So I tried enabling whitelist sync using:
'no disable-whitelist-sync'
This seemed to have no effect. So I ran 'disable-whitelist-sync' (which had an effect even though the MM showed it as already disabled) and then ran 'no disable-whitelist-sync'. It now shows as enabled.
The sequence number now matches on all the MCs (apart from one - which is the cluster leader, is that relevant? It's actually showing a higher revision number than all, including the MM!).
But we are seeing a lot of this type of message in the controller logs (note - we were seeing these before I turned on sync, but I was hoping sync'ing would solve the issue). On each controller it seems to be a relatively small number of APs, and there's no sign that the AP operation is affected, but it seems odd and the messages are cluttering the logs. I did Google and there was some suggestion it might be APs trying to make S-AAC tunnels. If I look in the whitelist on the MM then the entry is certified-factory-cert as expected, but sure enough on the MC the whitelist entry shows as unapproved.
Oct 16 12:34:24 isakmpd[3612]: <103067> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103067> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103067> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103067> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103067> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103067> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103067> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103068> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in approved-state in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103068> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in approved-state in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103068> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in approved-state in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103068> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in approved-state in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103068> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in approved-state in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103068> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in approved-state in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103068> <3612> <ERRS> |ike| IKE XAuth failed as the AP xx:xx:xx:xx:xx:xx is not in approved-state in whitelist
Oct 16 12:34:24 isakmpd[3612]: <103103> <3612> <WARN> |ike| 172.xx.xx.118:4500-> IKE SA Deletion: IKE2_delSa peer:172.xx.xx.118:4500 id:2478864774 errcode:OK saflags:0x51 arflags:0xd
Oct 16 12:34:24 isakmpd[3612]: <103103> <3612> <WARN> |ike| 172.xx.xx.100:4500-> IKE SA Deletion: IKE2_delSa peer:172.xx.xx.100:4500 id:2478864771 errcode:OK saflags:0x51 arflags:0xd
Oct 16 12:34:24 isakmpd[3612]: <103103> <3612> <WARN> |ike| 172.xx.xx.27:4500-> IKE SA Deletion: IKE2_delSa peer:172.xx.xx.27:4500 id:2478864772 errcode:OK saflags:0x51 arflags:0xd
Oct 16 12:34:24 isakmpd[3612]: <103103> <3612> <WARN> |ike| 172.xx.xx.102:4500-> IKE SA Deletion: IKE2_delSa peer:172.xx.xx.102:4500 id:2478864770 errcode:OK saflags:0x51 arflags:0xd
Oct 16 12:34:24 isakmpd[3612]: <103103> <3612> <WARN> |ike| 172.xx.xx.126:4500-> IKE SA Deletion: IKE2_delSa peer:172.xx.xx.126:4500 id:2478864773 errcode:OK saflags:0x51 arflags:0xd
Oct 16 12:34:24 isakmpd[3612]: <103103> <3612> <WARN> |ike| 172.xx.xx.171:4500-> IKE SA Deletion: IKE2_delSa peer:172.xx.xx.171:4500 id:2478864775 errcode:OK saflags:0x51 arflags:0xd
Oct 16 12:34:24 isakmpd[3612]: <103103> <3612> <WARN> |ike| 172.xx.xx.172:4500-> IKE SA Deletion: IKE2_delSa peer:172.xx.xx.172:4500 id:2478864769 errcode:OK saflags:0x51 arflags:0xd
Can you shed any light?
Thank you,
Guy
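
An added example, not part of the original post and not vendor tooling: a short Python script that groups the isakmpd messages quoted above by AP and by failure reason (message ID 103067, "not in whitelist", versus 103068, "not in approved-state"), so the affected APs on each MC can be compared against the whitelist on the MM. The sample lines are constructed in the post's log format; the MAC and IP addresses and the names `triage`, `REASONS` and `SAMPLE` are assumptions.

```python
import re
from collections import Counter, defaultdict

# Message IDs and wording as they appear in the log excerpt in the post.
REASONS = {"103067": "missing", "103068": "unapproved"}
XAUTH_RE = re.compile(
    r"isakmpd\[\d+\]: <(?P<msgid>\d+)> <\d+> <ERRS> \|ike\| "
    r"IKE XAuth failed as the AP (?P<mac>\S+) is not in "
    r"(?:approved-state in )?whitelist"
)
DELSA_RE = re.compile(
    r"isakmpd\[\d+\]: <103103> <\d+> <WARN> \|ike\| .*"
    r"IKE2_delSa peer:(?P<peer>[^:\s]+):(?P<port>\d+)"
)

def triage(lines):
    """Return (per-AP XAuth failure counts by reason, IKE SA deletions per peer)."""
    failures = defaultdict(Counter)
    peers = Counter()
    for line in lines:
        m = XAUTH_RE.search(line)
        if m and m["msgid"] in REASONS:
            # Normalise MAC case so the same AP is not counted twice.
            failures[m["mac"].lower()][REASONS[m["msgid"]]] += 1
            continue
        m = DELSA_RE.search(line)
        if m:
            peers[m["peer"]] += 1
    return dict(failures), peers

# Constructed sample lines in the post's format (MACs and IPs are made up).
P = "Oct 16 12:34:24 isakmpd[3612]: "
X = "<3612> <ERRS> |ike| IKE XAuth failed as the AP "
D = "<103103> <3612> <WARN> |ike| {0}:4500-> IKE SA Deletion: IKE2_delSa peer:{0}:4500 id:1 errcode:OK"
SAMPLE = [
    P + "<103067> " + X + "00:00:5e:00:53:01 is not in whitelist",
    P + "<103067> " + X + "00:00:5e:00:53:01 is not in whitelist",
    P + "<103067> " + X + "00:00:5E:00:53:03 is not in whitelist",
    P + "<103068> " + X + "00:00:5e:00:53:02 is not in approved-state in whitelist",
    P + "<103068> " + X + "00:00:5e:00:53:02 is not in approved-state in whitelist",
    P + D.format("192.0.2.118"),
    P + D.format("192.0.2.27"),
]

if __name__ == "__main__":
    failures, peers = triage(SAMPLE)
    for mac, reasons in sorted(failures.items()):
        print(mac, dict(reasons))
    for peer, count in peers.most_common():
        print("IKE SA deleted for peer", peer, "x", count)
```

Run against each MC's log, the "missing" and "unapproved" lists give the specific AP MACs to look up in the MM and MC whitelists.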