I've just done my first firmware upgrade on our SR ZD3000's with Secure AP Image Upgrade enabled and after over an hour less than a third of the ~200 AP's had upgraded. All the rest were reporting upgrade failures and retrying. After that I turned Secure upgrade off and all the rest upgraded almost instantly (less than 5 mins).
Is enabling Secure Upgrade supposed to cripple the speed and reliability of AP upgrades? I'm assuming the ZD3000 simply doesn't have the power to upgrade many AP's at once when using this method but I'd love some guidance here. If it really can't handle this process why was it bought to the ZD platform?
I took a stroll thru Engineering and asked the DE manager about expected upgrade results. The ZD3000 doesn't throttle upgrade requests, so not limited to 25 at a time or anything, and they didn't expect the HTTPS overhead to have such effect, but AP deployment does factor in, ie. if your APs are all remote and then encyrption tunnels might have played a part. Is there any network point that could be a bottleneck, that might have hit interface capacity? Could you share your ZD debug logs with Tech Support, to look a little deeper?
The AP's are all "remote" in the sense they are on the other end of WAN tunnels, but almost all our sites have 1Gb fibre MPLS links and those that don't have 100Mb. The source sites have 1 or 2Gb connections so I doubt it was link congestion. If it was that it would continue to be a problem when the secure upgrade option was turned off I would expect and like I said, once I disabled that all the remaining AP's upgraded in about 5-10 mins.
Technically it's not a function I need so I'll just leave it off in future, after having gone through all the certificate update trouble though I thought it'd be good to have the extra protection.