Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Is it normal that the local controllers cannot reach the standby master?

  • 1.  Is it normal that the local controllers cannot reach the standby master?

    Posted Dec 07, 2015 12:31 PM

    Hi,

    I have a setup with a master-standby redundancy and several pairs of active-active local controllers.

    The local controllers can reach the active master (physical and VRRP address), but not the standby master controller, even if they are in the same VLAN.

    The standby master can reach the active master (physical and VRRP) and all other devices in the VLAN of the local controllers, except the local controllers themselves. I've done a Wireshark trace and the standby master controller isn't sending out any packet while pinging the locals.

    VRRP failover works fine and at the moment of failover the new active master can reach all locals. At that moment the new standby master (previous active master) stops being able to reach the locals and vice-versa.

    Is this normal behaviour?

     

    Thx



  • 2.  RE: Is it normal that the local controllers cannot reach the standby master?
    Best Answer

    EMPLOYEE
    Posted Dec 07, 2015 12:38 PM

    Yes, that is normal and expected. There are no issues in your setup. 

     

    Thanks, 

    Rajaguru Vincent 



  • 3.  RE: Is it normal that the local controllers cannot reach the standby master?

    Posted Dec 09, 2015 02:54 AM

    What could be the reason behind this? 

    I see that there are IPSEC routes on the standby without an IPSEC tunnel, so that makes sense. However, TAC seems to disagree with the fact that it is normal behaviour.



  • 4.  RE: Is it normal that the local controllers cannot reach the standby master?

    EMPLOYEE
    Posted Dec 09, 2015 06:14 PM

    Hi Peter,

     

    You are correct. Here is the explanation,

     

    (Master) #show ip route

    C 192.168.2.6/32 is an ipsec map default-local-master-ipsecmap192.168.2.6
    C 192.168.2.3/32 is an ipsec map default-psk-redundant-master-ipsecmap


    (Standby) #show ip route

    C 192.168.2.6/32 is an ipsec map default-local-master-ipsecmap192.168.2.6
    C 192.168.2.4/32 is an ipsec map default-psk-redundant-master-ipsecmap


    (Local) #show ip route

    C 192.168.2.0/27 is directly connected, VLAN49
    C 192.168.2.4/32 is an ipsec map default-local-master-ipsecmap


    On Master, there is an ipsec map to local, "default-local-master-ipsecmap192.168.2.6". On Local, there is an ipsec map to Master, "default-local-master-ipsecmap".

     

    On Standby, there is an ipsec map to local, "default-local-master-ipsecmap192.168.2.6". Note the ipsec map name. On Local, there is NO ipsec map to Standby. Local controller will have an ipsec map only to the Master, not to the standby.

     

    On the Local controller, the ipsec map is created only to the Master. Not to the Standby.
    The ipsec tunnel is in fact made to the VRRP IP (192.168.2.10) between the Master and Standby when you configured the Local.


    When you ping from Local,
    The traffic may go out, since it would take the directly connected route.

     

    The return traffic from Standby,
    This should take the ipsec map as per the routing table. This is only a map on the routing table of Standby, but the local controller doesn't have an ipsec map for standby. This means there is NO ipsec tunnel to the Local controller. So, the traffic will be dropped since the route entry is not valid. The ipsec map on the Standby will take effect when the Standby controller takes the Master role.

     

    (Local) #show datapath session table | include 4500
    192.168.2.6 192.168.2.10 17 4500 4500 0/0 0 0 255 0/0/0 2862 0 0 F
    192.168.2.10 192.168.2.6 17 4500 4500 0/0 0 0 0 0/0/0 2862 0 0 FC


    This explanation is based on my understanding and not from any official Aruba documents.


    Thanks,
    Rajaguru Vincent
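
The routing asymmetry described in this reply can be checked mechanically. The following is an added example, not part of the original posts and not Aruba code: it parses the quoted `show ip route` lines and applies a simplified model in which an ipsec-map route only carries traffic if the peer holds an ipsec map back. The controller addresses are inferred from the quoted routes and are assumptions.

```python
import ipaddress
import re

# Controller IPs are inferred from the quoted routes (assumption); the route
# lines are the `show ip route` output quoted in the post above.
CONTROLLERS = {
    "master": ("192.168.2.4", """
C 192.168.2.6/32 is an ipsec map default-local-master-ipsecmap192.168.2.6
C 192.168.2.3/32 is an ipsec map default-psk-redundant-master-ipsecmap"""),
    "standby": ("192.168.2.3", """
C 192.168.2.6/32 is an ipsec map default-local-master-ipsecmap192.168.2.6
C 192.168.2.4/32 is an ipsec map default-psk-redundant-master-ipsecmap"""),
    "local": ("192.168.2.6", """
C 192.168.2.0/27 is directly connected, VLAN49
C 192.168.2.4/32 is an ipsec map default-local-master-ipsecmap"""),
}

ROUTE_RE = re.compile(r"^\s*C\s+(\S+)\s+is\s+(an ipsec map|directly connected)", re.M)

def parse_routes(text):
    """Return [(network, via_ipsec)] for each connected route line."""
    return [(ipaddress.ip_network(net), kind == "an ipsec map")
            for net, kind in ROUTE_RE.findall(text)]

def lookup(src, dst_ip):
    """Longest-prefix match on src's table: 'ipsec', 'direct' or None."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [(net.prefixlen, ipsec)
            for net, ipsec in parse_routes(CONTROLLERS[src][1]) if dst in net]
    if not hits:
        return None
    return "ipsec" if max(hits)[1] else "direct"

def one_way(src, dst):
    """Can src deliver a packet to dst under this simplified model?"""
    kind = lookup(src, CONTROLLERS[dst][0])
    if kind == "ipsec":
        # A tunnel needs both ends: dst must hold an ipsec map back to src.
        return lookup(dst, CONTROLLERS[src][0]) == "ipsec"
    return kind == "direct"

def ping(src, dst):
    """Echo request and echo reply must both be deliverable."""
    return one_way(src, dst) and one_way(dst, src)

if __name__ == "__main__":
    for a, b in [("local", "master"), ("local", "standby"), ("master", "standby")]:
        print(f"{a} -> {b}: request={one_way(a, b)} reply={one_way(b, a)} ping={ping(a, b)}")
```

Matching route entries are only a proxy for tunnel state; on a live controller the tunnel itself still has to be confirmed as established.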



  • 5.  RE: Is it normal that the local controllers cannot reach the standby master?

    Posted Dec 11, 2015 03:00 AM

    I agree with Raj, here is how I found out:

    Ping from Local to Standby: Local will send ICMP traffic to Standby via the default gateway/static route configured. The return traffic from Standby will never reach Local because there is an ipsec route in the routing table; it tries to send through ipsec, but the tunnel is down, so the traffic goes nowhere.

    That is the reason the ping is not successful.

     

    Attaching the screenshot for reference: Ping from Local Controller

    Attachments: Datapath from standby.JPG, Local.JPG, Master.JPG, Standby.JPG

    Regards,

    Deepak Balachandran





  • 6.  RE: Is it normal that the local controllers cannot reach the standby master?

    Posted Nov 22, 2017 03:17 AM

    I got the same behaviour in our setup. It is the same setup: Master/Standby and local controllers connecting to the VRRP address.

    In addition, I have another question. In my setup it is necessary to tunnel an L2 VLAN from the master/standby network to the local controller.

    So I am trying to do this with a GRE tunnel between the local and master controller, because GRE to the VRRP IP is not working. So I am thinking about redundancy.

    Because the VRRP IP in the GRE config is not working, I have to create two GRE tunnels on the local controller: one to master and one to standby. The standby tunnel never comes up because standby does not reach local, for the reasons you mentioned.

    Does it make sense to create a tunnel group? Will redundancy work?