Question: What do I need to do when a standalone master controller is RMAed in ArubaOS 5.0?
Product and Software: This article applies to all Aruba controllers and ArubaOS 5.0 or later.
When CPSec is turned on in ArubaOS 5.0, the master controller is the trust anchor for the hierarchy.
To rebuild the CPSec-enabled network if the standalone master has to be RMAed, follow these steps:
1) Install and configure the replacement master controller.
2) Connect the master to the network so that the locals can reach it.
3) If necessary, reconfigure the local controllers (masterip).
4) Reboot the local controllers (even if no configuration was changed). The reboot ensures that the locals get their new certificate from the new master.
5) The APs now have certificates with the old (RMAed) master as the trust anchor, so they will not be able to set up IPsec with controllers (local or master). These APs must be reapproved so that they can be recertified under the hierarchy of the new master.
6) Before the APs can be reapproved, the locals must already have been rebooted (step 4).
7) The master is new, so it does not have the whitelist and must learn it from the locals. Therefore, pick any local controller and move all the APs that are in the "certified" state to the "approved" state. This is not the same as turning auto-cert-prov ON. If an AP does not come up after this action, check the whitelist status for that entry. The entry should be "approved" for the AP to get recertified.
8) If this master has no local controllers, you must make the master relearn the APs and recertify them. To do this, either turn auto-cert-prov ON for a while or manually enter the whitelist entries.