Wireless Access

I am trying to configure a VRRP between a 620 and a 3200. Master-Master (no redundancy).

Testing....

 

I setup my VRRP on my master first

 

vrrp 100
  priority 110
  authentication aruba123
  ip address 172.30.50.78
  description "wlc-1"
  vlan 1
  no shutdown
!

 

(dnoc-wlc-1.rdlab.dv) (config-vrrp)# show vrrp

Virtual Router 100:
    Description wlc-1
    Admin State UP, VR State MASTER
    IP Address 172.30.50.78, MAC Address 00:00:5e:00:01:64, vlan 1
    Priority 110, Advertisement 1 sec, Preemption Disable Delay 0
    Auth type PASSWORD, Auth data: ********
    tracking is not enabled

It comes up as Master, VIP is pingable (50.78)

 

I then configure it on the backup-master and it becomes Master as well

vrrp 100
  priority 90
  authentication aruba123
  ip address 172.30.50.78
  description "wlc-2"
  vlan 1
  no shutdown
!

(dnoc-wlc-2.rdlab.dv) (config) #show vrrp


Virtual Router 100:
    Description wlc-2
    Admin State UP, VR State MASTER
    IP Address 172.30.50.78, MAC Address 00:00:5e:00:01:64, vlan 1
    Priority 90, Advertisement 1 sec, Preemption Disable Delay 0
    Auth type PASSWORD, Auth data: ********
    tracking is not enabled

In 'show log system' I see the following for both controllers:

WLC-1

Mar 27 11:13:34 :313329:  <DBUG> |fpapps|  VRRP: Sending Advertisement for vrid 100
Mar 27 11:13:38 :307048:  <DBUG> |cfgm|  Got a message from 8231:5010
Mar 27 11:13:38 :307050:  <DBUG> |cfgm| Received a IPSEC CFG Message
Mar 27 11:13:38 :307219:  <DBUG> |cfgm| Sending the IPSEC Configuration
Mar 27 11:13:39 :313329:  <DBUG> |fpapps|  VRRP: Sending Advertisement for vrid 100
Mar 27 11:13:42 :301278:  <INFO> |snmp| Authentication failure, bad community string
Mar 27 11:13:42 :301246:  <NOTI> |snmp|  201 SNMP Authentication Failed for Management station 172.30.49.19
Mar 27 11:13:43 :313329:  <DBUG> |fpapps|  VRRP: Sending Advertisement for vrid 100

WLC-2

Mar 27 11:13:46 :313329:  <DBUG> |fpapps|  VRRP: Sending Advertisement for vrid 100
Mar 27 11:13:49 :307048:  <DBUG> |cfgm|  Got a message from 8231:5010
Mar 27 11:13:49 :307050:  <DBUG> |cfgm| Received a IPSEC CFG Message
Mar 27 11:13:49 :307219:  <DBUG> |cfgm| Sending the IPSEC Configuration
Mar 27 11:13:50 :313329:  <DBUG> |fpapps|  VRRP: Sending Advertisement for vrid 100
Mar 27 11:13:54 :300197:  <DBUG> |licensemgr|  __license_timer
Mar 27 11:13:54 :300149:  <DBUG> |licensemgr|  __license_expire: executing cmd SELECT id, skey, installed, expires, complete, enabled, icount, inactive from licenseinfo_new
Mar 27 11:13:54 :300197:  <DBUG> |licensemgr|  __license_remove_cli_warning: removing warning file
Mar 27 11:13:54 :300197:  <DBUG> |licensemgr|  __license_publish_expiry: not publishing update value unchanged [-1
Mar 27 11:13:55 :313329:  <DBUG> |fpapps|  VRRP: Sending Advertisement for vrid 100

 

Both of them are sending advertisements but none of them are responding....any ideas?

 

 

 

 

#3200

you need to configure:

 

- VRRP first...  Make sure it works

- Master Redundancy Second (after VRRP) works.

 

 

I would suspect one of two things.

 

1. Either one of the ports from either controller into the network isn't "trusted".

2. There is a layer 2 split on VLAN1 between the two controller interfaces.

 

Can you ping between the two controller VLAN 1 IP interfaces? If so, it's worth trying a reboot.

 

 

Colin, not trying to do master redundancy, just a simple VRRP. Before I even touched controller 2, I made sure my #1 was master. I then configured it on #2. Both became Master without receiving any messages but both advertising their VRID The.Racking.Monkey. 1. Either one of the ports from either controller into the network isn't "trusted". They are trusted 2. There is a layer 2 split on VLAN1 between the two controller interfaces. No split -P

Can you ping each controller from another on that VLAN?

 

yeah, they can ping each other, the VIP also responds.

you need to type "show vrrp 100 statistics" on each side and see what is happening.  Also make sure you do not have HSRP running on the same segment........

been running that command and I see the following:

  Last advertisement received timestamp:   never

Since I am piggybacking off our R&D network (no control over L2), I will check internally on Monday for HSRP

---

@pmonardo wrote:

been running that command and I see the following:

  Last advertisement received timestamp:   never

Since I am piggybacking off our R&D network (no control over L2), I will check internally on Monday for HSRP

---

Well, that means they cannot see each other, OR the preshared key is misconfigured.  They should be able to see master advertisements on their own subnet.

 

 

preshared key is exact same.

Running a packet capture, I don't see any traffic which I find odd.

I tried with another controller (same subnet) I was able to see traffic but it still wouldn't work.

 

I'll try to figure this out on Tuesday.

 

 

Can you try and plug the two controller interfaces into each other directly? See if the VRRP works when doing that if so? If it does, the switches are the source of the problem obviously, with a VLAN issue of some sort.

 

If it doesn't work that way, maybe reboot both controllers? If still no joy, what version of code is it?

 

I am going to need to find a x-over cable....should have one somewhere here..

 

They are 6.1.4.0, I am replicating a customer environment in house to strictly test VRRP so I am using the same code version

Works when controllers are connected to each other.

I am suspecting the switch is the culprit. I spoke to my systems team who manages that particular network and they don't see any issues.

 

I will try another switch tomorrow and see if that changes anything.

Thought it sounded like that.

 

What switches are they (vendor/model)? Post some configs too if possible?

 

If it's a vendor I've dealt with, I'll see if I can see anything obvious?

 

1st switch is a 3Com SuperStack 3 Switch 4200. :(

It is pretty much defaultedm no real configs to speak of.

 

The 2nd switch is a Cisco Small business switch (can't remember the model right now), will try this one today

I had some parts lying around....;)

2nd Switch is a Cisco SMB SF300-24P.

 

I moved everything onto this switch and it began to work.

 

:)

I'd need to see configs of both switches to tell what's wrong.

 

However, as a guess, if the pings were working, I suspect the 4200 is dropping multicast traffic.

 

I suspect it's got IGMP snooping disabled?

 

EDIT:

IGMP snooping was enabled.

The 3Com switch was basically a factory defaulted switch and so was the Cisco, no VLANs created for this, etc..

 

 

I guess as you found the problem (3Com) and worked around it, you're not so worried about fixing it?

 

If you are, the next thing I'd try is upgrading the 3Com code. It does sound like it's dropping the mcast. If it's an old switch, that might be a challenge!

To be honest, it isn't a good switch, its old and busted.

I'd rather use a POE switch at this time, it saves me time as well.

 

I'll probably re-use the 3Com at some point, when I do, I will look for newer firmware but I believe you are correct about it dropping mcast.

Packet Captures showed no multicast traffic at all, none

Sounds like next stop ebay to me?!

HHAHA possibly