Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Master, stand by config on Aruba OS 8

  • 1.  Master, stand by config on Aruba OS 8

    Posted Jan 28, 2020 03:22 PM

    Hello

    Does anyone have a config example of this scenario where you don't have an MM?

    I'm not sure where I should configure the VRRP.

    Should I configure it on the folder?

    redundacy1.JPG

    Should I configure it in the same controller?

    redundacy2.JPG

    which actually lets me enter the other controller it is communicating with, just like with 6.5 or 6.4

    Also, I guess I need to click here to sync the config, but that's on the folder.

    redundacy3.JPG

     

    Any ideas? 

    Thank you

     

     



  • 2.  RE: Master, stand by config on Aruba OS 8

    Posted Jan 28, 2020 05:27 PM

    See the CLI script below. Be sure your Master has the highest priority and is the VRRP master before you enable database synchronisation. VRRP should be configured at your VM1 level.

     

    #vrrp 100
    #ip address 172.16.100.200
    #description Primary-MM1
    #authentication ###key###
    #preempt delay 60
    #priority 120
    #advertise 5
    #vlan 100
    #no shut
    #show configuration pending

     



  • 3.  RE: Master, stand by config on Aruba OS 8

    Posted Jan 29, 2020 03:36 PM

    Here is the config I have so far, but it didn't work.

    On VM1

     

    database synchronize period 1

     

    vrrp 150
    priority 120
    authentication aruba123
    ip address 172.16.150.252
    description "MASTER"
    vlan 150
    preempt delay 60
    advertise 5
    no shutdown

     

     

     

     

    On VM2

    database synchronize period 1

     

    vrrp 150
    authentication aruba123
    ip address 172.16.150.252
    description "Standby"
    vlan 150
    preempt delay 60
    advertise 5
    no shutdown

     

     

    Am I missing something?

    I can ping 172.16.150.252, which is the virtual IP.

    In the beginning I was getting an odd error which said that the VLAN didn't exist, but it existed. I had promiscuous mode on the VM, so it was not that... so I just ignored it.

    I cannot see that the information of controller VM1 is on controller VM2, for example the AP groups and that kind of stuff. It does not synchronize anything at all.

    Hope you can help!

    I can see that the VRRP is master on the principal controller, which is good, and the backup controller is standby. That part works fine.

     

    Cheers

    Carlos



  • 4.  RE: Master, stand by config on Aruba OS 8

    Posted Jan 29, 2020 04:28 PM

    You also need to allow forged transmits on the VM.  I would review the Virtual Appliance Installation guide here:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=36988

    and see if you missed anything.



  • 5.  RE: Master, stand by config on Aruba OS 8

    Posted Jan 29, 2020 04:52 PM

    I will try to check that, but I already have what you said in my config.

     

    vm.JPG



  • 6.  RE: Master, stand by config on Aruba OS 8

    Posted Jan 29, 2020 05:08 PM

    If the VRRP works (you can see one controller as master and the other one as backup), you need to configure master redundancy.



  • 7.  RE: Master, stand by config on Aruba OS 8

    Posted Jan 29, 2020 05:09 PM

    Some suggestions that may help.

    You installed two VMCs in standalone mode, right?

     

    # show vrrp
    # show vrrp stats all
    # show vlan status
    # show log all | include vrrp

    step 1.JPG step2.JPG

     



  • 8.  RE: Master, stand by config on Aruba OS 8

    Posted Jan 31, 2020 02:03 PM

    Hello Marcel

    Thank you very much for your support in this.

    Yes, I have 2 VMs.

    Both are standalone controllers.

    It seems I got it to work.

    Look

    Redancia  4.JPG

    I can see both controllers now!!

    If I click on VM2, which is my standby, I get this error, but I guess it's correct.

    redundacy5.JPG

    On the deployment I need to do, I'll configure one controller which will be the VM1 and I will have another controller which will be the VM2.

    In my lab I configured them like this:

    1- VRRP ONLY in my VM1, which is the one that has the config

    2- VRRP ONLY in my VM2, which only had a little configuration to access it and to do the VRRP (VLANs, port configuration, default route and that kind of thing)

    3- Configured master redundancy shared key here

    redundacy6.JPG

    Then at the folder level on VM1 I configured the database synchronization

    redundacy7.JPG

    Then I went to the VM2 and configured at controller level redundacy8.JPG

    After that it seems that they synchronized, as I didn't need to configure the database synchronization config on VM2 (I guess you just need to enable this:

    redundacy7.JPG

    on the one that has all the config, right?)

    I'm asking this because it seems it worked in my lab in the order I did it, and I didn't mess up by deleting the config of the controller I wanted to be the master.

    I have 3 questions for you:

    1- How can I be sure that I'm making the correct controller, the one that has all the config, the master, and that it stays with all the config? Is it the controller on which I click Database synchronization? Will that be the one that is picked as the one that has all the config and will replicate it to the other one?

    2- If I install the license on VM1, which is the master and is acting as the active controller, and that one goes down, what happens to the other controller? Where do I activate the centralized licensing for this, like in 6.5?

    3- Should I configure everything at folder level (except for the configuration I had to do in the beginning to create the VRRP and the redundancy)? It's just that I didn't create a configuration at folder level for the ports and I don't know if I should go in there and configure it on the folder for the ports.



  • 9.  RE: Master, stand by config on Aruba OS 8
    Best Answer

    Posted Jan 31, 2020 02:47 PM

    Hi Cdelarosa,

     

    Your configuration looks fine to me.

     

    Q1. When you create the VRRP, ensure that your master controller has the highest VRRP priority to become the VRRP MASTER. Always check this from the CLI with "show vrrp" to be very sure. The VRRP MASTER will be the primary database. Be careful! If your standby has the VRRP master role, then it syncs the database in the wrong direction.

    Q2. License server synchronisation takes place automatically when you enable database sync. When the master fails you can use the licenses on the standby for 30 days.

    Q3. Make configuration from the device level of the master controller only (VM1). Indeed, except for the IP interface, VLANs and VRRP sizzle.



  • 10.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 04, 2020 12:48 PM

    cdelarosa, thanks for sharing your experience.

    I am doing a lab like you, but using a 7005 instead of two VMCs. I am not able to get the database synchronization working. I am on version ArubaOS 8.3.0.9, and getting an error about CPSEC in the show log errorlog all; the error persists even if I disable CPSEC on both ends, unfortunately.

    What ArubaOS version is your lab on?

    Thanks.



  • 11.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 04, 2020 12:52 PM

    8.5.0.5 is the version I'm using.

     

     



  • 12.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 04, 2020 12:56 PM

    I also have CPSec on, like this:

     

    redundacy9.JPG



  • 13.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 04, 2020 01:23 PM

    CPSEC is used between APs and Controllers, not between Controllers and Controllers. It has nothing to do with database synchronisation, which uses IPSEC.

    Check both controllers to see if the tunnel is established and traffic is sent:

    #show crypto ipsec sa

    #show datapath session table | include 4500 (IPSEC port)

     

    See also the thread.

    https://community.arubanetworks.com/t5/Wireless-Access/CPSec-and-master-local-controllers/td-p/294887

     

    First, check that your VRRP is working correctly and that your Master device is the VRRP Master.

     

    Second:

    Device Level MC01 > Master Redundancy > Database synchronisation > check the settings and PSK

    Device Level MC02 > Master Redundancy > Database synchronisation > check the settings and PSK

     

    Third:

    Master > Master Redundancy > Database synchronisation > enable

     

    In my HomeLAB I run 8.6.0.2, but in production I recommend 8.5.0.5 at this moment; I don't have any issues with this setup in 8.3.0.x either.



  • 14.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 04, 2020 01:35 PM

    Hi Mkk, thanks for the tip.
    I am not sure why CPSEC is being a problem here for this kind of configuration. But sure, as the log shows, it is needed for the synchronization to happen.

     

    (Aruba-MC-VA) [mynode] #show database synchronize

     

    Last L2 synchronization time: Fri Jan 31 14:48:29 2020

    Last L3 synchronization time: Secondary not synchronized since last reboot

    To Master Switch at 172.16.1.139: *** FAILED ***

    WMS Database backup file size: 40266 bytes

    Local User Database backup file size: 41649 bytes

    Global AP Database backup file size: 23061 bytes

    IAP Database backup file size: 3760 bytes

    Airgroup Database backup file size: 3062 bytes

    License Database backup file size: 5323 bytes

    CPSec Database backup file size: 3224 bytes

    L2 Synchronization took 11 second

    L3 Synchronization took less than one second

    Last failure cause: Standby switch did not acknowledge the CPSec database transfer

     

    (WLC-7005) [mynode] # show log errorlog all

    (...)

    Jan 31 14:48:29 <dbsync 307335> <3834> <ERRS> |dbsync| dbsync: Can not receive file on backup Master Switch: (SYNC_WAIT_BOCMGR_DB)

     

    (Aruba-MC-VA) [mynode] # show log errorlog all

    (…)

    Jan 31 14:48:29 <dbsync 307398> <5520> <ERRS> |dbsync| dbsync: failed to receive CPSEC db sync on standby (handle_send_cpsec_db_ack)



  • 15.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 04, 2020 03:44 PM

    Hello Marcell

    Today I was doing a test for this. If I disconnect the primary controller, which is active, the AP never comes back again.

    The database synchronization is working

     

    (VM1) [mynode] #show database synchronize 
    
    Last L2 synchronization time: Tue Feb  4 15:20:04 2020
    Last L3 synchronization time: Secondary not synchronized since last reboot
    To Master Switch at 172.16.150.251:  succeeded
    WMS Database backup file size: 47515 bytes
    Upgrademgr Database backup file size: 3381 bytes
    Local User Database backup file size: 41648 bytes
    Global AP Database backup file size: 23313 bytes
    IAP Database backup file size: 3750 bytes
    Airgroup Database backup file size: 3052 bytes
    License Database backup file size: 5661 bytes
    CPSec Database backup file size: 3224 bytes
    L2 Synchronization took 2 second
    L3 Synchronization took less than one second

    The VRRP is working

    (VM1) [mynode] #show vrrp
    
    
    Virtual Router 150:
        Description MASTER
        Admin State UP, VR State MASTER
        IP Address 172.16.150.252, MAC Address 00:00:5e:00:01:96, vlan 150
        Priority 120, Advertisement 5 sec, Preemption Enable Delay 60
        Auth type PASSWORD, Auth data: ********
        tracking is not enabled
    (VM1) [mynode] #
    (VM2) [mynode] #show vrrp
    
    
    Virtual Router 150:
        Description Standby
        Admin State UP, VR State BACKUP
        IP Address 172.16.150.252, MAC Address 00:00:5e:00:01:96, vlan 150
        Priority 100, Advertisement 5 sec, Preemption Enable Delay 60
        Auth type PASSWORD, Auth data: ********
        tracking is not enabled
    (VM2) [mynode] #

    When I console into the AP I get this error when the principal controller is down:

    AP rebooted Wed Dec 31 16:01:50 PST 1969; Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_ISAKMP_N_CERT_SELFSIGNED_VERIFY_FAILED
    shutting down watchdog process (nanny will restart it)...

    The AP is pointing to the virtual IP, which is 172.16.150.252

    VM1 principal controller is 172.16.150.250

    VM2 backup controller is 172.16.150.251

    In summary, the AP works fine when the VM1 is up. If I disconnect VM1 the AP never comes up, and I see that error I showed you.

    Also, the VM2 takes the 172.16.150.252 IP like it should, so the VRRP is working, and it seems I can make changes too, as it's the new master now that VM1 is down.

    Any ideas what I could be missing?

     

    Cheers

    Carlos



  • 16.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 04, 2020 04:18 PM

    ---edit by mkk--- See answer Collin below

     

    You need to configure HA Groups under Mobility Controller > Configuration > Redundancy (HA controller role=dual) and put both controllers in the group.

    After that, bind the created group to MC01 > Configuration > Service > HA Member

    The second, MC02, you need to do from the CLI:

    (MC02) [mynode] # configure terminal
    (MC02) [mynode] (config) # ha group-membership "Group-Name"
    (MC02) [mynode] (config) # exit
    (MC02) [mynode] # write memory

     

    Under Mobility Controller > Configuration > AP-Groups, put the primary LMS IP and Backup LMS IP addresses in the AP System profile (these are the controller addresses too).



  • 17.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 04, 2020 04:29 PM

    Hello Marcel

    Thanks for your support again.

     

    redundacy10.JPG

     

    Should I leave all that without anything? I mean no preemption, no state synchronization, no heartbeat, no preshared key? Or should I fill all that in?

    Also, I guess both members are the real IPs of the controllers, right?

     

    Cheers

    Carlos



  • 18.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 04, 2020 04:46 PM

    Enable "State Synchronisation" and enter the PSK (that key is used between the controllers when you bind them). The PSK key is mandatory.

    I enabled "Pre-emption" at one of my customers without any issues and with good failover test scenarios. But later on I don't really like pre-emption in any way, because when you have flapping links it will negatively impact the database synchronisation, I believe. So I don't use pre-emption anymore in my configs, also not for the VRRP itself.

     



  • 19.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 05, 2020 08:46 AM

    Hello Marcel

    Thank you very much for your help! I'm sure this will be really helpful for other users in the future, as there is not much info on how to do this in standalone mode.

    Just to let you know, on version 8.5.0.5 I didn't have to do this

     

    The second MC02 you need to do from the CLI :
    
    (MC02) [mynode] # configure terminal
    (MC02) [mynode] (config) # ha group-membership "Group-Name"
    (MC02) [mynode] (config) # exit
    (MC02) [mynode] # write memory

    It seems that after it is synchronized you don't have to do this, or it is not required anymore...

    I was getting an error that the ha group-membership didn't exist in that controller.

    I changed the LMS to 172.16.150.250, which is the real IP of VM1, and for the secondary LMS 172.16.150.251, which is the real IP of the VM2

    The APs point to 172.16.150.252, which is the virtual IP.

    I did the test after this

    I simulated a failure of the VM1 and the AP took a while, but it came up again and I was able to connect to the SSID

    Is there anything I can do to reduce that downtime?

     

    Cheers

    Carlos



  • 20.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 05, 2020 03:24 PM

    If you would like a seamless failover from an AP, Controller or User perspective, I recommend a Mobility Master with a Cluster configuration; it is way easier to configure and manage.



  • 21.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 05, 2020 03:34 PM

    I configured the HA at controller level. The HA does not appear at folder level.

    After I see both controllers up I can no longer see the HA config on the secondary controller.

    Should I configure this before making it look like a master and standby? I mean the HA config? If I do that I should be able to configure it, as it will be standalone and not synchronized.

    But before that, yes, it does a full reboot. Let me check the config

     

    Cheers

    Carlos



  • 22.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 05, 2020 04:50 PM

    Okay, I actually found out that it didn't do a full reboot; it just stayed there on access denied for like 3 mins and 30 seconds and the AP came back again.

    Question

    Is this the downtime you get for your AP in this HA mode, standalone to standalone? Or does your AP with SSIDs come up faster than mine, which takes 3 mins 30 seconds?

     

    Cheers

    Carlos



  • 23.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 05, 2020 05:16 PM

    If you are using master redundancy, you should just point the LMS-IP at the VRRP.  HA configuration is not supported in combination with master redundancy:  https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/vrrp/migr-vrrp-bku-lmred.htm

    Screenshot 2020-02-05 at 16.14.57.png



  • 24.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 06, 2020 01:48 PM

    Thanks Colin!

     

    I did a quick test in my HomeLAB and you're right....as always ;) I just configured the VRRP VIP as the primary LMS IP in the AP system profile and in my DHCP43 options for AP provisioning.

    • When I hard shut down my MC01, the AP re-builds the GRE tunnels to the second controller within a couple of seconds.

    Capture.JPG



  • 25.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 06, 2020 02:54 PM

    I am not right.  That is what the user guide says...



  • 26.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 06, 2020 04:14 PM

    User Guide 8.6.0.0, link. (start at page 764)

     

    Test1: Don't use HA, only VRRP with LMS-IP=VRRP VIP address.

    - hard shut MC01, two APs fail over within 10 seconds

    - restore MC01 and MC02, MC02=Master (no pre-emption)

    - hard shut MC02, two APs don't fail back to MC01 and do a full reboot, not good ;).

    - AP serial says: Unable to set up IPSec tunnel, Error:RC_ERROR_IKE_XAUTH_AUTHORIZATION_FAILED

     

    Test2: Create a HA-GROUP both MC01/MC02 in dual-mode, change the LMSIP=MC01 LMS_BKP=MC02

    - After creating the HA group I bound it to MC01; it was not possible to bind it to MC02, also not from the MC02 CLI.

    - (TEST-MC01) [mynode] (config) #ha group-membership "HA" says not supported on this node.

    - Failover test fails again, AP reboots.

    While MC02 was the Master controller I was able (GUI and CLI) to create the HA group the same way as I did on MC01.

    - hard shut MC01, 1 ping lost, AP stay UP

    - restore MC01 and MC02, MC02=Master (no pre-emption)

    - hard shut MC02, 1 ping lost, AP stay UP

    - test it four three times again, same result.

     

    Tested with version: 8.6.0.2 two VMC in standalone mode en-rolled.

     



  • 27.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 06, 2020 07:56 PM

    To be clear, if you are using master/standby, you MUST connect access points to the VRRP for proper redundancy.  You CANNOT use HA.  Why?  Because the VRRP determines what controller is the master and can actually serve access points.  The other controller will not accept access points.  If you configure ha and access points fail over to a controller that doesn't have control of the VRRP, the access points will not function.

     

    Again, DO NOT use HA when pointing APs to master redundant controllers.  Point the APs at the VRRP between them.



  • 28.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 07, 2020 08:55 AM

    There is something wrong in my config...

    It rebuilds the tunnel, yes; the AP does not go down, because I'm connected by console and it never goes down. But it takes a minute and 30 seconds to build the tunnel up again (I timed it). It's much better than before, but it is not as good as yours, Marcel, which you said was just a few seconds...

    My AP is an AP 215; I don't know if this makes a difference somehow? Or should all APs build the tunnel again in a few seconds?



  • 29.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 07, 2020 01:45 PM

    Okay

    I found out what the problem was; it was something in my config like you said, Marcel. I had preempt on one controller and on the other controller I didn't have preempt; that makes it take 1 minute and 30 seconds. As soon as I disabled preempt on both sides, it now takes 10 seconds. From a client perspective it loses like 4 pings, which is really good.

     

    Thanks Collin, Marcell for your support!

     

    Cheers

    Carlos
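
Added example, not part of any post in this thread: a Python pre-flight check for two points raised above, that the intended master really is VRRP MASTER before database synchronization is enabled, and that preempt and timer settings match on both controllers. It parses `show vrrp` and `show database synchronize` output in the layout posted in the thread; the function names are hypothetical, and other ArubaOS versions may print these lines differently.

```python
import re

# 'show vrrp' output as posted in the thread (VM1 = intended master), trimmed.
VM1_VRRP = """Virtual Router 150:
    Description MASTER
    Admin State UP, VR State MASTER
    IP Address 172.16.150.252, MAC Address 00:00:5e:00:01:96, vlan 150
    Priority 120, Advertisement 5 sec, Preemption Enable Delay 60
"""
VM2_VRRP = """Virtual Router 150:
    Description Standby
    Admin State UP, VR State BACKUP
    IP Address 172.16.150.252, MAC Address 00:00:5e:00:01:96, vlan 150
    Priority 100, Advertisement 5 sec, Preemption Enable Delay 60
"""
# 'show database synchronize' lines as posted in the thread, trimmed.
DBSYNC_OK = "To Master Switch at 172.16.150.251:  succeeded\n"
DBSYNC_FAILED = (
    "To Master Switch at 172.16.1.139: *** FAILED ***\n"
    "Last failure cause: Standby switch did not acknowledge the CPSec database transfer\n"
)


def parse_vrrp(text):
    """Return {vrid: fields} for every 'Virtual Router N:' stanza in the output."""
    parts = re.split(r"Virtual Router (\d+):", text)
    routers = {}
    for vrid, body in zip(parts[1::2], parts[2::2]):
        state = re.search(r"VR State (\w+)", body)
        addr = re.search(r"IP Address ([\d.]+),.*vlan (\d+)", body)
        timers = re.search(r"Priority (\d+), Advertisement (\d+) sec, Preemption (.+)", body)
        if state and addr and timers:  # stanzas in any other layout are left out
            routers[int(vrid)] = {
                "state": state.group(1), "vip": addr.group(1), "vlan": addr.group(2),
                "priority": int(timers.group(1)), "advertise": timers.group(2),
                "preempt": timers.group(3).strip(),
            }
    return routers


def check_pair(master_out, standby_out, vrid):
    """Compare the intended master's and the standby's view of one VRRP instance."""
    m, s = parse_vrrp(master_out).get(vrid), parse_vrrp(standby_out).get(vrid)
    if m is None or s is None:
        return [f"VRID {vrid} not found on both controllers"]
    findings = []
    if m["state"] != "MASTER":
        findings.append("intended master is not VRRP MASTER; database would sync the wrong way")
    if s["state"] != "BACKUP":
        findings.append(f"standby VR state is {s['state']}, expected BACKUP")
    if m["priority"] <= s["priority"]:
        findings.append("intended master does not have the higher priority")
    for key in ("vip", "vlan", "advertise", "preempt"):  # should be identical on both
        if m[key] != s[key]:
            findings.append(f"{key} differs: {m[key]!r} vs {s[key]!r}")
    return findings


def dbsync_status(text):
    """Return (peer_ip, ok, failure_cause) from 'show database synchronize' output."""
    peer = re.search(r"To Master Switch at ([\d.]+):\s*(.+)", text)
    if not peer:
        return (None, False, "no peer status line found")
    ok = peer.group(2).strip() == "succeeded"
    cause = re.search(r"Last failure cause: (.+)", text)
    return (peer.group(1), ok, None if ok or not cause else cause.group(1).strip())


if __name__ == "__main__":
    print(check_pair(VM1_VRRP, VM2_VRRP, 150))  # healthy pair from the thread
    print(check_pair(VM2_VRRP, VM1_VRRP, 150))  # roles swapped
    print(dbsync_status(DBSYNC_FAILED))
```

An empty list from `check_pair` means the pair looks like the working state shown in the thread; run it on fresh CLI captures from both controllers before enabling database synchronization.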



  • 30.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 07, 2020 03:15 PM

    @Carlos Glad to hear that it works for you.

     

    @Collin Thanks for your feedback, good to learn from each other, I really appreciate that. So your answer is clear: stay away from HA in a master-standby configuration and use the VRRP VIP as the primary LMS-IP. In the attachment I created an A-Z configuration video. Could you please review it for me so I get a good understanding of it and do it the right way this time? PS: the database sync is set to every 1 minute to speed things up, but what is the default in a production deployment? 10 min?

     

     

    Attachment(s)

    zip
    Master-Standby 3.0.zip   36.46 MB 1 version


  • 31.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 04, 2020 04:34 PM

    Hi rfRocha,

     

    See the attached video of how I enable database sync from a clean configuration.

    Note: in my video I set the database sync to 1 min. to speed things up, but that isn't a production setting ;).

    Attachment(s)

    zip
    ArubaOS8 database sync.zip   44.44 MB 1 version


  • 32.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 04, 2020 04:38 PM

    I see in the post that there is an attachment on the title, but I cannot see it in the post for some reason! :(

    Can you just put the link, like a copy and paste? Thanks ;)



  • 33.  RE: Master, stand by config on Aruba OS 8

    Posted Feb 04, 2020 04:43 PM

    I can see it now; for some reason it took a while....

     

    Cheers

    Carlos