Hello Friends,
Recently I have configured Master Redundancy + HA Failover with CPSec turned on. VRRP and Master Redundancy were OK: show vrrp and show master-redundancy displayed correct states (UP) and roles for both master controllers (Master/Backup).
HA was verified: show ha ap table and show ap database displayed APs with correct flags (LU/SLU and -/S respectively).
show license server-redundancy showed central licensing was ok.
I have discovered that with CPSec enabled, HA failover did not work, due to a problem with the Clustering configuration. Disabling CPSec makes it work OK.
But while the controllers were in Master-Redundancy, I was not able to correct the CPSec Cluster configuration on the Backup. So I disabled master-redundancy, rebooted the Backup master so it could become a standalone master, and reconfigured the CPSec Cluster as follows:
1. I have configured both controllers with their respective Cluster roles:
- on Root (Preferred-Master/Active): cluster-member-factory-cert member-mac <member-mac>
- on Member (Backup-Master/Standby): cluster-root-ip <root-ip> ipsec-factory-cert root-mac <root-mac>
MAC addresses were taken from show inventory output of each respective wlc.
2. show cluster-config and show cluster-switches showed correct output for each controller.
3. Then I enabled Master-Redundancy again, but after a while I noticed that the Cluster configuration in show run on the Backup-Master was overwritten with the command from the Active-Master. I expected to see the cluster-root-ip <root-ip> ipsec-factory-cert root-mac <root-mac> command in the Backup-Master's config, but instead there was only cluster-member-factory-cert member-mac <member-mac>!
Of course, output from show cluster-switches on both controllers was empty because CPSec Cluster was no longer working and HA could not work properly.
There is an AMP configured on both controllers, but they are in Monitor Mode.
What did I do wrong? How can I prevent the Master from overwriting the CPSec Cluster config on the Backup?
#6.5