5520 WLC HA SSO not working

Hello Community,


We have an SSO HA implementation with 2x 5520 (both AIR-CT5520-K9), software version 8.5.151.0.
License for 100 APs, 96 APs in use.
When we simulate a problem by powering off the Active Controller, the standby controller will reboot, all of our APs lose their CAPWAP tunnel, APs and clients get disconnected. During this event, all interfaces on the controllers are unreachable (including the management interface).

Here is the configuration/status of the controllers...

(Cisco Controller) >show redundancy summ
Redundancy Mode = SSO ENABLED
Local State = ACTIVE
Peer State = STANDBY HOT
Unit = Primary
Unit ID = B4:DE:31:75:AC:CD
Redundancy State = SSO
Mobility MAC = B4:DE:31:75:AC:CD
Redundancy Port = UP
BulkSync Status = Complete

(Cisco Controller-Standby) >show redundancy summ
Redundancy Mode = SSO ENABLED
Local State = STANDBY HOT
Peer State = ACTIVE
Unit = Secondary (Inherited AP License Count = 100)
Unit ID = B4:DE:31:E5:42:2F
Redundancy State = SSO
Mobility MAC = B4:DE:31:75:AC:CD
Redundancy Port = UP

-------------------------

(Cisco Controller) >show interface summ

Number of Interfaces.......................... 12

Interface Name          Port  Vlan Id   IP Address       Type     Ap Mgr  Guest
ap-management           LAG   1113      172.28.13.1      Dynamic  Yes     No
blackhole               LAG   998       123.123.123.123  Dynamic  No      No
management              LAG   1112      172.28.12.1      Static   No      No
redundancy-management   LAG   1112      172.28.12.3      Static   No      No
redundancy-port               untagged  169.254.12.3     Static   No      No
service-port            N/A   N/A       169.169.169.169  Static   No      No
virtual                 N/A   N/A       192.0.2.2        Static   No      No


(Cisco Controller-Standby) >show interface summ


Number of Interfaces.......................... 12

Interface Name          Port  Vlan Id   IP Address       Type     Ap Mgr  Guest
ap-management           LAG   1113      172.28.13.1      Dynamic  Yes     No
blackhole               LAG   998       123.123.123.123  Dynamic  No      No
management              LAG   1112      172.28.12.1      Static   No      No
redundancy-management   LAG   1112      172.28.12.4      Static   No      No
redundancy-port         -     untagged  169.254.12.4     Static   No      No
service-port            N/A   N/A       10.11.12.13      Static   No      No
virtual                 N/A   N/A       192.0.2.2        Static   No      No

I know that the ap-management interface is not necessary, could this cause the problem?

Many thanks in advance!!
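
An added example, not part of the original post or of any Cisco tooling: a Python check that parses the two "show redundancy summ" outputs above and flags any field where the units disagree about the SSO state. The function names are hypothetical, and the /24 prefix is an assumption because the post does not show the netmask.

```python
import ipaddress
# Output copied from the post above: active unit, then standby unit.
ACTIVE = """\
Redundancy Mode = SSO ENABLED
Local State = ACTIVE
Peer State = STANDBY HOT
Unit = Primary
Unit ID = B4:DE:31:75:AC:CD
Redundancy State = SSO
Mobility MAC = B4:DE:31:75:AC:CD
Redundancy Port = UP
BulkSync Status = Complete
"""
STANDBY = """\
Redundancy Mode = SSO ENABLED
Local State = STANDBY HOT
Peer State = ACTIVE
Unit = Secondary (Inherited AP License Count = 100)
Unit ID = B4:DE:31:E5:42:2F
Redundancy State = SSO
Mobility MAC = B4:DE:31:75:AC:CD
Redundancy Port = UP
"""

def parse_summary(text):
    """Split each 'Key = Value' line on the first '=' only (the Unit line has two)."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def check_pair(active, standby, mgmt, rmi_a, rmi_s, prefix=24):
    """Return findings; an empty list means both units report a consistent SSO state."""
    findings = []
    if (active.get("Local State"), active.get("Peer State")) != ("ACTIVE", "STANDBY HOT"):
        findings.append("active unit does not report a STANDBY HOT peer")
    if (standby.get("Local State"), standby.get("Peer State")) != ("STANDBY HOT", "ACTIVE"):
        findings.append("standby unit does not report an ACTIVE peer")
    for name, unit in (("active", active), ("standby", standby)):
        if unit.get("Redundancy Port") != "UP":
            findings.append(f"{name}: redundancy port is not UP")
    if active.get("BulkSync Status") != "Complete":
        findings.append("bulk sync is not complete")
    if active.get("Mobility MAC") != standby.get("Mobility MAC"):
        findings.append("units disagree on the mobility MAC")
    # Assumption: /24 prefix; the post does not show the management netmask.
    net = ipaddress.ip_interface(f"{mgmt}/{prefix}").network
    if rmi_a == rmi_s or any(ipaddress.ip_address(ip) not in net for ip in (rmi_a, rmi_s)):
        findings.append("redundancy-management addresses must differ and share the management subnet")
    return findings

print(check_pair(parse_summary(ACTIVE), parse_summary(STANDBY), "172.28.12.1", "172.28.12.3", "172.28.12.4"))
```

For the values in the post this returns no findings. An empty result only means the pair reports a consistent state before the test; it does not predict how the standby behaves when the active unit loses power.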


Sandeep Choudhary
VIP Alumni

I am running the same software version on 5520 and don't have any issue with failover.

In first overview, I can just see that you have ap-mgmt configuration on both WLC.

ap-management LAG 1113 172.28.13.1 Dynamic Yes No --> You don't need it. Better to enable Dynamic AP mgmt over management interface and then delete it.

Regards

Don't forget to rate helpful posts

Hi Sandeep,

Thank you very much for your help!
I agree with you that this is a good suggestion, however our IT management is convinced that keeping the ap-management interface separate through our firewalls is a more secure solution... So we will keep this as a last step solution...

Thanks again for the great help!

Scott Fella
Hall of Fame
Doesn’t seem right, might want to open a TAC case. Have you tried just issuing a force failover on the primary? If that doesn’t work also, then it’s a bug.
-Scott
*** Please rate helpful posts ***

Hi Scott,

Thanks for your reply !

I didn't try the force failover yet but have it planned for tomorrow...

True, it might be a bug, we are also preparing to upgrade to AireOS 8.10

I will keep you informed

Thanks a lot for your help!

Hi,

A doubt.
You have configured the same Management IP Address in both WLCs? Because the recommendation is to configure the "Management Interface" of both WLCs with IPs in the same subnet, but not the same IP.

I'm setting up two 5520 WLCs too. They have the same version 8.10.151.0.
I configured SSO and it works fine with the command: "redundancy force-switchover".

However, when simulating failover, turning off the Primary WLC, I saw that the Secondary WLC did not assume the Management IP.

I only had access again, after restarting both WLC's.
I followed all the cake recipe and Cisco recommendations.
I follow this link: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/High_Availability_DG.html

Best regards!!!

Every time I run into issues with SSO, I look at the console from both controllers. That will show you any errors during your testing. SSO when set up properly works fine. It’s also good to open a TAC case if you are having stability issues. Keep in mind that you can always break SSO and re-build it back as long as your SSO configuration and connect are correct. You don’t even have to break SSO, just factory reset your standby and join it back after your initial configuration.

-Scott
*** Please rate helpful posts ***