Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Local-Local active active - User DB sync

  • 1.  Local-Local active active - User DB sync

    Posted Oct 29, 2015 02:31 PM



    I have deployed 2 Aruba 7210 controllers in active-active mode (local controllers). The control plane traffic is handled by the master controller sitting across a WAN. I have created 2 AP groups in the master with the LMS IP and Backup LMS IP pointing to the VIP1 and VIP2 of both the local controllers.

    Initially, I placed all APs in a building randomly in the 2 AP groups and roaming was very flaky and connections were dropping off. I then moved all the APs in a single floor into 1 AP group and roaming got better, but is there a way we can sync user DB between the 2 local controllers so that authenticated clients can roam?

    If it's the same VLAN and subnet on two different controllers, the original AP is tunneling all traffic to the controller from the client. If a client roams to another AP connected to another controller, does the new AP then know to tunnel that client's traffic back to the original controller?

  • 2.  RE: Local-Local active active - User DB sync

    Posted Oct 29, 2015 02:46 PM

    If both controllers are connecting into the same back end VLAN then roaming should not be an issue. If you roam between controllers the ARP table on the switch should just update that you are now behind the second controller. I'm not sure if they would share firewall sessions for users so your L3 traffic might reconnect?


    Do you have PMK and OKC enabled on your SSID? This might assist with the roaming if it is not already enabled. 


    I am not sure if OKC is supported between multiple local controllers? According to this document from 2007, it is coming in a future release. I hope 7 years is enough time :)





  • 3.  RE: Local-Local active active - User DB sync

    Posted Oct 29, 2015 02:56 PM

    OKC is enabled on each SSID. It was an Aruba SE's recommendation that I do so. That did not help with the roaming issue though. The APs are roughly 50 ft apart and -65 RSSI.

  • 4.  RE: Local-Local active active - User DB sync
    Best Answer

    Posted Oct 29, 2015 02:48 PM

    You should make sure that all access points in the same building are on the same controller.  There is no state synchronization, so if the user started a session on one controller and roams to another controller, that old session will be lost and have to be re-established.  You want APs in the same building on the same controller, because you don't want users to have to re-establish their sessions when they roam between controllers on the same floor.  It is entirely possible to configure L3 mobility so traffic tunnels back to the original controller, but it can make troubleshooting difficult.



  • 5.  RE: Local-Local active active - User DB sync

    Posted Oct 29, 2015 02:53 PM

    Thank you for that. I know the best practise guide states to keep all APs in the same building in the same AP group. In my case, it is a single building with 4 floors and 2 local controllers, so I split them half way. The floors have L3 between them, so I was wondering if there was a command I could use to sync databases periodically between the 2 controllers. If I were to configure L3 mobility, would I have to do it on both controllers so that traffic from either controller tunnels back to the original?

  • 6.  RE: Local-Local active active - User DB sync

    Posted Oct 29, 2015 02:57 PM

    Just curious what your reasoning was to split between controllers? Is it a load balancing issue? You could eliminate the issues by setting it up as active/passive with fast failover for the APs. This way you have no outage if a controller fails, but you maintain the state of your clients' sessions. (4 floors does not sound like a large enough number of APs to me to saturate a controller, but I guess it depends how large your floors are.)

    Yes, you'd configure L3 mobility for both controllers. Then wherever a user connects for the first time would be considered their 'Home' controller and their traffic would always tunnel to that controller even after they roam to the second device.

  • 7.  RE: Local-Local active active - User DB sync

    Posted Oct 29, 2015 02:59 PM

    It was for load balancing. We wanted half the APs to terminate on one controller and half to terminate on another and we set up VRRP between them. We are waiting for the 6.4.3 code release in GA so we can upgrade the controllers and convert to HA-Lite. 

  • 8.  RE: Local-Local active active - User DB sync

    Posted Oct 29, 2015 03:03 PM

    You should really put all of your access points on one controller and have the backup LMS be the second, OR put a VRRP between them and make the LMS-IP the VRRP, so that all the APs will end up on the controller that is in control of the VRRP.  Roaming between controllers makes user troubleshooting more complex and should be avoided.  It is also more deterministic to know that your access points should either be on one controller, or the other, rather than keep in your mind which controller which access points should be on.  The power of your access points is the main determining factor of how your clients roam, more than anything else.  What is the output of "show ap radio-summary" on your controllers?


    OKC is on by default.