9 Messages • 150 Points

Tue, Feb 23, 2021 4:21 PM

vSZ upgrade to 5.2 with APs over tunnels

Hello!

I want to upgrade our 5.1.2 2xvSZ+2xvDP to 5.2.1 latest.

But I found this note in SZ-5.2.1-UpgradeGuide-RevA-20200731.pdf on page 23:

"For remote APs connected over a VPN, the tunnel MTU must be reduced to 1400 (acceptable range is: 850 through 1500) to allow the configuration after upgrade. If there are many WLANs defined the MTU should be reduced further."

I checked quickly that our IPSEC tunnels for remote locations have MTU 1422 in the central VPN device and that this can't be changed with the current software version. There are reasons why the upgrade of the VPN device wouldn't be a good idea at the moment. It has the latest software in its line, so it isn't an ancient device though. Also, I didn't see such a note in the upgrade guide for 5.1.2, so this is a new note, not just a general suggestion.

9 Messages • 150 Points

8 m ago

(I can't post normally for some unknown reason so I had to cut the text and now I add the rest as a separate post.)

My question is: has anyone really upgraded the controller (vSZ+vDP) with APs behind IPSEC tunnels? Has this MTU really been an issue? I am surprised by such a requirement about MTU. Since I want to test the upgrade with a test controller and one AP connected to it, the testing environment would become much more complex than just trying this with a test AP that is not behind an IPSEC tunnel. Also, we don't have only one type of VPN firewall at our locations, which makes the testing even more difficult (one test AP needed for each different VPN firewall's tunnel...).

9 Messages • 150 Points

8 m ago

I just saw that 5.2.2 became available yesterday, and when I went to the very same place on page 23 of the release notes (SZ-5.2.2-UpgradeGuide-RevA-20210215.pdf), this note had been removed. I can't find MTU mentioned anywhere else in this file using text search either. So maybe when going to 5.2.2 this is actually not a possible problem anymore.

Official Rep • 1.2K Messages • 17K Points

8 m ago

Hi Kem,

This is not a defect or problem but a requirement in some networks, where APs can't reach the controller with the default 1500 MTU. Due to path MTU issues over the VPN, an AP firmware upgrade or configuration update may fail, hence MTU changes may be required.

9 Messages • 150 Points

8 m ago

Hello! Can you please specify if this is really a change since 5.1.2? Because 5.1.2 was our initial setup and it all worked over those VPN channels and is currently in use. Our system has over 100 APs and it would be a disaster if the upgrade doesn't work.

Official Rep • 1.2K Messages • 17K Points

Hi Kem,

No, this is not a change with any specific version.

If the default MTU is not supported by intermittent network nodes in the path of AP-Controller, you have to reduce the MTU size.

Regards,

Syamantak Omer

Official Rep | Staff TSE | CWNA | CCNA | RASZA | RICXI


9 Messages • 150 Points

OK, thank you very much, it is good to know. I was most worried about a possible change on the controller's part, such that the former setup wouldn't work anymore after the upgrade while all the rest of the infrastructure is the same.
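The path MTU question discussed in this thread can be checked by measurement before an upgrade. The following is an added example, not part of the original posts and not Ruckus code: it binary-searches the largest unfragmented packet size within the 850 to 1500 range quoted from the upgrade guide. The function names are hypothetical, `ping_probe` assumes Linux iputils `ping` run from a host at the remote site, and the simulated path uses the 1422 value from the thread as constructed input.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header

def ping_probe(host):
    """Return probe(mtu): one echo with Don't Fragment set, sized to fill `mtu` bytes.

    Assumes Linux iputils ping (-M do forbids fragmentation, -s is ICMP payload size).
    """
    def probe(mtu):
        cmd = ["ping", "-M", "do", "-c", "1", "-W", "2",
               "-s", str(mtu - IP_ICMP_OVERHEAD), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe

def find_path_mtu(probe, low=850, high=1500):
    """Binary-search the largest packet size in [low, high] that passes unfragmented.

    Returns None if even `low` gets no reply (host down or ICMP filtered).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # upper midpoint so the loop always shrinks
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low

def check_ap_path(probe, configured_mtu):
    """Compare the measured path MTU with the MTU configured for the AP tunnel."""
    measured = find_path_mtu(probe)
    if measured is None:
        return measured, "no reply at 850 bytes: cannot measure (ICMP blocked?)"
    if configured_mtu <= measured:
        return measured, "ok: configured MTU fits the path"
    return measured, f"reduce MTU to {measured} or lower"

def simulated_path(path_mtu):
    """Constructed stand-in for a VPN path: drops DF packets larger than path_mtu."""
    return lambda mtu: mtu <= path_mtu

if __name__ == "__main__":
    # Constructed input: 1422 is the IPsec tunnel MTU quoted in the thread.
    print(check_ap_path(simulated_path(1422), 1400))
    print(check_ap_path(simulated_path(1422), 1500))
```

Against a real path, replace `simulated_path(1422)` with `ping_probe("<controller address>")`; a result of `None` means ICMP is filtered and the path has to be checked another way.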
