Thanks guys - I tried to use the backup LMS method, but for some reason the APs cannot connect to the VMC. I set up the following:
"Prod" AP group - Master LMS=MC, Backup LMS=VMC
"Lab" AP group - Master LMS=VMC, Backup LMS=MC
The AP in the Lab AP group does not come up at all, and the Prod APs do not fail over if I kill the power to the MC.
Checking logs on the VMC, I see errors about IPSEC. Another thread suggested enabling a self-signed cert, but that did not seem to help. Any ideas?
Jun 3 20:27:31 isakmpd[5482]: <103103> <5482> <WARN> |ike| 172.16.0.24:4500-> IKE SA Deletion: IKE2_delSa peer:172.16.0.24:4500 id:3531498362 errcode:OK saflags:0x10000051 arflags:0x5
Jun 3 20:27:31 isakmpd[5482]: <103103> <5482> <WARN> |ike| 172.16.0.24:4500-> IPSec SA Deletion: IPSEC_delSa SPI:24365900 OppSPI:178ef900 Dst:172.16.0.24 Src:172.16.0.112 flags:1001 dstPort:0 srcPort:0
Jun 3 20:27:35 sapd[2628]: <311002> <WARN> |AP Attic-215-ex2200@172.16.0.24 sapd| Rebooting: Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_ISAKMP_N_CERT_ROOTCA_VERIFY_FAILED