07-15-2014 07:37 AM
I have been testing the following scenario.
Primary site has a master+standby pair. The backup site has 2 x locals (with a local VRRP). There is a routed WAN between sites. All controllers are communicating with each other fine. They are running 184.108.40.206. We can't upgrade, as all later versions have bugs that would affect the setup (same if we downgrade). Control plane is on, and both the RAP and CAP whitelists appear synced correctly on all controllers.
CAP failover tests work just fine. RAP tests seem to struggle.
RAPs come in via two public IPs translated by perimeter firewalls to the controller private addresses. Both ways in work in isolation. The RAP system profiles are set with appropriate LMS and backup-LMS addresses.
If you fail over a RAP from a local to the master, it works fine. If you fail over a RAP from the master to the local, the RAP never makes it into the AP table in an "up" state. It does, however, show in the local controller's datapath session table. This test was performed by shutting the VRRP on the standby+master in that order. The locals are pointing at that VRRP as the "master".
I suspect something to do with the RAP whitelist function, as CAPs do fail over OK. Interestingly, as soon as you enable the master VRRP again, even though the RAP is still targeting the local, it gets in OK (to the local AP table, "up"). This makes me think perhaps the local is trying to check the RAP whitelist on the master during the failover? I'm not aware of any configuration you can do against this. I was of the mind it should just work, i.e. the local should look at its own table if it can't check against the master. Am I wrong about this?
If it is supposed to work as I understand, can anybody suggest some relevant debugging logging levels or troubleshooting commands that might help please?
07-15-2014 07:39 AM - edited 07-15-2014 07:41 AM
EDIT: We need a diagram to understand what is going on here. You are speaking in general, but we would need specifics to explain your issue.
Aruba Customer Engineering
07-15-2014 08:34 AM
If the master is not reachable by the local in your failover situation, then the local still looks to the master to authenticate the RAPs and fails. In this scenario you need to tell the local to use its own copy of the RAP whitelist; run this on the local:
aaa authentication-server internal use-local-switch
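An added CLI walk-through (not part of either post above) showing where the accepted answer's command sits and the checks a practitioner would run afterwards on the local controller. The `(local)` prompt is an assumed hostname; the `show` commands are standard ArubaOS 6.x verification commands, and their exact output is not given on this page, so read them as "what to look at" rather than as expected text:

```text
! On the LOCAL controller (the one the RAP should fail over to).
! Assumed prompt "(local)"; substitute your own hostname.

(local) #configure terminal
(local) (config) #aaa authentication-server internal use-local-switch
(local) (config) #exit
(local) #write memory

! 1. Confirm the internal server is now set to use the local switch
!    (the RAP whitelist check no longer depends on reaching the master).
(local) #show aaa authentication-server internal

! 2. Confirm the local actually holds a synced copy of the RAP whitelist
!    before you pull the master VRRP for the test.
(local) #show whitelist-db rap

! 3. Repeat the failover test from the original post (shut the VRRP on
!    standby, then master) and check the RAP reaches "Up" on the local.
(local) #show ap database

! 4. If it still only appears in the datapath, the RAP's IPsec/PAPI
!    traffic is arriving but the AP is not completing authentication;
!    compare the session table with the AP database.
(local) #show datapath session table
```

Run the whitelist check (step 2) before the failover rather than after: if the local's copy is empty or stale, `use-local-switch` will make the local authenticate against an incomplete database and the RAP will still fail, just for a different reason.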