We are planning to enable CPSec for a customer, they have a VRRP Master pair and 2 local controllers running HA Fast-failover.
Currently their LMS profile and site DHCP Option 43 are pointing to the nearest local controller.
Will the APs ever need to talk to the Master controllers when we enable CPSec?
Also, is there any benefit to using factory certificates for Master->Local IPSec rather than a PSK? Would changing this across the environment require a reboot of any of the controllers and affect client traffic?