Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

  • 1.  6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    Posted Nov 01, 2015 06:30 AM

    Hi Airheads,

    When configuring master VRRP redundancy, it seems that on 6.4.3.4, when using an IPSEC key, master redundancy doesn't work as needed (controllers can't ping each other), but when changing to certificate + MAC everything works like a charm.

     

    *How do u know the VRRP redundancy didn't work = ping doesn't work; when deleting the master redundancy, ping works.

    IPSEC key not working, no pings between controllers; with certificate, pings are working and the two controllers can see each other and are able to communicate with each other as needed.

     

    Has anyone else encountered this issue on 6.4.3.4?

     

    Please advise.

     

    Thanks.

     

    Me



  • 2.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    EMPLOYEE
    Posted Nov 01, 2015 06:36 AM

    kdisc98,

     

    Are you saying that just setting up VRRP does not work?  Master redundancy relies on VRRP being set up first.  After that, you set up master redundancy, and it depends on VRRP to work properly.  What is your VRRP setup in both scenarios?  You should rely on "show switches" from the master to determine if master redundancy is working or not.

     



  • 3.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    Posted Nov 01, 2015 06:45 AM
    That the wired part - VRRP setting working like a charm, but when adding the Master red option in both controllers based on the above VID and with IPSEC key... suddenly no ICMP... changing it to MAC+cert and it's working like a charm.


  • 4.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    Posted Nov 01, 2015 06:56 AM
    VRRP working..
    THE MASTER REDUNDANCY is not working with IPSEC key... causing no ICMP/traffic between controllers.. but when changing it to CERT+MAC the master redundancy is working and everything is working as needed.


  • 5.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    EMPLOYEE
    Posted Nov 01, 2015 07:07 AM

    Why did you configure cert+mac and did you configure that first?



  • 6.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    Posted Nov 01, 2015 07:53 AM
    Nope. First I established the VRRP (VID 216), and then, after seeing that this is working as needed (floating address and everything), I configured the master red based on IPSEC key as always, and I noticed that suddenly I don't have connectivity between the controllers, so I double/triple checked the key with the same results.. changing it to CERT + MAC solved the issue and everything worked again.


  • 7.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    EMPLOYEE
    Posted Nov 01, 2015 07:59 AM

    Changing to cert+mac requires additional setup of the certs.  Did you do all of that?  Nobody really uses cert+mac.  Did you do a "show crypto ipsec sa" or "show switches" and see that it was working with cert+mac?  Just pinging is not necessarily a way to detect that it is working.



  • 8.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    Posted Nov 01, 2015 08:04 AM
    Factory cert doesn't need any extra config (between controllers),
    and on show switches I can see both of them with update successful ... + ICMP is working + all traffic is working.


  • 9.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    Posted Nov 01, 2015 08:08 AM

    2015-10-30_09-59-35.png



  • 10.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    Posted Nov 01, 2015 08:11 AM

    I'm not on site right now, but here is a screenshot

     

    After choosing work with CERT+MAC and not with IPSEC on the master redundancy 2015-11-01_15-10-05.png



  • 11.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    EMPLOYEE
    Posted Nov 01, 2015 08:19 AM

    I would do this on both sides:

     

    config t
    logging level debugging security subcat ike
    logging level debugging security process aaa
    logging level debugging security process authmgr
    logging level debugging security subcat l2tp
    logging level debugging security subcat vpn
    

    Then set up master redundancy with PSK.  Then type "show log security 50" to see why it says it does not come up.

     



  • 12.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    Posted Nov 01, 2015 08:37 AM
    Will do it on my next visit on site (4-11-2015), I will keep this post updated. Thanks for the support so far (Love u :) )


  • 13.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    EMPLOYEE
    Posted Nov 01, 2015 09:01 AM

    It should work with either configuration.  I am not sure where it is failing, but logging the crypto would give us a clue what is happening.

     



  • 14.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    Posted Nov 01, 2015 09:29 AM

    I know... it's not the first VRRP (Master-Master Standby) deployment I'm doing.. Usually IPSEC + KEY does the job.. something strange is happening in this case.

    As I wrote before, I will be on site again in a couple of days and I will debug the crypto stuff and share the info with u guys.

     

    thanks.

     



  • 15.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    EMPLOYEE
    Posted Nov 03, 2015 03:38 AM

    I am facing a similar issue that may or may not be related.  In my case we see the ipsec come up and then a few hours later it stops working.  Rebooting the master fixes.  Removing and readding the master-redundancy config on the master fixes as well sometimes.

     

    Seems like the master just stops responding to the backup after an hour or two, which we see in packet captures.

     

    TAC have said that there was a bug relating to master-local ipsec that exhibited the same symptoms and was fixed in 6.4.4.1.  The customer said that it was not working again, but couldn't confirm if it was immediately after the upgrade.  I have just removed/readded the master-redundancy config on the master and it is now back up, so let's see how it is tomorrow.

     

    kdisc98, your thread is interesting because now I am thinking we should try to see if it is stable with a certificate. 

     



  • 16.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    EMPLOYEE
    Posted Nov 03, 2015 06:54 AM

    Michael_Clarke,

     

    Kdisc98 says it is not working period.



  • 17.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    Posted Nov 03, 2015 07:00 AM

    ? ?

     

    Just tomorrow I will be on site again.. I will be able to confirm if so far the certificate is stable, and I will also debug and check the IPSEC+key thing.

     

     



  • 18.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    EMPLOYEE
    Posted Nov 03, 2015 07:02 AM

    Kdisc98 says that using just the preshared key for Master redundancy is not working at all.  Michael_Clarke says it is working, but after a while it does not work.  For now those should be treated as two separate things.



  • 19.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    EMPLOYEE
    Posted Nov 03, 2015 07:08 AM

    True, they are separate, albeit with some similarities.  Curious to know how you get on tomorrow kdisc98.



  • 20.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    Posted Nov 03, 2015 07:14 AM
    Sure, I will keep u guys updated.

    I have just one thing to add: before leaving my LAB I pre-configured the VRRP master red based on IPSEC + KEY and it worked...

    But when powered back on at the installation site.. it seems only CERT+MAC made the Master VRRP redundancy work. (Doesn't matter how many times I entered the same KEY in both controllers)


  • 21.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    EMPLOYEE
    Posted Dec 03, 2015 04:31 AM
    kdisc98, how did it go when you went back to site?


  • 22.  RE: 6.4.3.4 Master redundancy working only with certificate not with IPSEC key (??)

    Posted Dec 03, 2015 05:47 AM

    So I've been on-site, and the site has already passed to production with the deployment.

    The VRRP master redundancy is still configured and working with certificate. The client didn't let me test if IPSEC will work....

    So.. Sorry, no relevant update.