Introduction : As of ArubaOS 6.3, in addition to the campus AP whitelist sync, the RAP whitelist is now synced across all controllers in a deployment; each controller has a RAP entry for every RAP in the system, regardless of where it is currently terminating.
Environment : This article applies to Aruba Mobility Controllers running ArubaOS version 126.96.36.199.
When a whitelist DB sync issue is suspected:
- Look for the total entries in the Campus AP and RAP whitelist databases using the following commands:
(Aruba7200) #show whitelist-db cpsec-status
Entries in Whitelist database
Total entries: 2
(Aruba7200) #show whitelist-db rap-status
Entries in Whitelist database
Total entries: 3
The total entries should be the same across all controllers.
- Look at the current sequence number on each controller and make sure they all have the same value:
(Aruba7200) #show whitelist-db seq
Sequence Number Details
Table Name       Current Seq Number  Last Updated
----------       ------------------  ------------
cpsec_whitelist  4                   Mon Aug 19 03:24:18 2013
rap_whitelist    3                   Mon Aug 19 04:08:22 2013
Each controller compares its Campus AP and RAP whitelist against whitelists on other controllers every two minutes. If a controller detects a difference, it will send its changes to the other controllers on the network. If all other controllers on the network have successfully received and acknowledged all whitelist changes made on this controller, every entry in the sequence number column in the controller whitelist will have the same value as the number displayed in the Sequence Number Details table. If a controller in the master or local controller whitelist has a lower sequence number, that controller may still be waiting to complete its update, or its update acknowledgement may not have yet been received.
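The cross-controller comparison described above, as an added example that is not Aruba tooling or part of the original article: a parser that reads saved CLI captures and reports every total-entry or sequence-number field that differs between controllers. The controller names `master` and `local` and the second capture are constructed for illustration; the first capture mirrors the command output shown above.

```python
import re

CMD = re.compile(r"#\s*show whitelist-db (\S+)")
TOTAL = re.compile(r"Total entries:\s*(\d+)")
SEQ_ROW = re.compile(r"^(\w+_whitelist)\s+(\d+)\s")

def parse_capture(text):
    """Extract entry totals and sequence numbers from one controller's CLI capture."""
    values, cmd = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := CMD.search(line):            # remember which command the output belongs to
            cmd = m.group(1)
        elif cmd in ("cpsec-status", "rap-status") and (m := TOTAL.search(line)):
            values[f"{cmd} total entries"] = int(m.group(1))
        elif cmd == "seq" and (m := SEQ_ROW.match(line)):
            values[f"{m.group(1)} seq"] = int(m.group(2))
    return values

def find_mismatches(captures):
    """Return {field: {controller: value}} for each field that differs or is missing."""
    parsed = {name: parse_capture(text) for name, text in captures.items()}
    report = {}
    for field in sorted({f for v in parsed.values() for f in v}):
        seen = {name: v.get(field) for name, v in parsed.items()}  # None = not captured
        if len(set(seen.values())) > 1:
            report[field] = seen
    return report

# Constructed sample captures (assumption: one saved CLI session per controller).
MASTER = """(Aruba7200) #show whitelist-db cpsec-status
Entries in Whitelist database
Total entries: 2
(Aruba7200) #show whitelist-db rap-status
Entries in Whitelist database
Total entries: 3
(Aruba7200) #show whitelist-db seq
Sequence Number Details
Table Name Current Seq Number Last Updated
---------- ------------------ ------------
cpsec_whitelist 4 Mon Aug 19 03:24:18 2013
rap_whitelist 3 Mon Aug 19 04:08:22 2013
"""
# Constructed: a local controller that has not yet received the latest RAP entry.
LOCAL = MASTER.replace("Total entries: 3", "Total entries: 2").replace("rap_whitelist 3", "rap_whitelist 2")

if __name__ == "__main__":
    for field, seen in find_mismatches({"master": MASTER, "local": LOCAL}).items():
        print(f"MISMATCH {field}: {seen}")
```

Because controllers compare whitelists every two minutes, a mismatch is worth acting on only if it persists across captures taken a few minutes apart.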
If there is any mismatch in the total entries and current sequence number, enable debug logging for whitelist sync (CAP and RAP):
logging level debugging security subcat wl-sync
For logging of cpsec and local db:
logging level debugging security subcat cpsec
logging level debugging security subcat db
After enabling debug logging and letting it run for a while, send the tech-support logs to Technical Support for further analysis.
There are a few limitations regarding the whitelist DB:
- A backup database file from a previous version should not be used to import the database in 6.3.
- A backup database file from 6.3 should not be used to import the database in pre-6.3 versions.
- The whitelist RAP database (created using local-userdb-ap in pre-6.3 versions) is automatically copied to the new version during the upgrade. Before upgrading the controller from a pre-6.3 version to 6.3, take a backup of the whitelist database using ‘export’. This will be useful if there is a need to downgrade the controller to a pre-6.3 version in the future.
- If there is a need to downgrade the controller from 6.3 to a pre-6.3 version, take a backup of the whitelist database using ‘export’ before downgrading.
Any failures during the whitelist DB upgrade can be verified from the appropriate log messages.