Wireless Access

last person joined: an hour ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

L3 redundancy Secondary MM config difference GUI-CLI

Jump to Best Answer
  • 1.  L3 redundancy Secondary MM config difference GUI-CLI

    Posted Oct 22, 2020 08:40 AM

    Hi,

     

    for a customer I need to migrate their MM's to a different subnet. To limit risk of loosing configuration I set up a L3 redundant set of MM's

     

    Primary MM (and it's vrrp peer) are using RADIUS mgmt authentication using Clearpass. I forced database sync to the secondary MM's

     

    When I tried login in to the secondary MM with a RADIUS account, I noticed a login failed with no record in the Clearpass Access Tracker.

     

    After logging in with the local admin account I noticed the GUI was sync'd. All login configuration is the same as primary. In the cli of the secondary the config settings are not the same .

     

    show database sync does not show any errors

     

    Attached pictures show the authentication servers. Notice the CPPM nodes are missing in the CLI

     

    Current version is 8.5.0.3 Upgrade to latest will be done after some network changes are done.

     

    Any solution how to fix this in 8.5.03? 

     

    Thanks, Erik

     



  • 2.  RE: L3 redundancy Secondary MM config difference GUI-CLI

    Posted Oct 22, 2020 08:52 AM
    Did you add the L3 MM mgmt IP in ClearPass?
    Can you take a look in the ClearPass event viewer to see if there’s any errors related to the RADIUS authentication request coming from the L3 MM?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: L3 redundancy Secondary MM config difference GUI-CLI

    Posted Oct 22, 2020 09:18 AM

    Hi Victor,

     

    yes I did and no, there's nothing coming up in the access tracker.

    Check out the pictures. In the GUI the CPPM radius server entries are there, in the CLI only the default authentication server (internal) is there. Both Clearpass entries are missing.

     

    Edit 23/10. In some documentation I found the command master-l3redundancy config-sync. This command is not known in 8.5.0.3 or might be hidden? In the same document I found some debug commands related to config-sync. I found a lot of config node not found errors in de secondary primary MM. I checked and rechecked IPSEC shared secrets and they are all fine.

     

    Guess an upgrade is in order

     

    rgds,

    Erik



  • 4.  RE: L3 redundancy Secondary MM config difference GUI-CLI
    Best Answer

    Posted 30 days ago

    MM upgrade to 8.7.0.1 fixed the issue.