When an AP is fully joined to a controller, the AP learns of all the controllers configured in that mobility group. Should the controller that an AP is currently registered with go down, the AP sends discovery requests to any and all controllers in the mobility group. Assuming one of the controllers has the capacity to accept the AP, the AP should join the least loaded controller it can find. If there are many controllers in the mobility group, it can be difficult to determine which controller the APs will join should their current controller fail.
If you want more control over how the APs move between controllers on your network, you can configure the APs with Primary, Secondary & Tertiary controller names. With the controller names configured, the APs always try to register with the primary controller first. Should the primary controller go down, the AP tries to register with the secondary controller. If the AP is not able to join any of the configured controllers, it tries to join any controller with the Master Controller setting configured, or if there is no Master Controller, the least loaded controller in the Mobility Group.
AP failover priority can be used to determine which APs get to register with a controller when there is contention. You can configure your wireless network so that the backup controller recognizes a join request from a higher priority AP and, if necessary, disassociates a lower priority AP as a means to provide an available port for the higher failover-priority AP.
Below are the Primary, Secondary and Tertiary controller settings for an AP (in the High Availability tab of the AP configuration).
You can configure the same via the WLC CLI using the following three commands.
config ap primary-base <controller_name> <Cisco_AP_name> [controller_IP_Address]
config ap secondary-base <controller_name> <Cisco_AP_name> [controller_IP_Address]
config ap tertiary-base <controller_name> <Cisco_AP_name> [controller_IP_Address]
Here is an example where I have configured primary, secondary and tertiary controller information for an AP named “1252-c”.
(4402-a) >config ap primary-base 4402-a 1252-c 10.10.20.100
(4402-a) >config ap secondary-base 4402-b 1252-c 10.10.10.10
(4402-a) >config ap tertiary-base 4402-c 1252-c 10.10.10.20
If you want to set a global primary and/or secondary backup controller for all the APs joined to a particular controller, you can configure this through the “Wireless -> All AP -> Global Configuration” section as shown below. You can enable/disable Fast Heartbeat for Local/H-REAP APs from the same page.
You can use the CLI to configure this as well.
config advanced backup-controller primary <backup_controller_name> <IP_Address>
config advanced backup-controller secondary <backup_controller_name> <IP_Address>
!
config advanced timers ap-fast-heartbeat {local|hreap|all} {enable|disable} <interval 1-10>
config advanced timers ap-heartbeat-timeout <interval 1-30> (at least 3 times the heartbeat timer)
config advanced timers ap-primary-discovery-timeout <interval 30-3600> (default is 120s)
config advanced timers ap-discovery-timeout <interval 1-10> (default is 10s)
config advanced timers auth-timeout <interval 10-600> (default is 10s)
Here is the same configuration shown in the GUI screen capture above, if you want to do it via the CLI.
(4402-a) >config advanced backup-controller primary 4402-d 10.10.200.10
(4402-a) >config advanced backup-controller secondary 4402-c 10.10.10.20
The following CLI commands can be used to verify those settings.
(4402-a) >show advanced timers
Authentication Response Timeout (seconds)........ 10
Rogue Entry Timeout (seconds).................... 1200
AP Heart Beat Timeout (seconds).................. 30
AP Discovery Timeout (seconds)................... 10
AP Local mode Fast Heartbeat (seconds)........... disable
AP Hreap mode Fast Heartbeat (seconds)........... disable
AP Primary Discovery Timeout (seconds)........... 120
AP Primed Discovery Timeout (seconds)............ 0
(4402-a) >show advanced backup-controller
AP primary Backup Controller .................... 4402-d 10.10.200.10
AP secondary Backup Controller .................. 4402-c 10.10.10.20
(4402-a) >show ap config general 3502-d
Cisco AP Identifier.............................. 0
Cisco AP Name.................................... 3502-d
Country code..................................... Multiple Countries:AU,LK,NZ
Regulatory Domain allowed by Country............. 802.11bg:-AE 802.11a:-EN
AP Country code.................................. AU - Australia
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-N
Switch Port Number .............................. 1
MAC Address...................................... 44:d3:ca:af:43:43
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.10.20.4
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 10.10.20.1
Domain...........................................
Name Server......................................
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-A Port4
Cisco AP Group Name.............................. default-group
Primary Cisco Switch Name........................ 4402-a
Primary Cisco Switch IP Address.................. 10.10.20.100
Secondary Cisco Switch Name...................... 4402-b
Secondary Cisco Switch IP Address................ 10.10.10.10
Tertiary Cisco Switch Name....................... 4402-c
Tertiary Cisco Switch IP Address................. 10.10.10.20
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... Local
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.116.0
Boot Version ................................... 12.4.2.4
Mini IOS Version ................................ 7.0.112.74
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. Power injector / Normal mode
Number Of Slots.................................. 2
AP Model......................................... AIR-CAP3502I-N-K9
AP Image......................................... C3500-K9W8-M
IOS Version...................................... 12.4(23c)JA2
Reset Button..................................... Enabled
AP Serial Number................................. FGL1533S1U8
AP Certificate Type.............................. Manufacture Installed
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Not Configured
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 0 days, 15 h 37 m 09 s
AP LWAPP Up Time................................. 0 days, 14 h 19 m 15 s
Join Date and Time............................... Sun Apr 7 08:02:40 2013
Join Taken Time.................................. 0 days, 00 h 01 m 16 s
Ethernet Port Duplex............................. Auto
Ethernet Port Speed.............................. Auto
AP Link Latency.................................. Disabled
Rogue Detection.................................. Enabled
AP TCP MSS Adjust................................ Enabled
AP TCP MSS Size.................................. 1363
When using both the local (primary, secondary, tertiary) and global backup configurations, the locally configured settings take precedence in the event of a controller failure. If an AP is not able to join any of the locally configured controllers, it then tries to join the global backup controllers.
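To turn the verification output above into the effective join order an AP will use (local primary/secondary/tertiary first, then the global backup controllers), here is an added Python example that is not part of the original post; the sample output is constructed from the post's own values, and the dotted-leader parsing is an assumption about the AireOS show-command layout rather than a Cisco-provided API.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output, trimmed from the "show ap config general 3502-d" and
# "show advanced backup-controller" captures above (values are the post's own).
SHOW_AP_CONFIG = """\
Cisco AP Name.................................... 3502-d
AP Mode ......................................... Local
Primary Cisco Switch Name........................ 4402-a
Primary Cisco Switch IP Address.................. 10.10.20.100
Secondary Cisco Switch Name...................... 4402-b
Secondary Cisco Switch IP Address................ 10.10.10.10
Tertiary Cisco Switch Name....................... 4402-c
Tertiary Cisco Switch IP Address................. 10.10.10.20
Operation State ................................. REGISTERED
"""

SHOW_BACKUP_CONTROLLER = """\
AP primary Backup Controller .................... 4402-d 10.10.200.10
AP secondary Backup Controller .................. 4402-c 10.10.10.20
"""

# "Key ...... value": the key runs up to the first run of two or more dots.
_FIELD = re.compile(r"^(?P<key>.*?)\s*\.{2,}\s*(?P<value>.*)$")


def parse_dotted(output: str) -> Dict[str, str]:
    """Turn the dotted-leader lines of an AireOS show command into a dict."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = _FIELD.match(line.rstrip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def failover_order(ap_output: str, backup_output: str) -> List[Tuple[str, str]]:
    """List the (name, ip) pairs this AP will try, in order: its own
    primary/secondary/tertiary entries first, then the global backup
    controllers. Unset entries and duplicates are skipped; the Master
    Controller and least-loaded steps depend on live state and are not modelled."""
    ap = parse_dotted(ap_output)
    backup = parse_dotted(backup_output)
    order: List[Tuple[str, str]] = []
    for tier in ("Primary", "Secondary", "Tertiary"):
        name = ap.get(f"{tier} Cisco Switch Name", "")
        ip = ap.get(f"{tier} Cisco Switch IP Address", "")
        if name and (name, ip) not in order:
            order.append((name, ip))
    for tier in ("primary", "secondary"):
        parts = backup.get(f"AP {tier} Backup Controller", "").split()
        if len(parts) == 2 and (parts[0], parts[1]) not in order:
            order.append((parts[0], parts[1]))
    return order


if __name__ == "__main__":
    for i, (name, ip) in enumerate(failover_order(SHOW_AP_CONFIG, SHOW_BACKUP_CONTROLLER), 1):
        print(f"{i}. {name} ({ip})")
```

Feeding the full "show ap config general" output of every AP through this is a quick way to audit that no AP is left pointing at a decommissioned or misspelled controller name.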
When an AP moves off the primary controller, it joins another controller and stays registered there until the primary controller comes back online. The AP continues to send a primary discovery request to the configured primary controller every 30s. The AP primary discovery timeout is 120s by default (it can be set anywhere from 30s to 3600s). As soon as the primary controller responds, the AP tries to rejoin it.
There may be a situation where APs do not move back to the configured primary controller when that controller is back on the network. When this happens, ensure that AP fallback is enabled under the “Controller -> General” section.
If that setting is disabled, the APs remain on the backup controller until you manually reboot them. AP fallback is enabled by default.
To configure AP failover priority, you have to enable this feature globally (“Wireless -> All AP -> Global Configuration”) and then configure individual APs with a suitable priority level. By default all APs are set to priority level 1 (Low). The other values are 2 (Medium), 3 (High) and 4 (Critical).
Here are the individual AP failover priority settings you can choose.
Using the CLI you can configure AP failover priority as below. To enable it globally, use the “config network ap-priority {enable|disable}” command, then specify the priority of an AP with this command.
config ap priority {1|2|3|4} <Cisco_AP_name>
Here is an example of this CLI usage.
(4402-a) >config network ap-priority enable
(4402-a) >config ap priority 3 3502-d
You can verify this with the “show network summary” and “show ap summary” CLI output, as shown below.
(4402-a) >show ap summary
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name            Slots AP Model             Ethernet MAC      Location         Port Country Priority
------------------ ----- -------------------- ----------------- ---------------- ---- ------- ------
3502-d             2     AIR-CAP3502I-N-K9    44:d3:ca:af:43:43 3750-A Port4     1    AU      3
1252-c             2     AIR-LAP1252AG-N-K9   c8:4c:75:2c:95:c0 3750-a-PORT3     1    NZ      1
(4402-a) >show network summary
RF-Network Name............................. mrn-rfg
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Enable
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Enable
Ethernet Broadcast Forwarding............... Disable
AP Multicast/Broadcast Mode................. Multicast Address : 239.239.239.1
IGMP snooping............................... Enabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Disable
AP Join Priority............................ Enabled
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
Apple Talk ................................. Disable
AP Fallback ................................ Enable
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable
Fast SSID Change ........................... Disabled
802.3 Bridging ............................. Disable
IP/MAC Addr Binding Check .................. Enable
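As an added example (not from the original post), here is a small Python model of the join order and of the priority-based preemption described above: a controller that is full refuses a join unless AP priority is enabled and the joining AP outranks one already registered. The capacities, the scenario, and the `accept`/`join` names are constructed assumptions for illustration, not WLC behaviour verified against a device.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Failover priority levels from the post: 1 Low, 2 Medium, 3 High, 4 Critical.
PRIORITY_NAMES = {1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

@dataclass
class Controller:
    name: str
    capacity: int                      # APs this WLC can hold (assumed limit)
    up: bool = True
    master: bool = False               # "Master Controller" setting
    joined: Dict[str, int] = field(default_factory=dict)  # AP name -> priority

    def accept(self, ap: str, priority: int, preemption: bool) -> Optional[str]:
        """Handle a join request. Returns "" when admitted with free capacity,
        the name of the lower-priority AP disassociated to make room when
        preemption (config network ap-priority) is enabled, or None if refused."""
        if priority not in PRIORITY_NAMES:
            raise ValueError(f"priority must be 1-4, got {priority}")
        if len(self.joined) < self.capacity:
            self.joined[ap] = priority
            return ""
        if not preemption:
            return None
        victim = min(self.joined, key=self.joined.__getitem__)
        if self.joined[victim] >= priority:
            return None                # no AP of lower priority to displace
        del self.joined[victim]
        self.joined[ap] = priority
        return victim

def join(ap: str, priority: int, local: List[str], global_backup: List[str],
         group: Dict[str, Controller], preemption: bool) -> Tuple[Optional[str], Optional[str]]:
    """Walk the join order the post describes: AP-local primary/secondary/tertiary,
    then the global backup controllers, then any Master Controller, then the
    least-loaded controller in the mobility group. Returns (controller, displaced AP)."""
    ordered: List[str] = []
    for n in local + global_backup:
        if n in group and n not in ordered:
            ordered.append(n)
    ordered += [n for n, c in group.items() if c.master and n not in ordered]
    ordered += sorted((n for n in group if n not in ordered),
                      key=lambda n: len(group[n].joined))
    for name in ordered:
        ctl = group[name]
        if not ctl.up:
            continue
        result = ctl.accept(ap, priority, preemption)
        if result is not None:
            return name, (result or None)
    return None, None

def demo(preemption: bool) -> Tuple[Optional[str], Optional[str]]:
    """Constructed scenario with the post's controller names: primary 4402-a is down,
    secondary 4402-b is full with a Low-priority AP, global backup 4402-d is full
    with a Critical AP, and tertiary 4402-c is unreachable (not in the group)."""
    group = {
        "4402-a": Controller("4402-a", capacity=2, up=False),
        "4402-b": Controller("4402-b", capacity=1, joined={"1252-c": 1}),
        "4402-d": Controller("4402-d", capacity=1, joined={"ap-critical": 4}),
    }
    return join("3502-d", 3, ["4402-a", "4402-b", "4402-c"], ["4402-d"], group, preemption)
```

With preemption enabled the High-priority AP 3502-d displaces the Low-priority 1252-c on 4402-b; with it disabled the same AP finds no controller at all, which is the operational cost of leaving every AP at the default priority 1.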
Excellent article, very clear and concise.
Thanks for the feedback
Hi Nayarasi,
I have a question: can I configure two independent controllers on the same network, both of them serving different APs on the same floor?
Can I configure them with the same SSID?
Shall I configure them in the same mobility domain?
Hi Mahmoud,
If you expect clients to roam between those two APs, the WLCs have to be in the mobility peer list.
You can keep them in separate mobility groups, but they have to be in each other's mobility list.
HTH
Rasika
I’m trying to change the primary base and secondary base for a particular AP, and somehow it doesn’t work!
If I type in the CLI the command:
config ap primary-base, the output is:
“Primary, Secondary, Tertiary controller names and IP address must be unique.”
This is because I’m interchanging the primary and secondary and the WLC tells me that primary and secondary must be unique.
So I’m not able to interchange primary and secondary through the CLI; the only way I’ve found is in HTTPS: go to the AP, go to the HA tab, delete the secondary controller and apply. After doing that you can set the primary and secondary controller once again.
I don’t know if there is a command in the CLI to delete the secondary controller for an AP; anyway I think it is a mistake by Cisco, they should make things easier.
Our customer is always complaining about that, because they have wireless controllers from Ruckus and Cisco, and Ruckus is easier than Cisco in this kind of config.
Regards!!!!
I’ve found a workaround to configure HA in the CLI, in order to manually switch over one AP from one WLC to another WLC.
The problem is if I try to interchange primary and secondary WLC, I can’t do it directly, because controller names and IP address must be unique, so let’s change primary and secondary with wrong data.
config ap primary-base “invented-WLC” ap-name 0.0.0.0
config ap secondary-base “invented-WLC2” ap-name 2.2.2.2
Once you have configured the AP pointing to an incorrect or imaginary WLC and IP address, you can configure the real HA for the AP.
config ap primary-base “real-WLC” ap-name “real-ip-address”
config ap secondary-base “real-WLC2” ap-name “real-ip-address”
Now the AP will leave the actual WLC and join the other WLC.
I’ve written a script to change this config for a large number of APs. The script connects to the WLC using SSH, logs in automatically and executes the config changes for every AP that I previously entered in a .txt file.
Regards!
Very good… It is the only way in this situation.. great that you picked it up by yourself..
Rasika
Can you please share the script here
Thanks. I would like to ask a question: this time the AP fails from WLC1 and goes to join WLC2. I need the user or client to be able to use traffic normally; I don’t want the client to disassociate from the AP.
I don’t know whether the WLC has a fast HA feature? Thank you
When AP failover occurs, it will reboot. So client will be disrupted.
You have to consider AP & Client SSO (stateful switch over) feature, if you want something like that.
Here is some reference document on this feature
High_Availability_DG.pdf
HTH
Rasika
Today I have found a peculiar behavior. The AP wouldn’t join the primary controller first if the name is written incorrectly. (The AP always joins the secondary controller first, but if the secondary fails, the AP falls back to the primary as usual.)
That means the name should be written EXACTLY as the WLC’s sysname (or NAS id) in this command:
config ap primary-base <controller_name> <Cisco_AP_name> [controller_IP_Address]
Example:
(Cisco Controller) >show sysinfo
System Name...................................... test-wlc1
System Nas-Id.................................... test-wlc1
IP Address....................................... 10.0.0.2
(Cisco Controller) >config ap primary-base test-wlc1 AP1 10.0.0.2
(Cisco Controller) >config ap secondary-base test-wlc2 AP1 192.168.1.2
Yes, Name & IP address required for proper operation of this.
HTH
Rasika
Rasika,
It will be nice to know how long a stranded local mode AP can continue to serve clients, please.
Prakash
Hi Prakash,
It should work as long as the AP has power. If you see frequent dropouts of your AP, then it is not normal.
HTH
Rasika
AP migration/move script: https://www.iptel.com.au/ap-migration-tool.html
Sometimes it can be very useful 🙂
Tks for sharing it here
I want to remove secondary and Tertiary Controller from High Availability for each access point. I have over 900 APs associated to a 8510 WLC Software Version 8.0.121.0. What is the best/easiest way to remove secondary and Tertiary Controller?
And/or can I create a template in Prime. We are using version 2.2
Do the primary, secondary and tertiary have to be in the same VLAN network?
No, it can be L3 separated. As long as the AP has IP reachability to the WLC it would work.
HTH
Rasika
Hi,
We have an issue wherein the AP is configured with primary and secondary WLC. However, in the event the FlexConnect AP loses its connection to primary, it does not failover to secondary but rather to a different WLC not defined in the high availability settings.
Any idea?
Thanks!
Maybe the AP learns about those WLCs somehow.
Does this happen to a brand-new AP that only knows about primary & secondary?
HTH
Rasika
Hi, Rasika.
Thank you for the response. Basically, this is an old AP deployment and what I plan to do is to reset to factory default, but I am still waiting for the approvals. While waiting for that, is there anything that we can check?
Thanks!
In this kind of mobility group failover, it takes 80 seconds for the AP to connect to the secondary WLC after the primary fails, correct? On the 5760 there is a limit to the number of APs that can join at a time; is there a limit for this on the AireOS based controllers (5500 series, 4400 series etc.)?
Yes, It will take some time to failover to secondary WLC in case of primary failure.
If you have different software versions between primary & secondary WLCs, then the AP has to upgrade/downgrade during failover. Even in AireOS there is a limit on the number of APs that can go through this upgrade process at a time.
HTH
Rasika
Thanks Rasika. This limit only applies to AP upgrade though and not on AP failover? so during failover all APs will join the secondary at the same time?
I just tested SSO mode on dual 5520’s and am very impressed with that. Seems SSO HA is the better way to go than a mobility group failover although there are so many restrictions on SSO that I’m finding 😦
Yes, SSO is the way to go for HA, instead of Primary/Secondary
Rasika
I have configured HA between WLC 2504s. What I am facing is that when the primary controller is up, the backup controller does not handshake to the primary controller. I did all the necessary configuration but it won’t happen. Controller version 8.2
Need you advice
What do you mean by handshake to primary controller? Did you configure a mobility peer between those 2 WLCs? What does the output of “show mobility summary” look like?
Best place to get troubleshooting help is CSC. Post your thread here, if you haven’t done that yet.
https://supportforums.cisco.com/community/5921/other-wireless-mobility-subjects
HTH
Rasika
Hi, we are facing a weird issue. We have two foreign controllers and two anchors, one pair in DC and another pair in DR. Everything was working fine; all of a sudden some APs started joining the DR foreign controller and they stay there, though we have primary and secondary controller settings configured, plus global primary and secondary as well. When we reboot the DR foreign they come back to the DC foreign, but after a few days, or sometimes multiple times in a day, APs go back to the DR foreign controllers. Note that not all of them go there, only 60% of the APs.
Hello Rasika. What if we wanted to remove the primary/secondary controller configuration from the global configuration tab?
If the APs are configured in AP Groups, does the AP Group need to exist in the Secondary, Tertiary controllers for the AP to remain in the AP Group?
Yes, otherwise AP will go to default group on those controllers.
HTH
Rasika
Hi Nayarasi,
What happens if we change the hostname of our WLC?
Does the name in the Primary controller settings on the AP change automatically?
Hi Kevin,
No, it will not update automatically; you have to update them once you change the WLC hostname.
Rasika
Hi Rasika,
I understood clearly from your post above that the sequence is AP HA entries, Global WLC Backup entry if the Primary/Secondary/Tertiary entry in the AP does not respond. But, IF I also have Mobility Group where 1 of the members is not part of the previous configuration, what is the sequence?. I have seen AP’s joining to that Non Backup WLC but mobility group member. Is the sequence then: AP HA entries, Global WLC Backup entries and finally Mobility Group WLC member learned? thanks
I haven’t tested all those scenarios, Abraham. One thing is sure: the AP will use its Primary/Secondary/Tertiary config first, hence we configure it as best practice.
HTH
Rasika
Hello Rasika,
Is there a particular CLI command to extract the Primary/Secondary & Tertiary WLC entries for all APs?
I know i can get it one by one but just wondering if there is any easier way.
Hi Isuru,
It is an individual AP config; you have to apply it per AP, and I do not think there is one global CLI command without using the AP name.
HTH
Rasika
Thank you very much, I always find in this blog the answer to my doubts about Wifi.
You are welcome Victor. Thank you for giving positive energy for me to keep doing it
Rasika