05-18-2011 07:08 AM
While the Secondary controller was in control, I looked at monitor->access points->IPsec down. All of the RAPs had the IP address of the Master controller listed as their "Switch IP" rather than the VRRP address. When we moved them back over to the original Primary, they came back up with the VRRP address listed (correctly) as their "Switch IP".
Our initial setup for a RAP is to give it a public address to connect to, x.x.0.1, which has a static route set up on our PIX that points to the VRRP private address of the controllers:
static (inside,outside) x.x.0.1 172.30.161.3 netmask 255.255.255.255.
172.30.161.3 is our VRRP address, 172.30.161.1 is our primary and 172.30.161.2 is our secondary.
I can't figure out why, when the secondary controller takes over, the RAPs are still looking for 172.30.161.1, considering we've never told them to use that address; we've used the VRRP address for everything.
05-18-2011 07:29 AM
05-18-2011 11:13 AM
05-18-2011 12:29 PM
The VRRP will NOT survive a translation through a firewall (if that is what you have). What you can do:
Create a 1:1 translation for the loopback or literal address of the primary controller. Create a 1:1 translation for the loopback or literal address of the secondary controller. Create a DNS A record that has two addresses externally (the two external addresses for the translations you just created). Provision the RAP to the DNS A record and it will try the first, then the second if the first is down.
Aruba Customer Engineering
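The translations and DNS record described in the reply above, written out as an added example; it is not part of the original thread and is not Aruba's or the poster's own configuration. The external addresses x.x.0.2 and x.x.0.3 and the hostname rap-controllers.example.com are placeholders made up for illustration, the static lines reuse the syntax quoted in the question, and the lines starting with "!" or ";" are annotations, not commands.

```cisco
! Existing translation from the question: one public address mapped
! to the VRRP address 172.30.161.3.
static (inside,outside) x.x.0.1 172.30.161.3 netmask 255.255.255.255

! Suggested in the reply: one 1:1 translation per controller, each to
! that controller's own address rather than to the VRRP address.
! x.x.0.2 and x.x.0.3 are placeholder public addresses.
static (inside,outside) x.x.0.2 172.30.161.1 netmask 255.255.255.255
static (inside,outside) x.x.0.3 172.30.161.2 netmask 255.255.255.255

; External DNS zone (BIND-style records, hypothetical hostname):
; one A record name carrying both external addresses.
rap-controllers.example.com.  IN  A  x.x.0.2
rap-controllers.example.com.  IN  A  x.x.0.3
```

The RAP would then be provisioned with rap-controllers.example.com instead of x.x.0.1.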