Frequent Contributor II

Client State Synchronization on a HA Fast Failover fails

Hello 

I'm building a HA scenario using HA and VRRP, but I'm not able to see the user-table on the standby controller. I am also testing rebooting the master controller and I'm losing the connectivity from the clients; I don't even see the SSID during the reboot. I run 6.5.0.3. Can I get some direction from the community on where to look to narrow down the issue?

Here you have some outputs from the Active and Standby:

Active
(EU-WLAN03) # show ha group-profile HA-MM
HA group information "HA-MM"
----------------------------
Parameter                    Value
---------                    -----
Preemption                   Enabled
Over-subscription            Disabled
State Synchronization        Enabled
Pre-shared Key               ********
Inter Controller heartbeat   Enabled
Heartbeat Threshold          5
Heartbeat Interval           100
HA group-member IP address   172.20.9.214 dual
HA group-member IP address   172.20.9.215 dual
HA group-member IPv6 address N/A

(EU-WLAN03) #show vrrp


Virtual Router 20:
Description MASTER-VRRP
Admin State UP, VR State MASTER
IP Address 172.20.9.213, MAC Address 00:00:5e:00:01:14, vlan 298
Priority 255, Advertisement 1 sec, Preemption Disable Delay 0
Auth type PASSWORD, Auth data: ********
tracking is not enabled


Standby
(EU-WLAN04) #show ha ap table

HA AP Table
-----------
AP                 IP-Address     MAC-Address        AP-flags  HA-flags
--                 ----------     -----------        --------  --------
18:64:XX:XX:XX:XX  172.20.216.51  18:64:XX:XX:XX:XX  SLU       H

 

 

Guru Elite

Re: Client State Synchronization on a HA Fast Failover fails

Client State synchronization refers to the PMK cache entries that are synchronized from the active to the standby controller for 802.1x clients.  When 802.1x clients fail over, they will just do a 4-way handshake instead of a full radius reauthentication, which saves quite a bit of time and considerably reduces the hit that a radius server would take during a failover.  The user table is NOT synchronized to the standby controller.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II

Re: Client State Synchronization on a HA Fast Failover fails

Thanks for the clarification. So then, that is not the reason for my problem during the failover, which is not working.

During the reboot of the Active controller, the AP is not connected to the Standby controller.

(EU-WLAN04) #show ha ap table

HA AP Table
-----------
AP  IP-Address  MAC-Address  AP-flags  HA-flags
--  ----------  -----------  --------  --------

Total Num APs::0
Active APs::0
Standby APs::0
AP Flags: R=RAP; S=Standby; s=Bridge Split VAP L=Licensed; M=Mesh, U=Up
HA Flags: S=Standby, C=Standby connected, L=LMS, F=Sent Failover Request to AP, H=AP flaged for Inter Controller Heartbeat

 

As soon as the primary is up, I can see the AP on both controllers. By the way, on the ap system-profile I don't have any LMS and BKUP ip address, if I add this setup, the AP is shown on the controllers as "dirty"

Thanks

Frequent Contributor II

Re: Client State Synchronization on a HA Fast Failover fails

I made some progress by wiping my test AP, configuring option 43 pointing to the VRRP IP via DHCP, and adding the lms and bckp-lms IP on the AP system profile, but the scenario is still unpredictable and it doesn't work after rebooting the master controller. The standby tunnel from the AP on the second controller becomes active and takes over the traffic, but after the primary master controller is available again and the AP tunnel returns to this controller, the standby AP tunnel disappears. I see some bugs even on the early code 6.5.1.
Frequent Contributor II

Re: Client State Synchronization on a HA Fast Failover fails

I've been running 6.5.1 on HA in a production environment and so far it has been stable without any problems. The standby controller has kept the AP tunnels all the time. Looking at the 6.5.1 Release Notes, I can see the two bugs 129692 and 138741 describing the issue I've been facing.

I always use GA versions, but in my environment I have several 7210 controllers, so I might need to jump to ED instead.

Occasional Contributor I

Re: Client State Synchronization on a HA Fast Failover fails

I have a similar problem and would like to read the bug reports you mention in your post. Where can I view these?

I am running version 6.5.1.6 FIPS. When the Backup controller becomes active, the APs show active in the database and the SSID is broadcast; however, the clients drop their connection and when trying to re-connect they get invalid PSK. I enter the correct PSK and still cannot connect.

Guru Elite

Re: Client State Synchronization on a HA Fast Failover fails

That sounds like your configurations are not in sync.  Do you have the second controller configured as a backup master or a local?



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Client State Synchronization on a HA Fast Failover fails

The second controller is configured as a local. Prior to fail-over I checked the database sync and it was fine.


IMPORTANT NOTICE: This message may contain privileged and confidential information and is intended only for the individual(s) named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.
Guru Elite

Re: Client State Synchronization on a HA Fast Failover fails

"show switches" on the master would tell you if the configuration has synchronized between the two devices.  The database sync does not come into play with regards to configuration synchronization.

 

If a SSID is up on an AP but it rejects the psk, then the configurations are not the same.  If the PSK is accepted but the client does not get an ip address, you need to make sure that on the local controller the vlans are defined and connected to subnets that provide ip addresses.

 

I would make the backup controller the LMS-ip to test to make sure the APs can even come up on the backup controller successfully before trying to implement HA.



Colin Joseph
Aruba Customer Engineering
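
Added example (not part of the original posts, and not Aruba code): a Python sketch of the standard WPA2 check a controller runs on 4-way handshake message 2. It shows why a standby that holds the same PMK completes the handshake while one whose passphrase configuration differs reports a bad PSK. The SSID, passphrase, MAC addresses, nonces and frame bytes are constructed, and the same nonces are reused for every controller to keep the comparison simple.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # 802.11i PRF-384 over the sorted addresses and nonces; the KCK is PTK[0:16]
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3)
    )[:48]
    return ptk[:16]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 16 bytes
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def controller_accepts(pmk, aa, spa, anonce, snonce, frame, client_mic) -> bool:
    # Authenticator side of message 2: recompute the MIC from the controller's own PMK
    kck = derive_kck(pmk, aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(kck, frame), client_mic)

def failover_demo() -> dict:
    # Every value below is constructed for illustration
    ssid, psk = "corp-psk", "correct horse battery"
    aa = bytes.fromhex("020000000001")   # BSSID, unchanged across failover
    spa = bytes.fromhex("020000000002")  # client MAC
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    frame = b"\x02\x03\x00\x5f" + b"constructed EAPOL-Key message 2 body, MIC field zeroed"
    client_pmk = derive_pmk(psk, ssid)
    mic = eapol_mic(derive_kck(client_pmk, aa, spa, anonce, snonce), frame)
    pmks = {
        "active": derive_pmk(psk, ssid),
        # stands in for a PMK cache entry the standby received via state sync
        "standby_synced_pmk": bytes(client_pmk),
        # standby derives its PMK from a passphrase that differs by one character
        "standby_drifted_psk": derive_pmk(psk + " ", ssid),
    }
    return {name: controller_accepts(p, aa, spa, anonce, snonce, frame, mic)
            for name, p in pmks.items()}

if __name__ == "__main__":
    for name, ok in failover_demo().items():
        print(f"{name}: {'MIC ok' if ok else 'MIC failure'}")
```
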


Occasional Contributor I

Re: Client State Synchronization on a HA Fast Failover fails

I thought the database and configuration were the same. I did the "show switches" and yes, the configurations are in sync.


(xxxxxxx) #show switches

All Switches
------------
IP Address Name Location Type Model Version Status Configuration State Config Sync Time (sec) Config ID
---------- ---- -------- ---- ----- ------- ------ ------------------- ---------------------- ---------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx master Aruba7210 6.5.1.6-FIPS_60229 up UPDATE SUCCESSFUL 0 2
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx standby Aruba7210 6.5.1.6-FIPS_60229 up UPDATE SUCCESSFUL 9


I tried the fail-over test on another set of controllers and got the same result. I guess it is time to open a TAC case.
