Security

Hi,

We have 2 controllers 7210 model and we configure it as active/standby using vrrp. OS version running in both controller is 6.4.2.4. The problem is the vrrp status in the master controller it says the vrrp VR state is Master for a specific vlan on the backup the status is also Master. So it quite confusing because backup should be in backup state. Then with this status when will do ping test for both SVI of the 2 controller we cannot able to ping. We check the ip interface and all looks good and UP. Below is the status of the VRRP of both master and backup.

Controller VRRP status:

Virtual Router 102:
    Description
    Admin State UP, VR State MASTER
    IP Address 10.208.2.5, MAC Address 00:00:5e:00:01:66, vlan 102
    Priority 110, Advertisement 1 sec, Preemption Enable Delay 30
    Auth type PASSWORD, Auth data: ********
    tracking type is master-up-time, duration 30 minutes, value 20
    tracked priority 130

Controller 2 VRRP status:

Virtual Router 102:
    Description
    Admin State UP, VR State MASTER
    IP Address 10.208.2.5, MAC Address 00:00:5e:00:01:66, vlan 102
    Priority 100, Advertisement 1 sec, Preemption Enable Delay 30
    Auth type PASSWORD, Auth data: ********
    tracking type is master-up-time, duration 30 minutes, value 20
    tracked priority 120

So the controllers cannot ping each other on this VLAN? Are you sure your upstream switch is correctly configured? If you plug a cable directly between the controllers on this VLAN/port does the VRRP work correctly?

VRRP required L2 connectivty between the two hosts on each VLAN you want to have a virtual IP in. In they controllers cannot see each other on that VLAN, they wont be able to work with VRRP correctly.

Can you see arp entries in controller 1 for the IP on controller 2?

Check your upstream swtich to ensure the packets are allowed between the controllers, or test with a directly connected cable to ensure the interface is working in that case.

_ELiasz

yes tried to connect the controller directly to the back controller and got same results. VIP was already correctly configured in both controllers. Uplinks has same configuration and also on the core switcg. Then during your test we notice that on both controllers the user affair and we notice that from the master controller the user got the right role and authenticated but on the backup controller user got initial role and not authenticated so now when the user browse to the internet it keeps redirecting to the CP page.

Yes I can see arp entries in both controllers and it looks good.

Yes all has same vrrp password

If you run the show switches command what do you see?

Also can you post the result of show master-redundancy.

Cheers

James

Having the same issue.  Please post if you find the fix.  I will do the same.  I can only ping the SVI interfaces of controller 2 if I power off controller 1 and 2 becomes the active.  Like you some of my interfaces on coontroller 2 are active and some are in backup.  On controller 1 they are all active.

ascott,

Can you ping the management addresses of both controllers from a third wired location?

Here are the results for the "show switches and show master-redundancy"

Master controller:

All Switches
------------
IP Address     Name                Location                 Type     Model      Version        Status  Configuration State  Config Sync Time (sec)  Config ID
----------     ----                --------                 ----     -----      -------        ------  -------------------  ----------------------  ---------
10.x.x.192  Aruba7210-01             US                     master   Aruba7210  6.4.2.4_48122  up      UPDATE SUCCESSFUL    0                       2
10.x.x.193   Aruba7210-02           Building1.floor1         standby  Aruba7210  6.4.2.4_48122  up      UPDATE SUCCESSFUL    16                      2

Master redundancy configuration:
    VRRP Id 10 current state is MASTER
    Peer's IP Address is 10.x.x.193
    Peer's IPSEC Key is ********

Backup Controller:

All Switches
------------
IP Address     Name                Location          Type     Model      Version        Status  Configuration State  Config Sync Time (sec)  Config ID
----------     ----                --------          ----     -----      -------        ------  -------------------  ----------------------  ---------
10.x.x.193  Aruba7210-02         Building1.floor1  standby  Aruba7210  6.4.2.4_48122  up      UPDATE SUCCESSFUL    0                       2

Master redundancy configuration:
    VRRP Id 10 current state is BACKUP
    Peer's IP Address is 10.x.x.192
    Peer's IPSEC Key is ********

Joe1979,

Don't mean to hi-jack your post but my issue seems very very close to yours and with the help of Harri from support we were able to figure out my issue.  In my case it turned out to be an issue with the vlans no defined on the core switch.I had some vlans defined and some not but all trunked to the controllers.  The ones that were defined on the switch I was able to ping the VRRP IP and two SVI IPs and the VRP was in the correct state.  The ones that were not defined VRRP was master on both controllers and I could not ping the SVI IPs on the backup controller.

This was discoved bty looking at the switch and we noticed the vlans that were not working had a different root bridge.  Just added the command "VLAN x" to the switch for each vlan and everything started working as expected.

Also just in case this helps others my interfaces are untrusted.  So I also needed to add an ACL to the initial login role to allow the VRRP protocol "112"