Wednesday, February 11, 2009

WiSM Upgrade from 4.1.181.0 to 4.2.176.0

Today we finished upgrading our two Wireless LAN Controller WiSM modules from version 4.1.181.0 to 4.2.176.0 (thanks to Stefano Messia ;-) )

Some tips, tricks and problems:
  • Carefully read the "Wireless LAN Controller (WLC) Software Upgrade" guide and follow the instructions for software upload via TFTP.
  • Keep in mind that the upgrade instructions are for a single controller; if you have multiple controllers, you must plan a simultaneous upgrade.
    The most important thing is: when I reboot a controller, all my APs will register on the other controllers; if my controller has a new software release, the APs will automatically download a new mini-IOS the first time (and if it has an older software version, the APs will download it and downgrade back ;-( ).

So, I have two controllers: I upgraded and rebooted the first, and the APs registered and downloaded the upgrade. Suddenly, during the software download, the load-balancing feature between the controllers moved several APs to the other one (with the old 4.1...) and they downgraded back to the old IOS!
In fact, with two WiSMs, one on 4.2.176 and one on 4.1.181, in the middle of the upgrade there was a sort of access point loop: registering on one WiSM, downloading the upgrade, moving to the other WiSM and downloading the "downgrade" software...
If an access point is downloading, you cannot reboot the WiSM module...
To solve this, we completely shut down the port-channel of the "old" version WiSM and then rebooted it... (extremely discouraged by the instructions ;-( )

Problems POST-upgrade to 4.2.176.0
  1. The DHCP Proxy feature is automatically disabled, so no clients could use the service until we had troubleshot it (tip: show dhcp proxy and config dhcp proxy {enable | disable} from the CLI).
  2. With WebAuth, we use an external HTTPS auth page. With 4.2.176, SSLv2 support is disabled by default and the WiSM uses SSLv3, so some clients (the oldest browsers) cannot see the auth page. (tip: to enable SSLv2 from the CLI: config network secureweb cipher-option sslv2 enable )
  3. After intensive troubleshooting, we found problems with the web authentication page. In fact, most of the time with 4.2.176.0 the redirect to the external auth page doesn't work! After a lot of attempts and debugging, we created a .tar with our custom authentication page and uploaded it via TFTP to each controller. (see instructions: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml#guide )
    To enable the new "Customized bundle" you must go to "Wlan", click on the SSID, open Security L3, choose "Override global config", select "Customized (Downloaded)" and choose "login.html". (see picture below ;-) )




Interesting links for troubleshooting web authentication on Wireless LAN Controllers:



NOTE: we still have problems with web auth redirects; it seems to be an unofficial "bug" of 4.2.176.0 and of 5.2.157.0 (see: this educause.edu post and this one). Maybe in the next few weeks we'll decide to downgrade to 4.2.130.0.

NOTE2: on 30 Mar 2009 we downgraded to version 4.2.130 and solved the webauth login page problems.
