Controller Based WLANs

Controller WAN Uplink Redundancy Using Health Check Manager (HCM) ArubaOS 6.4.3 and above

Requirement:

To achieve WAN uplink redundancy in a controller deployment, ArubaOS provides a new feature called Health Check Manager (HCM), which helps a typical WAN controller deployment maintain seamless connectivity.

 

Starting from AOS 6.4.3, there is a new module called Health Check Manager. It monitors the reachability of the master controller from the different WAN uplinks of your branch office controller. HCM ensures seamless connectivity to HQ by sending periodic ping probes on each WAN uplink. HCM also measures the latency of each uplink. As of now, this data is used for diagnostics only.

 

A maximum of 4 uplinks is supported. Prior to AOS 6.4.3, only the physical link status of the uplink was monitored, but an issue in the ISP network or the Internet never affects the physical link status. HCM addresses this gap.

 

 

 



Solution:




Configuration:

UI configuration:

Click the Configuration tab; under the Branch section, select Smart Config, create a Branch Config Group (select 7010-B1 in this case), and then select the WAN tab. There you will find the WAN Health-Check system, which is HCM. Select “ping” as the probe mode. The probe interval is measured in seconds and is set to 10, the number of packet bursts per probe (ICMP packets sent per probe) is 5, and the retry count is 5.
 
Suppose there is a failure on your primary uplink. HCM sends 5 ICMP requests every 10 seconds and repeats this 5 times. If no ICMP replies are received in this interval, the primary uplink is declared failed.

 

HCM configuration:

 

 

To configure wired uplinks.

After selecting your Branch Config group, click the Networking tab and go to the Uplink VLAN section. This example has two uplink VLANs, 4094 and 200, with priorities 200 and 150, respectively. Both are of type DHCP client.

 

CLI Configuring Wired uplinks

(Aruba7220) (branch-group-7005-B1)#uplink wired vlan 100 priority 110
(Aruba7220) (branch-group-7005-B1)#uplink wired vlan 200 priority 150
(Aruba7220) (branch-group-7005-B1)#interface vlan 100
(Aruba7220) (branch-config-group-subif)#ip address dhcp-client
(Aruba7220) (branch-group-7005-B1)#interface vlan 200
(Aruba7220) (branch-config-group-subif)#ip address dhcp-client

 

Configuring Ping probes

(Aruba7220) (branch-config-group-ip-probe)#?
burst-size              Configure Number of probes to send per interval
frequency               Configure probe frequency
retries                 Configure probe retries

 

HCM interacts with the Uplink Manager, IKE, and FPAPPS. The Uplink Manager initially scans for all available uplinks and informs HCM. HCM sends continuous ping probes to the master controller through each of the uplinks and publishes its results to the Uplink Manager and FPAPPS. When HCM reports a failure on the primary uplink, the Uplink Manager selects the next-highest-priority healthy uplink as active and then informs IKE. IKE establishes a new IPsec tunnel over the new active uplink and tears down the old tunnel. FPAPPS deletes the previous default route and adds a new one pointing to the default gateway address of the new active uplink. The same mechanism is followed when the primary uplink recovers.
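The probe settings and uplink selection described above can be modelled in a few lines of Python. This is an added example, not ArubaOS code: the class and function names are hypothetical, and restoring an uplink on the first ICMP reply is an assumption, since the article only says the same mechanism applies on recovery.

```python
from dataclasses import dataclass

@dataclass
class Uplink:
    vlan: int
    priority: int
    missed: int = 0        # consecutive probes that got zero ICMP replies
    healthy: bool = True

class HcmModel:
    """Toy model of the article's probe settings; not ArubaOS code."""

    def __init__(self, uplinks, frequency=10, burst_size=5, retries=5):
        self.uplinks = uplinks
        self.frequency = frequency      # seconds between probes
        self.burst_size = burst_size    # ICMP requests per probe
        self.retries = retries          # silent probes before declaring failure

    def probe(self, replies):
        """Run one probe interval; replies maps vlan -> ICMP replies received."""
        for u in self.uplinks:
            if replies.get(u.vlan, 0) > 0:
                u.missed, u.healthy = 0, True   # assumption: one reply restores health
            else:
                u.missed += 1
                if u.missed >= self.retries:
                    u.healthy = False
        return self.active_vlan()

    def active_vlan(self):
        """Highest-priority healthy uplink, as the Uplink Manager would select."""
        ok = [u for u in self.uplinks if u.healthy]
        return max(ok, key=lambda u: u.priority).vlan if ok else None

def simulate(loss_pattern):
    """loss_pattern: replies seen on vlan 4094 per interval; vlan 200 always answers."""
    hcm = HcmModel([Uplink(4094, 200), Uplink(200, 150)])
    return [((i + 1) * hcm.frequency, hcm.probe({4094: r, 200: hcm.burst_size}))
            for i, r in enumerate(loss_pattern)]
```

With the article's values (interval 10, retries 5), a fully silent primary uplink is replaced after 50 seconds in this model, while a single reply inside the window resets the count and no failover occurs.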

 

Test Topology:

 

 

 

 



Verification

Viewing uplinks via BoC GUI 

The following example shows two wired uplink VLANs, VLAN 4094 and VLAN 200. VLAN 4094 has the highest priority; its state is “Connected” and its status is “Active”. For the secondary uplink, VLAN 200, the state is “Standby” and the status is “Ready”. The same details are available from the CLI using the “show uplink” command.

 

Navigate to Monitoring->Ports->Uplink

 

  • Viewing uplinks via CLI

(Aruba7005) #show uplink
Uplink Manager: Enabled
Uplink Management Table
-----------------------
Id  Uplink Type  Properties  Priority  State      Status      Reachability
--  -----------  ----------  --------  -----      ------      ------------
1   Wired        vlan 4094   200       Connected  * Active *  Reachable
2   Wired        vlan 200    150       Standby    Ready       Reachable

 

Viewing Health-check Status

The health-check status is shown in the CLI with “show ip health-check”. Health-check can also be disabled or enabled from the CLI using “uplink health-check”.

 

(7005-B1) #show ip health-check
IP Health-check Entries
-----------------------
Probe IP     Src Interface  State  Probe-Profile  Avg RTT(in ms)
--------     -------------  -----  -------------  --------------
10.16.66.6   vlan 4094      Up     default        0
10.16.66.6   vlan 200       Up     default        0
192.168.3.1  --             Up     default        0
192.168.2.1  --             Up     default        0

Disable/Enable health-check

(Aruba7220) (branch-group-7005-B1)#uplink health-check ?
disable                 Disable uplink health-check
enable                  Enable uplink health-check

 

Verifying IPSec tunnel for active uplink

 

(Aruba7005-B1) (config) #show ip interface brief
Interface    IP Address / IP Netmask          Admin   Protocol
vlan 4094    192.168.3.254 / 255.255.255.0    up      up
vlan 200     192.168.2.253 / 255.255.255.0    up      up

(Aruba7005-B1) (config) #show ip route
S*    0.0.0.0/0  [10/0] via 192.168.3.1* ==> default gw for uplink vlan 4094

(Aruba7005-B1) (config) #show crypto isakmp sa
Initiator IP     Responder IP   Flags     Start Time         Private IP
192.168.3.254    10.16.66.6     i-v2-c    Nov 12 22:07:52    -

(Aruba7005-B1) (config) #show crypto ipsec sa
Initiator IP     Responder IP     SPI(IN/OUT)        Flags  Start Time         Inner IP
192.168.3.254    10.16.66.6       5efa8a00/d44c6600  UT2    Nov 12 22:07:53

 

Trigger a failure on the active uplink, then verify the default route and tunnel status.

• After uplink failure on vlan 4094, vlan 200 is marked active

Id  Uplink Type  Properties  Priority  State         Status            Reachability
1   Wired        vlan 4094   200       Initializing  Waiting for link  Unreachable
2   Wired        vlan 200    150       Connected     * Active *        Reachable

• Verify default route

S*    0.0.0.0/0  [10/0] via 192.168.2.1* ==> default gw for uplink vlan 200

ISAKMP SA Active Session Information
Initiator IP     Responder IP   Flags     Start Time         Private IP
192.168.2.253    10.16.66.6     i-v2-c    Nov 12 22:30:34    -

IPSEC SA (V2) Active Session Information
Initiator IP     Responder IP     SPI(IN/OUT)        Flags  Start Time         Inner IP
192.168.2.253    10.16.66.6       760fd000/b8ccec00  UT2    Nov 12 22:30:34    -

 

  • (Aruba7005-B1) (config) #show log system 30 | include HCM

Nov 12 22:35:18 :353001:  <DBUG> |HCM|  hcm_nexthop_ref_add probeip 10.16.66.6 src_intf 4094

Nov 12 22:35:18 :353001:  <DBUG> |HCM|  hcm_add_probe_ip ip 192.168.3.1 ADD mode 0 src_intf 0

Nov 12 22:35:18 :353001:  <DBUG> |HCM|  hcm_add_nexthop ADD nhinfo destip 0.0.0.0 vlan 100 nhip 192.168.3.1

Nov 12 22:35:18 :353001:  <DBUG> |HCM|  hcm_icmp_response_handler out of order ping response for 192.168.3.1

Nov 12 22:36:39 :353001:  <DBUG> |HCM|  hcm_gsm_update_section_ip_state GSM update for ip 10.16.66.6 state 2

Nov 12 22:37:05 :337000:  <DBUG> |HCM|  mon_mgr_update_thread_main: updateq empty. into conditional wait...
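The verification steps above compare three views by eye: the active uplink, the default route, and the ISAKMP SA. The following added Python example (not part of the original article; function names are hypothetical) automates that comparison on saved CLI output, so that a default route or tunnel still tied to the failed uplink is flagged. The sample rows are copied from the outputs shown in this article.

```python
import ipaddress
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"

def active_vlan(show_uplink):
    """VLAN id of the row marked '* Active *' in 'show uplink' output."""
    for line in show_uplink.splitlines():
        m = re.search(r"vlan\s+(\d+)", line)
        if m and "* Active *" in line:
            return int(m.group(1))
    return None

def interfaces(show_ip_int_brief):
    """Map VLAN id -> address/netmask from 'show ip interface brief' rows."""
    rows = re.finditer(r"vlan\s+(\d+)\s+" + IP + r"\s*/\s*" + IP, show_ip_int_brief)
    return {int(m[1]): ipaddress.ip_interface(f"{m[2]}/{m[3]}") for m in rows}

def default_gateway(show_ip_route):
    m = re.search(r"0\.0\.0\.0/0\s+\[\d+/\d+\]\s+via\s+" + IP, show_ip_route)
    return ipaddress.ip_address(m[1]) if m else None

def isakmp_initiators(show_isakmp_sa):
    """Initiator IP (first column) of every ISAKMP SA data row."""
    rows = re.finditer(r"^\s*" + IP + r"\s+" + IP + r"\s", show_isakmp_sa, re.M)
    return [ipaddress.ip_address(m[1]) for m in rows]

def check_failover(uplink, int_brief, route, isakmp):
    """List inconsistencies between the three views; empty list means they agree."""
    vlan = active_vlan(uplink)
    iface = interfaces(int_brief).get(vlan)
    if iface is None:
        return [f"no interface address for active uplink vlan {vlan}"]
    problems = []
    gw = default_gateway(route)
    if gw is None or gw not in iface.network:
        problems.append(f"default route via {gw} is not on vlan {vlan}")
    peers = isakmp_initiators(isakmp)
    if not peers or any(ip != iface.ip for ip in peers):
        problems.append(f"ISAKMP SA not sourced from {iface.ip}")
    return problems

# Sample rows copied from the outputs shown in this article (post-failover state).
UPLINK = ("1   Wired  vlan 4094  200  Initializing  Waiting for link  Unreachable\n"
          "2   Wired  vlan 200   150  Connected  * Active *  Reachable")
INT_BRIEF = ("vlan 4094  192.168.3.254 / 255.255.255.0  up  up\n"
             "vlan 200   192.168.2.253 / 255.255.255.0  up  up")
ROUTE = "S*    0.0.0.0/0  [10/0] via 192.168.2.1*"
ISAKMP = "192.168.2.253    10.16.66.6     i-v2-c    Nov 12 22:30:34     -"
```

An empty list from check_failover(UPLINK, INT_BRIEF, ROUTE, ISAKMP) means the route and tunnel both moved to the new active uplink.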

 

 

 

Version history: Revision 3 of 3. Last update: 05-28-2016 01:48 AM