
Need Fast Failover with Deauth to trigger Client DHCP-Requests


Userlevel 3
Hi,
we have a V2110 Controller HA-Pair with EWC-Firmware 10. Both are at different locations with topologies in different subnets. Both locations are connected directly with 10G. Now when a Fast Failover occurs, clients are connected into the topology of the other location, but clients need to get a valid IP address from the other location to be able to communicate. This happens when the user triggers a new DHCP-Request. Now I want this to happen automatically.

A solution would be if deauth packets are sent to clients when the failover occurs. It seems it was possible in EWC-Firmware 9 because the following KB entry described how to counter those packets if one would not want those deauth packets: https://gtacknowledge.extremenetworks.com/articles/Solution/Wireless-Appliance-disconnects-a-user-during-a-fast-failover-event-code-107/

But I can't find "configure Fast Failover Events" in EWC 10. Is it possible to trigger those deauth packets on Fast Failover?

6 replies

Userlevel 7
As far as I understand the KB article, that is only possible if you use 802.1X or MAC authentication with a NAC. It's an accounting message that is generated on the NAC.

Here is a screenshot of my V10 controller - VNS with 802.1X and a NAC - option on the pop-up



I've an idea, let me get back to you by tomorrow, I'd need to check some things first.
#notenoughsleep #toomuchredbull
Userlevel 7
Ron wrote:

As far as I understand the KB article, that is only possible if you use 802.1X or MAC authentication with a NAC. It's an accounting message that is generated on the NAC.

Here is a screenshot of my V10 controller - VNS with 802.1X and a NAC - option on the pop-up



I've an idea, let me get back to you by tomorrow, I'd need to check some things first.
#notenoughsleep #toomuchredbull

#hashtagsLookLikeWaffles
Userlevel 3
Thanks to your screenshot I located the option at VNS/Global/Auth. Unfortunately it was already disabled by default there and yet no Deauth packets.

At VNS/WLAN Service Auth this option doesn't exist. Is it a difference between 10.01.03 and 10.01.04?


I use 802.1x but defined the nac5radius as "RADIUS Server" in WM:



As the screenshot shows, there are NAC definitions "nac5" and "nac6" but I can't select them as RADIUS Server at the WLAN Service definition.
Userlevel 7
Please check again in the controller GUI - this time in the pop-up window click on the line "Acct" to highlight it to get the option.
In your screenshot "Auth" is highlighted, that is why you can't see the field.

I can't help you with WM as I don't like it = don't use it.
Userlevel 3
Ok, found it and "Fast Failover Events" was deselected there too. So I actually have the configuration which is described in the V9 knowledgebase article. But the clients still don't get deauths when their AP fails over.
Userlevel 3
I found the following solution:
- Activate Mobility between the two HA controllers
- use a different VNS on each controller (the only difference between the VNS is their name; their content, roles and wireless services are the same)
- deactivate "Permit Inter-WLAN Service Roaming" in the advanced settings of the WLAN service which is associated with the VNS

When I release an access point to the other HA controller, the client gets shortly disconnected with reason "VNS[...] Cause[Request from Other Controller]", reassociates and gets a valid IP address from the failover controller's topologies.

WM has a VNS desync now because it always wants to deploy a VNS on both HA controllers, but at least clients now reassociate automatically when APs change their controllers (e.g. during controller maintenance)

*happy*
