02-23-2021 08:21 AM
I want to upgrade our 5.1.2 2xvSZ+2xvDP to 5.2.1 latest.
But I found from SZ-5.2.1-UpgradeGuide-RevA-20200731.pdf on page 23 this note:
"For remote APs connected over a VPN, the tunnel MTU must be reduced to 1400 (acceptable range is: 850 through 1500) to allow the configuration after upgrade. If there are many WLANs defined the MTU should be reduced further."
I checked quickly that our IPSEC tunnels for remote locations have MTU 1422 in the central VPN device and that this can't be changed with the current software version. There are reasons why the upgrade of the VPN-device wouldn't be a good idea at the moment. It has the latest software in its line so it isn't any ancient device though. Also, I didn't see such a note in the upgrade guide for 5.1.2 so this is a new note not just a general suggestion.
02-23-2021 08:22 AM
(I can't post normally for some unknown reason so I had to cut the text and now I add the rest as a separate post.)
My question is: has anyone really upgraded the controller (vSZ+vDP) having APs behind IPSEC tunnels? Has this MTU really been an issue? I am surprised by such a requirement about MTU. Since I want to test the upgrade with a test controller and one AP connected to it, the testing environment would get much more complex than just trying this with a test AP that is not behind an IPSEC tunnel. Also, we don't have only one type of VPN firewall at locations, which further makes the testing difficult (one test AP needed for each different VPN firewall's tunnel...).
02-24-2021 03:11 AM
I just saw that yesterday 5.2.2 became available and when going to the release notes (SZ-5.2.2-UpgradeGuide-RevA-20210215.pdf) to the very same place on page 23, this note has been removed. I can't find MTU being mentioned elsewhere in this file either by using text search. So maybe when going to 5.2.2 this is actually not a possible problem anymore.
02-25-2021 01:01 PM
This is not a defect or problem but a requirement in some networks, where APs can't reach the controller with the default 1500 MTU. Due to path MTU issues over the VPN, an AP firmware upgrade or configuration update may fail, hence MTU changes may be required.
02-26-2021 06:02 AM
Hello! Can you please specify if this is really a change since 5.1.2? Because 5.1.2 was our initial setup and it all worked over those VPN channels and is currently in use. Our system has over 100 APs and it would be a disaster if the upgrade doesn't work.