Controller Based WLANs

How to troubleshoot whitelist DB sync and what are its limitations?

by on ‎07-17-2014 07:22 AM

Introduction : As of ArubaOS6.3 in addition to the campus AP whitelist sync, RAP Whitelist will now be synced across all controllers in a deployment; each controller will have a RAP entry for every RAP in the system regardless of where it is terminating currently.

 

Environment : This article applies to Aruba Mobility Controllers running ArubaOS version 6.3.0.0.

 

Troubleshooting :

On occasion when we suspect issues with Whitelist DB sync, 
 

  -Look for the Total Entries in Campus AP and RAP Whitelist database using the following command 

       (Aruba7200) #show whitelist-db cpsec-status

        Entries in Whitelist database

          Total entries:                        2
 

        (Aruba7200) #show whitelist-db rap-status
 
         Entries in Whitelist database

           Total entries:                        3
 

    The total entries should be same across all the controllers

 

   -Look at the Current Sequence Number on each controller and make sure they are of same value

         (Aruba7200) #show whitelist-db seq

          Sequence Number Details

           -----------------------

            Table Name       Current Seq Number     Last Updated

           ----------         ------------------           ------------

           cpsec_whitelist         4                       Mon Aug 19 03:24:18 2013

           rap_whitelist               3                       Mon Aug 19 04:08:22 2013

 

Each controller compares its Campus AP and RAP whitelist against whitelists on other controllers every two minutes. If a controller detects a difference, it will send its changes to the other controllers on the network. If all other controllers on the network have successfully received and acknowledged all whitelist changes made on this controller, every entry in the sequence number column in the controller whitelist will have the same value as the number displayed in the Sequence Number Details table. If a controller in the master or local controller whitelist has a lower sequence number, that controller may still be waiting to complete its update, or its update acknowledgement may not have yet been received.
 

If there is any mismatch on the Total entries and Current Sequence Number, then enable debug for the logs that are related to Whitelist sync (CAP and RAP).

logging level debugging security subcat wl-sync
 

For logging of cpsec and local db:

logging level debugging security subcat cpsec

logging level debugging security subcat db

 

After enabling and running the Debug for a while send the Tech-Support logs to the Technical Support for further analysis

 

There are few limitations regarding Whitelist DB

 

  - Previous version of backup database file should not be used to import database in 6.3

 

  - Backup of database file from 6.3 should not be used to import database in pre 6.3 versions

 

  - The whitelist rap database (created using local-userdb-ap  in pre6.3 version) is automatically copied to the new version during the upgrade. Before upgrading the
     controller from pre-6.3 version to 6.3 take a backup of the whitelist database using ‘export’. This will be useful if there is a need to downgrade the controller to
     pre-6.3 version in future.

 

  - If there is a need to downgrade the controller from 6.3 to pre-6.3 version, then take a backup of the whitelist database using ‘export’ before downgrading.


Any failures during Whitelist DB upgrade can be verified from  the appropriate log messages 

 

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.