Why CPSEC whitelist entry to HA standby controller goes to unapproved state?

Problem:

Network setup:

Master <---> set of local controllers as HA Active/Standby

With CPSEC enabled, the AP does not form its HA standby tunnel to the HA standby controller. In the errorlog on the standby we see IKE XAuth failing because the AP is not found in the whitelist DB.
Diagnostics:

With auto cert provisioning enabled, the first time an AP talks to a controller a CPSEC whitelist entry is created on that controller in the "approved-ready-for-cert" state. If the AP does not come up on that same controller within 2 hours, the entry moves to the "unapproved" state.

Check whether the AP's MAC address is present in the CPSEC whitelist on the Master and on both HA controllers.
(HA-standby) #show whitelist-db cpsec


Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address  AP-Group  AP-Name  Enable  State  Cert-Type  Description  Revoke Text  Last Updated
-----------  --------  -------  ------  -----  ---------  -----------  -----------  ------------

Total Entries: 0
(HA-standby) #show ap database

AP Database
-----------
Name  Group  AP Type  IP Address     Status  Flags  Switch IP     Standby IP
----  -----  -------  ----------     ------  -----  ---------     ----------
AP2   test   365      10.29.165.245  Down    2      10.29.164.30  0.0.0.0

(HA-standby) #show log errorlog 10

Aug 20 12:20:50 <isakmpd 103067>  <3994> <ERRS> |ike|  IKE XAuth failed as the AP 44:48:c1:ca:66:ec is not in whitelist
Aug 20 12:20:53 <localdb 133006>  <4176> <ERRS> |localdb|  User 44:48:c1:ca:66:ec Failed Authentication
Aug 20 12:20:53 <authmgr 522275>  <4137> <ERRS> |authmgr|  User Authentication failed. username=44:48:c1:ca:66:ec userip=10.29.165.245 usermac=44:48:c1:ca:66:ec authmethod=TRANSPORT-VPN servername=Internal serverip=10.29.164.10 apname=N/A bssid=00:00:00:00:00:00
Solution

We can add the AP to the whitelist on the HA standby controller manually, as below:

(HA-standby) #whitelist-db cpsec add mac-address 44:48:c1:ca:66:ec ap-group test ap-name AP2

(HA-standby) #show whitelist-db cpsec


Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                    Cert-Type    Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                    ---------    -----------  -----------  ------------
44:48:c1:ca:66:ec  test      AP2      Enabled  approved-ready-for-cert  switch-cert                            Tue Aug 21 10:29:24 2018

Total Entries: 1
(HA-standby) #show ap database

AP Database
-----------
Name  Group  AP Type  IP Address     Status     Flags  Switch IP     Standby IP
----  -----  -------  ----------     ------     -----  ---------     ----------
AP2   test   365      10.29.165.245  Up 2m:16s  2S     10.29.164.20  10.29.164.30

If we check CPSEC on the HA standby controller, it is enabled, and both auto cert provisioning and allow-all are enabled, so our expectation is that the whitelist DB should be synced between the controllers.
(HA-standby) #show control-plane-security 

Control Plane Security Profile
------------------------------
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Enabled
Auto Cert Allow All          Enabled
Auto Cert Allowed Addresses  N/A

However, if we check the Master controller, we see that whitelist DB sync is disabled.
(Master) #show whitelist-db cpsec-status 


My Mac-Address                00:1a:1e:03:d1:c8
My IP-Address                 10.29.164.10
Master IP-Address             10.29.164.10
Switch-Role                   Master
Whitelist-sync is disabled

So, with whitelist DB sync disabled in an HA Active/Standby setup, the whitelist entry on the HA active controller is added automatically once the AP talks to that controller, but a controller in the standby role does not add the entry automatically. Hence the AP fails to come up on the HA standby controller when whitelist DB sync is disabled on the Master and the entry has not been added manually on the HA standby controller. The manual add is a per-AP workaround; the underlying cause is the disabled whitelist DB sync on the Master.
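As an added example (not part of the original article and not an Aruba tool): a Python triage script that parses the three command outputs used above, cross-references the IKE XAuth "not in whitelist" failures in the errorlog against the AP database, and prints the matching `whitelist-db cpsec add` command for each AP that is missing from the standby's whitelist. The sample outputs embedded in it are constructed to match the format shown in this article, and the join from MAC to AP name and group assumes the authmgr log line reports the AP's IP in `userip=`, as it does in the log above.

```python
"""Triage helper for the CPSEC whitelist problem described above (added example,
not an Aruba tool). Paste the output of 'show whitelist-db cpsec', 'show ap
database' and 'show log errorlog' from the HA standby controller into the three
strings below; the script lists APs that failed XAuth for being missing from
the whitelist and builds the 'whitelist-db cpsec add' command for each."""
import re
from typing import Dict, List, Optional

# Constructed sample output modelled on the ArubaOS output shown in the
# article above; it is not captured from a real controller.
WHITELIST_OUT = """\
Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                    Cert-Type    Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                    ---------    -----------  -----------  ------------
00:0b:86:aa:bb:c1  test      AP1      Enabled  certified                switch-cert                            Tue Aug 21 09:10:00 2018
00:0b:86:aa:bb:c3  test      AP3      Enabled  unapproved               switch-cert                            Tue Aug 21 08:00:00 2018

Total Entries: 2
"""

AP_DB_OUT = """\
AP Database
-----------
Name  Group  AP Type  IP Address     Status     Flags  Switch IP     Standby IP
----  -----  -------  ----------     ------     -----  ---------     ----------
AP1   test   365      10.29.165.244  Up 2m:16s  2S     10.29.164.20  10.29.164.30
AP2   test   365      10.29.165.245  Down       2      10.29.164.30  0.0.0.0
"""

ERRORLOG_OUT = """\
Aug 20 12:20:50 <isakmpd 103067>  <3994> <ERRS> |ike|  IKE XAuth failed as the AP 44:48:c1:ca:66:ec is not in whitelist
Aug 20 12:20:53 <localdb 133006>  <4176> <ERRS> |localdb|  User 44:48:c1:ca:66:ec Failed Authentication
Aug 20 12:20:53 <authmgr 522275>  <4137> <ERRS> |authmgr|  User Authentication failed. username=44:48:c1:ca:66:ec userip=10.29.165.245 usermac=44:48:c1:ca:66:ec authmethod=TRANSPORT-VPN servername=Internal serverip=10.29.164.10 apname=N/A bssid=00:00:00:00:00:00
Aug 20 12:21:10 <isakmpd 103067>  <3994> <ERRS> |ike|  IKE XAuth failed as the AP 00:0b:86:aa:bb:c9 is not in whitelist
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
XAUTH_RE = re.compile(r"IKE XAuth failed as the AP (" + MAC + r") is not in whitelist", re.I)


def parse_whitelist(text: str) -> Dict[str, str]:
    """Map each whitelisted MAC (lower-case) to its State column.
    Columns are separated by two or more spaces; empty Description and
    Revoke Text columns collapse, so State is always column index 4."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) >= 5 and re.fullmatch(MAC, cols[0], re.I):
            entries[cols[0].lower()] = cols[4]
    return entries


def parse_ap_database(text: str) -> Dict[str, Dict[str, str]]:
    """Map each AP's IP address to its Name, Group and Status (the errorlog
    identifies the AP by IP, so IP is the join key)."""
    aps: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) >= 6 and re.fullmatch(IPV4, cols[3]):
            aps[cols[3]] = {"name": cols[0], "group": cols[1], "status": cols[4]}
    return aps


def parse_errorlog(text: str) -> Dict[str, Optional[str]]:
    """Map each MAC that IKE reported as 'not in whitelist' to the userip that
    authmgr logged for the same MAC, or None if no authmgr line exists."""
    failed: List[str] = []
    ips: Dict[str, str] = {}
    for line in text.splitlines():
        m = XAUTH_RE.search(line)
        if m and m.group(1).lower() not in failed:
            failed.append(m.group(1).lower())
        if "authmethod=TRANSPORT-VPN" in line:
            mac = re.search(r"usermac=(" + MAC + ")", line, re.I)
            ip = re.search(r"userip=(" + IPV4 + ")", line)
            if mac and ip:
                ips[mac.group(1).lower()] = ip.group(1)
    return {mac: ips.get(mac) for mac in failed}


def triage(whitelist_out: str, apdb_out: str, errorlog_out: str) -> Dict[str, List[str]]:
    """Return the add commands for APs missing from the whitelist, the MACs that
    could not be mapped to an AP database entry, and entries that aged out to
    the 'unapproved' state (the 2-hour timeout described in the article)."""
    whitelist = parse_whitelist(whitelist_out)
    aps = parse_ap_database(apdb_out)
    report: Dict[str, List[str]] = {"commands": [], "unresolved": [], "stale": []}
    for mac, ip in parse_errorlog(errorlog_out).items():
        if mac in whitelist:
            continue  # entry exists now; its state is checked below
        ap = aps.get(ip) if ip else None
        if ap is None:
            report["unresolved"].append(mac)  # no userip seen, cannot pick group/name
        else:
            report["commands"].append(
                f"whitelist-db cpsec add mac-address {mac} ap-group {ap['group']} ap-name {ap['name']}")
    report["stale"] = [mac for mac, state in whitelist.items() if state == "unapproved"]
    return report


if __name__ == "__main__":
    for key, items in triage(WHITELIST_OUT, AP_DB_OUT, ERRORLOG_OUT).items():
        print(f"{key}: {items if items else '(none)'}")
```

Run it against the real output from the standby controller and paste each printed command into its CLI; a MAC listed under `unresolved` has no matching authmgr line, so look it up in `show ap database` on the active controller before adding it. Entries listed under `stale` are already present but have aged out to `unapproved`, so adding them again is not the fix.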

Version history
Revision #:
2 of 2
Last update:
02-26-2019 11:13 PM