Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Replaced Standby Controller, RAP now not connecting

  • 1.  Replaced Standby Controller, RAP now not connecting

    Posted May 21, 2014 06:13 PM

     

    I have a VRRP based MASTER-MASTER redundancy, within the same network setup. 

    Failover for the controllers works well.

    I have CAPs and RAPs, and also a separate Instant network VPN connection within my setup.

     

    I originally had a W-7210 and W-7240 as the two controllers, but recently replaced the W-7240 with a W-7210.

    I'm assuming the models are not important in my issue.

    As far as I can tell, I have exactly replicated the controller config that I replaced on the new one.

     

    When I intentionally fail the Active controller, the standby picks up as designed.  The CAPs move over to the standby (now Master) controller.  The VPN connection from my Instant network also gets reestablished.

    The only thing wrong is the RAP doesn't reconnect to the new active Master. It stays down.

    Manually rebooting the RAP doesn't help either.

     

    I've reset the Instant and converted it to a RAP again, after completing the controller replacement. I did this just in case there was some behind the scenes database info that replacing one of the controllers would cause an issue.

     

    Is there anything I'm missing or can check?  

    The RAP console only says "Transport endpoint is not connected"

    Other than that it correctly uses ADP to find/confirm the Master.

     

     

    Regards,

    Colin 

     

     

     

     

     



  • 2.  RE: Replaced Standby Controller, RAP now not connecting

    EMPLOYEE
    Posted May 21, 2014 06:16 PM

    Did you check the RAP whitelist on the standby to see if that AP is in there?

    Do you have a VPN pool configured on the standby? (that config is individual to each controller).

     



  • 3.  RE: Replaced Standby Controller, RAP now not connecting

    Posted May 21, 2014 06:21 PM

     

    Yes, I have the whitelist and VPN pool set on both controllers.

     

    I must have checked the whitelist mac 10 times to see if I typed it right :)

     

    Regards,

    Colin

     



  • 4.  RE: Replaced Standby Controller, RAP now not connecting

    EMPLOYEE
    Posted May 21, 2014 06:35 PM

    Well,

     

    You need to

    - type "show datapath session table | include 4500" to see if the traffic is hitting the controller

    - type "show log security 50" to see if there are any errors to indicate what might be happening wrong.



  • 5.  RE: Replaced Standby Controller, RAP now not connecting
    Best Answer

    Posted May 21, 2014 10:35 PM

    I've run into this before with a brand new 3200XM.  I could not get any RAP to terminate on it.  #show crypto ipsec sa never displayed any peers.  TAC determined that the RSA key was bad and that erasing the controller and starting over was the fix.  We copied the config, erased the controller, and pasted the same config back in.  This resolved the problem for us.

     

    Now my experience is not everyone's, and the root of my problem could differ from yours.  For that reason, I'd only recommend wiping the controller as a last resort.



  • 6.  RE: Replaced Standby Controller, RAP now not connecting

    Posted May 22, 2014 12:36 PM

    Jay,

     

    Factory resetting the controller worked!  Thanks a lot.

     

    I'm not sure if the RSA key was bad, but certainly something other than the config or whitelist, or anything I could control was the problem.

     

    Regards,

    Colin

     

     

     

     

     



  • 7.  RE: Replaced Standby Controller, RAP now not connecting

    Posted May 21, 2014 11:02 PM

    How do you have your LMS definition setup in the AP System profile?    Also, assuming you have some sort of NAT device translating its Internet IP to its internal IP, what IP is that NAT'ing to?   A physical IP of one of the controllers?  VRRP?



  • 8.  RE: Replaced Standby Controller, RAP now not connecting

    Posted May 22, 2014 11:45 AM

    Chris, 

     

    I do not have any local controllers, should I still configure LMS?

     

    I have a MASTER-MASTER setup with no local controllers.  I configured LMS with the VRRP vip address, but that just breaks the RAP completely, it won't attach or convert at all even to the previously working primary controller.

     

     

     



  • 9.  RE: Replaced Standby Controller, RAP now not connecting

    Posted May 22, 2014 12:33 AM
    You need to copy the whitelist db from the old controller to the new controller. If you enable security logs, you would see authentication failure for the RAP. What AOS release are you using?
    How did you copy the config to the new controller?


  • 10.  RE: Replaced Standby Controller, RAP now not connecting

    Posted May 22, 2014 06:16 AM

    When using a database copied across from a master, when the master is unavailable you have to explicitly tell the local to use its internal (copied across) database using -

    aaa authentication-server internal use-local-switch

     

    Is this setting in place?



  • 11.  RE: Replaced Standby Controller, RAP now not connecting

    Posted May 22, 2014 11:38 AM

    Matt,

     

    I do not have any local controllers, just a MASTER-MASTER setup.  

     

    I do not have the aaa command configured as you stated, but do I need to if I don't have local controllers?

     

     



  • 12.  RE: Replaced Standby Controller, RAP now not connecting

    Posted May 22, 2014 11:42 AM

    Deepak,

     

    I'm using 6.3.1.2 AOS.

     

    I did not copy the config over.  I manually built the items that are local to the standby, and then let the rest copy over during the VRRP-based copy process. 

     

     



  • 13.  RE: Replaced Standby Controller, RAP now not connecting

    Posted May 22, 2014 12:38 PM
    Glad to hear it worked!