Q: 1. How do you configure HA state sync?
2. Do controllers communicate with each other when HA state sync is enabled?
3. What traffic types should be allowed between the controllers to enable state sync?
A:
Configuration:
On the master controller, we must configure an HA group profile. We must specify:
1. HA group members.
2. HA member roles.
3. A pre-shared key.
4. Enable state sync.
(Master) #configure t
(Master) (config) #ha group-profile "new"
(Master) (HA group information "new") # controller 10.1.1.5 role dual
(Master) (HA group information "new") # controller 10.1.1.3 role dual
(Master) (HA group information "new") #pre-shared-key aruba123
(Master) (HA group information "new") #state-sync
Let us verify the HA profile:
(Master) #show ha group-profile new
HA group information "new"
--------------------------
Parameter Value
--------- -----
Preemption Enabled
Over-subscription Disabled
State Synchronization Enabled
Pre-shared Key ********
Inter Controller heartbeat Disabled
Heartbeat Threshold 5
Heartbeat Interval 100
HA group-member IP address 10.1.1.5 dual
HA group-member IP address 10.1.1.3 dual
HA group-member IPv6 address N/A
Now the member controllers start talking to each other, syncing client PMK and key cache values. The pre-shared key is used to secure the communication between the controllers.
We can see the member controllers communicating with each other over ESP, IPsec, and TCP ports above 1024.
(local-5) (config) #show controller-ip
Switch IP Address: 10.1.1.5
(local-5) (config) #show datapath session table 10.1.1.3
Datapath Session Table Entries
------------------------------
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
10.1.1.3 10.1.1.5 50 0 0 0/0 0 0 0 1/0 b 4 352 FC
10.1.1.5 10.1.1.3 50 0 0 0/0 0 0 0 1/0 b 0 0 FY
10.1.1.5 10.1.1.3 17 500 500 0/0 0 0 1 1/0 34 1 104 F
10.1.1.3 10.1.1.5 17 500 500 1/4100 0 0 1 1/0 34 1 104 FC
10.1.1.5 10.1.1.3 6 55798 9199 0/0 0 0 2 local 123 17 1016 C
10.1.1.3 10.1.1.5 6 48771 9199 0/0 0 0 2 tunnel 17 120 17 1008 C
10.1.1.5 10.1.1.3 6 9199 48771 0/0 0 0 2 tunnel 17 120 15 904
10.1.1.3 10.1.1.5 6 9199 55798 0/0 0 0 2 local 124 14 852
Thus, for state sync to work, we must configure any intermediate firewall to allow any traffic between the controllers.
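To check an intermediate firewall's rule set against the traffic the controllers actually exchange, the session table above can be reduced to protocol and service-port pairs. The following Python is an added example, not Aruba code: the function names, the most-frequent-port heuristic and the `firewall_allows` list are assumptions made for illustration.

```python
import re
from collections import Counter

# Session rows copied from the datapath session table above.
SESSION_TABLE = """\
10.1.1.3 10.1.1.5 50 0 0 0/0 0 0 0 1/0 b 4 352 FC
10.1.1.5 10.1.1.3 50 0 0 0/0 0 0 0 1/0 b 0 0 FY
10.1.1.5 10.1.1.3 17 500 500 0/0 0 0 1 1/0 34 1 104 F
10.1.1.3 10.1.1.5 17 500 500 1/4100 0 0 1 1/0 34 1 104 FC
10.1.1.5 10.1.1.3 6 55798 9199 0/0 0 0 2 local 123 17 1016 C
10.1.1.3 10.1.1.5 6 48771 9199 0/0 0 0 2 tunnel 17 120 17 1008 C
10.1.1.5 10.1.1.3 6 9199 48771 0/0 0 0 2 tunnel 17 120 15 904
10.1.1.3 10.1.1.5 6 9199 55798 0/0 0 0 2 local 124 14 852
"""

PROTO_NAMES = {6: "TCP", 17: "UDP", 50: "ESP"}
# Only the first five columns are parsed; the later columns vary per row.
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\b")

def parse_sessions(text):
    """Return (src, dst, proto, sport, dport) for each session row; skip headers."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, dst, proto, sport, dport = m.groups()
            rows.append((src, dst, int(proto), int(sport), int(dport)))
    return rows

def observed_services(sessions):
    """Collapse sessions into (protocol name, service port) pairs."""
    # Heuristic (assumption): the service port is the port seen most often for
    # a protocol; the other end of the session is an ephemeral client port.
    counts = Counter()
    for _, _, proto, sport, dport in sessions:
        counts.update({(proto, sport), (proto, dport)})
    services = set()
    for _, _, proto, sport, dport in sessions:
        port = None                       # ESP has no ports
        if proto in (6, 17):
            port = max((sport, dport), key=lambda p: (counts[(proto, p)], -p))
        services.add((PROTO_NAMES.get(proto, str(proto)), port))
    return services

def blocked_services(sessions, firewall_allows):
    """Services seen between the controllers that the rule set does not allow."""
    return observed_services(sessions) - set(firewall_allows)
```

For this output, a hypothetical rule set that allows only ESP and UDP 500 leaves TCP 9199 blocked, and the TCP sessions' client-side ports (55798, 48771) are the ports above 1024 mentioned earlier.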