Wireless Access

Hello communtiy,

 

we have 2 651 Controller, software 6.2.1.4 running on bouth.

So I configured Master redundancy with vrrp and the failover works (the same config on bouth controller, oher IP and hostname).

But the database sync won´t work.

 

 

Controller1 Master:

 

 

Controller2 Backup Master

 

Controller1:

 

 

 

 

Have anybody an idea why master redundancy is not configured?

 

Controller1

Controller2

 

 

Have anybody an idea why the database sync doesn´t work?

Why the controller says master redundancy is not configured?

 

Thanks

On your backup, set the vrrp to have a lower priority.

 

vrrp 1
shut
priority 90
no shut

 

you have to set the peer ip address and make sure the ipsec keys match.

Ok, I ´ve done this.

 

But the sync does not work.

Now this message comes up:

 

 

try to do it from the master.  What is the output of 'show master-redundancy' on both boxes?

Ok, it still doesn´t work.

 

yes I tried it from the Master:

 

Master:

 

Backup:

 

 

 

 

you have the same peer-ip configured on the both boxes.

 

On the master, the peer should be the backup.

 

On the backup, the peer should be the master.

 

 

I changed it but it won´t work.

 

Master:

 

 

 

 

Backup:

 

 

 

 

 

Is the problem that the show master red

The two controller are vrrp id 1 state master ?

The log shows this:

 

The controllers cannot communicate with each other.  That means that the ipsec tunnel is not coming up.  Check your shared secret again, which must be the same on both boxes.

under Configuration - Redundancy the IPSec is is the same.

Must I configure the key anywhere else?

At the CLI (enable) do "encrypt disable", and post on here an output of the "show master-red" please.

 

This will help us check the keys etc. You'll be showing us your keys, but I suspect at this point you won't mind.

 

Then, if that looks ok, can you ping from the real to the real IP on each controller on that 192.168.25.x subnet?

 

The outputs earlier suggest the controllers are both master.

 

If you can ping, but the sync/vrrp isn't coming up, you've got a multicast issue on the vlan. I.e. it's being dropped or the VRID is conflicting with something (another device). Try another VRID number (like 200). Are you using Extreme switches between? I sometimes see odd behaviour on these where the drop some multicast seemingly at random!

 

If you can't ping from real to real, you've got a layer 2 break between boxes.

At the CLI (enable) do "encrypt disable", and post on here an output of the "show master-red" please:

Master:

Backup:

 

I can not ping between the controller, but I think thats no Vlan problem or Switch ...

I think that is a controller ip config problem, every controller can ping the dhcp server on the vlan25 and the gateway on the vlan25

but not each other?

 

Ich bouth controllers IP Adress under Configuration-Networkt-Controller -> Master IP Adress is changed to the VRRP adress 192.168.99.99 on vlan 99

 

Every Controller is in master state.

If you can't ping between each other, but can ping the controllers from elsewhere, that is because the ipsec tunnel is not coming up.

Ok but what can I do?

 

on both controllers in the vrrp you should also have

 

tracking master-up-time 30 add 20

 but not sure if that is exactly why it's not working.

 

What is the role of the backup controller?  show role

 

From what I can tell it should work, so you may need to raise with TAC

Please post an output of...

 

1. Your physical port configurations (including any port-channels).

2. Your VLAN configurations.

3. Your IP interface configurations (including VRRPs).

4. Your output of "show vlan"

5. Your output of "show port status"

6. Your output of "show ip interface breif"

7. Your output of "show vrrp"

 

Run 4-7 on both controllers please.

 

1. Your physical port configurations (including any port-channels):

 

2. Your VLAN configurations:

 

3. Your IP interface configurations (including VRRPs).:

 

4. Your output of "show vlan":

 

 

5. Your output of "show port status":

 

 

6. Your output of "show ip interface breif"

 

 

 

7. Your output of "show vrrp"

 

 

Thanks for your commitment!!!

Final piece of data. Do a "show switches" on both controllers, and check both boxes are shown referencing the 192.168.25.x addresses. If they're not, take out the 10.10.10.x addresses (and reboot), as they're "down" and it looks like you're not using them?

 

It might be that the controllers believe their seed addresses are the 10.10.10.x ones, as you haven't set loopbacks.

 

If not...

 

This genuinely looks like a layer 2 vlan break for vlan 23 between the controllers which look attached on ports 1/5 at each end.

 

Question. Is it physically feasible to...

 

Disconnect your ports 1/5 on both, set another port (for example 1/6 as switchport access vlan 25), then connect those two interfaces directly just to test? If you can, and it works, you DEFINATELY have a vlan break across the switches. If it doesn't the other comment is right regarding your IPSEC settings. If it's that, and all keys match, reboot both boxes. If that doesn't work, log it with TAC?

Ok, I delete the 10.10.10.xx adresses on bouth controllers.

 

On  everey controller I create an access port vl 25 and connect them direct.

I can not ping between the direct connection.

Why?

 

for administration I use the vl 25 and the 192.168.25.10 and 192.168.25.11 addresses?

 

 

Now I reboot all controller, so now I can ping each other.

But the sync does not work!

Leon123,

 

Please open a support case.

I would agree. We've checked as much stuff as is practical on here. TAC is the way forward.