CSCwa57853 - HA loses the connection when link encryption is enabled

CiaranB · ‎09-03-2025

Hi All,

2 x WLC8540

S/W: 8.10.185.0

After the crash of the 4500x distribution switch to which our primary unit of the WLC8540 HA cluster was connected, the primary WLC8540 restarted but was unable to rejoin the HA cluster as the standby WLC8540. This resulted in a split-brain situation.

Summary of troubleshooting steps:

Changed the redundant link to a different Layer 2 connection between the two controllers to rule out communication issues on the original link.
Rebooted both primary and secondary WLC8540s in the correct order of operation.
Isolated the secondary controller, broke the HA cluster, and attempted to rejoin it — but without success.

The current status is as follows:

The primary WLC8540 is now the active unit.
The secondary WLC8540 is isolated from the network, with both RP and LAN ports disabled to prevent split-brain and avoid impact on Wi-Fi services.

We are currently unable to rejoin the secondary WLC8540 to the HA cluster.

How can we determine if we are hitting this bug? Any particular logs which would confirm it? We would like to try confirm it first before reloading the active WLC again by disabling RP encryption (the work around).

thanks

Ciarán

MHM Cisco World · ‎09-03-2025

show redundancy summary
show redundancy

Share this

MHM

CiaranB · ‎09-04-2025

Primary Redundancy Information
Redundancy Mode.................................. SSO ENABLED
Local State...................................... ACTIVE
Peer State....................................... UNKNOWN - Communication Down
Unit............................................. Primary
Unit ID.......................................... xx:xx:xx:xx:0B:25
Redundancy State................................. Non Redundant
Mobility MAC..................................... xx:xx:xx:xx:0B:25
Link Encryption.................................. ENABLED
Redundancy Management IP Address................. x.x.x.45
Peer Redundancy Management IP Address............ x.x.x.47
Redundancy Port IP Address....................... 169.254.x.45
Peer Redundancy Port IP Address.................. 169.254.x.47

Secondary Redundancy Information
Redundancy Mode.................................. SSO ENABLED
Local State...................................... ACTIVE
Peer State....................................... UNKNOWN - Communication Down
Unit............................................. Secondary (Inherited AP License Count = 3200)
Unit ID.......................................... xx:xx:xx:xx:76:C7
Redundancy State................................. Non Redundant
Mobility MAC..................................... xx:xx:xx:xx:0B:25
Link Encryption.................................. ENABLED
Redundancy Management IP Address................. x.x.x.47
Peer Redundancy Management IP Address............ x.x.x.45
Redundancy Port IP Address....................... 169.254.x.47
Peer Redundancy Port IP Address.................. 169.254.x.45

MHM Cisco World · ‎09-04-2025

Both active' that sure issue

""Isolated the secondary controller, broke the HA cluster, and attempted to rejoin it — but without success.""

How you do that?

Did you break SSO in secondary unit correctly?

Idea to solve this as i think

1- disconnect secondary

2- break SSO

3- config redundacy encrypt in secondary

4- config sso in secondary

5- connect the secondary

MHM