Controller Based WLANs


What are the pre-requisites to enable state sync in HA failover? 

Mar 07, 2016 05:50 PM

Q:

1. How to configure the HA state sync?

2. Do controllers communicate to each other when HA state sync is enabled?

3.  What traffic types should be allowed between the controllers to enable state sync?

 

 



A:

 

Configuration:

On the master controller, we must configure an HA group profile. In it we must specify:

 

1. HA group members.

2. HA member roles.

3. A pre-shared key.

4. Enable state sync.

 

(Master) #configure t
(Master) (config) #ha group-profile "new"
(Master) (HA group information "new") #   controller 10.1.1.5 role dual
(Master) (HA group information "new") #   controller 10.1.1.3 role dual
(Master) (HA group information "new") #pre-shared-key aruba123
(Master) (HA group information "new") #state-sync

 

 

Let us verify the HA profile:

 

(Master) #show ha group-profile new

HA group information "new"
--------------------------
Parameter                     Value
---------                     -----
Preemption                    Enabled
Over-subscription             Disabled
State Synchronization         Enabled
Pre-shared Key                ********
Inter Controller heartbeat    Disabled
Heartbeat Threshold           5
Heartbeat Interval            100
HA group-member IP address    10.1.1.5 dual
HA group-member IP address    10.1.1.3 dual
HA group-member IPv6 address  N/A

 

Now the member controllers will start talking to each other, syncing client PMK and key cache values. The pre-shared key is used to secure the communication between the controllers.

 

We can see the member controllers communicating with each other over ESP, IPsec and TCP ports above 1024.

 

(local-5) (config) #show controller-ip

Switch IP Address: 10.1.1.5


(local-5) (config) #show datapath session table 10.1.1.3

Datapath Session Table Entries
------------------------------

Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.1.1.3        10.1.1.5        50   0     0      0/0     0    0   0   1/0         b    4          352        FC
10.1.1.5        10.1.1.3        50   0     0      0/0     0    0   0   1/0         b    0          0          FY

10.1.1.5        10.1.1.3        17   500   500    0/0     0    0   1   1/0         34   1          104        F
10.1.1.3        10.1.1.5        17   500   500    1/4100  0    0   1   1/0         34   1          104        FC

10.1.1.5        10.1.1.3        6    55798 9199   0/0     0    0   2   local       123  17         1016       C
10.1.1.3        10.1.1.5        6    48771 9199   0/0     0    0   2   tunnel 17   120  17         1008       C
10.1.1.5        10.1.1.3        6    9199  48771  0/0     0    0   2   tunnel 17   120  15         904
10.1.1.3        10.1.1.5        6    9199  55798  0/0     0    0   2   local       124  14         852

 

Thus, for state sync to work, we must configure any intermediate firewall to allow any traffic between the controllers.
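To check what the controllers actually exchanged before writing or reviewing the firewall rule, the session table output can be collapsed into distinct protocol/port flows. The script below is an added example, not part of the original article or of ArubaOS; the names `summarize`, `ROW` and `PROTO_NAMES` are hypothetical, and it assumes that for TCP/UDP rows the lower of the two ports is the service port.

```python
import re
from collections import defaultdict

# Header, separator and rows copied from the session table shown above.
SAMPLE = """\
Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.1.1.3        10.1.1.5        50   0     0      0/0     0    0   0   1/0         b    4          352        FC
10.1.1.5        10.1.1.3        50   0     0      0/0     0    0   0   1/0         b    0          0          FY
10.1.1.5        10.1.1.3        17   500   500    0/0     0    0   1   1/0         34   1          104        F
10.1.1.3        10.1.1.5        17   500   500    1/4100  0    0   1   1/0         34   1          104        FC
10.1.1.5        10.1.1.3        6    55798 9199   0/0     0    0   2   local       123  17         1016       C
10.1.1.3        10.1.1.5        6    48771 9199   0/0     0    0   2   tunnel 17   120  17         1008       C
10.1.1.5        10.1.1.3        6    9199  48771  0/0     0    0   2   tunnel 17   120  15         904
10.1.1.3        10.1.1.5        6    9199  55798  0/0     0    0   2   local       124  14         852
"""

PROTO_NAMES = {6: "tcp", 17: "udp", 50: "esp"}  # IP protocol numbers
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Only the first five columns are needed; later columns vary in width
# ("tunnel 17" is two tokens, Flags may be empty), so they are not parsed.
ROW = re.compile(rf"^{IP}\s+{IP}\s+(\d+)\s+(\d+)\s+(\d+)\s")

def summarize(text):
    """Map (protocol, service_port) -> row count and the peers involved."""
    flows = defaultdict(lambda: {"rows": 0, "peers": set()})
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        src, dst = m.group(1), m.group(2)
        proto, sport, dport = (int(m.group(i)) for i in (3, 4, 5))
        name = PROTO_NAMES.get(proto, f"ip-proto-{proto}")
        # Each connection appears once per direction; fold both rows onto the
        # lower port (assumed service port). ESP carries no ports.
        port = min(sport, dport) if proto in (6, 17) else None
        flows[(name, port)]["rows"] += 1
        flows[(name, port)]["peers"].update((src, dst))
    return {k: {"rows": v["rows"], "peers": sorted(v["peers"])}
            for k, v in flows.items()}

if __name__ == "__main__":
    for (name, port), info in summarize(SAMPLE).items():
        label = name if port is None else f"{name}/{port}"
        print(f"{label:10} rows={info['rows']} between {' <-> '.join(info['peers'])}")
```

The result reflects only the sessions present in the pasted output, so it should be captured while the sync is active and compared against what the firewall permits.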

 

 
