Wireless Access

Hi,

We have a strage behaviour on our 7210 controllers.

We try to set a local master/standby config :

- local IP config on each controller

- create a dedicated admin VLAN 75

- VRRP config on VLAN 75

Local IP and VIP can be "pinged" from other networks.

However, whe trying to configure redundancy, it failed : controllers cannot ping each others on VLAN 75 whereas they are on the same brodcast domain.

How could it be possible ? What could block a ping on a layer 2 network ?

Regards,

I have to say that a show arp command shows that each controller can see the other one's mac adress on the right vlan.

If a controller is setup to be a local to a master, all of their traffic must go through the ipsec tunnel between them.  If the ipsec tunnel is not up, pings will not work.

Type "show ipsec sa" to see if the tunnel is up between the two controllers.

Hi,

Tunnel is not set.

I tried with shared key and cert but no way.

What shoud be wrong ? How could we debug this ipsec tunnel problem ?

Regards,

You either need to re-enter the key on the local or the master to make sure they match.  OR:

On the master You can type "encrypt disable" and then type:

show running-config |  include localip

..to see the master's key to ensure you are entering it correctly on the local

Hi,

I tried to re-type key and it seems to be ok.

show running-config | include localip

doesn't return any output.

Config seems to be ok (see screen capture), and a show ip route gives

Gateway of last resort is 192.168.230.78 to network 0.0.0.0 at cost 1
S* 0.0.0.0/0 [0/1] via 192.168.230.78*
C 172.16.0.0/24 is directly connected, VLAN1
C 192.168.230.64/28 is directly connected, VLAN75
C 192.168.230.76/32 is an ipsec map default-psk-redundant-master-ipsecmap

whereas ipsec does'nt seem to be up

(controleur-1) [mynode] #show crypto ipsec sa

% No active IPSEC SA

We miss something but it is quite nebulous.

Your ipsec connection says redundant master.  What is the relationship between that controller and the master?

Screen capture of config

Okay.  You have master redundancy setup, which is different from master/local.

Do you have a VRRP setup, as well?  The instance of the master redundancy depends on the status of a VRRP.

Yes i have.

VRRP works well.

Virtual Router 1:
Description VRRP Master
Admin State UP, VR State MASTER
IP Address 192.168.230.77, MAC Address 00:00:5e:00:01:01, vlan 75
Priority 200, Advertisement 1 sec, Preemption Enable Delay 5
Auth type PASSWORD, Auth data: ********
tracking is not enabled

Virtual Router 1:
Description VRRP Slave
Admin State UP, VR State BACKUP
IP Address 192.168.230.77, MAC Address 00:00:5e:00:01:01, vlan 75
Priority 100, Advertisement 1 sec, Preemption Enable Delay 5
Auth type PASSWORD, Auth data: ********
tracking is not enabled

Failover test from an external ping work fine too.

Hi,

I finally found what was wrong : i set up a new vlan but ipsec nego was using the legacy first IP defined on switch, but not the new vlan one.

I changed configuration > system > controller ip address to use the vlan IP that is used for vrrp

Now master redundancy works and database sync is ok.

Thanks for your time.

Regards,