Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Testing RAP failover with cluster

  • 1.  Testing RAP failover with cluster

    Posted Sep 09, 2020 10:58 PM

    We have an AOS 8.6.0.5 cluster with 2 controllers and a RAP connected to the cluster using 2 public IPs NAT'd to the controllers.

     

    Is there a simple way to test failover or access via the second controller without actually bringing one of the controllers down?

     

    The ap-move command does not appear to work for RAPs in a cluster environment.



  • 2.  RE: Testing RAP failover with cluster

    MVP EXPERT
    Posted Sep 10, 2020 03:40 AM

    Are you wanting to simply just confirm the RAP has connectivity to the secondary controller? How are the RAPs discovering the cluster, via a DNS record? You could provision the RAP to the external NAT of the controller you want to test?



  • 3.  RE: Testing RAP failover with cluster

    Posted Sep 10, 2020 03:57 AM

    I can see that IPSec connectivity is established to the second controller using 'show datapath session table <RAP Public IP>'.

     

    The RAP is provisioned using a DNS record pointing to the first cluster node, but I'm assuming once it connects it will populate its nodelist with both.

     

    I'm trying to observe the impact in the AP 'failing over' to using the other controller as an AP / User Anchor.

     

    It seems the only way to do this may be to reload the active controller during a maintenance window?



  • 4.  RE: Testing RAP failover with cluster

    EMPLOYEE
    Posted Sep 10, 2020 04:14 AM

    Do you have a way to block traffic to one of the NAT addresses, by firewall rules on the NAT device, removing the NAT configuration, or putting a null-route on a router near the RAP?

     

    If you block the path somewhere between the RAP and the controller, that should be enough to trigger a failover.



  • 5.  RE: Testing RAP failover with cluster

    Posted Sep 10, 2020 04:18 AM

    Funnily enough this was the case for some time for controller 2 - there was no firewall rule allowing inbound access, but the MDs in the cluster were connected to each other (healthy cluster).

     

    This resulted in some users failing to connect because the cluster wanted their UAC to be controller 2, but a tunnel couldn't be established.