APs fail to reconnect to controller

We have an issue where APs which have lost connection to the controller for some reason will not reconnect. If the AP is rebooted (i.e. reset PoE on the switchport) then it connects without issue, but if, for example, the switch loses its uplink to the core (causing all attached APs to go down) and the uplink is then re-established, the APs never return to UP state until they are fully rebooted.

This only occurs for APs that are connecting to the controller through the Fortigate firewall. I have tried permitting ALL traffic from the AP subnet to both controller IPs and the VRRP IP. Firewall logs report nothing blocked.

The 2 x 7205 controllers are configured in fast failover HA group and "show ap database" shows AP connections to both controllers.

Troubleshooting has determined that this only occurs when a Backup-LMS IP is set in the AP system profile. By removing the Backup-LMS this problem does not occur and APs are able to reconnect as expected, so in that sense the problem is solved; however, I am trying to understand why this is so.

I realise the Backup-LMS setting is not required for AP fast failover but have typically configured it anyway thinking it does no harm to have it there. I have done packet captures on the FW and can see the behaviour is different in each case but cannot discern the reason. Thanks!

Re: APs fail to reconnect to controller

After some more digging I found this http://community.arubanetworks.com/t5/Wireless-Access/clarification-on-Master-Redundancy-and-Fast-Failover/td-p/201607

which describes a very similar situation, although in this case not involving a firewall.

The marked "Solution" confirms my findings, i.e. remove the Backup-LMS and it works, but doesn't say why, and many other posts around this subject refer to including Backup-LMS in a HA Fast Failover config in case of AP reboot whilst primary LMS is down. There does appear to be a great deal of confusion around choosing/combining VRRP, master/master redundancy, HA fast failover and LMS/Backup-LMS, without much clarity and in some cases with contradictory information.

FYI my controllers are running

Master Redundancy VRRP w/IPSec and HA Group with both controllers set as Dual.


As a final test I decided to try using the other controller as the LMS (and no Backup LMS set) and got the same result... AP never comes up.


Re: APs fail to reconnect to controller

OK I figured it out...

The problem is to do with the limitations of Aruba’s different HA modes depending on the controller role. The site has two controllers configured as Master and Backup Master. In a large Aruba deployment there would also be a number of Local controllers each terminating a number of APs but in smaller deployments this is not required and so the Master and Backup Master also serve as Locals.

Here’s the problem… In a Master/Backup Master topology, only the Master can function as an Active Local (terminating APs) and the Backup Master can function as a Standby Local in an AP Fast Failover HA Group, even though both members of the HA group are configured as “Dual”.

This could be overcome by switching to a Master/Local redundancy topology but that would leave the Master role vulnerable to single controller failure so for small HA deployments (i.e. only two controllers) Master/Backup Master is recommended.

What is not clear in Aruba’s documentation is how this affects AP Fast Failover HA, and more to the point... how to configure it correctly so it works!

The AP System Profile has entries for LMS (Local Controller) and Backup LMS. Backup LMS refers to an older legacy form of Local redundancy which has nothing to do with AP Fast Failover. AP Fast Failover does not require Backup LMS to be set, because the standby Local controller comes from the HA Group configuration and not from the Backup LMS setting. Backup LMS can still be set, but here we run into conflicts. Remember that we have a Master/Backup Master topology in which the Backup Master cannot terminate active AP sessions.

So what happens if Backup LMS is set and the AP loses connectivity?

It takes this as a failure of the (Primary) LMS and attempts to reconnect an active session to the Backup LMS, and can’t succeed because the Backup LMS only accepts standby sessions. The AP never tries to go back to the (Primary) LMS and never reconnects.


The correct configuration in this topology is to LEAVE BLANK the Backup LMS setting. 


Now in normal boot, the AP connects an active session to the (Primary) LMS and a standby session to the other LMS (as defined in the HA Group). A failure of the (Primary) LMS will initiate failover to the Standby. A loss of communication to BOTH controllers, e.g. switch loses uplink to core, will not cause the AP to attempt active connection to an invalid controller but will simply reconnect to the configured LMS when connectivity is restored.
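
An added example, not part of the original posts or of Aruba's tooling: a small Python check that flags AP system profiles with a Backup LMS set on a controller running Master/Backup Master redundancy, the combination this thread identifies as preventing reconnection. The config keywords and all sample values are assumptions modelled on ArubaOS 6.x running-config syntax; check them against your own `show running-config` output.

```python
import re

# Constructed sample in ArubaOS 6.x running-config style (not from the thread).
SAMPLE_CONFIG = """\
master-redundancy
  master-vrrp 10
  peer-ip-address 192.0.2.12 ipsec EXAMPLEKEY
!
ha group-profile "site-ha"
  controller 192.0.2.11 role dual
  controller 192.0.2.12 role dual
!
ap system-profile "branch-aps"
  lms-ip 192.0.2.11
  bkup-lms-ip 192.0.2.12
!
ap system-profile "fixed-aps"
  lms-ip 192.0.2.11
!
"""

def parse_blocks(config):
    """Return [(header, {keyword: [arguments, ...]})] for each top-level block."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # blank lines and '!' separators carry no settings
        if not line[0].isspace():
            blocks.append((line.strip(), {}))  # unindented line opens a block
        elif blocks:
            key, _, rest = line.strip().partition(" ")
            blocks[-1][1].setdefault(key, []).append(rest)
    return blocks

def audit_backup_lms(config):
    """List (profile, bkup-lms-ip) pairs that conflict with master redundancy."""
    blocks = parse_blocks(config)
    if not any(header == "master-redundancy" for header, _ in blocks):
        return []  # no Master/Backup Master pair, so the conflict does not apply
    findings = []
    for header, body in blocks:
        m = re.fullmatch(r'ap system-profile "?([^"]+)"?', header)
        if m and body.get("bkup-lms-ip"):
            findings.append((m.group(1), body["bkup-lms-ip"][0]))
    return findings

if __name__ == "__main__":
    for profile, ip in audit_backup_lms(SAMPLE_CONFIG):
        print(f'{profile}: bkup-lms-ip {ip} set; leave blank in this topology')
```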


