@Virgo 

YES . i have checked this post: https://community.tp-link.com/en/business/forum/topic/559150

IT did not work

ALso my https port in controller side ER7206 is open and working.

I disconnect/forget the eR 605 from controller and manually upgrade the device firmware and then reconnect it to controller.

BUT I cannot directly upgrade the firmware from controller.SO every time i have to disconnect and upgrade and reconnect . 

NOT good idea

Do i need static WAN IP on both side or only controller side??

Thanks virgo

  @Hank21 - Hello i am experiencing the same issue - in simplified terms - i have a site 2 site vpn via two er605 routers.  - everything* works except upgrading the remote router site B (the controller is at site A).  Cannot manually update it as well.  the router / equipment on the same side of the vpn upgrades fine.

  @atc I am running the software controller on a Windows VM and missed adding TCP port 8043 to the firewall rule on the VM.  Once I opened that port all was well.  Not sure how the hardware controller works but this is how my Windows firewall config looks now:

Any <> Any allowed

TCP Ports: 29811-29814, 8043

UDP Ports: 29810

  @kdurigan - no impact. issue still persists; enabled 8043 under transmission .... still cannot upgrade remote router.

Caption

always stalls at 99% and reports a failed upgrade - so presumably i do not have a connectivity issue.

  @mis203a - I am using the software controller which needs TCP 8043 for controller management.  I looked at the documentation again and the hardware controller and see the following:

For Omada Software Controller v5, the default port is TCP 8043,

For OC200/OC300 with built-in Controller v5, the default port is TCP 443.

Note: The port used for device upgrading will change as the setting of “HTTPS Ports for Controller Management” changes. For example, if you change the HTTPS Port for Controller Management from 8043 to 8000, the port used for device upgrading will also change from 8043 to 8000 accordingly.

So I doubt you need to define 443 in the firewall since that is likely open, but wonder if you changed the default port for controller management?  If you have not opened a ticket yet that would be a good place to start.  The TP-Link folks seem to be pretty helpful.  I may purchase a OC200/OC300 instead of using the software controller so this info will be useful to me eventually as well.

Good luck, and please post the answer if you find one.

  @kdurigan technically there is no firewall - as its a site to site vpn in this scenario, local subnets are trusted.  what i'm not clear on is if the remote router goes around the vpn (open internet) to communicate with the controller from the easy discovery url....

will do a test with nat forwarding of 443 to the oc200.

one would think this is possible...i dont have any non-standard configurations...

*update - doesn't work.

  @mis203a You are correct in that the VPN tunnel is not used for communication between the controller and the router.  It sure seems to me like the router cannot communicate to the controller for the upgrade process only.  To test this you may want to try installing a software controller, open the firewall ports as I mentioned in my earlier post on the VM hosting the software controller, and then adopt the router in the software controller and see if the upgrade is successful.  I realize that is probably painful, but I really needed the upgrade to the router to version 1.2.3.  The new version fixed an issue with a S2S Azure connection issue that caused disconnects that did not quickly reconnect (Teams calls would fail).  Fortunately my problem was resolved with the router firmware upgrade.  It may be worth the pain and suffering, or may at least point you to what the problem may be.