Why does the CPSEC whitelist entry on the HA standby controller go to the unapproved state?



Network setup:


Master <---> set of local controllers as HA Active/Standby


With CPSEC enabled, the AP does not form its HA standby tunnel with the HA standby controller. In the errorlog, we see XAuth failing because the AP is not found in the whitelist DB.




With auto-provisioning enabled, when the AP first talks to a controller, a CPSEC entry is created on that controller in the "approved-ready-for-cert" state. If the AP does not come up on that same controller within 2 hours, the CPSEC entry moves to the unapproved state.


Check whether the AP's MAC address is present in the whitelist entries of the Master and the HA controllers.


(HA-standby) #show whitelist-db cpsec

Control-Plane Security Whitelist-entry Details
MAC-Address  AP-Group  AP-Name  Enable  State  Cert-Type  Description  Revoke Text  Last Updated
-----------  --------  -------  ------  -----  ---------  -----------  -----------  ------------

Total Entries: 0


(HA-standby) #show ap database

AP Database
Name  Group  AP Type  IP Address     Status  Flags  Switch IP     Standby IP
----  -----  -------  ----------     ------  -----  ---------     ----------
AP2   test   365  Down    2

(HA-standby) #show log errorlog 10

Aug 20 12:20:50 <isakmpd 103067>  <3994> <ERRS> |ike|  IKE XAuth failed as the AP 44:48:c1:ca:66:ec is not in whitelist
Aug 20 12:20:53 <localdb 133006>  <4176> <ERRS> |localdb|  User 44:48:c1:ca:66:ec Failed Authentication
Aug 20 12:20:53 <authmgr 522275>  <4137> <ERRS> |authmgr|  User Authentication failed. username=44:48:c1:ca:66:ec userip= usermac=44:48:c1:ca:66:ec authmethod=TRANSPORT-VPN servername=Internal serverip= apname=N/A bssid=00:00:00:00:00:00




We can manually add the AP to the whitelist on the HA standby controller as below:


(HA-standby) #whitelist-db  cpsec add mac-address 44:48:c1:ca:66:ec ap-group test ap-name AP2

(HA-standby) #show whitelist-db  cpsec

Control-Plane Security Whitelist-entry Details
MAC-Address        AP-Group  AP-Name  Enable   State                    Cert-Type    Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                    ---------    -----------  -----------  ------------
44:48:c1:ca:66:ec  test      AP2      Enabled  approved-ready-for-cert  switch-cert                            Tue Aug 21 10:29:24 2018

Total Entries: 1


(HA-standby) #show ap database

AP Database
Name  Group  AP Type  IP Address     Status     Flags  Switch IP     Standby IP
----  -----  -------  ----------     ------     -----  ---------     ----------
AP2   test   365  Up 2m:16s  2S


If we check CPSEC on the standby, it is enabled, and auto cert provisioning and allow-all are enabled as well. So our expectation is that the whitelist DB should be synced between controllers.


(HA-standby) #show control-plane-security 

Control Plane Security Profile
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Enabled
Auto Cert Allow All          Enabled
Auto Cert Allowed Addresses  N/A


However, if we check the Master controller, we see that whitelist DB sync is disabled.


(Master) #show whitelist-db cpsec-status 

My Mac-Address                00:1a:1e:03:d1:c8
My IP-Address       
Master IP-Address   
Switch-Role                   Master
Whitelist-sync is disabled


So, with whitelist DB sync disabled in an HA Active/Standby setup, the whitelist entry on the HA active controller is added automatically once the AP talks to that controller. If the controller is in the standby role, however, the entry is not added automatically. Hence the AP fails to come up on the HA standby controller when whitelist DB sync is disabled on the Master controller and the entry is not added manually on the HA standby controller.
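As an added example (not part of this article, and not ArubaOS code), the checks above scripted for triage: it parses captured "show whitelist-db cpsec" and "show log errorlog" output, lists the APs rejected at XAuth that have no whitelist entry on this controller, flags entries that already sit in the unapproved state, and prints the manual whitelist-db cpsec add command from the article. The sample captures are constructed (one extra AP, AP3, with a made-up MAC), and the AP group and name passed to the fix command are assumed to come from "show ap database".

```python
import re

# Constructed sample captures modelled on the article's output. AP3 (made-up MAC) is
# added in the unapproved state to show the 2-hour timeout case as well.
SAMPLE_WHITELIST = """Control-Plane Security Whitelist-entry Details
MAC-Address        AP-Group  AP-Name  Enable   State       Cert-Type    Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----       ---------    -----------  -----------  ------------
00:0b:86:aa:bb:cc  test      AP3      Enabled  unapproved  switch-cert                            Tue Aug 21 10:29:24 2018

Total Entries: 1
"""
SAMPLE_ERRORLOG = """Aug 20 12:20:50 <isakmpd 103067>  <3994> <ERRS> |ike|  IKE XAuth failed as the AP 44:48:c1:ca:66:ec is not in whitelist
Aug 20 12:20:53 <localdb 133006>  <4176> <ERRS> |localdb|  User 44:48:c1:ca:66:ec Failed Authentication
"""

MAC_RE = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
XAUTH_RE = re.compile(rf"IKE XAuth failed as the AP ({MAC_RE}) is not in whitelist", re.I)


def parse_whitelist(show_output):
    """Map MAC -> (ap-group, ap-name, state) from 'show whitelist-db cpsec' output.
    Only lines whose first field is a MAC are data rows; header, dashes and totals are skipped."""
    entries = {}
    for line in show_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and re.fullmatch(MAC_RE, fields[0], re.I):
            mac, group, name, _enable, state = fields[:5]
            entries[mac.lower()] = (group, name, state)
    return entries


def xauth_failures(errorlog):
    """Set of AP MACs the errorlog reports as rejected at IKE XAuth for not being whitelisted."""
    return {m.group(1).lower() for m in XAUTH_RE.finditer(errorlog)}


def triage(show_output, errorlog):
    """Return (missing, unapproved): rejected APs with no entry here, and entries already unapproved."""
    entries = parse_whitelist(show_output)
    missing = sorted(m for m in xauth_failures(errorlog) if m not in entries)
    unapproved = sorted(m for m, (_g, _n, state) in entries.items() if state == "unapproved")
    return missing, unapproved


def add_command(mac, ap_group, ap_name):
    """The manual fix from the article, for one AP (group/name taken from 'show ap database')."""
    return f"whitelist-db cpsec add mac-address {mac} ap-group {ap_group} ap-name {ap_name}"


if __name__ == "__main__":
    missing, unapproved = triage(SAMPLE_WHITELIST, SAMPLE_ERRORLOG)
    print("unapproved entries (timed out, re-approve or re-add):", unapproved)
    for mac in missing:  # AP2's group/name as shown in the article's 'show ap database'
        print(add_command(mac, "test", "AP2"))
```

Run the script against real captures by replacing the two sample strings; an AP listed under "missing" is the standby-role case the article describes.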

Last update: 02-26-2019 11:13 PM