Tags

,

Typically you would not require to upgrade the ROMMON firmware of a Cisco WLC. In certain cases cisco release ROMMON firmware to fix certain issues. This document describes the process of upgrading Field Programmable Hardware Devices & lists issues resolved by those upgrades. Here are a few examples

[C9800-L] CSCvq88840 – Fan always runs at maximum speed
[C9800-L] CSCvr72052 – Default config register disables breaking into ROMMON, preventing password recovery
[C9800-80/40] CSCvp25150 -On 9800 platforms, Unable to boot higher-size images (more than 1GB) in Bundle mode.

When it comes to ROMMON upgrades you need to be careful to select the right image version. Also, follow Cisco documentation with care. When you read my post to the end, you will understand why I am saying that. Here are some general reasons
1. Cisco documentation update takes time (some information may not accurate 100%)
2. Certain BU updates ROMMON matrix regularly & some not
3. General recommendation is to upgrade to the latest, but you have to test it yourself.

Always good to get feedback from people who have performed it in a real environment. I had the luxury of reaching out to Leo Laohoo (CSC VIP Legend) who had documented a great deal of information in CSC forum when it comes to ISR & ASR upgrades including ROMMON. You can find that document here. When I checked with him about 9800, he had some bad experiences with ROMMON 17.4.1r on 9800s & worked with TAC. Finally, Cisco pull that ROMMON firmware out from CCO. He gave me the confidence to go ahead with 17.3.3r.

So here is the basic process if it is a standalone 9800 WLC.

Step 1: copy the ROMMON firmware to bootflash of WLC. You can use many different methods shown below to copy the file to 9800.
a. Administration > FileManagement > File Manager > {doubleclick on bootflash: } > Upload > {select downloaded file from PC on network}

b. If you have the image on USB stick, plug it onto the WLC USB port
Administration > Software Management > {Select Transport Type = Device } > {File System = USB } > Select the file name
or in CLI
copy usb0:C9800-80-rommon.173-3r.pkg bootflash:

c. Copy via HTTP/SCP/FTP/TFTP

Step 2: Initiate the ROMMON upgrade process by issuing the following CLI command

upgrade rom-monitor filename bootflash:C9800-80-rommon.173-3r.pkg chassis active r0

Step 3: Reload WLC. That will the resulting an upgrade taking place & it might take 10-15min of downtime

In my case, I had 9800-80 in SSO mode and wanted to do the ROMMON upgrade as it is never upgraded earlier. When I read Cisco document I saw notes like this for 9800-40 “If your ROMMON version is earlier than 17.7(3r) for the standalone, active, or standby controller, contact Cisco TAC.”

Regarding the downtime it specifies a possible 30min outage “During hw-programmables upgrade, the controller may reboot several times and it is not advisable to power cycle the device during this period as it may lead to device failure. Remember that a typical upgrade process would take about 30 minutes to complete the cycle.”

If you have pair of 9800s in SSO mode and still need to go through 30min downtime to do an upgrade, that seems not right. As per the instruction of the same document, in HA-SSO, you have to issue a “reload” command which will reload both units & cause an outage.

When I reached out to TAC to clarify that information, I got the same info listed in that document. I wanted to do the upgrade what I thought possible (do it one Unit at a time and use “redundancy force-switchover” instead of “reload“). I initially thought I should be able to do the upgrade on the standby unit, which is not the case. TAC engineer asked my query in CSC forum as well. You can see not many responses to it (hopefully this post will cover it all).

Here are the steps I followed and complete the ROMMON upgrade in HA-SSO without any service outage or downtime. You can follow the below process, but again always double-check with Cisco if that is an acceptable approach :-), for me “that is the way”.

Here you can see both of my 9800 Units got 16.10(6r)

WLC4#show rom-monitor chassis active r0
==========================================================
System Bootstrap, Version 16.10(6r), RELEASE SOFTWARE
Copyright (c) 1994-2018  by cisco Systems, Inc.

WLC4#show rom-monitor chassis standby r0
==========================================================
System Bootstrap, Version 16.10(6r), RELEASE SOFTWARE
Copyright (c) 1994-2018  by cisco Systems, Inc.

Once you copy the image to bootflash you can initiate the upgrade process on the active unit

WLC4#upgrade rom-monitor filename bootflash:C9800-80-rommon.173-3r.pkg chassis active r0
Verifying the code signature of the ROMMON package...
Chassis model C9800-80-K9 has a single rom-monitor.

Upgrade rom-monitor

Target copying rom-monitor image file

Secure update of the ROMMON image will occur after a reload.

131072+0 records in
131072+0 records out
131072 bytes (131 kB, 128 KiB) copied, 0.658038 s, 199 kB/s
Copying ROMMON environment
131072+0 records in
131072+0 records out
131072 bytes (131 kB, 128 KiB) copied, 0.974933 s, 134 kB/s
131072+0 records in
131072+0 records out
131072 bytes (131 kB, 128 KiB) copied, 0.981465 s, 134 kB/s
ROMMON upgrade complete.
To make the new ROMMON permanent, you must restart the RP.

Here is the “trick” of failing over (still resulting current active unit to reload & standby unit to takeover)

WLC4#redundancy force-switchover 
Proceed with switchover to standby RP? [confirm]

Here is the output while reloading the previous active unit. Note that ROMMON update is termed as “secure capsule” update a new term to remember :). Usually, this process takes around 10min.

You will notice further flash upgrades occur & it took between 5-10min to complete that step.

Once the above is completed, the Unit will be booting and you can see ROMMON is 17.3.(3r). This step roughly takes 5min to boot properly and be part of SSO.

When that Unit is up & joins the HA, you can see the standby Unit got ROMMON 17.3(3r) and the Active Unit still got 16.10(6r)

Now you have to follow the same process on the new active unit (running ROMMON 16.10.6r). It is exactly the same process. Once you do that you can confirm both units have upgraded ROMMON using CLI command “show rom-monitor chassis {active|standby} r0

Note: I haven’t tried the “reload” command & to see whether that will upgrade both units together with possible 20-30min downtime. In my view, it is not worth it as you can do it without downtime if you got a SSO pair.