Occasional Contributor II

Re: how can i get the IPsec preshared key of the master controller

There is no connectivity right now between the two controllers because I keep entering the wrong key:
Jan 14 12:42:31 fpcli: USER:admin@192.168.18.173 COMMAND:<master-redundancy peer-ip-address 192.168.1.148 ipsec "west1234" > -- command execution failed
Jan 14 12:43:30 fpcli: USER:admin@192.168.18.173 COMMAND:<master-redundancy peer-ip-address 192.168.1.148 ipsec "west1234" > -- command execution failed

 

That's why I asked the question in the first place, so I can achieve connectivity between the controllers. Now even the ping fails because of the wrong preshared key, so of course there won't be any local controllers in the show switch output.

Thank you

MVP Guru

Re: how can i get the IPsec preshared key of the master controller

The command in the last post shows you trying to set up/change the Master Redundancy PSK, not the Local PSK used for local controllers. These are two different things. 

 

You can have a PSK for Master Redundancy and you can have another PSK for Master Local operations.

 

The command is failing because of another reason (no VRRP for example or device isn't a Master) not because the PSK is wrong.

 

Have you followed the guides to set up Master-Master Backup and also Master-Local? You might find it easier to simply overwrite the existing keys with new keys based on what you are trying to achieve. 

 

Do you want to provide the previously suggested commands from each controller?

 

#show roleinfo
#show vrrp

ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Occasional Contributor II

Re: how can i get the IPsec preshared key of the master controller

Hi Zalion,

My mistake, I didn't explain the situation well, or maybe I'm confused between master/local redundancy and VRRP redundancy.

Here is the situation anyway: we have a running master controller (which also has a VRRP configuration on it).

I have a second controller which is in factory default state, so I need to configure it and then set up redundancy.

I'm still on the basic setup and still haven't configured VRRP on the local controller. When I set the second controller as local, I enter the master IP address (as master IP address), but for authentication I need to enter the IPsec key so it can connect to the master.

I don't have that key and that's what I need to know.

Or let me ask the question differently: when I do the basic config, when I need to enter the master IP address and then the IPsec key, which key do I need to use? Is it the VRRP authentication key? Is it the site-to-site VPN preshared key?

Thank you

MVP Guru

Re: how can i get the IPsec preshared key of the master controller

If you have no Local controllers already configured, there will be no Master-Local PSK set so this is why you cannot find one :)

 

To set up a Master-Local for example:

On the Master:

(host) (config) #localip 0.0.0.0 ipsec gw1234567

On the Local:

(host) (config) #masterip 10.1.1.250 ipsec gw1234567

Might be worth reading the VRD for WLAN Redundancy as this explains it far better than me. In short, these are different.

An IPSEC tunnel is used for Master-Local communications.

An IPSEC tunnel is used for Master-Master Backup communications (which also uses VRRP).

An IPSEC tunnel can also be used to establish a traditional tunnel between controllers.

 

Master-Master Backup needs to be in the same L2 broadcast domain due to using VRRP.

Master-Local can be L2/L3 separated as no VRRP is required.


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Occasional Contributor II

Re: how can i get the IPsec preshared key of the master controller

Hi Zalion,

Thank you for your help.

So as you recommended, this is what I did:

On the master controller:

localip 0.0.0.0 ipsec *******

On the local:

masterip 192.168.1.148 ipsec *******

Everything works fine, connectivity between the controllers is working, and in show switches I can see both the master and the local:

(WW-CTRLR-BCKUP) #show switches

All Switches
------------
IP Address     Name            Location          Type    Model     Version        D
----------     ----            --------          ----    -----     -------        -
192.168.1.148  WW-CTRLR-BCKUP  Building1.floor1  master  OAW-4450  6.5.4.9_67122
192.168.1.149  OAW-4450-local  Building1.floor1  local   OAW-4450  6.5.4.9_67122

However, when I start configuring VRRP, issues start happening :(

So can you please help me understand the below:

- After setting up master-local, can I set up VRRP? Because I think VRRP can only be used with a master-master setup. If I can't use VRRP, then will the master-local setup I made be enough to achieve redundancy? In other words, is redundancy achieved by VRRP or by the master-local setup? Thank you so much.

MVP Guru

Re: how can i get the IPsec preshared key of the master controller

You can set up VRRP between a Master-Local providing they are in the same L2. What type of redundancy are you looking to use? AP, controller, interface etc? Each of these has different options based on your network design.


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Occasional Contributor II

Re: how can i get the IPsec preshared key of the master controller

Hi Zalion,

First of all, thank you for all the help, and I'm sorry for all the questions.

I need to set up redundancy between the two controllers (the master and the local) so when the master fails, the standby controller can take over and the APs connecting to the master can switch over to the standby.

I have this config on the master:

master-redundancy
master-vrrp 150
peer-ip-address 192.168.1.149 
!
vrrp 150
priority 110
authentication west1234
ip address 192.168.1.150
description "Preferred-Standby"
vlan 1
tracking master-up-time 30 add 20
no shutdown
!

Then when I try configuring redundancy on the local controller, when I type:

`master-redundancy` I got an error, `Error: Master IP 192.168.1.148 is configured`, so I just ignore that command and enter the below:

vrrp 150
priority 110
authentication west1234
ip address 192.168.1.150
description "Preferred-Standby"
vlan 1
tracking master-up-time 30 add 20
no shutdown 

Then the ping times out between the controllers and I can't change the master IP on the local controller to the virtual IP.

In the guide you sent me, it's mentioned that we can use VRRP with either a master-master setup or a local-local setup.

Thank you in advance

MVP Guru

Re: how can i get the IPsec preshared key of the master controller

If you have configured this as Master-Local you cannot configure Master-Master redundancy as well; these are different controller roles. Your best bet is to configure a VRRP for AP Discovery and use HA Groups for AP redundancy. These are detailed in the VRDs.

 

Do you have an Aruba partner you can work with? 


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
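
An added example, not part of the thread and not Aruba tooling: a Python check over a master/local pair of config snippets for the two problems discussed above, a Master-Local PSK that differs between `localip` and `masterip`, and a `master-redundancy` block on a controller that already has `masterip` set. The sample configs, PSK placeholders and finding codes are constructed, and treating any `localip` key as applicable to the local is a simplifying assumption.

```python
import re

# Constructed sample snippets; the PSKs are placeholders, not real keys.
MASTER_CFG = "localip 0.0.0.0 ipsec EXAMPLE-PSK-1\n"
LOCAL_OK = "masterip 192.168.1.148 ipsec EXAMPLE-PSK-1\n"
LOCAL_BAD = """\
masterip 192.168.1.148 ipsec "EXAMPLE-PSK-2"
master-redundancy
master-vrrp 150
peer-ip-address 192.168.1.148
!
"""

# Matches: localip <ip> ipsec <key>   /   masterip <ip> ipsec <key>
PSK_LINE = re.compile(
    r'^[ \t]*(localip|masterip)[ \t]+(\S+)[ \t]+ipsec[ \t]+"?([^"\s]+)"?[ \t]*$',
    re.MULTILINE,
)
REDUNDANCY = re.compile(r"^[ \t]*master-redundancy[ \t]*$", re.MULTILINE)


def parse(cfg):
    """Collect the role-related statements from one controller's config text."""
    found = {"localip": [], "masterip": [], "master_redundancy": False}
    for kind, ip, key in PSK_LINE.findall(cfg):
        found[kind].append((ip, key))
    found["master_redundancy"] = bool(REDUNDANCY.search(cfg))
    return found


def check_pair(master_cfg, local_cfg):
    """Return finding codes for a master/local pair; keys are never echoed."""
    master, local = parse(master_cfg), parse(local_cfg)
    findings = []
    # A controller pointed at a master (masterip) is a local; the thread shows
    # master-redundancy being rejected on it.
    if local["masterip"] and local["master_redundancy"]:
        findings.append("role-conflict")
    if not master["localip"]:
        findings.append("master-missing-localip")
    master_keys = {key for _, key in master["localip"]}
    # Assumption: any localip entry may apply to this local (0.0.0.0 = any).
    if master_keys and any(k not in master_keys for _, k in local["masterip"]):
        findings.append("psk-mismatch")
    return findings


if __name__ == "__main__":
    print(check_pair(MASTER_CFG, LOCAL_OK))
    print(check_pair(MASTER_CFG, LOCAL_BAD))
```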
Occasional Contributor II

Re: how can i get the IPsec preshared key of the master controller

Hi Zalion,

Thank you for your answer. Honestly, I don't know about an Aruba partner because I'm new at the company and need to check that.

I have a last question, if you don't mind.

Right now I have the master-local setup working fine and I have all the APs connected to the master controller.

If I go to the LMS AP and do the following:

LMS IP = IP address of the master

Backup LMS IP = IP address of the local

Does that mean that if the master fails, the APs will reboot and switch over to the local controller? Thank you so much.

MVP Guru

Re: how can i get the IPsec preshared key of the master controller

It will do; however, if you look at the HA Fast Failover options, the AP will build a standby tunnel to the secondary controller and not require a reboot during failover.

ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)