
Ask the Expert: High Availability on Wireless Lan Controller (WLC)

Mar 8th, 2013

With Madhuri C.

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions of Cisco expert Madhuri C. about the new High Availability (HA) feature (that is, AP SSO) set within the Cisco Unified Wireless Network software release version 7.3. This feature allows the access point (AP) to establish a CAPWAP tunnel with the Active WLC and share a mirror copy of the AP database with the Standby WLC. The APs do not go into the Discovery state when the Active WLC fails and the Standby WLC takes over the network as the Active WLC.

Madhuri C. is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. During her four years of experience she has worked on a wide range of Cisco wireless products and technology such as autonomous IOS (aIOS) access points, wireless routers, wireless LAN controllers, wireless VoIP phones, wireless control systems, network control systems, prime infrastructure, and mobility services engines. She has also worked in LAN switching technology.

Remember to use the rating system to let Madhuri know if you have received an adequate response. 


Madhuri might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless Mobility sub community discussion forum shortly after the event. This event lasts through March 22, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

huangedmc Sat, 03/09/2013 - 10:12

hi Madhuri:

The examples in the document show the management IP's used on primary & standby are &

Is it correct that in this case, will always be used as the active management IP, even after a switchover?

Meaning the previous standby would have after switchover?

If that's the case, is it the same for all the interfaces, including the redundancy interface?


Also, if we have the ability to extend a VLAN between two datacenters, what's to stop us from deploying WLC HA in two different locations?

Would that be a valid design / deployment?



Madhuri C Sun, 03/10/2013 - 03:14

Hi Kevin,

Great question..

Yes, (Primary WLC IP)  will be the active management IP as soon as the HA Pairing is up. Meaning, initially before SSO is enabled, both WLCs would have unique management IP address in same subnet which would be on WLC1 and on WLC2 as per config example. After HA SSO is configured and HA pairing is up, one WLC will come up as active, other WLC will come up as standby hot and both WLCs would have the same management IP

This would remain consistent even after switchover. That is previous standby or current active would have as the management IP which is the previous active WLC IP address.

Redundancy interface would still have unique IP address on both WLCs before and after enabling HA SSO. Considering the same example, would still be the redundancy management ip on WLC1 and would be the redundancy ip on WLC2. This interface is used to check connectivity to network and to the peer thus would remain unique always.

Regarding WLCs in different location: It is required for us to have direct physical connectivity between the two WLCs via the redundancy port and also they should have management IP in same subnet. The distance between the two WLCs can go up to 100 metres as per the cabling standard.

If the distance between the two locations is higher than this and if cabling is not possible between two WLCs then you can consider old AP failover feature.

Link :

As per this old feature all you would need is IP connectivity between two WLCs, APs. However this triggers new AP discovery and thus the delay.



skronawithleitner Mon, 03/11/2013 - 00:57

Hi there,

the linked document states:

"In order to achieve HA, WiSM-2 WLCs should only be deployed in a single chassis or deployed between multiple Catalyst 6500 chassis using VSS."

So two 6500 in standalone mode (but with high bandwidth-connection between them) won't work? Should work? Could work? The only difference is that it is an 802.1q trunk instead of a VSL...

Because that info is new to me, and VSS is not an option at the moment.

Madhuri C Mon, 03/11/2013 - 01:22


Unfortunately two standalone devices in different chassis would not work as these would not act as single logical switch.

This setup is not recommended and tested  as of now.

Wireless Business Unit would be tracking this in future releases. But current release only supports Single chassis or Multiple Chassis with VSL Link/VSS setup.



skronawithleitner Mon, 03/11/2013 - 01:43


that is pretty bad, because I just ordered based on that document:

(WLC HA Q&A) which states:

"The two WiSM2 blades could be placed within the same chassis or across two chassis. The latency of the link connecting the two chassis needs to be less than 80 ms."

which would have been no problem. On the other hand, VSS or both in one chassis (only 1 slot to spare) is. Since the second one was ordered as HA-Version, it is now pretty much worthless.

Madhuri C Mon, 03/11/2013 - 08:09


I understand your concern

I just raised a documentation bug to add the Q & A doc with complete info on VSS support for multiple chassis.

Bug ID: CSCuf16936. It will be made available in bug toolkit after a few days.

For now, with Non-VSS, I guess only option would be to look for a free slot in chassis 1 or move any existing module if possible from chassis 1 to chassis 2 to make room for standby wism2 in first chassis.

Going forward, enabling VSS would be better. Reason being, with VSS it will not only take care of WISM module failure but also we get Chassis, Supervisor failover. Without VSS, in single chassis we would only have WISM redundancy.



cerisier Tue, 03/12/2013 - 07:38


I would like to know what's going to happen in the scenario below please :

We have 1 WLC-5508 under version 7.0 used to manage remote flexconnect AP and backup several remote WLC-2112 also under 7.0.

We plan to deploy a second 5508 in the same location as the first one to back it up.

As we cannot upgrade 2112 beyond 7.0 can we use the two 5508 in 7.3 (or 7.4) in order to use AP-SSO as secondary and tertiary controller?

What will happen if one 2112 fails? Will the APs download the 7.3 image? Will they download the 7.0 image again when the 2112 comes back up?

I hope my explanation is clear enough

Thank you for your answer,


Madhuri C Tue, 03/12/2013 - 11:14


I understand that you have one 5508 WLC managing flex mode APs across WAN link and you have several 2100 series WLCs in remote locations which will kick in if 5508 in central location fails. I'm assuming every remote location has one 2100 series WLC as backup in each location. Please feel free to correct if my understanding is wrong here.

As you have planned to deploy a second 5508, best design would be to have two 5508 WLCs upgraded to 7.3 or later in central location. These two WLCs will act like one WLC in HA pair. That is if first 5508 WLC fails then second 5508 WLC will become active. These two together will be primary WLC for APs. You cannot load balance between the 2 5508 WLCs. Second 5508 WLC will just be idle and monitor the health of first 5508 WLC.

Further, if both 5508 WLCs fail (box or network failure), then you could have remote two 2100 series as secondary and tertiary.

If both 5508 WLCs fail, then APs download 7.0 and rejoin 7.3 if any of the 5508 WLCs is back up.

5508 WLCs have better processing speeds compared to 2100 series thus it is good to make 5508 as primary.

Please refer to :

The above section is similar to your scenario.

Let me know if this answers your question.



cerisier Wed, 03/13/2013 - 11:50

Hi Madhuri,

Thanks for your reply, we have a 5508 managing remote flexconnect on some sites and some other sites where we have 2100 managing local AP. The idea is that when a 2100 fails (there is only one per site) the local AP backup on the 5508, that works fine.

We plan to deploy a 2nd 5508 at central site to backup the first one as the Wifi infrastructure is now becoming critical. Ideally we would like to take advantage of the new HA backup mode but cannot upgrade 2100 in 7.3. So the main question was: will the AP download the 7.3 when backing up on the 5508 and will they downgrade to 7.0 when they get back on the 2100. You sharply answered it and I thank you for that :-)

Best Regards,


manilson Wed, 03/13/2013 - 10:09


I have a similar question regarding hooking up a secondary HA WLC 5508 running 7.3 whilst the active/primary unit is running 7.0 code.

First - will the secondary unit try to become primary when unable to synchronise with primary?

Second - will the secondary disrupt the primary if the RP port is connected to the otherwise HA-unaware wlc-5508?

Third - what state will the secondary wlc be in when negotiation fails?

The issue is that we will have to stay on 7.0 release until other dependencies are met, but at the same time install the new HA controllers in advance. Should the portchannel interface to the secondary be shutdown to prevent disturbing the active WLC running 7.0 for safe measures?

Sincere regards


Madhuri C Wed, 03/13/2013 - 19:02

Thanks Pascal. Glad to hear that all your queries are addressed

Madhuri C Wed, 03/13/2013 - 19:06

Hi Mats,

Great question.

It is required to have primary and secondary in HA pair to be in same version and HA SSO feature on WLC is supported only in 7.3 and later.

Answers :

First : When you have both WLCs upgraded to same 7.3 or later codes then yes, secondary will become active if primary fails.

Second : If both WLCs are on different codes it is not possible to have HA pairing between the two so you won't be able to connect redundancy port between 7.3 wlc and 7.0 HA unaware WLC.

If both WLCs support HA and are on 7.3 then the matrix below explains on what conditions secondary takes over :

(Refer to section : These matrixes provide a clear picture of what condition the WLC Switchover will trigger)

Third : Secondary WLC will ping the default gateway and also primary WLC. If primary WLC has failed completely and if it is only secondary WLC that has connectivity to network then secondary will become active. Switchover happens in this case. If both WLCs have failed to reach gateway then switchover does not happen. Standby will reboot and check for gateway reachability. Will go in to maintenance mode if still not reachable.

If you have three WLCs, then you can upgrade two WLCs to 7.3 and enable HA pairing between the two. If you have two WLCs only as of now and one has to remain in 7.0 then only option would be to use older AP HA feature.

Link :

Once all conditions are met and WLCs are upgraded, you can then enable HA SSO on both WLCs.

To check on dependency with NCS, MSE, WCS , AP support and WLC upgrade you can refer to :

Let me know if this answers your question.



gnijs Thu, 03/14/2013 - 04:34

I have a small question:

Can one HA WISM2 be backup of 2 (or more) primary WISM2 in the same chassis ?



gnijs Thu, 03/14/2013 - 05:01


As long as both controllers need to be directly back-to-back connected, the HA feature is pretty much useless for me. I want to make use of the cheaper licensing in HA mode, but of course, don't want to put my HA controller in the same physical location as my primary. Now I am forced to the 'classical' failover (prim/sec/ter) which also works, but is much more expensive because of the licensing. NOTE: I have L2 extended VLANs between primary and backup location.

Can you explain this requirement in more detail (do you maybe use jumboframes or non-compliant frames for sync ?), because some documentation is not very clear on this.

For example, see also:

What new capabilities are introduced starting with Release 7.4 in high-availability licensing?

Starting with Release 7.4, the -HA SKU can now be used in N+1 mode.

Take a look at Figure 4.

Two 5508 are backed up by a single 5508-HA ?

How is this possible if they need to be back-to-back connected and each 5508 has only one HA port ?

Is this requirement maybe removed in 7.4 code ?



Madhuri C Thu, 03/14/2013 - 08:09

Hi Geert,

Excellent question. I totally hear you and can understand the confusion.

There is doc bug filed for this :

When you have two WLCs connected by physical cable via the redundant port, it is a total 1:1 failover with AP SSO. Here secondary WLC need not be configured individually. All config and WLANs will be inherited from Primary WLC. Also they are in same datacentre so VLANs are consistent, not an issue.

In 7.4, they allow you to use the HA SKU WLC as a backup WLC outside of the SSO for 90 days then afterwards you will get a message trap stating it has been more than 90 days so primary WLC should be made available. In other words it allows you to provide an N:1 backup solution so that APs from "N" primary WLCs can fail back to "N+1" standby WLC.

We need to configure the HA-SKU WLCs as a regular backup WLC. It has to be manually configured to support same SSIDs and Security that you would like your APs and clients to have in an event of failover. The HA SKU cannot take the config from N primary WLCs and cannot sync automatically.

There is no need to directly connect this N+1 WLC with any of the N primary WLCs via direct cable and can be in a different geographical location with just ip connectivity. This is no different than your traditional AP HA with primary, sec and tertiary defined.

Basically 7.4 N+1 HA SKU is a cheaper solution and it will support APs on failover from multiple WLCs. With traditional AP HA you need license for each box which is comparatively more expensive.

Table 1 has the limit for HA SKU :



gnijs Thu, 03/14/2013 - 09:38

Hi Madhuri,

Thanks for the explanation, I understand now. Just to be sure: in 7.4 the HA-SKU failover is NOT AP SSO but behaving like normal prim/sec/ter failover  (so taking longer), but possible from several controllers as opposed to AP SSO only possible in 1:1 failover ?



Madhuri C Thu, 03/14/2013 - 09:46

Exactly Geert. You have summarized it perfectly !!



Wekatroniks Fri, 03/15/2013 - 00:04

hi good day sorry.

I'm new to this, but it's a start.

I have a question for you. I am working as a network administrator IP phone, the company made a firmware upgrade to CUCM version 8.5, the following versions was that wireless phones are also updated the firmware to function better with CUCM 8.5, but since this happened,

maybe you hear better than previous versions,

but there is a lot of packet loss, the communication not understood, users complain too much about the wireless phone system.

We could help with any suggestions on how to improve service.

Thanks for your attention

gnijs Fri, 03/15/2013 - 09:02

Hello Madhuri,

Here I am again with a question:

Can a controller that is configured for AP SSO (back to back) at the same time be used as a HA SKU for other controllers ? I guess not, but can you confirm ?



Madhuri C Sat, 03/16/2013 - 01:11

Hi Geert,

Yeah as you have rightly suspected, we cannot have secondary WLC connected directly to primary to also act as HA SKU for other primary WLCs. This one can only monitor the directly connected primary WLC by sending keepalives via redundant port and check gateway connectivity.

Both the WLCs paired together act like one logical WLC (both WLCs share same IP) and this IP can be used as primary or secondary to any other AP on a different WLC. However this is traditional AP HA and not fast AP SSO.



thomasholmsgaard Sun, 03/17/2013 - 05:56


Do you have any measurements of traffic imposed on the redundancy link?

I am going to run a couple of wlc5508 in HA between two data centers as a platform for roughly 300 APs in flexconnect.

Thank you.

Madhuri C Sun, 03/17/2013 - 18:53



In the data centre (as per above snapshot) there are 2 WLCs active and standby connected by redundancy port.

This is used to synchronize configuration between controllers in the Active and Standby states.

Below is the traffic that is expected on this link :

- Keepalive messages sent  from the standby controller to the active controller every 100 milliseconds (default frequency) to check the health of the active controller. Also notifications are sent in the event of failover.

- Internet Control Message Protocol (ICMP) packets are sent every 1 second from each controller to check reachability to the gateway using the redundant management interface. 

- Bulk configuration during boot up and incremental configuration are synched from the Active WLC to the Standby WLC using the Redundant Port.

Rest of the capwap / LAN traffic happens in the normal way and with active WLC only. A mirror copy of this is sent to standby by active. As standby would be idle and just monitoring the active WLC's health, this traffic is not of much concern and WLC is good to handle this.

As both WLCs would be adjacent physically, the latency would not be too high. The distance between the connections can go up to 100 meters as per Ethernet cable standards.

I understand that you would have APs over WAN in flex mode and two WLCs in a different location. One thing to consider is WAN link utilization and link latency between WLCs and AP. If this is being taken care already, then there is nothing in addition that you need to worry on regarding standby WLC / AP SSO



thomasholmsgaard Mon, 03/18/2013 - 04:59

Thank you! My conclusion was confirmed.

Have a great day.


Madhuri C Mon, 03/18/2013 - 06:26

Great !! You too have a good day Thomas

siddhartham Mon, 03/18/2013 - 10:21

Hi Madhuri,

I have a question regarding the upgrade, we have two 5508 currently running on and we are planning to upgrade them to and configure them as Active/Standby pair for AP SSO failover.

Do the controller lose the config when we enable HA? Do we have to disconnect the secondary controller from the network and manually configure it as a standby and attach it back to the network for them to become a active/standby pair?


Madhuri C Mon, 03/18/2013 - 22:30

Hi Siddartha,

Once the two WLCs are upgraded to 7.4, you can manually configure one as primary and other as secondary WLC via GUI or CLI commands.

You can always take a backup from both WLCs before HA pairing just in case it is required.

No, config will not be lost when you enable HA on primary WLC. Once the HA pairing is successful, standby WLC will automatically pickup config from primary WLC. Thus you do not need config of secondary and there is no way to configure secondary WLC once the pairing is done.

After pairing, secondary will be idle and just monitor the primary wlc and gateway reachability. You cannot load balance APs between the two WLCs.

No, Secondary and Primary both are to be connected to each other via redundancy port and both WLCs need to be connected to switch to check on the gateway reachability and to pass traffic. After the above setup is ready, you need to manually configure and choose one WLC as Primary and other as Secondary. Enable HA SSO.

Initially both WLCs should have unique IPs in same subnet. Once the HA SSO mode is enabled, WLCs will negotiate the roles and share the same IP which is that of the primary WLC that you choose. Hereafter you can assume this to be one logical wlc.

You can refer to the 8 steps mentioned below for enabling HA SSO :

Please refer to below section regarding licenses :

Since you have 5508, you need to have minimum of 50 license on standby for this conversion.

Let me know if this answers all your questions.



siddhartham Tue, 03/19/2013 - 14:53

That's helpful, thanks for the info.


brobinb Tue, 03/19/2013 - 09:20

Hi Madhuri,

I have two Flex 7510 configured as AP SSO HA pair and work fine. And here is the test I did to verify how the HA behaves:

I disabled the switch ports connected to the primary 75, then the secondary 75 took over control right away (telling this by doing a continuous ping to the primary mgmt IP).

After about 5 minutes, re-enabled the switch ports that were disabled, and the ping still replied, not quite sure if the primary unit took the control back.

Here is the point, I disabled the switch ports connected to the secondary unit, and re-enabled them after a while. I noticed that the secondary unit rebooted, reason showed as 'Gateway not reachable'.

I don't know if this also applies to the primary unit when I shut down the switch ports and brought them back on. Is this designed to do so or just a bug?

Thanks for your input,


Madhuri C Tue, 03/19/2013 - 11:40

Hi Robin,

WLC1 - Initially configured as Primary and is active currently.

WLC2 - Initially configured as Secondary and in standby mode.

1.  When you disabled switchport going to primary WLC1, gateway would not be reachable from primary. Thus the secondary wlc2 will come up as active wlc.

Scenario :

Network Issues

| RP Port Status | Peer Reachable via Redundant Management | Gateway Reachable from Active | Gateway Reachable from Standby | Switchover | Results |
| --- | --- | --- | --- | --- | --- |
| Up | Yes | No | Yes | Yes | Switchover happens |

2. After above step, WLC2 is still active.

Now when you enabled ports going to WLC1, WLC1 will negotiate and become standby on its own. There is no preempt functionality. That is when the previous Active WLC1 comes back, it will not take the role of the Active WLC, but will negotiate its state with the current Active WLC - WLC2 and transition to a Standby state.

Scenario now would be :

Network Issues

| RP Port Status | Peer Reachable via Redundant Management | Gateway Reachable from Active | Gateway Reachable from Standby | Switchover | Results |
| --- | --- | --- | --- | --- | --- |
| Up | Yes | Yes | Yes | No | No Action |

3. After above step, WLC2 is still active, and WLC 1 is standby. Now ports to WLC2 which is current active is brought down.

Scenario would be :

Network Issues

| RP Port Status | Peer Reachable via Redundant Management | Gateway Reachable from Active | Gateway Reachable from Standby | Switchover | Results |
| --- | --- | --- | --- | --- | --- |
| Up | Yes | No | Yes | Yes | Switchover happens |

so now WLC1 is back as active and WLC2 would be standby for which there is no network connectivity.

4. As WLC2 has switchport down, last scenario would be :

Network Issues

| RP Port Status | Peer Reachable via Redundant Management | Gateway Reachable from Active | Gateway Reachable from Standby | Switchover | Results |
| --- | --- | --- | --- | --- | --- |
| Up | Yes | Yes | No | No | Standby will reboot and check for gateway reachability. Will go in to maintenance mode if still not reachable. |

Thus everything you have noticed is working as per design and is not a bug

We can get more clarity on this by issuing 'show redundancy summary' on both WLCs at every step to see current active, current standby and maintenance mode reason.

Let me know if this answered all your questions.
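
The four-step port test walked through in the reply above, replayed as a small state model (an added example, not part of the original thread and not Cisco code). The class, function and state names are assumptions; the outcomes are the matrix rows quoted in this thread for RP port Up and peer reachable, evaluated once per step as a simplification.

```python
from dataclasses import dataclass, field

REBOOT = "Standby will reboot; maintenance mode if gateway still not reachable"

# Matrix rows quoted in replies in this thread (RP port Up, peer reachable = Yes).
# key:   (gateway reachable from active, gateway reachable from standby)
# value: (switchover?, result)
MATRIX = {
    (True, True): (False, "No Action"),
    (False, True): (True, "Switchover happens"),
    (True, False): (False, REBOOT),
    (False, False): (False, REBOOT),
}


@dataclass
class HaPair:
    """Hypothetical model of one AP SSO pair; not a Cisco API."""
    active: str = "WLC1"
    standby: str = "WLC2"
    standby_state: str = "STANDBY-HOT"  # label constructed for this example
    gateway_ok: dict = field(default_factory=lambda: {"WLC1": True, "WLC2": True})

    def set_ports(self, wlc: str, up: bool) -> None:
        # Shutting a unit's switch ports is modelled as losing its gateway.
        self.gateway_ok[wlc] = up

    def evaluate(self) -> str:
        """Apply one matrix row to the current state and return its result."""
        if self.standby_state == "MAINTENANCE":
            # Per the thread, only a reboot brings a unit out of maintenance mode.
            return "Standby in maintenance mode; reboot required"
        key = (self.gateway_ok[self.active], self.gateway_ok[self.standby])
        switchover, result = MATRIX[key]
        if switchover:
            # Roles swap; nothing swaps them back automatically (no preempt).
            self.active, self.standby = self.standby, self.active
        elif not key[1]:
            # Gateway state is unchanged across the reboot, so it is still unreachable.
            self.standby_state = "MAINTENANCE"
        return result

    def reboot_standby(self) -> str:
        """Reboot the standby; it rejoins only if its gateway is reachable."""
        reachable = self.gateway_ok[self.standby]
        self.standby_state = "STANDBY-HOT" if reachable else "MAINTENANCE"
        return self.standby_state


def replay_thread_test():
    """Replay the port test from the thread; returns one tuple per step."""
    pair = HaPair()
    # Steps 1-3 change switch ports; step 4 re-evaluates with WLC2 still down.
    steps = [("WLC1", False), ("WLC1", True), ("WLC2", False), None]
    trace = []
    for step in steps:
        if step is not None:
            pair.set_ports(*step)
        result = pair.evaluate()
        trace.append((pair.active, pair.standby, pair.standby_state, result))
    return trace


if __name__ == "__main__":
    for n, row in enumerate(replay_thread_test(), 1):
        print(n, *row, sep=" | ")
```

Comparing each row of the trace with 'show redundancy summary' taken at the same step is a quick way to confirm a real pair is following the documented behaviour.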



Stefan Engel Thu, 03/21/2013 - 08:29

Hello Madhuri,

I have a question regarding license.

We have two 5508 in our datacenter running 7.2, which I plan to upgrade to either 7.3 or 7.4. All our APs are in flex-connect mode. Each WLC has license for 200 APs (permanent). So I actually 'could' connect 400 AP (while give up redundancy).

Once I enable HA SSO, will I have 200 licence in total..or?

If I understand correct, the standby need to have minimum 50 license. Means I could move 150 from the secondary to my primary, which would give me a total of 350?

And in the future, if we need add APs, we just purchase add lic for the primary?

Appreciate your feedback.



Madhuri C Thu, 03/21/2013 - 10:26

Hi Stefan,

You can certainly transfer 150 license to primary wlc. This would make it 350 on one and 50 on standby to facilitate the HA pairing.

Please refer to rehost license section in below link :

Alternatively you could also raise a case with Cisco TAC  licensing team and they will be able to assist in moving 150 license from secondary to your primary.

For high-availability controllers when you enable HA, the controllers  synchronize with the enabled license count of the primary controller and support  high availability for up to the license count enabled on the primary controller.

Thus in future, you just need to add license on primary.



Stefan Engel Thu, 03/21/2013 - 17:38

Thank you, all clear now.


manilson Fri, 03/22/2013 - 02:21

Hi Madhuri.

I have been led to believe that the rehosting was limited to adder licenses only.


"Revoking a license from one controller and installing it on another is called rehosting. You might want to rehost a license in order to change the purpose of a controller. For example, if you want to move your OfficeExtend or indoor mesh access points to a different controller, you could transfer the adder license from one controller to another controller of the same model, say from one 5500 series controller to another 5500 series controller (intramodel transfer). This can be done in the case of RMA or a network rearchitecture that requires you to transfer licenses from one appliance to another. It is not possible to rehost base licenses in normal scenarios of network rearchitecture. The only exception where the transfer of base licenses is allowed is for RMA when you get a replacement hardware when your existing appliance has a failure."

Has this been changed?

Sincere Regards

Madhuri C Fri, 03/22/2013 - 07:38

Hi Mats,

Using RMA portal when you move licenses from a bad box to the RMA device AIR-CT5508-CA-K9, all licenses [including base-ap-count, wplus, wplus-ap-count] except for the base license and evaluation will be moved over to the new device. Old device would still have permanent base AP license on it even after rehost.

The RMA WLC is by default shipped with base license thus there is no need to move base license to new one.

To transfer license to RMA box, you can refer to :

Under special cases, if there is issue with base license, Cisco TAC licensing team can send you the base license. Also they can check base-ap-count of old box and they send you one .lic file with base and base-ap-count feature set included to reflect the right AP count on new WLC.

In that case you would see one base license as permanent-active and other one as permanent-inactive.  We would not have option to delete or modify priority of base license.



manilson Fri, 03/22/2013 - 09:12

Thanks Madhuri.

I need to be more specific.

If we have two AIR-CT5508-250-K9 with each 250 base licenses, and we want to implement HA-SSO, then we would normally lose 200 AP licenses unless the base licenses could be re-engineered and rehosted:

initial state                              preferred outcome

AIR-CT5508-250-K9                 AIR-CT5508-250-K9 + L-LIC-CT5508-100A x 2

AIR-CT5508-250-K9                 AIR-CT5508-HA-K9

Would this be possible, and how?

Since the old licenses are "hard" base licenses, customers are locked with the old AP redundancy scheme since just enabling HA on a WLC pair with the base license above 50 AP will lose these licenses.

If possible this would mean that the threshold for existing Cisco customers to upgrade to HA-SSO is drastically reduced.

Sincere Regards


byju70 Thu, 03/21/2013 - 08:48

Hi Madhuri,

I am upgrading from WISM to 5508. I was just configuring HA between two 5508 but after enabling SSO and reboot, the HA is not working. My secondary box went into maintenance mode and primary controller stuck in l2 mode. It seems the redundant commands are missing in the primary controller as well. I checked the network reachability to gateway is available from the controller and the redundancy ports are wired as well. Could you throw some light? Couldn't find any good troubleshooting doc.

Madhuri C Thu, 03/21/2013 - 10:45


There are few scenarios where the Standby WLC may go into Maintenance Mode and not be able to communicate with the network and peer:

  • Non reachability to Gateway via Redundant Management Interface
  • WLC with HA SKU which had never discovered peer
  • Redundant Port is down
  • Software version mismatch (WLC which boots up first goes into active mode and the other WLC in Maintenance Mode)

The WLC should be rebooted in order to bring it out of Maintenance Mode. Only the Console and Service Port is active in Maintenance Mode.

You can collect 'show redundancy summary' and 'show redundancy statistics' from both WLCs. This will show state of wlc, peer wlc state and reason for maintenance mode. We can take it up further based on the reason of maintenance mode.

Console logs saved will also help in identifying as to which step is failing.

If the redundancy commands are missing on primary, you need to reconfigure them. Else pairing will fail.

Please make sure you have following conditions met :

- Minimum 50 AP count license on secondary WLC. 'Show license summary' output from WLCs.

- Both WLCs running same version.

- WLCs in same subnet.

- Enable admin mode of ports. Show port summary will show the state.

Feel free to log a ticket with Cisco TAC. We can setup WebEx and assist you in troubleshooting the issue.



asafayan Thu, 03/21/2013 - 15:39

Hi Madhuri,

You have helped me numerous times on my WLC adventures and I wanted to thank you, thank you, thank you!  You always go above and beyond the call of duty!



Madhuri C Thu, 03/21/2013 - 18:11

I'm really happy to hear that. Thanks for all the appreciation Amir



janesh_abey Thu, 03/21/2013 - 18:20

Hi Madhuri,

Say we have a VSS based setup with WISM2s and assume we also purchase HA-SKU for the WISM2.

Let me explain the scenario.

If we lose power to one VSS chassis it will cause the APs to failover to the standby WLCs. Now when power resumes, the previous active WLCs will not become active but the standby will continue to be the active WLC servicing the APs. My understanding is that with HA SKU arrangement, still the AP licenses are bounded with the previous active WLC. If this is the case can we continue using the current active WLC (former standby WLC) although we do not have valid AP licenses? Do we need to do a manual failover at some point of time in the future to rectify this?

Other side question is that in this setup (where we had a single failover) suppose we want to add more AP licenses in the future, what is the process to add them and to which WLC?

Also I think the results of the failover scenario presented in row 9 of the table "Network issue" is incorrect. Can you confirm pls?

Thanks in advance.


Madhuri C Thu, 03/21/2013 - 21:44

Hi Janesh,

Great question.

If you lose power on one chassis then APs will failover to Secondary. Standby will continue to serve till a manual failover is initiated as you have rightly mentioned.

Regarding the license, there is no need to manually move the license. Once the HA pairing is done, standby WLC will inherit the license from primary wlc on its own and it will be ready to takeover APs in the event of primary wlc failure.

So if you have 300 license on primary, secondary will also show the same 300 count after it inherits from primary.

You can definitely continue to use the current active or previous standby even after failover. Only thing is after 90-days, it starts nagging messages stating it has been more than 90 days since primary WLC failed. This is indication to net admin so that they fix the issue with primary WLC.

Even after 90 days, APs will be connected fine to current active/previous standby. It is just message traps.

You can add new AP license to primary and there is no need to add license on secondary. It is recommended to bring up your primary as HA SKU is not designed to allow new AP licenses.

Even if secondary is active (single failover), as per design license cannot be added to active HA SKU.

When you try adding to active HA SKU, you get a message like :

!!!! Blocked: Changing License configurations on Secondary unit is blocked !!!!

Yes, Row 9 is incorrect. I will file a documentation bug to fix this.

Row 9 parameters are same as Row 1 and the result mentioned in Row 1 is correct. So it should be :

Network Issues

| RP Port Status | Peer Reachable via Redundant Management | Gateway Reachable from Active | Gateway Reachable from Standby | Switchover | Results |
| Up | Yes | Yes | Yes | No | No Action |



janesh_abey Thu, 03/21/2013 - 22:59

Hi Madhuri,

Thanks very much for your reply. I do have one final question.

Does the standby WLC check the network connectivity (ICMP to GW) in parallel with exchanging keepalives with Active WLC? To me the algorithm indicates that the ICMP kicks in only when the keepalive fails.



Madhuri C Thu, 03/21/2013 - 23:51

Hi Janesh,

Both the WLCs in HA setup keep track of gateway reachability. The Active WLC sends an Internet Control Message Protocol (ICMP) ping to the gateway using the Management IP address as the source, and the Standby WLC sends an ICMP ping to the gateway using the Redundancy Management IP address. Both the WLCs send an ICMP ping to the gateway at a one-second interval.

Standby by default will be exchanging keepalives with primary and also checking gateway reachability in parallel. Gateway reachability check is for network related issues and keepalives for box failure issues.

The above algorithm will slightly change in event of failure. That is, it introduces additional ICMP to active WLC (not gateway) if keepalive is unanswered.

This is new ICMP to active WLC and gateway reachability check from standby will run parallel as usual.

Let's run through the algorithm for box failure from doc :

  • The Standby WLC sends keep alive to the Active WLC and expects an acknowledgment within 100 msec as per the default timer. This can be configured in range from 100-400 msec.
  • If there is no acknowledgment of keep alive within 100 msec, the Standby WLC immediately sends an ICMP message to the Active WLC via the redundant management interface in order to check if it is a box failover or some issue with Redundant Port connection.
  • If there is no response to the ICMP message, the Standby WLC gets aggressive and immediately sends another keep alive message to the Standby WLC and expects an acknowledgment in 25% less time (that is, 75 msec or 25% less of 100 msec).
  • If there is no acknowledgment of keep alive within 75 msec, the Standby WLC immediately sends another ICMP message to the Active WLC via the redundant management interface.
  • Again, if there is no response for the second ICMP message, the Standby WLC gets more aggressive and immediately sends another keep alive message to the Standby WLC and expects an acknowledgment in time further 25% of actual timer less from last keep alive timer (that is, 50 msec or last keep alive timer of 75 msec - 25% less of 100 msec).
  • If there is no acknowledgment of the third keep alive packet within 50 msec, the Standby WLC immediately sends another ICMP message to the Active WLC via the redundant management interface.
  • Finally, if there is no response from the third ICMP packet, the Standby WLC declares the Active WLC is dead and assumes the role of the Active WLC.

Network Failover

In the case of a Network Failover (that is, the Active WLC cannot reach its gateway for some reason), it may take 3-4 seconds for a complete switchover depending on the number of APs in the network.

You can find stats using command :

show redundancy statistics 

        Redundancy Manager Statistics

        Keep Alive Request Send Counter          : 16
        Keep Alive Response Receive Counter      : 16

        Keep Alive Request Receive Counter       : 500322
        Keep Alive Response Send Counter         : 500322

        Ping Request to Default GW Counter       : 63360
        Ping Response from Default GW Counter    : 63360

        Ping Request to Peer Counter             : 12
        Ping Response from Peer Counter          : 3

        Keep Alive Loss Counter                  : 0
        Default GW Loss Counter                  : 0

        Local Physical Ports 1...8               : 10000000
        Peer  Physical Ports 1...8               : 10000000

Let me know if this answered your question.
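The box-failure sequence in the reply above, modeled as an added example (not Cisco code and not part of the original post). It generalizes the 100/75/50 msec case to any timer in the 100-400 msec range; the function names and verdict labels are hypothetical, ICMP wait time is not counted because the thread does not state it, and stopping at the first ICMP reply is an assumption based on the stated purpose of that probe.

```python
"""Model of the standby WLC's keepalive/ICMP escalation (illustrative only)."""

ROUNDS = 3  # three keepalive + ICMP attempts before the standby takes over


def keepalive_schedule(timer_ms=100):
    """Ack deadline per round: each round is shorter by 25% of the configured timer."""
    if not 100 <= timer_ms <= 400:
        raise ValueError("keepalive timer is configurable from 100 to 400 msec")
    step = timer_ms * 0.25
    return [timer_ms - i * step for i in range(ROUNDS)]


def evaluate(timer_ms, observations):
    """Walk the sequence as the standby would.

    observations: one (keepalive_acked, icmp_answered) tuple per round.
    Returns (verdict, keepalive_wait_ms); the wait is a lower bound on
    detection time because ICMP timeouts are not included.
    """
    if len(observations) != ROUNDS:
        raise ValueError("need exactly %d rounds of observations" % ROUNDS)
    waited = 0.0
    for deadline, (ka_acked, icmp_answered) in zip(keepalive_schedule(timer_ms), observations):
        if ka_acked:
            return "peer-alive", waited          # normal operation resumes
        waited += deadline                       # full deadline expired with no ack
        if icmp_answered:
            # Peer answers over redundancy management: the box is up,
            # so the redundant port path is the suspect (assumed stop point).
            return "rp-link-suspect", waited
    return "switchover", waited                  # third ICMP unanswered


if __name__ == "__main__":
    dead = [(False, False)] * ROUNDS
    for timer in (100, 400):
        print(timer, keepalive_schedule(timer), evaluate(timer, dead))
    # Constructed case: keepalives lost but the peer answers the second ICMP probe.
    print(evaluate(100, [(False, False), (False, True), (False, False)]))
```

With the default timer the standby spends at least 225 msec waiting on keepalives before declaring the active WLC dead; at the 400 msec maximum that floor rises to 900 msec.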



janesh_abey Fri, 03/22/2013 - 00:06

Hi Madhuri,

Thanks for taking time to answer our queries.

It is all clear to me now.

Keep up the good work.



Madhuri C Fri, 03/22/2013 - 00:53

Glad to hear that. Thanks Janesh



Fri, 03/22/2013 - 09:16

Hi Madhuri,

We are looking at deploying two 5508 in HA (Active/Active), is there a document or design blue print that would help us with the basic deployment and configuration of the units. Those two units would be homed in on two HA 6509E switches interconnected to each other using etherchannel trunks and running HSRP between them.

We are also looking at deploying two 5760 units in the exact same scenario as above. Your feedback would be much appreciated.


Samer Khalil



This Discussion

Posted March 8, 2013 at 4:23 PM
Replies:48 Avg. Rating:4.85714
Views:22870 Votes:1
