Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

redundancy problem

  • 1.  redundancy problem

    Posted Apr 21, 2016 05:01 AM
    Hi, everyone. I faced a problem with Aruba redundancy. I'm using 2 controllers (Aruba 3200 and 3600) in a master/local architecture. Aruba 3600 - master controller. Aruba 3200 - local controller. Also, they are using the VRRP protocol to perform HA. The controllers are in the same network. The ArubaOS version on both controllers is 6.3.1.13. So, here is the problem: the local controller handles 110 active APs and 10 APs (which seem to be down). I was trying to troubleshoot those 10 APs, but didn't get any result. Finally, I rebooted the local controller and found interesting and strange behaviour: when the local controller went down, all APs moved to the master. Also, those 10 APs (which were down before) became up on the master controller. After the 3200 controller rebooted, all APs moved back to the local controller. And I found that 110 APs were in the up state, and 10 were down. In the logs I didn't find any errors, and the licenses are OK (128 for the Aruba 3200 controller). So, I'm trying to find out why those 10 APs were down on the local controller and became up on the master.


  • 2.  RE: redundancy problem

    EMPLOYEE
    Posted Apr 21, 2016 05:47 AM

    Has this ever worked?

     

    The 3200 series only supports up to 32 campus APs.

    http://www.arubanetworks.com/assets/ds/DS_A3000.pdf

     

    Can you send the output of show license-usage ap and show keys?

     

    Borja



  • 3.  RE: redundancy problem

    Posted Apr 21, 2016 08:06 AM

    Hi, Borja.
    Yes, it was working before. But over the last week I've lost 6 APs from the controller. I'm using RAP mode.

    (Aruba3200) #show license-usage ap

    AP Licenses
    -----------
    Type Number
    ---- ------
    AP Licenses 128
    RF Protect Licenses 128
    Overall AP License Limit 128

    AP Usage
    --------
    Type Count
    ---- -----
    Active CAPs 0
    Standby CAPs 0
    RAPs 111
    Remote-node APs 0
    Tunneled nodes 0
    Total APs 111

    Remaining AP Capacity
    ---------------------
    Type Number
    ---- ------
    CAPs 4
    RAPs 17

    (Aruba3200) # show keys

    Licensed Features
    -----------------
    Feature Status
    ------- ------
    Access Points 128
    RF Protect 128
    VPN Server Module 2048
    xSec Module 0
    Next Generation Policy Enforcement Firewall Module 0
    Advanced Cryptography 0
    RF Protect ENABLED
    Policy Enforcement Firewall DISABLED
    VPN Server ENABLED
    xSec Module DISABLED
    Policy Enforcement Firewall for VPN users DISABLED
    Advanced Cryptography DISABLED
    Maritime Regulatory Domain DISABLED


    Also, here is the output for one of the APs which is in the down state:
    Apr 21 12:34:23 authmgr[1645]: <124004> <DBUG> |authmgr| Select server for method=VPN, user=ap-9k-118-2, essid=<>, server-group=internal, last_srv <>
    Apr 21 12:34:23 authmgr[1645]: <124004> <DBUG> |authmgr| match_rule Value Pair to match User-Name : ap-9k-118-2
    Apr 21 12:34:23 authmgr[1645]: <124038> <INFO> |authmgr| Selected server Internal for method=VPN; user=ap-9k-118-2, essid=<>, domain=<>, server-group=internal
    Apr 21 12:34:23 authmgr[1645]: <124447> <DBUG> |authmgr| auth_vpn_resp_raw: user name ap-9k-118-2, check_vpn_cp_single_session ret -5
    Apr 21 12:34:23 authmgr[1645]: <124546> <DBUG> |authmgr| aal_authenticate user:ap-9k-118-2 vpnflags:1.



  • 4.  RE: redundancy problem

    EMPLOYEE
    Posted Apr 21, 2016 08:11 AM

    So it seems that you are using RAP mode to get around the 32 AP limit of the 3200. Redundancy is a little more complicated with APs that are configured as RAPs, because platforms like the 3200 are only designed to handle WAN-like traffic from RAPs and not LAN traffic. I would type "show log system 50" on each controller to see if you can get a clue about what is going wrong.



  • 5.  RE: redundancy problem

    Posted Apr 21, 2016 08:28 AM

    cjoseph, there are no other logs regarding the APs in the down state except the following:

    Apr 21 12:34:23 authmgr[1645]: <124004> |authmgr| Select server for method=VPN, user=ap-9k-118-2, essid=<>, server-group=internal, last_srv <>

    Apr 21 12:34:23 authmgr[1645]: <124004> |authmgr| match_rule Value Pair to match User-Name : ap-9k-118-2

    Apr 21 12:34:23 authmgr[1645]: <124038> |authmgr| Selected server Internal for method=VPN; user=ap-9k-118-2, essid=<>, domain=<>, server-group=internal

    Apr 21 12:34:23 authmgr[1645]: <124447> |authmgr| auth_vpn_resp_raw: user name ap-9k-118-2, check_vpn_cp_single_session ret -5

    Apr 21 12:34:23 authmgr[1645]: <124546> |authmgr| aal_authenticate user:ap-9k-118-2 vpnflags:1.

    There are no errors or any other suspicious info.