Contributor II
Posts: 64
Registered: ‎07-23-2014

Is it normal that the local controllers cannot reach the standby master?

Hi,

I have a setup with a master-standby redundancy and several pairs of active-active local controllers.

The local controllers can reach the active master (physical and VRRP address), but not the standby master controller, even if they are in the same VLAN.

The standby master can reach the active master (physical and VRRP) and all other devices in the VLAN of the local controllers, except the local controllers themselves. I've done a Wireshark trace and the standby master controller isn't sending out any packet while pinging the locals.

VRRP failover works fine and at the moment of failover the new active master can reach all locals. At that moment the new standby master (previous active master) stops being able to reach the locals and vice-versa.

Is this normal behaviour?

 

Thx

Aruba Employee
Posts: 159
Registered: ‎02-14-2013

Re: Is it normal that the local controllers cannot reach the standby master?

Yes, that is normal and expected. There are no issues in your setup. 

 

Thanks, 

Rajaguru Vincent 

CWNA | CWSP | CWAP | CWDP | ACMP
Contributor II
Posts: 64
Registered: ‎07-23-2014

Re: Is it normal that the local controllers cannot reach the standby master?

What could be the reason behind this? 

I see that there are IPSEC routes on the standby without an IPSEC tunnel, so that makes sense. However, TAC seems to disagree with the fact that it is normal behaviour.

Aruba Employee
Posts: 159
Registered: ‎02-14-2013

Re: Is it normal that the local controllers cannot reach the standby master?

Hi Peter,

 

You are correct. Here is the explanation,

 

(Master) #show ip route

C 192.168.2.6/32 is an ipsec map default-local-master-ipsecmap192.168.2.6
C 192.168.2.3/32 is an ipsec map default-psk-redundant-master-ipsecmap


(Standby) #show ip route

C 192.168.2.6/32 is an ipsec map default-local-master-ipsecmap192.168.2.6
C 192.168.2.4/32 is an ipsec map default-psk-redundant-master-ipsecmap


(Local) #show ip route

C 192.168.2.0/27 is directly connected, VLAN49
C 192.168.2.4/32 is an ipsec map default-local-master-ipsecmap


On Master, there is an ipsec map to local, "default-local-master-ipsecmap192.168.2.6". On Local, there is an ipsec map to Master, "default-local-master-ipsecmap".

 

On Standby, there is an ipsec map to local, "default-local-master-ipsecmap192.168.2.6". Note the ipsec map name. On Local, there is NO ipsec map to Standby. Local controller will have an ipsec map only to the Master, not to the standby.

 

On the Local controller, the ipsec map is created only to the Master. Not to the Standby.
The ipsec tunnel is in fact made to the VRRP IP (192.168.2.10) between the Master and Standby when you configured the Local.


When you ping from Local,
The traffic may go out, since it would take the directly connected route.

 

The return traffic from Standby,
This should take the ipsec map as per the routing table. This is only a map on the routing table of Standby, but the local controller doesn't have an ipsec map for standby. This means there is NO ipsec tunnel to the Local controller. So, the traffic will be dropped since the route entry is not valid. The ipsec map on the Standby will take effect when the Standby controller takes the Master role.

 

(Local) #show datapath session table | include 4500
192.168.2.6 192.168.2.10 17 4500 4500 0/0 0 0 255 0/0/0 2862 0 0 F
192.168.2.10 192.168.2.6 17 4500 4500 0/0 0 0 0 0/0/0 2862 0 0 FC


This explanation is based on my understanding and not from any official Aruba documents.


Thanks,
Rajaguru Vincent

CWNA | CWSP | CWAP | CWDP | ACMP
Aruba Employee
Posts: 3
Registered: ‎08-05-2015

Re: Is it normal that the local controllers cannot reach the standby master?

I agree with Raj, here is how I found out:

Ping from Local to Standby: Local will send ICMP traffic to Standby via the default gateway/static route configured. The return traffic from Standby will never reach Local because there is an ipsec route in the routing table and it tries to send through ipsec, but the tunnel is down, so the traffic goes nowhere.

That is the reason the ping is not successful.

 

Attaching the screenshot for reference: Ping from Local Controller

Attachments: Datapath from standby.JPG, Local.JPG, Master.JPG, Standby.JPG

Regards,

Deepak Balachandran
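
The route-table reasoning in the two replies above, as an added example that is not part of the original posts or Aruba's code: it runs a longest-prefix lookup over the three `show ip route` outputs from the thread and treats an ipsec-map route as usable only when the peer holds a matching ipsec-map route back. The controller addresses in `ADDR` are inferred from the map entries, and the reciprocity rule is a simplification of real tunnel state.

```python
import ipaddress
import re

# Route tables copied from the thread's "show ip route" output.
ROUTES = {
    "Master": """
C 192.168.2.6/32 is an ipsec map default-local-master-ipsecmap192.168.2.6
C 192.168.2.3/32 is an ipsec map default-psk-redundant-master-ipsecmap""",
    "Standby": """
C 192.168.2.6/32 is an ipsec map default-local-master-ipsecmap192.168.2.6
C 192.168.2.4/32 is an ipsec map default-psk-redundant-master-ipsecmap""",
    "Local": """
C 192.168.2.0/27 is directly connected, VLAN49
C 192.168.2.4/32 is an ipsec map default-local-master-ipsecmap""",
}
# Assumption: addresses inferred from which peer each map points at.
ADDR = {"Master": "192.168.2.4", "Standby": "192.168.2.3", "Local": "192.168.2.6"}

LINE = re.compile(r"^C\s+(\S+) is (an ipsec map|directly connected)\b")

def parse(text):
    """Return [(network, is_ipsec_map)] for each connected-route line."""
    routes = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m.group(1)),
                           m.group(2) == "an ipsec map"))
    return routes

def lookup(node, dst):
    """Longest-prefix match for dst in node's table, or None."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in parse(ROUTES[node]) if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def leg(src, dst):
    """Fate of a packet sent from src to dst's address."""
    route = lookup(src, ADDR[dst])
    if route is None:
        return "no route"
    if not route[1]:
        return "forwarded (connected)"
    back = lookup(dst, ADDR[src])
    if back is not None and back[1]:
        return "forwarded (ipsec)"
    return "dropped (ipsec map, no tunnel)"

def ping(src, dst):
    """(request leg, reply leg) for a ping from src to dst."""
    return leg(src, dst), leg(dst, src)
```

`ping("Local", "Standby")` shows the request leaving on the connected route and the reply being dropped at the Standby, while `ping("Standby", "Local")` is dropped before it is sent, which matches the Wireshark observation in the first post.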

