Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Cluster issues in AOS8.4

  • 1.  Cluster issues in AOS8.4

    Posted Jul 26, 2019 08:39 AM

    I am seeing "unspecified failure" on my laptop when we built a cluster in AOS8.4.

    Once we built the cluster and my client moved, I would get deauthed from the first controller and would not reauth. We were told to use VRRP addresses for the 2-controller cluster. Do the VRRP addresses do anything on the RADIUS server? We don't see the VRRP address in the syslog and only see the deauth coming from the controller IP address. Should the VRRP cluster addresses be added to the RADIUS server list?

    Thank you



  • 2.  RE: Cluster issues in AOS8.4

    EMPLOYEE
    Posted Jul 26, 2019 08:47 AM

    Is your cluster layer 2 connected?

     

    What is the output of "show lc-cluster vlan-probe status"?

     

    In a cluster, the access point should not send deauths to clients.

     

    VRRP addresses for the controller cluster are ONLY for when you are using CoA (most people do not), OR to give the administrator a single IP address to point APs to when they boot up during discovery.

     

    Deauths are layer 2 and should not come from an IP address.



  • 3.  RE: Cluster issues in AOS8.4

    Posted Jul 26, 2019 09:15 AM

    The cluster is layer 2. We took down the cluster to fix the issue with the test laptop being deauthed and not reauthenticating, and as soon as the cluster was removed the test laptops reconnected. This happened on 2 test laptops. We use a VRRP between the controllers for AP connection during boot and use one VRRP per controller in the cluster. Attached is the lc-cluster that was requested.

    Thank you

     



  • 4.  RE: Cluster issues in AOS8.4

    EMPLOYEE
    Posted Jul 26, 2019 09:36 AM

    What is the output of "show lc-cluster exclude-vlan"?



  • 5.  RE: Cluster issues in AOS8.4

    Posted Jul 26, 2019 09:41 AM

    VLANs 9x are guest

    VLANs 10xx are corporate

     



  • 6.  RE: Cluster issues in AOS8.4

    EMPLOYEE
    Posted Jul 26, 2019 09:45 AM

    Why do you have those VLANs excluded?  

    It is quite possible the issue you have is that all of the controllers in your cluster are not trunked for all the VLANs you need.  VLAN probing would reveal that.  VLAN exclusion sidesteps the probes for those VLANs, but does not alert you when your VLANs are not all trunked between switches and controllers.  You should remove the exclusions for the VLANs that you are having problems with.



  • 7.  RE: Cluster issues in AOS8.4

    Posted Jul 26, 2019 09:56 AM

    The setup now has:

    VLAN 1166 is a management VLAN on an access port 0/0/0

    The other VLANs are trunked on a 10gig port 0/0/2

    description "GE0/0/0"
    trusted
    trusted vlan 1-4094
    no poe
    switchport access vlan 1166
    no spanning-tree

     

    interface gigabitethernet 0/0/2
    description "Trunk VLAN"
    trusted
    trusted vlan 1002-1005,1007-1013
    no poe
    switchport mode trunk
    switchport trunk allowed vlan 1002-1005,1007-1013
    no spanning-tree

     

    When we remove the trunked corp VLANs, the cluster switches to an L3 connection.

    Attached is a screenshot after REMOVING VLAN 1013 from the excluded list.

    Thank you

     



  • 8.  RE: Cluster issues in AOS8.4

    Posted Jul 26, 2019 10:07 AM

    Just a thought as I think about this issue.

    I assume that the corporate VLANs on the controllers would require IP addresses to connect L2. As of now the only IP'd VLAN is management.

    So, would we need to address all VLANs that would perform 802.1X authentication and make sure they are removed from the cluster excluded VLAN list?

    Thank you



  • 9.  RE: Cluster issues in AOS8.4

    EMPLOYEE
    Posted Jul 26, 2019 10:08 AM

    That is because there is no connectivity between the controllers at layer 2 on that VLAN.  That must be resolved.  Give each controller an IP address on that VLAN and see if they can ping each other, and the gateway on that VLAN.  Make sure that VLAN is allowed on the switch side of the trunk, as well.
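
Added example (not part of the thread and not Aruba code): an offline check of the point made in posts 6 and 9, flagging client VLANs that are missing from a cluster member's trunk or are excluded from VLAN probing, so a trunk mismatch would go unreported. The controller names, the second controller's config, the client VLAN list and the exclusion list are constructed sample values; only the `switchport ... vlan` line format is taken from post 7, and the switch side of the trunk still has to be checked separately.

```python
import re

def parse_vlan_list(spec):
    """Expand a VLAN list such as '1002-1005,1007-1013' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def carried_vlans(config):
    """VLANs a controller carries: trunk allowed lists plus access VLANs."""
    vlans = set()
    for line in config.splitlines():
        m = re.match(r"\s*switchport (?:trunk allowed|access) vlan (\S+)", line)
        if m:
            vlans |= parse_vlan_list(m.group(1))
    return vlans

def audit(configs, client_vlans, excluded):
    """Return {vlan: [problems]} for every client VLAN that has a problem."""
    report = {}
    for vlan in sorted(client_vlans):
        problems = [f"not carried on {name}"
                    for name, cfg in sorted(configs.items())
                    if vlan not in carried_vlans(cfg)]
        if vlan in excluded:
            # Exclusion skips the probe, so a broken trunk stays silent.
            problems.append("excluded from VLAN probing")
        if problems:
            report[vlan] = problems
    return report

# Constructed sample input: ctrl-a mirrors the trunk in post 7, ctrl-b is hypothetical.
CONFIGS = {
    "ctrl-a": "interface gigabitethernet 0/0/2\n switchport mode trunk\n"
              " switchport trunk allowed vlan 1002-1005,1007-1013\n",
    "ctrl-b": "interface gigabitethernet 0/0/2\n switchport mode trunk\n"
              " switchport trunk allowed vlan 1002-1005,1007-1012\n",
}
CLIENT_VLANS = parse_vlan_list("1010-1013")  # constructed: VLANs serving 802.1X clients
EXCLUDED = parse_vlan_list("1012-1013")      # constructed: cluster exclude-vlan list

if __name__ == "__main__":
    for vlan, problems in audit(CONFIGS, CLIENT_VLANS, EXCLUDED).items():
        print(vlan, "; ".join(problems))
```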