Wireless Access

I'm setting up a proof of concept for a customer but I have a problem with the master-backup setup.

When I force a failover the AP rebootstraps. I assume this is normal behaevior. However the radio goes down for too long. The client disconnects from the ssid and even when the radio comes back up, the client stays disconnected for a while.

Is it possible to configure the radio to stay up when the master goes down? Or is there a possibility to keep the downtime of the radio to an minimum?

Information on the setup:
The AP's are configured with a static ip and connect to the controller using the vrrp ip address.

Settings of the VRRP:
Master:

interface vlan 1
ip address 10.1.11.50 255.0.0.0
!

master-redundancy
master-vrrp 4
peer-ip-address 10.1.11.49 ipsec dataunit
!
vrrp 4
priority 110
authentication dataunit
ip address 10.1.11.51
description "vrrp"
vlan 1
tracking master-up-time 30 add 20
no shutdown
!

Backup:

interface vlan 1
ip address 10.1.11.49 255.0.0.0
!

master-redundancy
master-vrrp 4
peer-ip-address 10.1.11.50 ipsec a40fa2b0c016337388d93e98742d638624f5a69beb6c8ef3
!
vrrp 4
authentication dataunit
ip address 10.1.11.51
description "vrrp"
vlan 1
tracking master-up-time 30 add 20
no shutdown
!

How do you have it setup ? VRRP ? LMS ?

Hope this helps :

I'm using VRRP since I'm in a master-backup redundancy scenario. 

I understand that it will take some time to fail-over. This isn't much of a concern.

However I don't like the fact that my client disconnects. 

Are you using the same IP segment / VLAN on the AP-group on the other controller ? Otherwise the user will experience a longer disruption ?

VRRP only works when both units are in the same L2 segment. 

Putting that aside I only have one vlan for this entire setup. Meaning the clients, contollers and AP's are all in the same vlan.

Now I can actually see the radio going down and after a few seconds I can see my client disconnecting.

Since it disconnects and can't immediatly reconnect, it drops the ssid from the table and won't reconnect to it until it discovers the ssid again.

It seems that it disconnects because the radio stays down for too long. Although it is only for about 20 seconds.

Do you have the following enabled ?

database synchronize period 30

yes

How many APs and clients do you have ?

I wonder if you having everything in the same VLAN / IP Space might be causing issues ?

Can you enable the following :

logging level debugging system process approc

logging level debugging ap-debug <ap-name>

Well i'm running a proof of concept. It is a completely standalone setup.
So 1 client and 1 ap.

I do have a third local controller that is setup to terminate a second AP. But i've disconnected it.

The ap that is connected now terminates on the vrrp ip of the master-backup setup.

Attached you'll find the log file taken from the backup controller during the failover.

The master is down during this failover so I cannot collect logs from that.

Attachment(s)

logAPdebug.txt   174 KB 1 version

Are these the logs when the APs failover to the backup ?

What version AOS you have installed ? What controller are you using ?

Yes they are.

7210 and 6.2.1.2

---

@DeKeuning wrote:

VRRP only works when both units are in the same L2 segment. 

 

Putting that aside I only have one vlan for this entire setup. Meaning the clients, contollers and AP's are all in the same vlan.

 

Now I can actually see the radio going down and after a few seconds I can see my client disconnecting.

Since it disconnects and can't immediatly reconnect, it drops the ssid from the table and won't reconnect to it until it discovers the ssid again.

 

It seems that it disconnects because the radio stays down for too long. Although it is only for about 20 seconds.

---

Here are the principles:

- The ip address that your access points use to discover the controller when they boot up (aruba-master, maybe?) MUST be the ip address of the VRRP.

- Secondly, the ip address in the LMS-IP if it exists of the AP System Profile of the AP-Group of all those access points also NEEDs to point to the VRRP between the master and backup master.  An access point can tell if it is pointed to a VRRP or a physical address of the controller

- The Backup Master needs to be able to support all of the access points that could fail over from a hardware and licensing perspective.

We have seen typical failover times of clients from steady state to steady state of 7 seconds with a hard controller failure using the principles above.

Either unplug or disable the VRRP instance while pinging the VRRP address to determine if the ip address of the VRRP is available 2 seconds from when it is distrupted to ensure you don't have a network problem...

Everything is configured on an IP base. So no DNS is used. 

I configured the VRRP IP when provisioning the AP and I placed this IP in the LMS IP just for a test.

I've noticed 2 things:

• The failover time is the fastest when you leave the setup active for a few minutes.
• It looks like the AP-92 APs take longer then 105's.

The setup is just one l3 routing switch so I don't assume that there is a network issue. There are no devices connected to the switch besides the controllers and the AP.

Based on you explanation I assume that this is normal behavior. The client might be a bit slow as well and might cause an extra delay.

I'm going to leave the setup as it is and test with the client equipment tomorrow. 

Thanks for the assistance.

Just following this thread and am wondering what significance your statement "An access point can tell if it is pointed to a VRRP or a physical address of the controller has" - does this affect the decisions the AP makes and are there any implications.

If an access point is connected to a VRRP, if there is some sort of disruption in service, it knows to quickly rebootstrap to the same address vs. entirely rebooting and causing a longer outage.  That is so that it can connect to the backup controller that is servicing the VRRP vs. entirely rebooting.

Is this the same for RAPs? - I was led to believe that even in "Always" mode the device will reboot once if it loses connection.

? That is not a parallel scenario.  RAPs use a different mechanism.

In what way? I know they are using IPsec instead of GRE, however they still use LMS and backup LMS which may may or may not be VRRP and can still failover.

RAPs use ipsec retries https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1346 to determine when to reboot.  Campus APs do not.

Thanks I would like to know if there is a difference in operation in the default behaviour if they are connected to a VRRP address or a static address on a device.

The difference is not significant.

I'm intereseted in the details and as I've not heard of this difference before is it documented anywhere.