Client State Sync with AP Fast Failover

By ckokstar posted Sep 17, 2014 04:23 PM


Client State Sync with AP Fast Failover



The Aruba AP Fast Failover feature, introduced in Aruba OS (AOS) 6.3, minimizes the failover time in the event of a controller failure.  All controllers in the same redundancy domain need to share the same HA-Group profile.  
AP licenses, controller capacity, configuration synchronization between controllers, physical locations and type of networks connection of the controllers, licenses and etc should be considered in designing the HA group membership.
The HA roles supported are active, standby and dual. The solution template will build one HA group for a set of controllers deployed in an active / active model
New features introduce in Aruba OS 6.4
Client State Synchronization
State synchronization improves failover performance by synchronizing client authentication state information from the active controller to the standby controller, allowing clients to authenticate on the standby controller without repeating the complete 802.1X authentication process.This feature requires you to configure the high availability group profile with a pre-shared key. The controllers use this key to establish the IPSEC tunnels through which they send state synchronization information.
High Availability Inter-controller Heartbeats
The high availability inter-controller heartbeat feature allows faster AP failover from an active controller to a standby controller, especially in situations where the active controller reboots or loses connectivity to the network.


Configuration Notes

  • The design of master redundancy is independent of AP fast failover. Master redundancy needs to be configured to ensure the AP will be able to contact the Master controller upon reboot. Another option would be to configure VRRP between the master-local pairs to provide master redundancy.
  • When the HA roles of the controllers are set to dual, the active controller will be determined by the LMS-IP setting in the AP system profile and the standby controller will be selected from the list of controllers listed in the HA group in the round-robin fashion.
  • Multiple HA Groups can be defined but each controller can only be assigned to a single HA group.
  • The controller IP or switch IP of the controller must be used when defining the controller in the HA group profile.
  • The "ha group-membership" is a local command and needs to be executed on each local controller.
  • HA group membership is independent of the controller role. For example, AP Fast Failover could be setup between two masters, but the administrator needs to make sure that the configuration and relevant network configurations are similar between the two controllers.
  • The AP fast failover feature supports APs in campus mode using tunnel or decrypt-tunnel forwarding modes, but does not support campus APs in bridge mode. This feature is not supported on remote APs and mesh APs in any mode.  Legacy AP‑60 series and AP‑70series APs also do not support this feature.

  • Client state sync is only supported on a pair of controllers in a HA group.

Sample Lab Topology


Platform Tested

Aruba Mobility Controller 3600-US running AOS version



AP license



[1] Aruba OS 6.3 User Guide

1 view


Oct 27, 2015 05:06 AM

Will Client-state sync work with captive-portal authenticated users(open SSID)? 

Jul 07, 2015 05:42 AM

Is this feature only available on local controller in a Master/local setup?

or is it possible to implement it on master controller in an all-master deployment?