Hello All. Looking for some helpful info on this one. I have a strange case where I have 2 pairs of clustered controllers, acting as the headend for RAPs. As for the configs, as much as I can tell, everything is working just fine. Pair 1's configs are set up virtually identically to the way my Pair 2 is set up (obviously IPs, VRRP ID, etc. are different).
The basic layout of the inside network is: Firewall a/b - Switch a/b - Controller a/b. A side is connected to A side, B side to B side.
The firewall(s) has (have) an ACL allowing udp/4500 in, and the controller(s) it/they sit(s) in front of are all layer 3.
If I point a RAP to the external IP of A, it connects. If I point the RAP to the "B" side external IP, it connects. If I connect the RAP to the VRRP address, running "Master/Backup" between the 2 RAP controllers, it sits and spins.
On the controller side, doing a show lc-cluster group-membership/vlan probe, it shows L2 (woo hoo) with its leader and member; vlan probe shows L2 with 0 fails. I have checked that the cluster is config'd so it shows that its internal (controller-ip) and external IP is mapped correctly.
Controller A and controller B can source-ping their external default gateway, which is an HSRP address on the uplink switch. Because of the security policy I have on the external interface of the controllers, I can't ping from the uplink switch to the controllers (although I guess I could remove it to see).
On my external interfaces of my controllers, I do have a session security policy created to allow the VRRP multicast address between them, ltp2 allowed, and everything else denied. This same policy I have applied on over 20 controllers globally, so I know it's not the policy (just adding for reference).
My routing is fine (from what I can tell): I can reach these controllers from internal sources, and like I said before, my RAP can connect to the controllers if I use the external IP of the controller (just not VRRP). IP route shows I'm directly connected to my external subnet and has a default route, as well as a default gateway.
I'm kind of stumped. Looking for additional things to look for. By all accounts, this pair should be working by way of VRRP. I even went as far as making sure the VRRP address isn't outside of the subnet range.
Code I'm running is 8.7.1.2.
Anyone have any ideas on what I could check next?
Many thanks