10-22-2019 11:26 AM
Hello guys,
In my lab I can’t get the upgrade of remote-site APs through the RFDM AP to work.
My upgrades are successful, but through VX9000 and not through the RFDM AP.
The test is very simple, VX9000 + 2 pieces of AP7532 in the same vlan.
VX running config:
!### show running-config
!
! Configuration of VX9000 version 7.2.1.1-006R
!
!
version 2.7
!
!
client-identity-group default
 load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
 permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
!
!
management-policy default
 no telnet
 no http server
 https server
 rest-server
 ssh
 user admin password 1 b3c4e90173bd1f030e821f04ee833f17e78b4133788ffb40f12928bfabba10c8 role superuser access all
 snmp-server community 0 private rw
 snmp-server community 0 public ro
 snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
 snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
!
ex3500-management-policy default
 snmp-server community public ro
 snmp-server community private rw
 snmp-server notify-filter 1 remote 127.0.0.1
 snmp-server view defaultview 1 included
!
ex3500-qos-class-map-policy default
!
ex3500-qos-policy-map default
!
database-policy default
!
profile vx9000 default-vx9000
 no autoinstall configuration
 no autoinstall firmware
 no device-upgrade auto
 crypto ikev1 policy ikev1-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ikev2 policy ikev2-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface xge1
 interface xge2
 interface xge3
 interface xge4
 interface ge1
 interface ge2
 use firewall-policy default
 logging on
 service pm sys-restart
 router bgp
 adoption-mode controller
!
profile ap7532 default-ap7532
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ikev2 policy ikev2-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface ge1
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 logging on
 controller host 172.17.8.3 pool 1 level 2
 service pm sys-restart
 router ospf
 adoption-mode controller
!
rf-domain VXtest
 country-code il
!
rf-domain default
 no country-code
 control-vlan 1
!
vx9000 08-00-27-1D-96-AB
 use profile default-vx9000
 use rf-domain VXtest
 hostname vx9000-1D96AB
 license AAP VX-DEMO-16AAP-LICENSE
 license ADSEC DEFAULT-ADV-SEC-LICENSE
 no mint mlcp vlan
 autoinstall firmware
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
!
ap7532 B8-50-01-71-C0-D4
 use profile default-ap7532
 use rf-domain default
 hostname ap7532-71C0D4
!
ap7532 B8-50-01-74-3E-6C
 use profile default-ap7532
 use rf-domain default
 hostname ap7532-743E6C
!
!
end
Info from VX:
vx9000-1D96AB#show mint ne
1 mint neighbors of 12.1D.96.AB:
1B.71.C0.D4 (ap7532-71C0D4) at level 2, best adjacency ip-172.17.8.4:24576
vx9000-1D96AB#show global domain managers 
-----------------------------------------------------------------------------------------------------
                      RF-DOMAIN                              MANAGER          HOST-NAME  APS  CLIENTS
-----------------------------------------------------------------------------------------------------
                         VXtest                    08-00-27-1D-96-AB      vx9000-1D96AB    0        0
                        default                    B8-50-01-71-C0-D4      ap7532-71C0D4    2        0
-----------------------------------------------------------------------------------------------------
Total number of RF-domain displayed: 2
vx9000-1D96AB#show device-upgrade history 
-------------------------------------------------------------------------------------------------
            Device      RESULT                 TIME  RETRIES        UPGRADED-BY LAST-UPDATE-ERROR
-------------------------------------------------------------------------------------------------
     ap7532-743E6C        done  2019-10-22 09:23:31        0      vx9000-1D96AB -
     ap7532-71C0D4        done  2019-10-22 09:24:42        0      vx9000-1D96AB -
Total number of entries displayed: 2
vx9000-1D96AB#show mint neighbors on ap7532-71C0D4
2 mint neighbors of 1B.71.C0.D4:
1B.74.3E.6C (ap7532-743E6C) at level 1, best adjacency vlan-1
12.1D.96.AB (vx9000-1D96AB) at level 2, best adjacency ip-172.17.8.3:24576
vx9000-1D96AB#show mint neighbors on ap7532-743E6C
1 mint neighbors of 1B.74.3E.6C:
1B.71.C0.D4 (ap7532-71C0D4) at level 1, best adjacency vlan-1
vx9000-1D96AB#show mint links 
1 mint links on 12.1D.96.AB:
link ip-172.17.8.4:24576 at level 2, 1 adjacencies, (used)
What is wrong with my configuration?
Why can’t I get the upgrades to work through the RFDM AP?
Thanks,
Aviv
10-23-2019 06:53 PM
I can certainly testify that this works perfectly in WiNG-5. (Can’t imagine how it would’ve gotten messed up in WiNG-7 though). This topology is used for a HUGE number of deployments. If something was fundamentally broken in this regard, we’d have heard about it long before now.
From the controller, my output looks like this:
NX(config)#sh device-upgrade history on LAB
-------------------------------------------------------------------------------------------------
            Device      RESULT                 TIME  RETRIES        UPGRADED-BY LAST-UPDATE-ERROR
-------------------------------------------------------------------------------------------------
        LAB-MCX      done  2019-03-13 13:15:37        0       8533-Floor-1      -
   8533-Floor-2      done  2019-03-13 13:14:39        0       8533-Floor-1      -
   8533-Floor-2      done  2018-11-09 12:39:30        0       8533-Floor-1      -
Total number of entries displayed: 3
On the RFDM AP, the output shows this (the non-RFDM AP output is empty).
(You can see in the first column (Device) the listing of non-RFDM APs that this RFDM AP had upgraded.)
8533-Floor-1#sh device-upgrade history
-------------------------------------------------------------------------------------------------
            Device      RESULT                 TIME  RETRIES        UPGRADED-BY LAST-UPDATE-ERROR
-------------------------------------------------------------------------------------------------
   8533-Floor-2      done  2019-03-13 13:14:39        0       8533-Floor-1      -
        LAB-MCX      done  2019-03-13 13:15:37        0       8533-Floor-1      -
   8533-Floor-2      done  2018-11-09 12:39:30        0       8533-Floor-1      -
Total number of entries displayed: 3
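An added illustration, not part of any post in this thread and not vendor code: a small parser that reads the `show global domain managers` and `show device-upgrade history` tables and reports, per device, whether its most recent upgrade came from an RF-domain manager or straight from the controller. The function names and verdict labels are assumptions made for this example, as is treating a controller-to-manager upgrade as its own case; the sample text is the output from the first post.

```python
import re

# Sample input: the two tables from the first post in this thread.
MANAGERS = """\
                      RF-DOMAIN                              MANAGER          HOST-NAME  APS  CLIENTS
                         VXtest                    08-00-27-1D-96-AB      vx9000-1D96AB    0        0
                        default                    B8-50-01-71-C0-D4      ap7532-71C0D4    2        0
Total number of RF-domain displayed: 2
"""
HISTORY = """\
            Device      RESULT                 TIME  RETRIES        UPGRADED-BY LAST-UPDATE-ERROR
     ap7532-743E6C        done  2019-10-22 09:23:31        0      vx9000-1D96AB -
     ap7532-71C0D4        done  2019-10-22 09:24:42        0      vx9000-1D96AB -
Total number of entries displayed: 2
"""
MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")
DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def parse_managers(text):
    """Map RF-domain manager hostname -> RF-domain name."""
    rows = (line.split() for line in text.splitlines())
    return {f[2]: f[0] for f in rows if len(f) == 5 and MAC.match(f[1])}

def parse_history(text):
    """Yield (device, result, timestamp, upgraded_by) for each data row."""
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 7 and DATE.match(f[2]):
            yield f[0], f[1], f"{f[2]} {f[3]}", f[5]

def upgrade_paths(history, managers, controller):
    """Classify the most recent upgrade of every device in the history."""
    latest = {}
    for dev, _result, ts, by in parse_history(history):
        if dev not in latest or ts > latest[dev][0]:
            latest[dev] = (ts, by)
    verdicts = {}
    for dev, (_ts, by) in latest.items():
        if by != controller and by in managers:
            verdicts[dev] = "via-rf-domain-manager"
        elif by == controller and dev in managers:
            # Assumption: the manager itself is fed by the controller.
            verdicts[dev] = "manager-upgraded-by-controller"
        elif by == controller:
            verdicts[dev] = "direct-from-controller"
        else:
            verdicts[dev] = "unknown-upgrader"
    return verdicts

if __name__ == "__main__":
    mgrs = parse_managers(MANAGERS)
    for dev, v in upgrade_paths(HISTORY, mgrs, "vx9000-1D96AB").items():
        print(f"{dev:20} {v}")
```

Run against the first post's output, the non-manager AP is reported as upgraded directly by the controller, which is the symptom the question describes.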
10-22-2019 12:52 PM
Hi Avi,
Everything looks good. And what does the upgrade process look like? You can monitor it with "watch 4 sh device-upgrade status". Also, the devices can skip the update when they are already running the requested release and the "force" option is not given in the upgrade command.
Misha
