
N+1 5508 WLC failover test

edwardzeng
Level 1

Good day all,

I have a question about the N+1 5508 failover test:

Should I shut down one of the primary WLCs to test failover?

I just set up the N+1 backup WLC (5508).

Based on: http://www.cisco.com/en/US/docs/wireless/technology/hi_avail/N1_High_Availability_Deployment_Guide.pdf

We have two production WLCs both 5508 and one 4405.

We just purchased another HA-SKU WLC 5508.


All four of our WLCs have been set up in one mobility group on version 7.4.100.6.

Their neighbors are all up.

But our test AP could not register to the backup N+1 WLC. (We are using option 43 in our DHCP server for all AP boots.)

Here are the log screens:

================ From test Access Point============

*Mar  1 00:00:53.099: %CDP_PD-4-POWER_OK: Full power - INJECTOR_CONFIGURED_ON_SOURCE inline power source

*Mar  1 00:00:53.842: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.255.1.3, mask 255.255.255.0, hostname wo11-test-ap1

*Mar  1 00:00:54.188: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up

*Mar  1 00:00:55.188: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

*Mar  1 00:00:55.279: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up

*Mar  1 00:00:56.280: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up

*Mar  1 00:01:03.820: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.254.240.5 obtained through DHCP

*Mar  1 00:01:03.820: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

*Mar  1 00:01:13.823: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Aug  2 02:30:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.254.240.5 peer_port: 5246

*Aug  2 02:31:25.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2051 Max retransmission count reached!

*Aug  2 02:31:55.001: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.254.240.5:5246

*Aug  2 02:31:55.001: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Aug  2 02:30:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.254.240.23 peer_port: 5246

*Aug  2 02:30:55.490: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.254.240.23 peer_port: 5246

*Aug  2 02:30:55.493: %CAPWAP-5-SENDJOIN: sending Join Request to 10.254.240.23

*Aug  2 02:30:55.493: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.

*Aug  2 02:30:55.493: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.

*Aug  2 02:30:55.493: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Aug  2 02:30:55.493: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.254.240.23

*Aug  2 02:30:55.874: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down

*Aug  2 02:30:55.931: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

*Aug  2 02:30:55.987: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WG-WLC1

*Aug  2 02:30:56.041: ac_first_hop_mac - IP:10.255.1.1 Hop IP:10.255.1.1 IDB:BVI1

*Aug  2 02:30:56.041: Setting AC first hop MAC: ccef.481f.14bf

-test-ap1#sh int bvI 1

BVI1 is up, line protocol is up

  Hardware is BVI, address is e8b7.489e.4645 (bia e8b7.489e.4645)

  Internet address is 10.255.1.3/24

===================From backup N+1 WLC===

*spamApTask4: Aug 02 11:41:09.842: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58470).

*spamApTask4: Aug 02 11:41:01.889: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58470).

*spamApTask4: Aug 02 11:40:57.912: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58470).

*spamApTask4: Aug 02 11:40:55.924: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58470).

*spamApTask4: Aug 02 11:18:50.553: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58469).

*spamApTask4: Aug 02 11:18:42.600: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58469).

*spamApTask4: Aug 02 11:18:38.623: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58469).

*spamApTask4: Aug 02 11:18:36.636: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58469).

.

*mmListen: Aug 02 10:43:38.637: #LOG-3-Q_IND: spam_lrad.c:1676 Ignoring discovery request from AP e8:b7:48:9e:46:45 - maximum number of downloads (0) exceeded

*spamApTask0: Aug 02 10:43:38.500: #LWAPP-3-DISC_MAX_DOWNLOAD: spam_lrad.c:1676 Ignoring discovery request from AP e8:b7:48:9e:46:45 - maximum number of downloads (0) exceeded

==================== From one of our Primary WLC=====================

(WLC-5500) >show advanced backup-controller

AP primary Backup Controller .................... ODC-WLC1 10.254.240.5

AP secondary Backup Controller ..................  0.0.0.0

(WLC-5500) >show redundancy summary

Redundancy Mode = SSO DISABLED

     Local State = ACTIVE

      Peer State = N/A

            Unit = Primary

         Unit ID = 54:75:D0:DE:DE:40

Redundancy State = N/A

    Mobility MAC = 54:75:D0:DE:DE:40

Redundancy Management IP Address................. 0.0.0.0

Peer Redundancy Management IP Address............ 0.0.0.0  

Redundancy Port IP Address....................... 0.0.0.0

Peer Redundancy Port IP Address.................. 169.254.0.0

(WLC-5500) >show license capacity

Licensed Feature    Max Count         Current Count     Remaining Count

-----------------------------------------------------------------------

AP Count            250               203               47

==============From the Backup N+1 WLC in DR =====================

(Cisco Controller) >show redundancy summary

Redundancy Mode = SSO DISABLED

     Local State = ACTIVE

      Peer State = N/A

            Unit = Secondary - HA SKU

         Unit ID = 6C:41:6A:5F:4C:80

Redundancy State = N/A

    Mobility MAC = 6C:41:6A:5F:4C:80

Redundancy Management IP Address................. 10.254.240.3

Peer Redundancy Management IP Address............ 0.0.0.0

Redundancy Port IP Address....................... 169.254.240.3

Peer Redundancy Port IP Address.................. 169.254.0.0

(Cisco Controller) >show license capacity

Licensed Feature    Max Count         Current Count     Remaining Count

-----------------------------------------------------------------------

AP Count            500               0                 500
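
An added example, not part of the original post or of any Cisco tooling: a short Python triage script that reads the AP-side and WLC-side messages quoted above and reports, per controller, whether the AP's DTLS handshake completed, and what the WLC logged about that AP. The sample lines are copied from the logs in this post; the function names and outcome labels are hypothetical, and reading `10:255:1:3` as the AP address 10.255.1.3 is an assumption.

```python
import re

# Sample input: lines copied from the AP and WLC logs quoted in the post.
AP_LOG = """\
*Aug  2 02:30:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.254.240.5 peer_port: 5246
*Aug  2 02:31:25.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2051 Max retransmission count reached!
*Aug  2 02:31:55.001: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.254.240.5:5246
*Aug  2 02:30:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.254.240.23 peer_port: 5246
*Aug  2 02:30:55.490: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.254.240.23 peer_port: 5246
*Aug  2 02:30:55.987: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WG-WLC1
"""
WLC_LOG = """\
*spamApTask4: Aug 02 11:41:09.842: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58470).
*spamApTask0: Aug 02 10:43:38.500: #LWAPP-3-DISC_MAX_DOWNLOAD: spam_lrad.c:1676 Ignoring discovery request from AP e8:b7:48:9e:46:45 - maximum number of downloads (0) exceeded
"""

def ap_dtls_outcomes(log):
    """Map each controller IP the AP tried to the outcome of its DTLS request."""
    outcome, current = {}, None  # current = controller of the latest request
    for line in log.splitlines():
        sent = re.search(r"DTLSREQSEND: .*peer_ip: (\S+)", line)
        done = re.search(r"DTLSREQSUCC: .*peer_ip: (\S+)", line)
        if sent:
            current = sent.group(1)
            outcome[current] = "no-response"
        elif done:
            outcome[done.group(1)] = "established"
        elif "Max retransmission count reached" in line and current:
            # The AP error line names no peer; attribute it to the last request.
            outcome[current] = "handshake-timeout"
    return outcome

def wlc_rejections(log):
    """Collect, per AP identifier, what the controller logged about refusing it."""
    reasons = {}
    for line in log.splitlines():
        disc = re.search(r"DISC_MAX_DOWNLOAD: .*from AP (\S+) - maximum number"
                         r" of downloads \((\d+)\)", line)
        dtls = re.search(r"DTLS_DB_ERR: .*for AP\s+(\S+) \(\d+\)", line)
        if disc:
            msg = f"discovery ignored, download limit {disc.group(2)}"
            reasons.setdefault(disc.group(1), set()).add(msg)
        elif dtls:
            ap = dtls.group(1).replace(":", ".")  # assumption: colon-printed IPv4
            reasons.setdefault(ap, set()).add("DTLS connection not created")
    return {ap: sorted(msgs) for ap, msgs in reasons.items()}
```
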

54 Replies

Hi Wesley, here are the screenshots:

Regarding the Evaluation License, you need to accept it so that HA N+1 will work (see the other screenshots in this post). However, this is what I got on the HA SKU WLC, which keeps counting down even though the AP is no longer connected to that controller. I opened a TAC case because we expected that the Evaluation License on the HA SKU would reset its counter and go back to the default 8-week validity period. Apparently this issue is solved in version 7.6. In addition to that, you CANNOT install the minimum 50 AP count permanent license on versions 7.4 and 7.5 as mentioned in the Cisco guide for HA N+1, so you do not have to worry about the Evaluation License topic mentioned before. This subject is also solved in version 7.6.

HA SKU Counting Down.png

TEST RESULTS SCREENSHOTS

  • No WLC configured in the AP High Availability Option

HIGH AVAILABILITY AP ON PRIMARY WLC-1.png

  • User connected to PRIMARY WLC

USER CONNECTED TO WLC PRIMARY SSID STAFF.png

  • URL Redirect and User Authentication on PRIMARY WLC

AUTHENTICATION ON USER CONNECTED TO WLC PRIMARY-1.png

USER CONNECTED TO WLC PRIMARY SSID STAFF PIC 3.png

  • Disconnecting PRIMARY WLC from the Network

SHUTDOWN SWITCH PORT TO WLC PRIMARY-1.png

  • Losing connectivity to the SSID

USER DISCONNECTED AFTER WLC PRIMARY FAILS (SW PORT SHUTDOWN).png

  • Acting like an end user, I manually reconnected and authenticated on the HA SKU WLC. The SSIDs are broadcast by the HA SKU WLC, I got an IP and could authenticate as shown above.

ASSOCIATED AND AUTHENTICATED ON WLC HA SKU.png

  • I repeated the same tests with High Availability on the AP configured with both WLCs (HA SKU and PRIMARY WLC). Same result when I disconnected the PRIMARY WLC from the network. I mean, the AP goes to the HA SKU WLC, the SSIDs are broadcast by the backup WLC, I associated to that AP, authenticated and finally browsed the Web.

ADDING HA SKU IN THE HIGH AVAILABILITY OF AP-1.png

CONFIGURATION IN THE PRIMARY WLC and HA SKU WLC is the same as indicated in the guide, I mean:


pic 1 HA WLC-1.png

pic 2 HA WLC.png

Scott Fella
Hall of Fame

I just set this up recently, and it depends on whether you're setting up AP SSO or N+1. For N+1, you can follow this guide. The configuration you mention about the peer address is for AP SSO.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I am configuring:

N+1 High Availability Deployment Guide

April 04, 2013

The only thing I did, was the following. I am using version 7.5. I am getting: 

*Aug  2 02:31:25.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2051 Max retransmission count reached!

That is all you need to do... the error you have has nothing to do with N+1.... did you activate the license?

http://www.cisco.com/en/US/docs/wireless/technology/hi_avail/Licensing.html

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Based on the documentation, I do not need a license on the HA WLC; the Primary WLC replicates its license information to the HA WLC. But if I am wrong, please let me know.

thanks

You don't, but make sure it's showing active... 500 AP count.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Base-ap-count on the HA SKU WLC has the following information per column:

Type = evaluation

Count = 500

Priority = none

Status = EULA Not accepted.

I am using version 7.5 on the WLCs (PRIMARY + HA SKU). Is that the reason for the problem?

thanks

Status = EULA Not accepted.

No, but this could be the reason why.

From Software Activation --- > Licenses --- > Base AP Count , I am getting: Licenses cannot be modified on secondary HA SKU Controller.

I was wondering if there is any particular configuration required in the HA SKU WLC.

You should be able to change the priority and hit apply. You then need to reboot the WLC.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

This is the guide to configure N+1 and you just have to work on getting the license active.

http://www.cisco.com/en/US/docs/wireless/technology/hi_avail/N1_High_Availability_Deployment_Guide.pdf

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott,

As I mentioned before, and as you can see in the screenshots, I applied the 2 basic steps indicated in the guide on the Primary WLC and HA SKU WLC using the GUI, and also configured both WLCs in the High Availability option of the AP (first entry Primary WLC and 2nd entry HA SKU WLC). But it is still not working. I am assuming that the version I am using (7.5.102) is the root cause of this issue. I wanted to use this version because we also want to implement Bonjour using mDNS Gateway and LSS.

thanks

INFORMATION OF INTEREST:

I found the issue with the URL REDIRECT on version 7.5.102.0 for authentication using an External Login Page (in our case the ISE device is acting as Web Server + AAA Server for Web Authentication).

The post that I opened is the following:

https://supportforums.cisco.com/message/4114736#4114736

ajc
Level 7

Hi Edward,

In the screenshots that I posted below, you will see that I followed the 2 basic instructions provided in the guide using the GUI on the Primary WLC and HA SKU WLC. In addition to that, I have exactly the same condition you mentioned for the WLC licensing on the HA SKU device we purchased directly from Cisco. It is weird, but in my case it is not working, and the only difference that I can see is the version I am using (7.5.102). I decided to use this version because we also want to implement Bonjour using mDNS Gateway in the WLC as well.

thanks
