
detailed breakdown of Access Point (AP) join procedures in SSO and N+1

Ahmed Gamal
Level 1

I need to know what the access points' joining procedures are in SSO deployments and N+1 deployments, and what the timers are in each section. For example, in SSO, if the primary controller fails, what will happen with the access point, and if it comes back, also, if the whole SSO comes down, what will happen with the access points? What is the required time to join the N+1?

9 Replies

Saikat Nandy
Cisco Employee

Your AP join procedure is the same, be it in HA-SSO or N+1. You can refer to these two docs to understand the process:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9120axe-access-point/221056-understand-the-ap-join-process-with-the.html
https://mrncciew.com/2013/03/17/ap-registration/

In HA-SSO, AP failover from Active to Standby is seamless, meaning no downtime is required.

In HA-N+1, AP failover from Primary to Secondary takes 1-3 mins, depending on multiple things. For example:
  • You have 8*5 = 40 secs CAPWAP timer.
  • Both the Primary and Secondary are on the same version.
  • Latency between the AP and the Primary/Secondary controllers is pretty much the same.

marce1000
Hall of Fame

  - I will not cover all the details but for instance from https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-4/deployment-guide/c9800-n-plus-1-high-availability-wp.pdf
     Read from "Difference Between SSO (Stateful Switchover) and N+1 High Availability"

   M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Ahmed Gamal
Level 1

@Saikat Nandy 

Thank you for the details shared above. I have one more point I’d like to clarify:

In the event that both SSO controllers go down and the access points join the N+1 controller, what will be the behavior of the access points once the SSO pair comes back online? Will they automatically rejoin the SSO, or is manual intervention required?

Looking forward to your clarification.

Rich R
VIP

If you have set primary/secondary/tertiary WLC in the AP HA config then the AP will constantly poll and try to switch back to the primary WLC.
The timing of that return to primary WLC is determined by the "capwap timers primary-discovery-timeout" configuration.
From an AP point of view an SSO pair looks like a single WLC - the AP is effectively unaware of the HA-SSO.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/cmd-ref/b_wl_17_12_cr/configuration-commands-a-to-f.html#wp3078683012

I would appreciate your clarification on the following scenario:

If we have an SSO setup along with an N+1 backup controller, and the access points are not configured with explicit primary/secondary/tertiary controller settings, what will be the AP behavior when the SSO pair comes back online after a failure? Specifically:

  • Will the access points automatically leave the N+1 controller and rejoin the SSO primary controller?

  • Or will they remain associated with the N+1 controller until a manual reset or failure occurs?

  • Additionally, could you please share the relevant failover and fallback timers that apply in this scenario?

Your insights on this would be very helpful.

No I don't think it will switch back automatically if there is no static WLC config.
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9120axe-access-point/221056-understand-the-ap-join-process-with-the.html
If you want it to do that then configure it that way.
You can also have a look at a previous similar discussion:
https://community.cisco.com/t5/wireless/wireless-ap-wlc-discovery/td-p/5006301

For the timers refer to the config guide and the command reference (previous reply).

We have the same setup per se, SSO with N+1. It's just best practice to define the primary, secondary and/or tertiary controller, because you want to dictate that. Keep in mind, since this is new to you, that APs once joined to a controller will know of the controller they are joined to and any in the mobility group. However, if you have defined any discovery, DHCP, DNS or broadcast, the APs can or might even join those, which might not be what you want. I have seen configurations that were used to help set up environments to get APs to join a specific controller and then were never removed or changed. You can't always rely on timers or APs finding the right controller. You have variables that can cause issues, like connectivity, controller issues, controllers having the wrong image, configurations on the N+1 that are wrong, routing issues, etc.

The general questions you asked are all documented and even folks have discussed them in blogs.  You have to understand the "what ifs" and what you need to do to remediate issues.  Having a healthy environment helps, but there is always that one issue that will cause an incident. 

-Scott
*** Please rate helpful posts ***

Totally agree with Scott - keep it deterministic and set your preference.

Leo Laohoo
Hall of Fame

One important detail that will affect the new AP join process to the controllers (whether it is N+1 or SSO) is the LOAD of each individual controller.

Say I have three controllers (N+1): Controller 1 has 3600 APs, Controller 2 has 5000 APs and Controller 3 has 0 APs.

Even if the DHCP Option has Controller 1 as first, Controller 2 as second and Controller 3 as third option, there is a strong chance new APs will join Controller 3 over the other 2.
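
The behaviour discussed in the replies above (static primary/secondary preference, load-based choice without it, and fallback only when a preference is configured), as an added example that is not part of the original thread and is not Cisco's code. It is a simplified model: the controller names, the 6000-AP capacity figure, and the functions `select_controller` and `should_fall_back` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Controller:
    name: str
    joined_aps: int
    max_aps: int            # constructed capacity limit, not a real platform value
    reachable: bool = True

    @property
    def excess_capacity(self) -> int:
        return self.max_aps - self.joined_aps


def select_controller(found: Sequence[Controller],
                      preferred: Sequence[str] = ()) -> Optional[Controller]:
    """Pick a controller from discovery results.

    preferred lists the statically configured primary/secondary/tertiary
    names in priority order. With none configured, load decides.
    """
    usable = {c.name: c for c in found if c.reachable and c.excess_capacity > 0}
    for name in preferred:
        if name in usable:
            return usable[name]
    # No usable static preference: the controller with the most free slots wins.
    return max(usable.values(), key=lambda c: c.excess_capacity, default=None)


def should_fall_back(current: str, found: Sequence[Controller],
                     preferred: Sequence[str]) -> bool:
    """True when a higher-priority configured controller is reachable again."""
    rank = {name: i for i, name in enumerate(preferred)}
    current_rank = rank.get(current, len(preferred))
    return any(c.reachable and rank.get(c.name, len(preferred)) < current_rank
               for c in found)


def thread_example() -> list:
    """AP counts from the thread; the 6000 limit is constructed."""
    return [Controller("WLC1", 3600, 6000),
            Controller("WLC2", 5000, 6000),
            Controller("WLC3", 0, 6000)]
```

With no static preference the model sends a new AP to WLC3, and an AP sitting on the N+1 controller is only reported as due to fall back when a preference list is supplied.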
