I have M3 local controllers with L2 failover (ie all VLANs available at backup controller).
With CPsec disabled, I simulated a local controller failure. The service interruption times seen by a wireless station were 10 seconds for failover and about 30-60 seconds for restore. The AP radio remains on during the failover process so the wireless station remains associated.
With CPsec enabled, I simulated a local controller failure. The service interruption times seen by a wireless station were 80-90 seconds for failover and about 60 seconds for restore. Furthermore, the AP radios were turned off by the controller during this process so the wireless stations lost association. They had to auto reassociate using cached credentials when the radios came back up. It appears that the controller disables the AP until it checks the certificate even during a failover.
The only difference between the above scenarios is that in the second, CPsec is enabled and the APs are loaded with a switch cert using the Whitelisting features. Is the above CPsec performance reasonable or is there something else I can do to improve performance?
Thanks.