Occasional Contributor II
Posts: 21
Registered: ‎09-27-2010

VRRP Working But Backup Controller is not reflecting RAP Devices, when primary down

Dear Team,

 

I have two 3400 mobility controllers in HA mode, and VRRP is working fine, but when my primary controller goes down, the secondary controller is not reflecting the APs which were there on the primary controller.

 

Also, I have noticed the secondary controller is able to reflect the local controller RAP devices; only the primary controller RAPs are missing.

 

Controller OS :- 5.0.4.3

Model :- 3400

Local controller:- 650

License :- both controllers have enough licenses.

 

(XXXXXXXXX_01 ) #show vrrp


Virtual Router 1:
    Description Primary-Master
    Admin State UP, VR State MASTER
    IP Address 10.10.10.1, MAC Address 00:00:5e:00:21:21, vlan 1
    Priority 200, Advertisement 1 sec, Preemption Enable
    Auth type NONE
    tracking type is master-up-time, duration 30 minutes, value 20
    tracked priority 220

 

Alex George

 

 

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: VRRP Working But Backup Controller is not reflecting RAP Devices, when primary down

Unless the APs are pointing to the VRRP using the VRRP address, this will not happen, for Campus APs.

 

If these are RAPs, VRRP will not work behind a firewall.  You should try making it so that APs use DNS to find the controllers and DNS is populated with both public addresses.

 

More details, please.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 21
Registered: ‎09-27-2010

Re: VRRP Working But Backup Controller is not reflecting RAP Devices, when primary down

Dear Joseph,

 

Thanks a lot for sending the reply.

 

I will explain how my controller is placed. What I have is all RAP devices, and all my RAP devices are configured with the VRRP virtual IP address.

 

remote location>>>>> fw>>>dmz>>> controller..

 

When I reboot the primary and try to access the portal with the VRRP IP, the traffic is moved to the secondary IP, but the RAP is not reflected.

 

Please advise.

 

 

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: VRRP Working But Backup Controller is not reflecting RAP Devices, when primary down


Both controllers NEED a public ip address; that can be accomplished either through NAT or a physical interface on the controller.  RAPs would NEED to point to an external dns url like rap.yourcompany.com on the public side which has the two public addresses in it.  When the RAP is booted, it will get both addresses from DNS, and then try one controller, and then the other.

 

This is because VRRP does not work behind a firewall for devices that need to access it from the other side.  You CANNOT use VRRP in this scenario.  VRRP is not firewall-friendly.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 21
Registered: ‎09-27-2010

Re: VRRP Working But Backup Controller is not reflecting RAP Devices, when primary down

 

Dear Joseph,

 

Thanks a lot for the reply,

 

Presently my LMS IP is a public IP, which is NATed on the VRRP IP address of the device (for example, private IPs: physical 10.1.1.2 and 10.1.1.3 and virtual 10.1.1.1, NATed with 1.1.1.1). My RAP devices are working with the master controller static IP address, as I have manually configured the RAP provision, and DNS does not work for me with RAP devices. (I presently have only RAP devices.)

 

The RAP devices are connecting over the internet with IP 1.1.1.1 and also with 10.1.1.1 over MPLS, but when the primary goes down, the secondary does not show the RAPs.

 

Also, I cannot change this setup from the firewall DMZ side. Is there any way to make VRRP work for the RAP devices?

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: VRRP Working But Backup Controller is not reflecting RAP Devices, when primary down

Alex,

 

I'm sorry that I don't have an answer for you in that situation.  Maybe someone can post something useful.  The difficulty is VRRP and the firewall.



Colin Joseph
Aruba Customer Engineering


Aruba Employee
Posts: 63
Registered: ‎10-12-2010

Re: VRRP Working But Backup Controller is not reflecting RAP Devices, when primary down

I am assuming your NAT device is also a firewall and you have only one firewall and not two in HA.

See if you have turned on antispoofing on the firewall and see if you can turn it off for that interface.

Also, some firewalls have proxy ARP settings; if you have this configured, then it should be the VRRP MAC address.

 

Regards

Ariya

Occasional Contributor II
Posts: 21
Registered: ‎09-27-2010

Re: VRRP Working But Backup Controller is not reflecting RAP Devices, when primary down

 

Dear Team,

 

I will give my exact scenario.

 

I have two 3400 controllers in HA mode behind a firewall. My firewall is a Checkpoint in HA mode.

 

My AP profile configuration has the LMS IP as the controller's private IP address VRRP IP (10.10.80.140), and the backup LMS as the public IP address (NATed of the VRRP IP). When the WAN link goes down, the RAPs are able to reach the backup LMS IP too.

 

But this happens: when the primary controller goes down, VRRP changes to the secondary device, but the RAP devices which are connected are not reflected.

 

I can get a ping to 10.10.80.140 and even to the backup LMS IP too.

But the RAP devices alone are not reflected on the secondary controller.

 

Occasional Contributor II
Posts: 21
Registered: ‎09-27-2010

Re: VRRP Working But Backup Controller is not reflecting RAP Devices, when primary down

Hello,

 

Please find my attached deployment scenario, and please advise what could be the best solution.

 

 

Alex

Occasional Contributor II
Posts: 21
Registered: ‎09-27-2010

Re: VRRP Working But Backup Controller is not reflecting RAP Devices, when primary down

Dear Team,

 

Can anyone please advise me why VRRP will not work properly on a DMZ network? What is the reason for the same?