03-17-2018 02:49 PM - edited 03-17-2018 02:52 PM
Recently I have configured Master Redundancy + HA Failover with CPSec turned on. VRRP and Master Redundancy was OK: show vrrp and show master-redundancy displayed correct states (UP) and roles for both master controllers (Master/Backup).
HA verified with show ha ap table and show ap database displayed APs with correct flags (LU/SLU and -/S respectively).
show license server-redundancy showed central licensing was ok.
I have discovered, that with CPSec enabled a HA failover did not work, due to problem with Clustering configuration. Disabling CPSec makes it work ok.
But while controllers were in Master-Redundancy, I was not able to correct CPSec Cluster configuration on Backup. So I disabled master-redundancy, rebooted Backup master so it could became standalone master and reconfigured CPSec Cluster as follows:
1. I have configured both controllers with respecitve Cluster roles:
- on Root (Preferred-Master/Active) cluster-member-factory-cert member-mac <member-mac>
- on Member (Backup-Master/Standby) cluster-root-ip <root-ip> ipsec-factory-cert root-mac <root-mac>
MAC addresses were taken from show inventory output of each respective wlc.
2. show cluster-config and show cluster-switches showed correct output for each controller.
3.Then I enabled again Master-Redundancy, but after a while I have noticed that Cluster configuration in show run on Backup-Master was overwritten with command from Active-Master. I expected to see in Backup-Master's config cluster-root-ip <root-ip> ipsec-factory-cert root-mac <root-mac> command, but instead there was cluster-member-factory-cert member-mac <member-mac> only!
Of course, output from show cluster-switches on both controllers was empty because CPSec Cluster was no longer working and HA could not work properly.
There is an AMP configured on both controllers, but they are in Monitor Mode.
What did I do wrong? How to prevent Master from overwritting CPSec Cluster config on Backup?
Solved! Go to Solution.
03-17-2018 03:32 PM
1. If two controllers have a master/backup master relationship or a master/local relationship, you do not need cluster commands. Cluster commands are only if you want to share cpsec environment among two different masters. Lose the cluster commands; cpsec is shared between controllers that have a master/backup or master/local relationship.
2. You should not configure HA with master/backup master. Just point the APs at the VRRP and that's it. The VRRP determines who is the master and who is not the master in a master/backup scenario and the APs should not be allowed to choose: Point the LMS-IP at the VRRP between the master/backup master and let the VRRP determine what controller they connect to.
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.