Wireless Access


AOS 8.4.0.4 AP fast-failover master - standby controller

  • 1.  AOS 8.4.0.4 AP fast-failover master - standby controller

    Posted Aug 02, 2019 08:46 AM

    Hi all,

     

    We have a problem on ArubaOS version 8.4.0.4.

    We replaced lots of Cisco WiFi controllers and APs with Aruba controllers and APs.

    We do not have an MM, just two 7205s and about 100+ APs at each place.

    We are trying to set up a "Standalone MC with Master Redundancy": https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-8-Fundamentals-Guide/ta-p/428914 (page 197)

     

    We made the configuration (VRRP, master redundancy, database synchronization, HA group) and then configured the AP group with the LMS IP address (master) and the backup IP address (standby) (+ 4 SSIDs),

    but after provisioning an AP:

    on master :

    (EUR0100CW001-1) [mynode] #show ap database status up

    AP Database
    -----------
    Name          Group    AP Type  IP Address   Status         Flags  Switch IP    Standby IP
    ----          -----    -------  ----------   ------         -----  ---------    ----------
    EUR1009AP081  default  345      10.16.4.179  Up 3h:41m:11s  2      10.16.1.251  0.0.0.0

    (EUR0100CW001-1) [mynode] #show datapath tunnel

    +----+-------+-----------------------------------------------------+
    |SUM/|       |                                   |                 |
    |CPU |  Addr | Description                                   Value |
    +----+-------+-----------------------------------------------------+
    |    |       |                                                     |
    | G  | [000] | Current Entries                                  21 |
    | G  | [002] | High Water Mark                                  23 |
    | G  | [003] | Maximum Entries                               12288 |
    | G  | [004] | Total Entries                                    47 |
    | G  | [007] | Max link length                                   1 |
    +----+-------+-----------------------------------------------------+

    Datapath Tunnel Table Entries
    -----------------------------

    Flags: E - Ether encap,  I - Wi-Fi encap,  R - Wired tunnel,  F - IP fragment OK
           W - WEP,  K - TKIP,  A - AESCCM,  G - AESGCM,  M - no mcast src filtering
           S - Single encrypt,  U - Untagged,  X - Tunneled node,  1(cert-id) - 802.1X Term-PEAP
           2(cert-id) - 802.1X Term-TLS,  T - Trusted,  L - No looping, d - Drop Bcast/Unknown Mcast,
           D - Decrypt tunnel,  a - Reduce ARP packets in the air, e - EAPOL only
           C - Prohibit new calls, P - Permanent, m - Convert multicast, B - Bgw peer uplink tunnel
           n - Convert RAs to unicast(VLAN Pooling/L3 Mobility enabled), s - Split tunnel
           V - enforce user vlan(open clients only), x - Striping IP, z - Datazone
           H - Standby (HA-Lite), u - Cluster UAC tunnel, b - Active AAC tunnel, t - Cluster s-AAC tunnel
           c - IP Compression, g - PAN GlobalProtect Tunnel, w - Tunneled Node Heartbeat
           B - Cluster A-SAC Mcast, G - Cluster S-SAC Mcast, l - Tunneled Node user tunnel
           f - Static GRE Tunnels, k- keepalive enabled, Y - Convert BC/MC to Unicast

     #          Source       Destination    Prt  Type  MTU   VLAN       Acls                    BSSID          Decaps     Encaps   Heartbeats Flags            EncapKBytes  DecapKBytes
    ------  --------------  --------------  ---  ----  ----  ---- -----------------------  ----------------- ---------- ---------- ---------- --------------- ------------- -----------
    20      10.16.5.251     10.16.4.179     47   8230  1500  349  0   0    2    0    0     48:4a:e9:c1:e8:73          0          0          0 IMASPab 
    18      10.16.5.251     10.16.4.179     47   8210  1500  321  0   0    2    0    0     48:4a:e9:c1:e8:71          0          0          0 IMASPab 
    22      SPIC1024800 in  10.16.1.251     50   IPSE  1500  0    routeDest 0067     0                             2708          0            Tc                0           0
    19      10.16.5.251     10.16.4.179     47   8220  1500  306  0   0    2    0    0     48:4a:e9:c1:e8:72          0          0          0 IMASPab 
    17      10.16.5.251     10.16.4.179     47   8200  1500  200  0   0    12   0    0     48:4a:e9:c1:e8:70          0          0          0 IMSPab 
    14      SPICF8AC000out  10.16.4.179     50   IPSE  1500  0    routeDest 0067     0                                0        456                              0           0
    15      SPI897A8100out  10.16.1.252     50   IPSE  1500  0    routeDest 0064     0                                0       2674            Tc                0           0
    11      10.16.5.251     10.16.4.179     47   8320  1500  306  0   0    2    0    0     48:4a:e9:c1:e8:62          0          0          0 IMASPab 
    21      10.16.5.251     10.16.4.179     47   8300  1500  200  0   0    12   0    0     48:4a:e9:c1:e8:60          0          0          0 IMSPab 
    23      SPI006DF300 in  10.16.5.251     50   IPSE  1500  0    routeDest 0000     0                             1790          0                              0           0
    13      10.16.5.251     10.16.4.179     47   8330  1500  349  0   0    2    0    0     48:4a:e9:c1:e8:63          0          0          0 IMASPab 
    12      10.16.5.251     10.16.4.179     47   8310  1500  321  0   0    2    0    0     48:4a:e9:c1:e8:61          0          0          0 IMASPab 
    16      10.16.5.251     10.16.4.179     47   9000  1500  0    0   0    0    0    0     48:4a:e9:c4:1e:86      10069          0       9901 TES 
    (EUR0100CW001-1) [mynode] #

     

    (9 tunnels: 4 SSIDs x2 + 1 management) ==> seems OK


    on Standby :


    (EUR0100CW001-2) [mynode] #show ap database

    AP Database
    -----------
    Name  Group  AP Type  IP Address  Status  Flags  Switch IP  Standby IP
    ----  -----  -------  ----------  ------  -----  ---------  ----------

    Flags: 1 = 802.1x authenticated AP use EAP-PEAP; 1+ = 802.1x use EST; 1- = 802.1x use factory cert; 2 = Using IKE version 2
           B = Built-in AP; C = Cellular RAP; D = Dirty or no config
           E = Regulatory Domain Mismatch; F = AP failed 802.1x authentication
           G = No such group; I = Inactive; J = USB cert at AP; L = Unlicensed
           M = Mesh node
           N = Duplicate name; P = PPPoe AP; R = Remote AP; R- = Remote AP requires Auth;
           S = Standby-mode AP; U = Unprovisioned; X = Maintenance Mode
           Y = Mesh Recovery
           c = CERT-based RAP; e = Custom EST cert; f = No Spectrum FFT support
           i = Indoor; o = Outdoor; s = LACP striping; u = Custom-Cert RAP; z = Datazone AP
           p = In deep-sleep status

    Total APs:0
    (EUR0100CW001-2) [mynode] #show datapath tunnel
    tunnel                  Datapath tunnel table
    tunnel-group            Datapath tunnel-group

    (EUR0100CW001-2) [mynode] #show datapath tunnel
    counters                Datapath tunnel statistics
    encaps                  Datapath encapsulation statistics verbose
    heartbeat               Datapath heartbeat tunnel only
    ipv4                    Datapath IPv4 tunnel entries
    ipv6                    Datapath IPv6 tunnel entries
    station-list            Datapath list of stations on tunnel
    table                   Datapath tunnel entries
    tunnel-id               Datapath tunnel FIB for given tunnel index
    verbose                 Datapath tunnel internal detail
    |                       Output Modifiers
    <cr>

    (EUR0100CW001-2) [mynode] #show datapath tunnel

    +----+-------+-----------------------------------------------------+
    |SUM/|       |                                   |                 |
    |CPU |  Addr | Description                                   Value |
    +----+-------+-----------------------------------------------------+
    |    |       |                                                     |
    | G  | [000] | Current Entries                                  10 |
    | G  | [002] | High Water Mark                                  21 |
    | G  | [003] | Maximum Entries                               12288 |
    | G  | [004] | Total Entries                                    27 |
    | G  | [007] | Max link length                                   1 |
    +----+-------+-----------------------------------------------------+

    Datapath Tunnel Table Entries
    -----------------------------

    Flags: E - Ether encap,  I - Wi-Fi encap,  R - Wired tunnel,  F - IP fragment OK
           W - WEP,  K - TKIP,  A - AESCCM,  G - AESGCM,  M - no mcast src filtering
           S - Single encrypt,  U - Untagged,  X - Tunneled node,  1(cert-id) - 802.1X Term-PEAP
           2(cert-id) - 802.1X Term-TLS,  T - Trusted,  L - No looping, d - Drop Bcast/Unknown Mcast,
           D - Decrypt tunnel,  a - Reduce ARP packets in the air, e - EAPOL only
           C - Prohibit new calls, P - Permanent, m - Convert multicast, B - Bgw peer uplink tunnel
           n - Convert RAs to unicast(VLAN Pooling/L3 Mobility enabled), s - Split tunnel
           V - enforce user vlan(open clients only), x - Striping IP, z - Datazone
           H - Standby (HA-Lite), u - Cluster UAC tunnel, b - Active AAC tunnel, t - Cluster s-AAC tunnel
           c - IP Compression, g - PAN GlobalProtect Tunnel, w - Tunneled Node Heartbeat
           B - Cluster A-SAC Mcast, G - Cluster S-SAC Mcast, l - Tunneled Node user tunnel
           f - Static GRE Tunnels, k- keepalive enabled, Y - Convert BC/MC to Unicast

     #          Source       Destination    Prt  Type  MTU   VLAN       Acls                    BSSID          Decaps     Encaps   Heartbeats Flags            EncapKBytes  DecapKBytes
    ------  --------------  --------------  ---  ----  ----  ---- -----------------------  ----------------- ---------- ---------- ---------- --------------- ------------- -----------
    19      SPIC1024800out  10.16.1.251     50   IPSE  1500  0    routeDest 0064     0                                0       3227            Tc                0           0
    11      SPI897A8100 in  10.16.1.252     50   IPSE  1500  0    routeDest 0067     0                             3181          0            Tc                0           0
    (EUR0100CW001-2) [mynode] #

    As you can see, we do not see the standby tunnel, only the tunnels between master and standby.

     

    Is what we are trying to do correct on 8.4?


    Do you have any idea how to get the standby tunnel up?

     

    Thanks in advance
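
The check done by eye in the post above (count the AP's GRE tunnels on each controller and look for a standby tunnel) can be scripted when there are 100+ APs. This is an added example, not part of the original post and not Aruba tooling: it parses `show datapath tunnel` rows and reports, per AP, how many GRE tunnels exist and how many carry the `H` (Standby, HA-Lite) flag from the legend. The sample rows are copied from the post; the function names and the reading of the Destination column as the AP address are assumptions.

```python
import re
from collections import defaultdict

MAC = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Rows copied (trimmed) from the "show datapath tunnel" output in the post.
MASTER_SAMPLE = """\
20      10.16.5.251     10.16.4.179     47   8230  1500  349  0   0    2    0    0     48:4a:e9:c1:e8:73          0          0          0 IMASPab
22      SPIC1024800 in  10.16.1.251     50   IPSE  1500  0    routeDest 0067     0                             2708          0            Tc                0           0
17      10.16.5.251     10.16.4.179     47   8200  1500  200  0   0    12   0    0     48:4a:e9:c1:e8:70          0          0          0 IMSPab
16      10.16.5.251     10.16.4.179     47   9000  1500  0    0   0    0    0    0     48:4a:e9:c4:1e:86      10069          0       9901 TES
"""
STANDBY_SAMPLE = """\
19      SPIC1024800out  10.16.1.251     50   IPSE  1500  0    routeDest 0064     0                                0       3227            Tc                0           0
11      SPI897A8100 in  10.16.1.252     50   IPSE  1500  0    routeDest 0067     0                             3181          0            Tc                0           0
"""

def gre_tunnels(output):
    """Yield (ap_ip, tunnel_type, flags) for each GRE (protocol 47) row."""
    for line in output.splitlines():
        tok = line.split()
        if len(tok) < 13 or not tok[0].isdigit() or tok[3] != "47":
            continue  # banner, legend and IPsec (protocol 50) rows
        mac_at = next((i for i, t in enumerate(tok) if MAC.match(t)), None)
        if mac_at is None:
            continue
        # Flags follow the Decaps/Encaps/Heartbeats counters and may be empty.
        flags = tok[mac_at + 4] if len(tok) > mac_at + 4 else ""
        if flags.isdigit():  # a byte counter, not a flag string
            flags = ""
        yield tok[2], tok[4], flags  # assumption: Destination is the AP

def summarize(output):
    """Per AP: GRE tunnel count and how many carry H (Standby, HA-Lite)."""
    aps = defaultdict(lambda: {"gre": 0, "standby": 0})
    for ap_ip, _type, flags in gre_tunnels(output):
        aps[ap_ip]["gre"] += 1
        aps[ap_ip]["standby"] += "H" in flags
    return dict(aps)

if __name__ == "__main__":
    print("master :", summarize(MASTER_SAMPLE))
    print("standby:", summarize(STANDBY_SAMPLE))
```

An empty result for the standby controller's output matches what the post reports: only the IPsec tunnels between the two controllers are present there.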



  • 2.  RE: AOS 8.4.0.4 AP fast-failover master - standby controller

    EMPLOYEE
    Posted Aug 02, 2019 08:52 AM

    You should not use FAST FAILOVER with a Master/Standby combination.  You should just point the LMS-IP at the VRRP between the controllers and do not configure fast failover.

     

    Why should you not configure fast failover?  Because in a master/standby situation, the VRRP between controllers determines when the standby server is active and can accept APs.

     



  • 3.  RE: AOS 8.4.0.4 AP fast-failover master - standby controller

    Posted Aug 02, 2019 10:38 AM

    Hi, thank you for the reply.

     

    So what is the "good" way to do fast failover in our situation?

     

    If we test the failover in the configuration we use for now, we get this:

     

    * stop the master: one minute before the AP goes to the standby.

    * boot the master: five minutes before the AP changes back to the master (after the reboot ends)

     

    We can have a "blackout" on the WiFi, but no more than one/two minutes.

     

    Regards 

     



  • 4.  RE: AOS 8.4.0.4 AP fast-failover master - standby controller

    EMPLOYEE
    Posted Aug 02, 2019 03:26 PM

    - Remove the fast failover configuration

    - Point the LMS-IP of that ap-group to the ip address of the VRRP.

     

    It should not take a minute to fail over in the above scenario.



  • 5.  RE: AOS 8.4.0.4 AP fast-failover master - standby controller



  • 6.  RE: AOS 8.4.0.4 AP fast-failover master - standby controller

    Posted Nov 13, 2019 04:05 AM

    Hello,

     

    Did you end up deploying this in production? If yes, have you seen any caveats with that?

    According to my test it works fine (without Fast Failover), but I want to make sure it's working as expected (Active/Standby with minute+ failover time) before suggesting this to customers who have few APs and can't afford MM licenses.

     

    Regards.