Occasional Contributor II
Posts: 29
Registered: ‎08-06-2013

VRRP Inquiry

Hi Community,

 

I just want to verify something about a VRRP setup. I can say I am still new and learning how VRRP and RAP work. We are helping one of our clients who claimed that VRRP is not working. Upon checking the VRRP config for both WLCs, to me it looks OK and should work. Would you agree?

 

WLC - 1

master-redundancy
master-vrrp 12
peer-ip-address x.x.x.14 ipsec 0c6d2892bde201858aab1191c6dbf83c
!
vrrp 12
priority 110
ip address x.x.x.15
description "Preferred-Master"
vlan 12
preempt
tracking master-up-time 30 add 20
no shutdown
!
ip default-gateway 10.29.3.13

 

WLC 2

master-redundancy
master-vrrp 12
peer-ip-address x.x.x.13 ipsec cbc9eae6f32be827c74b0daee0a078cb
!
vrrp 12
ip address x.x.x.15
description "Backup-Master"
vlan 12
preempt
tracking master-up-time 30 add 20
no shutdown
!
ip default-gateway x.x.x.14

 


What I am thinking is that the problem is that the backup-master (WLC 2) DHCP was not properly set up, so when the preferred-master is down, the APs (configured as RAPs) cannot obtain IP addresses from the backup, and most likely the scenario is that the APs are not broadcasting SSIDs. What do you think?

 

WLC1

ip local pool "AP-IP" x.x.x.1 x.x.x.200
vpdn group l2tp
client configuration dns x.x.x.x x.x.x.x
!

ip dhcp excluded-address x.x.x.x x.x.x.x
ip dhcp pool AP_MNGT
default-router x.x.x.13
network x.x.x.0 255.255.255.0
authoritative
!
service dhcp
ip dhcp default-pool private


WLC2

vpdn group l2tp
client configuration dns x.x.x.x x.x.x.x
!

ip dhcp pool ap_vlan
default-router x.x.x.14
lease 0 8 0
network x.x.x.0 255.255.255.0
authoritative
!

ip dhcp default-pool private


Also, is the "no database synchronize" command on both WLCs telling me that the master is not pushing the updates to the backup and thus causing this issue?

 

Thanks for any information.

 

Oliver

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: VRRP Inquiry

Are your RAPs pointing to a public VRRP address? The flavor of VRRP that the controller uses will not work with a NATed VRRP address on the controller. That means the VRRP address on the controller(s) needs to be an actual public address, instead of one that is behind a NAT boundary, to work.

 

For failover to work with NAT, both controllers need to have a NATed public address, and you point your RAPs to an external DNS A record which will supply both addresses, either in round-robin fashion or both at a time, to your RAP. In the AP system profile for your RAPs, you can lower the IPsec retries number so that your APs fail over more quickly.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: VRRP Inquiry

Without even considering the VRRP config: the RAPs don't get an IP from DHCP, but rather from an L2TP pool. From what you've shared of your config, WLC2 does not seem to have an L2TP pool set up. WLC1 has: ip local pool "AP-IP" x.x.x.1 x.x.x.200

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 29
Registered: ‎08-06-2013

Re: VRRP Inquiry

Thanks for the response.

 

Yes the rap is pointed to the vrrp address.

 

From what I understand of the client's setup, when a new AP is connected, it gets an IP address from DHCP, then they configure it as a RAP and it gets its IP from the L2TP pool. This is happening on WLC1. But if WLC1 is down, what would be the scenario? Will these RAPs still be able to connect to WLC2 properly even if the L2TP pool is not on WLC2? It seems to me that they will also have trouble provisioning new APs when WLC1 is down.

 

Also, if the client turns on database synchronize on both WLCs, will all the setup/config from the preferred-master be transferred to the backup-master?

 

 

Thanks!

 

Oliver

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: VRRP Inquiry

1. A separate VPN pool needs to be set up on the backup master (that is not synchronized)

2. The RAP whitelist is contained within the local database, so database synchronize must be configured and tested to make sure it has completed (show database synchronize). The database synchronize period would only have to be as frequent as you add/remove the MAC addresses of RAPs. By default it is 30 minutes, which is normally good. The global config itself is synchronized as soon as you set up a valid master/backup master pair, and remains synchronized every time you do a "save config" or "write mem" on the master.



Colin Joseph
Aruba Customer Engineering

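The two replies above reduce the failover problem to a handful of checks on the two running configs: the backup must carry its own L2TP (VPN) pool, database synchronize must not be disabled on either controller, and the VRRP instance itself has to match on both sides. The following script is an added example, not code from this thread or from Aruba; it parses ArubaOS-style config text for exactly those settings and reports the gaps. The sample configs are constructed, modelled on the ones posted above but with documentation addresses (192.0.2.0/24, 198.51.100.0/24) and a redacted IPsec key; the VRRP default priority of 100 and the `database synchronize period <minutes>` line are assumptions about the CLI, not values taken from the thread.

```python
"""Consistency checks for an ArubaOS master / backup-master VRRP pair.

Added example (not the thread's or Aruba's code). Parses the running-config
text of two controllers and flags: a backup with no L2TP/VPN pool, database
synchronize turned off, and basic VRRP mismatches between the pair.
"""
import re

# Constructed sample configs modelled on the thread. Addresses are from the
# documentation ranges and the IPsec key is a placeholder, not client data.
MASTER_CFG = """
master-redundancy
 master-vrrp 12
 peer-ip-address 198.51.100.14 ipsec <PSK-REDACTED>
!
vrrp 12
 priority 110
 ip address 198.51.100.15
 description "Preferred-Master"
 vlan 12
 preempt
 tracking master-up-time 30 add 20
 no shutdown
!
ip local pool "AP-IP" 192.0.2.1 192.0.2.200
no database synchronize
"""

BACKUP_CFG = """
master-redundancy
 master-vrrp 12
 peer-ip-address 198.51.100.13 ipsec <PSK-REDACTED>
!
vrrp 12
 ip address 198.51.100.15
 description "Backup-Master"
 vlan 12
 preempt
 tracking master-up-time 30 add 20
 no shutdown
!
no database synchronize
"""

# Corrected versions: a separate (non-overlapping) L2TP pool on the backup and
# database synchronize enabled on both. The "period 30" syntax is assumed.
FIXED_MASTER_CFG = MASTER_CFG.replace("no database synchronize",
                                      "database synchronize period 30")
FIXED_BACKUP_CFG = BACKUP_CFG.replace(
    "no database synchronize",
    'ip local pool "AP-IP-BACKUP" 192.0.2.201 192.0.2.250\n'
    "database synchronize period 30")


def parse_controller(config: str) -> dict:
    """Extract the master-redundancy, vrrp and RAP-relevant global settings."""
    info = {"master_vrrp": None, "vrrp_id": None, "vrrp_ip": None, "vlan": None,
            "priority": 100,  # assumed VRRP default when no 'priority' line exists
            "preempt": False, "shutdown": False,
            "local_pools": [], "database_synchronize": True}
    section = None  # which '!'-terminated block we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            section = None
            continue
        if line == "master-redundancy":
            section = "master-redundancy"
            continue
        m = re.fullmatch(r"vrrp (\d+)", line)
        if m:
            section = "vrrp"
            info["vrrp_id"] = int(m.group(1))
            continue
        if section == "master-redundancy":
            m = re.fullmatch(r"master-vrrp (\d+)", line)
            if m:
                info["master_vrrp"] = int(m.group(1))
        elif section == "vrrp":
            if m := re.fullmatch(r"priority (\d+)", line):
                info["priority"] = int(m.group(1))
            elif m := re.fullmatch(r"ip address (\S+)", line):
                info["vrrp_ip"] = m.group(1)
            elif m := re.fullmatch(r"vlan (\d+)", line):
                info["vlan"] = int(m.group(1))
            elif line == "preempt":
                info["preempt"] = True
            elif line == "shutdown":
                info["shutdown"] = True
        else:  # global-level lines
            if m := re.fullmatch(r'ip local pool "?([^"\s]+)"?\s+(\S+)\s+(\S+)', line):
                info["local_pools"].append(m.group(1))
            elif line == "no database synchronize":
                info["database_synchronize"] = False
            elif line.startswith("database synchronize"):
                info["database_synchronize"] = True
    return info


def audit_pair(master_cfg: str, backup_cfg: str) -> list:
    """Return human-readable findings; an empty list means the pair looks consistent."""
    m, b = parse_controller(master_cfg), parse_controller(backup_cfg)
    findings = []
    for name, c in (("master", m), ("backup", b)):
        if c["master_vrrp"] != c["vrrp_id"]:
            findings.append(f"{name}: master-vrrp {c['master_vrrp']} does not reference "
                            f"vrrp instance {c['vrrp_id']}")
        if c["shutdown"]:
            findings.append(f"{name}: vrrp instance is shut down")
        if not c["database_synchronize"]:
            findings.append(f"{name}: database synchronize disabled; the RAP whitelist "
                            "in the local DB will not reach the backup")
    for key in ("vrrp_id", "vrrp_ip", "vlan"):
        if m[key] != b[key]:
            findings.append(f"pair: {key} differs ({m[key]} vs {b[key]})")
    if m["priority"] <= b["priority"]:
        findings.append(f"pair: master priority {m['priority']} is not higher than "
                        f"backup priority {b['priority']}")
    if not b["local_pools"]:
        findings.append("backup: no 'ip local pool' for L2TP; RAPs cannot get an inner "
                        "IP after failover")
    return findings


if __name__ == "__main__":
    for label, pair in (("as posted", (MASTER_CFG, BACKUP_CFG)),
                        ("corrected", (FIXED_MASTER_CFG, FIXED_BACKUP_CFG))):
        print(f"== {label} ==")
        for f in audit_pair(*pair) or ["no findings"]:
            print(" -", f)
```

Run against the as-posted pair it reports three findings (no pool on the backup, synchronize disabled on each controller); against the corrected pair it reports none. The parser is deliberately narrow: it only understands the blocks the thread discusses, so anything else in a real config is ignored rather than misread.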

Occasional Contributor II
Posts: 29
Registered: ‎08-06-2013

Re: VRRP Inquiry

Thanks for all your responses. At least I can highlight these configurations to our client and help them sort out their issues.

 

Oliver

 

Occasional Contributor II
Posts: 29
Registered: ‎08-06-2013

Re: VRRP Inquiry

Hi,

 

This is related to the VRRP inquiry.

 

I wonder why it only shows the IP address of the backup-master if I run "show switches" on the backup, but I can see both IP addresses (master and backup) if I run the command from the master.

 

From what I understand of a VRRP setup, both master and backup should be able to see their IP addresses to communicate.

 

 

Thanks

 

Oliver
