
AP Failover and AP Fallback in Cisco Unified Wireless Implementation

When the access point has already connected to the controller (AP Join), there are two mechanisms that affect the choice of controller:



AP Failover




AP Failover uses the following information in order of priority (first priority first).


  1. Per AP Primary, Secondary and Tertiary controller
  2. Global Backup Primary / Secondary WLC
    • These options only work when FastHeartbeat Timeout is activated.
    • This information does not take effect on the access point immediately, but only after some time. It should appear in the so-called Backup WLC array.
  3. WLC Mobility Group Membership

WLC Mobility Group Membership


Let's test each mechanism, starting with the lowest priority and working up.
We have an access point connected to the vwlc2 controller (10.0.194.4), on which only the Mobility Group member vwlc (10.0.193.4) is configured.


 LAP1#sh capwap cli con
 mwarName
 mwarIPAddress 0.0.0.0
 mwarName
 mwarIPAddress 0.0.0.0
 mwarName
 mwarIPAddress 0.0.0.0
 Configured Switch 1 Addr 10.0.193.4
 Configured Switch 2 Addr 10.0.194.4

Next, turn off all interfaces on vwlc2.


 config port adminmode all disable 

And look at the response of the access point.


 *Mar 20 09:29:18.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.194.4:5246
 *Mar 20 09:29:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.193.4 peer_port: 5246
 *Mar 20 09:29:54.520: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.193.4 peer_port: 5246
 *Mar 20 09:29:54.521: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.193.4

The access point skipped the Discovery phase and connected directly to 10.0.193.4, that is, to the Mobility Group member it had stored in memory.


Global Backup Primary / Secondary WLC


Now let's test the next mechanism in priority order: Backup Primary / Secondary WLC. On the vwlc2 controller, set the Backup Primary to 10.0.191.4 (wlc2504), which is not among the mobility group members.


 config advanced backup-controller primary wlc2504 10.0.191.4 

You can see how these settings were pushed down to the access point using the command:


 LAP1#sh capwap cli ha
 fastHeartbeatTmr disabled
 primaryDiscoverTmr(sec) 120
 primaryBackupWlcIp 10.0.191.4
 primaryBackupWlcName wlc2504
 secondaryBackupWlcIp 0.0.0.0
 secondaryBackupWlcName
 DHCP renew try count 0
 Fwd traffic stats get 0
 Fast Heartbeat sent 0
 Discovery attempt 0
 Backup WLC array:

Now turn off all interfaces on the connected controller. The access point connected to the controller in the same mobility group (10.0.193.4). This happened because FastHeartbeat Timeout was not configured. Let's configure it.


 config advanced timers ap-fast-heartbeat local enable 10 

Check that this setting was pushed down to the access point:


 LAP1#sh capwap cli ha
 fastHeartbeatTmr(sec) 10 (enabled)
 primaryDiscoverTmr(sec) 120
 primaryBackupWlcIp 10.0.191.4
 primaryBackupWlcName wlc2504
 secondaryBackupWlcIp 0.0.0.0
 secondaryBackupWlcName
 DHCP renew try count 0
 Fwd traffic stats get 12
 Fast Heartbeat sent 12
 Discovery attempt 0
 Backup WLC array:
 Index [3] System name wlc2504
 Index [3] IP 10.0.191.4
 Index [3] Aging Count 0

Significant changes are visible: the "Fast Heartbeat sent" and "Fwd traffic stats get" counters are increasing, and the wlc2504 controller has appeared in the Backup WLC array. It does not appear immediately, but after a while, and the mechanism starts working only after that.


Now turn off all interfaces on the connected controller.


 *Mar 20 09:29:18.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.194.4:5246
 *Mar 20 09:29:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.191.4 peer_port: 5246
 *Mar 20 09:29:54.520: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.191.4 peer_port: 5246
 *Mar 20 09:29:54.521: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.191.4

Now everything is working, the access point has connected to the Backup Primary.


Per AP Primary, Secondary and Tertiary controller


Set the Primary controller back to vwlc (10.0.193.4) and make sure the Backup Primary is still configured as well.


 LAP1#sh capwap cli con
 mwarName wvlc
 mwarIPAddress 10.0.193.4

 LAP1#sh capwa cli ha
 fastHeartbeatTmr(sec) 10 (enabled)
 primaryDiscoverTmr(sec) 120
 primaryBackupWlcIp 10.0.191.4
 primaryBackupWlcName wlc2504
 secondaryBackupWlcIp 0.0.0.0
 secondaryBackupWlcName
 DHCP renew try count 0
 Fwd traffic stats get 32
 Fast Heartbeat sent 32
 Discovery attempt 0
 Backup WLC array:
 Index [3] System name wlc2504
 Index [3] IP 10.0.191.4
 Index [3] Aging Count 0

Now turn off the controller.


 *Mar 20 09:29:18.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.194.4:5246
 *Mar 20 09:29:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.193.4 peer_port: 5246
 *Mar 20 09:29:54.520: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.193.4 peer_port: 5246
 *Mar 20 09:29:54.521: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.193.4

As you can see, the access point connected to the Primary controller, ignoring the Backup Primary setting.
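
The priority order tested above, as an added example (not code from the original article): this Python sketch parses the two access point outputs shown on this page, predicts which controller the AP should join on failover, and checks the SENDJOIN log line against that prediction. All function names are hypothetical, and treating the "Configured Switch" entries as the remembered mobility group members is an assumption.

```python
import re

def parse_ap_state(con_output, ha_output):
    """Pull failover-relevant fields out of 'sh capwap cli con' / 'sh capwap cli ha'."""
    return {
        # Per-AP primary/secondary/tertiary; 0.0.0.0 means "not set".
        "per_ap": [ip for ip in re.findall(r"mwarIPAddress\s+(\S+)", con_output)
                   if ip != "0.0.0.0"],
        # Assumption: "Configured Switch" entries are the remembered mobility members.
        "known": re.findall(r"Configured Switch \d+ Addr\s+(\S+)", con_output),
        "fast_hb": bool(re.search(r"fastHeartbeatTmr\(sec\)\s+\d+\s+\(enabled\)", ha_output)),
        # Global backup counts only once it shows up in the Backup WLC array.
        "backup_array": re.findall(r"Index \[\d+\] IP\s+(\S+)", ha_output),
    }

def expected_failover_target(state, failed_wlc):
    """Apply the priority order from this page; returns (ip, reason)."""
    tiers = [
        ("per-AP controller", state["per_ap"]),
        ("global backup WLC", state["backup_array"] if state["fast_hb"] else []),
        ("mobility group member", state["known"]),
    ]
    for reason, candidates in tiers:
        for ip in candidates:
            if ip != failed_wlc:
                return ip, reason
    return None, "no remembered controller"

def join_matches_expectation(ap_log, state, failed_wlc):
    """Compare the controller in the SENDJOIN log line with the predicted one."""
    joined = re.findall(r"sending Join Request to (\d+\.\d+\.\d+\.\d+)", ap_log)
    expected, _ = expected_failover_target(state, failed_wlc)
    return bool(joined) and joined[-1] == expected

# Constructed sample input, shortened from the outputs shown on this page.
CON_NO_PRIMARY = ("mwarName mwarIPAddress 0.0.0.0 "
                  "Configured Switch 1 Addr 10.0.193.4 Configured Switch 2 Addr 10.0.194.4")
CON_PRIMARY = "mwarName wvlc mwarIPAddress 10.0.193.4"
HA_HB_OFF = "fastHeartbeatTmr disabled primaryBackupWlcIp 10.0.191.4 Backup WLC array:"
HA_HB_ON = ("fastHeartbeatTmr(sec) 10 (enabled) primaryBackupWlcIp 10.0.191.4 "
            "Backup WLC array: Index [3] System name wlc2504 Index [3] IP 10.0.191.4")
JOIN_LOG = "%CAPWAP-5-SENDJOIN: sending Join Request to 10.0.191.4"

if __name__ == "__main__":
    for con, ha in [(CON_NO_PRIMARY, HA_HB_OFF), (CON_NO_PRIMARY, HA_HB_ON),
                    (CON_PRIMARY, HA_HB_ON)]:
        print(expected_failover_target(parse_ap_state(con, ha), "10.0.194.4"))
```

A join to a controller other than the predicted one is worth investigating, since it means the AP's stored configuration differs from what the operator intended.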


AP Fallback


When the AP Fallback feature is activated (CONTROLLER -> General tab), the access point can change controllers even if the connection to the current controller has not been lost.
This can happen in the following cases.



We will try to check both options.


The access point is connected to the vwlc2 controller (10.0.194.4). We set controller 2504 (10.0.191.4) as its Primary controller and see what happens. After some time, the access point switches to that controller by itself, even though no mobility members are registered on either controller.


 *Mar 20 09:29:18.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.194.4:5246
 *Mar 20 09:29:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.191.4 peer_port: 5246
 *Mar 20 09:29:54.520: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.191.4 peer_port: 5246
 *Mar 20 09:29:54.521: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.191.4

In the second case, we enable Master Controller Mode on wlc2504 (all other settings, namely the Global Backup Primary WLC, remain as they were for the AP Failover check). After some time, the access point connects to 10.0.191.4!


 *Mar 20 09:29:18.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.194.4:5246
 *Mar 20 09:29:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.191.4 peer_port: 5246
 *Mar 20 09:29:54.520: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.191.4 peer_port: 5246
 *Mar 20 09:29:54.521: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.191.4


Source: https://habr.com/ru/post/325354/

