way to show it to your customers.

  25. Hi

    Mike has given the good steps to fail over the primary role to HA WLC. According to that, i would like to add one more step as well.

    Login to Primary WLC and execute (Cisco Controller) >redundancy force-switchover command and it will forcefully switch over the primary role to HA WLC.

    Thanks
    Nandha

  26. I’ve got 2 WLC’s in a 6513 chassis, I was able to manage them via gui, but once I enabled SSO redundancy, I cannot get to them via http, and they will not go into active / standby mode

    WLC1:
    (WiSM-slot10-1) show>redundancy summary
    Redundancy Mode = SSO ENABLED
    Local State = ACTIVE
    Peer State = UNKNOWN – Communication Down
    Unit = Primary
    Unit ID = BC:16:65:C2:B8:E0
    Redundancy State = Non Redundant
    Mobility MAC = BC:16:65:C2:B8:E0

    Redundancy Management IP Address…………….. 156.124.216.248
    Peer Redundancy Management IP Address………… 156.124.216.250
    Redundancy Port IP Address………………….. 169.254.216.248
    Peer Redundancy Port IP Address……………… 169.254.216.250

    WLC2:
    (WiSM-slot11-1) >show redundancy summary
    Redundancy Mode = SSO ENABLED
    Local State = MAINTENANCE
    Peer State = UNKNOWN – Communication Down
    Unit = Secondary – HA SKU
    Unit ID = 6C:20:56:2C:16:C0
    Redundancy State = Non Redundant
    Mobility MAC = 6C:20:56:2C:16:C0
    Maintenance Mode = Enabled
    Maintenance cause= Peer redundancy management interface is not reachable

    Redundancy Management IP Address…………….. 156.124.216.250
    Peer Redundancy Management IP Address………… 156.124.216.248
    Redundancy Port IP Address………………….. 169.254.216.250
    Peer Redundancy Port IP Address……………… 169.254.216.248

    thanks for the help.

    1. Try to reboot manually both WLC. Check the redundancy port is UP or down.
      if not help.
      Repeat all steps again and be sure that both WLC reboot double.

    1. Hi,

      no :-/ to convert a WLC to a HA-Unit, you need at least the …50-K9. I think your choice will be to leave them both in your network and configure primary and secondary WLC to your global access point configuration. Keep in mind to configure a mobility group between them.

      1. Hi,

        How about if both is air-ct5508-k9 with base-ap-count 100 each permanent license?

        Can this configure as active standby?

        Thanks in advance.

  27. Hi, I have 2 controllers currently configured a licensed 200 aps and the second is a unit HA

    I forced one switchover and sso procedure, it worked properly,

    Now 2 questions

    when the primary controller becomes available I see that the controller remains active HA

    I conclude that there is no fallback to cause the primary controller becomes active again, am I right?

    What if the controller remains H. A. as active until one sso happen again? It may take months …. until it is resubmitted.

    It is advisable to force a switchover and make the main controller is active?

    1. Hmm that is a good question. Did you try the command “redundancy force-switchover”? You need to make you primary WLC to be the active one! The HA-UNIT (your second WLC) only keeps the licenses for 60 days, I don’t know if this keeps going on when unit 2 is seeing unit 1 again.

  28. Here is the test scenario:
    + 2 * 5508 WLC with redundant port connectivity
    + Firmware version: 8.0.110.0
    I configured the WLCs so that one will be the active and one will be the standby. But I got the problem when testing the failover of the WLCs.
    If the active WLC fails, the management IP will be unreachable in one minute, then the standby will take over the role as the active WLC. But according to the design/specification, the failover process should be occurred immediately and the management IP is still pingable.
    Does anyone have any ideas regarding this issue?
    Thanks.

  29. Hi everyone :
    I have some problem
    I config both WLC, you can see information below, but Both WLC cannot communicate on SSO mode, but I try to ping both WLC on CLI success. Can you help for this problem? Thank you so much.
    WLC – Primary:
    Interface Name          Port  Vlan Id   IP Address     Type    Ap Mgr  Guest
    ----------------------  ----  --------  -------------  ------  ------  -----
    management              LAG   611       10.63.5.23     Static  No      No
    redundancy-management   LAG   611       10.63.5.25     Static  No      No
    redundancy-port         -     untagged  169.254.5.25   Static  No      No
    service-port            N/A   N/A       10.10.10.1     Static  No      No
    ======================================================================
    WLC – Secondary:
    Interface Name          Port  Vlan Id   IP Address     Type    Ap Mgr  Guest
    ----------------------  ----  --------  -------------  ------  ------  -----
    management              LAG   611       10.63.5.22     Static  Yes     No
    redundancy-management   LAG   611       10.63.5.24     Static  No      No
    redundancy-port         -     untagged  169.254.5.24   Static  No      No
    service-port            N/A   N/A       10.10.10.2     Static  No      No

    =============================================================

    1. (Cisco Controller) >show redundancy summary
      Redundancy Mode = SSO ENABLED
      Local State = MAINTENANCE
      Peer State = UNKNOWN – Communication Down
      Unit = Primary
      Unit ID = F4:CF:E2:83:E2:40
      Redundancy State = Non Redundant
      Mobility MAC = 1C:DF:0F:C6:90:40
      Maintenance Mode = Enabled
      Maintenance cause= Default Gateway not reachable

      Redundancy Management IP Address................. 10.63.5.25
      Peer Redundancy Management IP Address............ 10.63.5.24
      Redundancy Port IP Address....................... 169.254.5.25
      Peer Redundancy Port IP Address.................. 169.254.5.24

      =====================================================================
      (Cisco Controller) >show redundancy summary
      Redundancy Mode = SSO ENABLED
      Local State = MAINTENANCE
      Peer State = UNKNOWN – Communication Down
      Unit = Secondary – HA SKU
      Unit ID = F4:CF:E2:94:BE:C0
      Redundancy State = Non Redundant
      Mobility MAC = F4:CF:E2:94:BE:C0
      Maintenance Mode = Enabled
      Maintenance cause= Default Gateway not reachable

      Redundancy Management IP Address................. 10.63.5.24
      Peer Redundancy Management IP Address............ 10.63.5.25
      Redundancy Port IP Address....................... 169.254.5.24
      Peer Redundancy Port IP Address.................. 169.254.5.25

      1. Hmm, I don’t know what the problem is. Did you restart both WLCs? It’s hard to help just with this :) Did you update the WLCs? In case of a problem I would open a TAC case at cisco.com for this.
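
An added example, not part of the comment thread and not Cisco tooling: a small Python check that parses the two `show redundancy summary` outputs posted above and reports each unit's maintenance state and cause, and whether each unit's peer redundancy-management address matches the other unit's own address. The sample text is constructed from the outputs above, and the function names are illustrative.

```python
import re

# Constructed sample: the two "show redundancy summary" outputs posted above,
# trimmed to the fields this check reads.
PRIMARY = """\
Local State = MAINTENANCE
Peer State = UNKNOWN - Communication Down
Unit = Primary
Maintenance cause= Default Gateway not reachable
Redundancy Management IP Address................. 10.63.5.25
Peer Redundancy Management IP Address............ 10.63.5.24
"""
SECONDARY = """\
Local State = MAINTENANCE
Peer State = UNKNOWN - Communication Down
Unit = Secondary - HA SKU
Maintenance cause= Default Gateway not reachable
Redundancy Management IP Address................. 10.63.5.24
Peer Redundancy Management IP Address............ 10.63.5.25
"""
RMI = "Redundancy Management IP Address"

def parse_summary(text):
    """Map field name -> value for both 'key = value' and 'key..... value' lines."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*(?:=|[.\u2026]{2,})\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def diagnose_pair(text_a, text_b):
    """Return a list of findings for an HA pair from each unit's summary output."""
    a, b = parse_summary(text_a), parse_summary(text_b)
    findings = []
    for unit in (a, b):
        name = unit.get("Unit", "unknown unit")
        if unit.get("Local State") == "MAINTENANCE":
            cause = unit.get("Maintenance cause", "not reported")
            findings.append(f"{name}: in maintenance mode ({cause})")
        if unit.get("Peer State", "").startswith("UNKNOWN"):
            findings.append(f"{name}: peer state unknown")
    # Each unit's configured peer address must be the other unit's own address.
    for local, peer in ((a, b), (b, a)):
        if local.get("Peer " + RMI) != peer.get(RMI):
            findings.append(f"{local.get('Unit', 'unknown unit')}: peer address "
                            f"{local.get('Peer ' + RMI)} does not match the other unit")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose_pair(PRIMARY, SECONDARY)))
```
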

  30. Dear Michel, thank you for your post, it is really helpful.
    Which IP address will be the main IP address for all APs?
    I mean AIX clusters or e.g. Alteon switches have a special IP for HA which represents the cluster.
    AIX has service IP, Alteon has VIR.
    Which IP in Cisco HA is “main”?
    If there is not, which IP from your example will be set up on Access Points?
    Thank you in advance for your reply,
    PS. regards from Poland neighbor:)

  31. Any idea on how to perform an IOS update for an HA stack? I have configured (thanks to this great blogpost) two 5508’s, both running 8.0.110, and I want to upgrade to 115.

    Can I just upload the image to the active one and will this be synchronized?

    1. Well, I decided to take the gamble ;-).

      Only thing is that when you issue the reboot command you can actually reboot the active, the peer or both the controllers.

      I rebooted the primary and within 60 seconds the peer (which was taking over control).

      I wonder however if it is possible to reboot them one after another so you will not have any downtime when upgrading a software image.

      Maybe this works within minor software updates like this and not on major ones?

      Anyone has knowledge of this?

      See for output when starting the FTP transfer of the image and the result.

      This may take some time.
      Are you sure you want to start? (y/N) y

      FTP Code transfer starting.

      FTP receive complete… extracting components.

      Checking Version Built.

      Image version check passed.

      Waiting for the Transfer & Validation result from Standby.

      Standby – Standby receive complete… extracting components.

      Standby – Checking Version Built.

      Standby – Image version check passed.

      Executing backup script.

      Standby – Writing new RTOS to flash disk.

      Writing new FP to flash disk.

      Standby – Writing new FP to flash disk.

      Standby – Writing new AP Image Bundle to flash disk.

      Executing fini script.

      FTP File transfer successful on Active Controller

      Standby – Executing fini script.

      File transfer is successful
      Reboot the controller for update to complete
      Optionally, pre-download the image to APs before rebooting to reduce network downtime.

      Transfer Download complete on Active & Standby

      1. So you only update the first one and just restart the first controller? Does the second controller reboot after the first is available again and upgrade itself automatically?

        1. Well I thought, just after rebooting the first (current active) one, that things might go wrong when a version mismatch occurs (which could be the case). So within 60 seconds I rebooted the other one. So I can’t answer that question.

  32. Hi Michael,

    Is there any way by which I can add the standby controller in our monitoring tools?

    Regards,
    Anuj

  33. Thanks for this nicely documented blog. Do I need to configure the HA with WLANs, SSIDs, etc.? Or is that going to be configured by the primary?

    1. Hi Natheer,

      you only have 1 webinterface where you configure your wireless network. The configuration will be synced immediately to the other node.

  34. Hi Michel,

    You mentioned on Oct 15 of 2014. “On an Active/Standby System (two WLCs with exact manual config) have the advantage that you can control both with “your own hands” and can update one WLC while the other is working with your running APs. But here you need to license always both WLCs to the same AP-license-level.”

    My company plans to use this configuration. Could you share any official documents that we could refer to?

  35. Hi Michel,

    Great thanks for your quick response and useful document. You also mentioned “But here you need to license always both WLCs to the same AP-license-level”.

    Could you share any official document to explain WLC license count since I need to convince my leadership why we need 2x license for the seamless configuration in case upgrading WLC?

  36. I think it is simply because this configuration is based on two standalone controllers. So we need to buy 2x amount AP licenses for these 2 controllers in advance.

  37. Hi Michael,

    I am working for a customer that has 37 AP licenses now. It was shipped with 12 and then a 25 AP license was added.
    They want to implement HA.

    I would like to ask you the following

    If they buy a HA SKU controller with 0 licenses and this controller will take over the 37 licenses and ap if the primary controller fails, I can use only active-active deployment or active-standby?

    If they buy a normal controller with 50 AP license (also add existing controller to have 50 AP licenses) I can use standby-active or active-active ?

  38. With a HA-SKU Device you will have active-active function and you will have to configure only one controller, if the primary licensed unit will fail, the ha-sku unit will takeover.

    If you buy another standalone unit with a 50 AP license, you will have two units which need to be configured with the same wifi networks etc. Every change has to be done on both units. When you have more than 50 APs, two standalone controllers are more expensive because you have to license both units.

    1. Not really, you can point the first half of your APs to the first controller and the second one handles the others. You can place two standalone controllers in different locations (I had a customer with two WLCs placed in different towns). A HA cluster needs to be in one place (because the dedicated link needs jumbo frames between them).

  39. I understand. but for this question ?

    And what is the reason to buy 2x controllers with 50 ap on each ? For what ?

  40. To place them on two locations for example. Or you don’t trust the ha system and have two WLCs so you can bring all APs to unit 2 and can update unit 1 without problems.

  41. Hi Michael,

    Thanks for the article.

    I have this scenario:
    – 2 Cisco WLC 5508
    – one with 100 AP Licence and Sw 8.0.115
    – one with 12 AP licence and SW 8.0.135
    is possible HA ?? and how i do ??
    thanks ….

  42. Hi Ciccio,

    the second one needs at least 50 AP licenses to convert to a HA SKU unit. I think rebuying a HA SKU 5508 directly will be cheaper but check it first.

  43. Thanks a lot Michel, really …. do you think it is cheaper to buy a new license ??
    What kind of license ??? I had understood that it was possible to convert a 50 AP license (that I must buy ….) into a HA SKU license …
    thanks again …
