Wireless Access

Hello 

I'm building a HA scenario using HA and VRRP but I'm not able to see the user-table on the standby controller. I also testing to reboot the master controller and I'm losing the connectivity from the clients, I odn't even see the SSID during the reboot. I run 6.5.0.3. Can I get some direction from the community to look into to narrow down the issue?

Here you have some outputs from the Active and Standby:

Active
(EU-WLAN03) # show ha group-profile HA-MM
HA group information "HA-MM"
----------------------------
Parameter Value
--------- -----
Preemption Enabled
Over-subscription Disabled
State Synchronization Enabled
Pre-shared Key ********
Inter Controller heartbeat Enabled
Heartbeat Threshold 5
Heartbeat Interval 100
HA group-member IP address 172.20.9.214 dual
HA group-member IP address 172.20.9.215 dual
HA group-member IPv6 address N/A

(EU-WLAN03) #show vrrp

Virtual Router 20:
Description MASTER-VRRP
Admin State UP, VR State MASTER
IP Address 172.20.9.213, MAC Address 00:00:5e:00:01:14, vlan 298
Priority 255, Advertisement 1 sec, Preemption Disable Delay 0
Auth type PASSWORD, Auth data: ********
tracking is not enabled

Standby
(EU-WLAN04) #show ha ap table

HA AP Table
-----------
AP IP-Address MAC-Address AP-flags HA-flags
-- ---------- ----------- -------- --------
18:64:XX:XX:XX:XX 172.20.216.51 18:64:XX:XX:XX:XX SLU H

 

 

Client State synchronization refers to the PMK cache entries that are synchronized from the active to the standby controller for 802.1x clients.  When 802.1x clients fail over, they will just do a 4-way handshake instead of a full radius reauthentication, which saves quite a bit of time and considerably reduces the hit that a radius server would take during a failover.  The user table is NOT synchronized to the standby controller.

Thanks for the clarification. So then, that is not the reason of my problem during the failover which is not working.

During the reboot of the Activate controller the AP is not connected on the Standby controller

(EU-WLAN04) #show ha ap table

HA AP Table
-----------
AP  IP-Address  MAC-Address  AP-flags  HA-flags
--  ----------  -----------  --------  --------

Total Num APs::0
Active APs::0
Standby APs::0
AP Flags: R=RAP; S=Standby; s=Bridge Split VAP L=Licensed; M=Mesh, U=Up
HA Flags: S=Standby, C=Standby connected, L=LMS, F=Sent Failover Request to AP, H=AP flaged for Inter Controller Heartbeat

 

As soon as the primary is up, I can see the AP on both controllers. By the way, on the ap system-profile I don't have any LMS and BKUP ip address, if I add this setup, the AP is shown on the controllers as "dirty"

Thanks

I make some progress wiping my test AP and configuring option 43 pointing to the VRRP IP via DHCP and adding the lms ans bckp-lms IP on the AP system profile but the scenario is still unpredictable and it doesn't work after rebooting the master controller. The standby tunnel from the AP on the second control becomes active and takes over the traffic but after the primary master controller is available again and the AP tunnel returns to this controller , the standby AP tunnel disappear. I see some bugs even on the early code 6.5.1.

I've been running 6.5.1 on HA in a production enviroment and so far has been stable wihout anyproblems. Standby controller has kept the AP tunnels all the time. Looking at the 6.5.1 Release Notes , I can see the two bugs 129692 138741 describing the issue Ive been facing.

I always use GA versions but in my enviroment I have several 7210 controllers so I might need to jump to ED instead.

I have a similar problem and would like to read the bug reports you mention in your post. Where can I view these?

I running version 6.5.1.6 FIPS.  When the Backup controller become active the APs show active in the database and the SSID is broadcast, however the client drop their connection and when trying to re-connect they get invaild PSK. Enter the correct PSK and still cannot connect. 

That sounds like your configurations are not in sync.  Do you have the second controller configured as a backup master or a local?

Second controller is configured as a local. Prior to fail-over I check the database sync and it was fine.


IMPORTANT NOTICE: This message may contain privileged and confidential information and is intended only for the individual(s) named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

"show switches" on the master would tell you if the configuration has synchronized between the two devices.  The database sync does not come into play with regards to configuration synchronization.

 

If a SSID is up on an AP but it rejects the psk, then the configurations are not the same.  If the PSK is accepted but the client does not get an ip address, you need to make sure that on the local controller the vlans are defined and connected to subnets that provide ip addresses.

 

I would make the backup controller the LMS-ip to test to make sure the APs can even come up on the backup controller successfully before trying to implement HA.

I though the database and configuration were the same. I did the 'show switches" and yes the configuration are in sync.


(xxxxxxx) #show switches

All Switches
------------
IP Address Name Location Type Model Version Status Configuration State Config Sync Time (sec) Config ID
---------- ---- -------- ---- ----- ------- ------ ------------------- ---------------------- ---------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx master Aruba7210 6.5.1.6-FIPS_60229 up UPDATE SUCCESSFUL 0 2
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx standby Aruba7210 6.5.1.6-FIPS_60229 up UPDATE SUCCESSFUL 9


I try the fail-over test on another set of controller and got the same result. I guess it is time to open a TAC case.

IMPORTANT NOTICE: This message may contain privileged and confidential information and is intended only for the individual(s) named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

Did you try to enable debugging for any of the users on the second controller to see what was wrong?  Did you also type "show ap active" on the second controller to see if the access points are active on that controller?

 

config t

logging level debugging user

 

[failover]

 

Show log user 50

Is it normal WiFi device get 4 packets lost when master controller reboot?

 

Thanks

 

Master Controller

My config

master-redundancy
  master-vrrp 1
  peer-ip-address 172.16.200.22 ipsec
!
vrrp 1

  authentication
  priority 110
  ip address 172.16.200.20
  vlan 1
  no shutdown

!

 

ha group-profile "HA"
   preemption
   state-sync
   pre-shared-key
   heartbeat
   controller 172.16.200.21 role dual
   controller 172.16.200.22 role dual
!

 

ap system-profile "default"
   lms-ip 172.16.200.21
   bkup-lms-ip 172.16.200.22

!

 

Standy Controller

master-redundancy
  master-vrrp 1
  peer-ip-address 172.16.200.21 ipsec
!
vrrp 1
  authentication
  ip address 172.16.200.20
  vlan 1
  no shutdown
!

You should not have HA configured on top of Master Redundancy.  Please remove the HA configuration.  Why?  The backup controller will not allow you to terminate APs on it, unless it is in control of the VRRP.  HA uses a different mechanism (heartbeats)  and conflicts with master redundancy.

 

IP helper address was missing on the VLAN interface. We recent change the DHCP IP address, the helper was added to the master controller and not the standby. Fail-Over works fine now.


Thanks for you assistance.

IMPORTANT NOTICE: This message may contain privileged and confidential information and is intended only for the individual(s) named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.