Problem:
The NAS IP of a cluster controller changes to the MM IP even though VRRP is configured in the cluster group profile.
Diagnostics:
Cluster configuration of the controllers:
Multiple VRRP instances have been configured for the management VLAN so that they can be mapped in the cluster configuration, allowing COA to work along with redundancy.
MM IP: 10.27.162.42
MD-1: 10.27.170.44
MD-2: 10.27.170.43
lc-cluster group-profile "CCH-Cluster"
controller 10.27.170.44 priority 128 mcast-vlan 0 vrrp-ip 10.27.170.99 vrrp-vlan 170 group 0 rap-public-ip 0.0.0.0
controller 10.27.170.43 priority 128 mcast-vlan 0 vrrp-ip 10.27.170.98 vrrp-vlan 170 group 0 rap-public-ip 0.0.0.0
!
On the first controller, MD-1, the configured VRRP IP is shown as the NAS IP; the same applies to the second controller.
Controller-1
(MD-1) [MDC] #show ip radius nas-ip
RADIUS client NAS IP address = 10.27.170.98
RADIUS client NAS IPv6 address = ::1
Controller-2
(MD-2) [MDC] #show ip radius nas-ip
RADIUS client NAS IP address = 10.27.170.99
RADIUS client NAS IPv6 address = ::1
Solution:
In the above scenario, configure the VRRP IPs as RADIUS clients on the authentication server so that COA and client authentication redundancy work if a controller fails.
(MD-2) [MDC] #show lc-cluster group-membership
Cluster Enabled, Profile Name = "CCH-Cluster"
Redundancy Mode On
Active Client Rebalance Threshold = 20%
Standby Client Rebalance Threshold = 40%
Unbalance Threshold = 5%
AP Load Balancing: Enabled
Active AP Rebalance Threshold = 20%
Active AP Unbalance Threshold = 5%
Active AP Rebalance AP Count = 50
Active AP Rebalance Timer = 1 minutes
Cluster Info Table
------------------
Type IPv4 Address Priority Connection-Type STATUS
---- --------------- -------- --------------- ------
peer 10.27.170.43 128 L2-Connected CONNECTED (Member, last HBT_RSP 27ms ago, RTD = 0.000 ms)
self 10.27.170.44 128 N/A CONNECTED (Leader)
If an administrator adds a VLAN on one of the controllers and does not update the excluded VLAN probe list, both controllers in the cluster move to L3-connected.
Example: in this scenario I missed updating VLAN 890 in the excluded probe list, and the cluster went from L2-connected to L3-connected:
(MD-2) [MDC] #show lc-cluster group-membership
Cluster Enabled, Profile Name = "CCH-Cluster"
Redundancy Mode On
Active Client Rebalance Threshold = 20%
Standby Client Rebalance Threshold = 40%
Unbalance Threshold = 5%
AP Load Balancing: Enabled
Active AP Rebalance Threshold = 20%
Active AP Unbalance Threshold = 5%
Active AP Rebalance AP Count = 50
Active AP Rebalance Timer = 1 minutes
Cluster Info Table
------------------
Type IPv4 Address Priority Connection-Type STATUS
---- --------------- -------- --------------- ------
peer 10.27.170.43 128 L3-Connected CONNECTED (Member, last HBT_RSP 39ms ago, RTD = 0.950 ms)
self 10.27.170.44 128 N/A CONNECTED (Leader)
(MD-2) [MDC] #show lc-cluster vlan-probe status
Cluster VLAN Probe Status
-------------------------
Type IPv4 Address REQ-SENT REQ-FAIL ACK-SENT ACK-FAIL REQ-RCVD ACK-RCVD VLAN_FAIL CONN-TYPE START/STOP
---- --------------- -------- -------- -------- -------- -------- -------- --------- --------- ----------
peer 10.27.170.43 18 0 5 0 5 2 890 L3 Conn 1/ 1
The NAS IP then changes to the MM's IP, causing RADIUS authentication to fail, because only the VRRP IPs were added as RADIUS clients on the authentication server.
(MD-2) [MDC] #show ip radius nas-ip
RADIUS client NAS IP address = 10.27.162.42
RADIUS client NAS IPv6 address = ::1
The solution is to add the newly added controller-specific VLAN to the excluded VLAN list, or to add the same VLAN on all controllers that are part of the cluster, so that the cluster becomes L2-connected and the NAS IP changes back automatically to the configured VRRP IP.
(config) #lc-cluster exclude-vlan 221,222,909,1,890
(config) #write memory
(MD-2) [MDC] #show lc-cluster group-membership
Cluster Enabled, Profile Name = "CCH-Cluster"
Redundancy Mode On
Active Client Rebalance Threshold = 20%
Standby Client Rebalance Threshold = 40%
Unbalance Threshold = 5%
AP Load Balancing: Enabled
Active AP Rebalance Threshold = 20%
Active AP Unbalance Threshold = 5%
Active AP Rebalance AP Count = 50
Active AP Rebalance Timer = 1 minutes
Cluster Info Table
------------------
Type IPv4 Address Priority Connection-Type STATUS
---- --------------- -------- --------------- ------
peer 10.27.170.43 128 L2-Connected CONNECTED (Member, last HBT_RSP 55ms ago, RTD = 1.043 ms)
self 10.27.170.44 128 N/A CONNECTED (Leader)
(MD-2) [MDC] #show ip radius nas-ip
RADIUS client NAS IP address = 10.27.170.99
RADIUS client NAS IPv6 address = ::1
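The check described above can be automated over saved CLI output. The following is an added example, not part of the original article or any vendor tooling: it compares the reported NAS IP with the VRRP IPs registered as RADIUS clients and reports L3-connected peers and the failing probe VLAN. The function name, the concatenated capture format and the assumption that the output columns match those shown on this page are illustrative.

```python
import re

# RADIUS clients registered on the authentication server are the VRRP IPs
# taken from the cluster profile lines shown on this page.
PROFILE = """\
controller 10.27.170.44 priority 128 mcast-vlan 0 vrrp-ip 10.27.170.99 vrrp-vlan 170 group 0 rap-public-ip 0.0.0.0
controller 10.27.170.43 priority 128 mcast-vlan 0 vrrp-ip 10.27.170.98 vrrp-vlan 170 group 0 rap-public-ip 0.0.0.0
"""

# Constructed capture: the relevant rows of the three "show" outputs from the
# failure case on this page, concatenated as a collection script might save them.
FAILED = """\
peer 10.27.170.43 128 L3-Connected CONNECTED (Member, last HBT_RSP 39ms ago, RTD = 0.950 ms)
self 10.27.170.44 128 N/A CONNECTED (Leader)
peer 10.27.170.43 18 0 5 0 5 2 890 L3 Conn 1/ 1
RADIUS client NAS IP address = 10.27.162.42
RADIUS client NAS IPv6 address = ::1
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"


def check_cluster(cli_text, profile_text=PROFILE):
    """Return NAS-IP and cluster-connectivity findings for one controller."""
    allowed = set(re.findall(r"vrrp-ip\s+" + IP, profile_text))
    nas = re.search(r"NAS IP address = " + IP, cli_text)
    nas_ip = nas.group(1) if nas else None
    # Peers whose group-membership row reports L3-Connected.
    l3_peers = re.findall(r"^peer\s+" + IP + r"\s+\d+\s+L3-Connected", cli_text, re.M)
    # VLAN_FAIL column of vlan-probe rows (six counters precede it); assumes
    # the column layout shown on this page.
    failed_vlans = re.findall(
        r"^peer\s+\S+\s+(?:\d+\s+){6}(\S+)\s+L3 Conn", cli_text, re.M)
    return {
        "nas_ip": nas_ip,
        "nas_ip_ok": nas_ip in allowed,  # False also when no NAS IP was found
        "l3_peers": l3_peers,
        "failed_vlans": failed_vlans,
    }


if __name__ == "__main__":
    r = check_cluster(FAILED)
    print(r)
    if not r["nas_ip_ok"]:
        print(f"NAS IP {r['nas_ip']} is not a registered RADIUS client; add VLAN(s) "
              f"{','.join(r['failed_vlans'])} to lc-cluster exclude-vlan "
              "or define them on every cluster member")
```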