Solved: Upgrade Catalyst 9800

Maurice Ball · ‎03-23-2024

Could someone please help me out with this? Cisco wrote this so confusing I need some validation. I am planning on upgrading my Catalyst 9800-L to the recommended code version 17.9.4a. When I look at the APSP release notes it states that I need to install the SMU as well as the APSP. I see the install files for the APSP for the code version 17.9.4a installation but when I check for the SMU package. I only see a SMU package for 17.9.4. Do I need to install the SMU for 17.9.4 also or only the APSP for the WLC software version 17.9.4a?

marce1000 · ‎03-23-2024

- I would advise to go direct to 17.9.5 , as far as I am 'aware off internally...' it is planned to become an advisory (and then you have the SMU stuff already) ; no further worries about SMU.

Appendix : also after upgrades for instance , it remains useful to check the controller again using
the CLI command show tech wireless and feed the output to : Wireless Config Analyzer

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

View solution in original post

Leo Laohoo · ‎03-23-2024

Apply the SMU on 17.9.4 to fix the security vulnerability. 17.9.4 with the SMU is exactly the same as 17.9.4a.

Maurice Ball · ‎03-23-2024

I should apply that same SMU to code version 17.9.4a?

Maurice Ball · ‎03-23-2024

The following is stated on the software page:

Dear Cisco Customer, If you are not using APSP in 17.9.4, please use 17.9.4a, to obtain fix for CSCwh87343, Cisco IOS XE Software Web UI Privilege Escalation Vulnerability, CVE-2023-20273. In case of SMU/APSP installed, please wait until SMU for CSCwh87343 is available for 17.9.4

Which makes me think the fix for the SMU is included in the code version 17.9.4a.

Leo Laohoo · ‎03-23-2024

@Maurice Ball wrote:
I should apply that same SMU to code version 17.9.4a?

Might as well go straight to 17.9.5 and start testing.

17.9.5 APSP 1 is already out and APSP 1 Release Notes can be found HERE.

marce1000 · ‎03-23-2024

- I would advise to go direct to 17.9.5 , as far as I am 'aware off internally...' it is planned to become an advisory (and then you have the SMU stuff already) ; no further worries about SMU.

Appendix : also after upgrades for instance , it remains useful to check the controller again using
the CLI command show tech wireless and feed the output to : Wireless Config Analyzer

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Maurice Ball · ‎03-25-2024

ok thanks for the help.

marce1000 · ‎03-25-2024

- No problem , in between Leo mentioned an SMU/APSP for 17.9.5 ; my take on that is : For the time being stick to native 17.9.5 only , review the content of the SMU/APSP and only use it when you see a specific item mentioned in the problem list (that you might experience) . It makes things simpler for upgrading and avoids conflicts and problems when going to the next version ,

M,

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Leo Laohoo · ‎03-25-2024

Today, I upgraded a pair of 9800-80 (VSS) to 17.12.3 manually. No DNAC. No PI.

What is so unique about it? I unpacked the packages and set the controller to reboot 15 minutes later.

Maurice Ball · ‎03-27-2024

The controller was back operational within 15 minutes?

Leo Laohoo · ‎03-27-2024

@Maurice Ball wrote:
The controller was back operational within 15 minutes?

That is not what I meant.

I initiated the software install so the packages can be extracted, however, I did something to delay the automatic script from rebooting the controller for another 15 minutes.

And then the pair of 9800 rebooted.