Wireless Access

Dear Team,

I have two 3400 mobility controller on a HA Mode. and VRRP is working fine but when my primary controller goes down the secondary controller is not reflecting the AP which were there on primary controller.

Also I have noticed the secondary controller is able to reflect the local controller RAP devices. but only primary controller RAP missing..

Controller OS :- 5.0.4.3

Model :- 3400

Local controller:- 650

License:-both controller is having enough license.

(XXXXXXXXX_01 ) #show vrrp

Virtual Router 1:
    Description Primary-Master
    Admin State UP, VR State MASTER
    IP Address 10.10.10.1, MAC Address 00:00:5e:00:21:21, vlan 1
    Priority 200, Advertisement 1 sec, Preemption Enable
    Auth type NONE
    tracking type is master-up-time, duration 30 minutes, value 20
    tracked priority 220

Alex George

Unless the APs are pointing to the VRRP using the VRRP address, this will not happen, for Campus APs.

If these are RAPs, VRRP will not work behind a firewall.  You should try making it so that APs use DNS to find the controllers and DNS is populated wth both public addresses.

More details, please.

Dear Joseph,

Thanks a lot for sending the reply.

I will explain how my controller is placed. what I have is all RAP devices, and All my RAP devices are configured with VRRP virtual IP Address.

remote location>>>>> fw>>>dmz>>> controller..

when I reboot primary and when I try to access the portal with VRRP IP , the traffic is moved to secondary ip , but the RAP is not reflected..

Pls advise..

Both controllers NEED a public ip address; that can be accomplished either through NAT or a physical interface on the controller.  RAPs would NEED to point to an external dns url like rap.yourcompany.com on the public side which has the two public addresses in it.  When the RAP is booted, it will get both addresses from DNS, and then try one controller, and then the other.

This is because VRRP does not work behind a firewall for devices that need to access it from the other side.  You CANNOT use VRRP in this scenario.  VRRP is not firewall-friendly.

Dear Joseph,

Thanks a lot for the reply,

presently my LMS IP  is a public IP, which is NATed on the VRRP IP address of the device (example. private ip , physical 10.1.1.2 and 10.1.1.3 and virtual 10.1.1.1 NATed with 1.1.1.1 ), My RAP devices are working with master controller static IP address , as I have manually configured the RAP provision. and DNS does not work for me with RAP device. ( I have presently having only RAP device,).

The RAP devices are connecting over the internet with IP 1.1.1.1 and also with10.1.1.1 over MPLS too.. but when the primary goes down, the secondary does not show RAPs.

also I cannot change this setup from the firewall DMZ side, any way to work VRRP for the RAP devices..

Alex,

I'm sorry that I don't have an answer for you in that situation.  Maybe someone can post something useful.  The difficulty is VRRP and the firewall.

I am assuming your NAT device is also a Firewall and you have only one firewall and not two in HA.

see if you have turned on Antispoofing on the firewall and see if you can turn it off for that interface.

also some of the firewalls have proxy ARP settings, if you have this configured, then it should be the VRRP MAC address.

regards

Ariya

Dear Team,

I will give my exact scenario,

I have two controller 3400 on HA mode on behind firewall. my firewall is checkpoint on HA mode.

my AP profile configuration is having , LMS IP as controller's Private  IP Address VRRP IP (10.10.80.140). and Backup LMS as public IP Address (NATed of the VRRP IP ), when the WAN link goes down the RAPs are able to reach on backup LMS IP too.

But this is happen, when the primary controller goes down, the VRRP change to secondary device, but the RAP devices which are connected is not reflecting.

I can  get a ping to 10.10.80.140 and even to backup LMS IP too.

But only the RAP devices are not reflecting on secondary controller.

Hello,

Pls find my attached deployment scenario given, pls advise what could be the best solution...

Alex

dear Team,

Any one can pls advise me why VRRP will not properly on DMZ network. what is the reason for the same..

Alex,

Let me take a step back.  Can you do some troubleshooting?

To test, SSH into the backup master.  When you bring the master down, type "show datapath session table | include 4500" on the backup master to see if the ipsec traffic is getting to the backup controller.  If it is, type "show crypto ipsec sa" after a minute to see if an SA is being established.