When attempting to configure or initiate failover between two Management Center (MC) appliances, the secondary unit fails to authenticate with the primary unit.
Product: Management Center (MC)
Version: 3.3.3.1 and above.
Deployment: High Availability (HA) / Failover Pair
The failover process utilizes a specific system account named failoverinituser to establish the initial secure connection. In environments where Management Center is configured to use LDAP for administrative authentication, the system may attempt to validate this internal account against the LDAP server.
If the LDAP service on the Primary MC is unreachable or the transport endpoint is disconnected, the authentication request from the Secondary MC reaches the Primary but fails immediately during the validation phase. This results in an SSH authentication failure on the secondary side.
Log in to the Primary Management Center CLI or Web Console.
Navigate to Settings > Authentication > LDAP.
Ensure the LDAP server status is "Connected" and that the server is performing correctly.
If using local authentication as a fallback, ensure the failoverinituser can be validated locally.
If the logs show the error "Transport endpoint is not connected":
Restart the LDAP service or verify the network path between the MC and the LDAP server.
If LDAP is not required for system-level accounts, ensure local authentication is prioritized for internal services.
Once LDAP connectivity is restored on the Primary MC:
Run the following command on the Primary appliance:
failover make-primary
Obtain a new authentication token.
On the Secondary appliance, re-run the failover setup using the new token.
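The log check described above can be scripted. The following is an added example, not code from the product or from this article: it labels each failed failoverinituser login by whether the "Transport endpoint is not connected" LDAP error was logged close to it in time. The log layout, sample lines, function name and verdict labels are assumptions constructed for illustration; the real Management Center log format may differ.

```python
import re
from datetime import datetime

# Constructed sample lines in a generic syslog-like layout. The real
# Management Center log format is not shown on this page and may differ.
SAMPLE_LOG = """\
2024-05-01T10:00:01 ldap: bind failed: Transport endpoint is not connected
2024-05-01T10:00:03 sshd: Failed password for failoverinituser from 192.0.2.20 port 40112
2024-05-01T10:07:45 sshd: Failed password for admin from 192.0.2.55 port 51100
not a log line
2024-05-01T10:30:10 sshd: Failed password for failoverinituser from 192.0.2.20 port 40190
"""

LINE_RE = re.compile(r"^(\S+)\s+(\w+):\s+(.*)$")
LDAP_ERR = "Transport endpoint is not connected"  # error text named in the article
ACCOUNT = "failoverinituser"                      # system account named in the article


def classify_failures(log_text, window_seconds=60):
    """Label each failed login of ACCOUNT by whether an LDAP transport
    error was logged within window_seconds of it (before or after)."""
    ldap_errors, failures = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        source, msg = m.group(2), m.group(3)
        if LDAP_ERR in msg:
            ldap_errors.append(ts)
        elif source == "sshd" and msg.startswith("Failed") and ACCOUNT in msg.split():
            failures.append(ts)
    results = []
    for ts in failures:
        near = any(abs((ts - e).total_seconds()) <= window_seconds for e in ldap_errors)
        results.append((ts.isoformat(), "ldap-backend" if near else "no-ldap-error-nearby"))
    return results


if __name__ == "__main__":
    for ts, verdict in classify_failures(SAMPLE_LOG):
        print(ts, verdict)
```

A failure labelled no-ldap-error-nearby is not explained by the LDAP condition in this article and should be investigated separately.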