Aruba Instant & Cloud Wi-Fi

Occasional Contributor I
Posts: 7
Registered: ‎07-24-2016

IAP 205 can't reach devices on same VLAN sometimes

Hello,


I have a problem: sometimes I'm unable to reach the IAPs, or an IAP loses connection with other devices on the management subnet.

 

Situation: we have several subnets & VLANs. The most important is VLAN 2 (subnet 10.0.2.0/24); this is the management subnet and also the space where all IAPs are located, plus several services such as FreeRadius, LDAP and other servers.


IPs:
10.0.2.1 - gateway (router)
10.0.2.10 - Radius 1 (master)
10.0.2.11 - Radius 2 (slave / backup)
10.0.2.[101-126] - IAPs

 

When I turn on the IAPs everything works just fine, but after 30 - 60 minutes the IAPs lose connection to all other devices on the management subnet & they are able to reach only the gateway.

 

This is a very big problem, because not only am I unable to display the webGUI, ssh or even ping the IAPs (from a PC in the same subnet), but also authentication against the Radius servers stops working, so users are not able to connect to SSID HK-Member (on which Radius authentication is set).

 

I'm a newbie to Aruba, so maybe I've configured the IAPs incorrectly, but it's really strange. The Radius servers can communicate between themselves without a problem, even with the LDAP server, which is also on the same subnet, but all devices are unable to reach the IAPs (except the gateway).

 

Within some intervals the IAPs are again reachable, but most of the time it just doesn't work.
I've already tried everything and only a reboot of the IAPs works, but after 30-60 minutes the problem occurs again.

 

For now I've configured dst-nat to the Radius 1/2 ports on the router & set the public Radius IP on the IAPs, so at least users are able to connect to the HK-Member SSID (because the gateway is always reachable), but this is not a solution for the main problem.

 

Another solution would be to create another VLAN & subnet just for the IAPs, so if they want to contact a Radius server on a different subnet, they will have to go over the gateway (which seems to be always reachable), so it should work, but it will mean that I'll have to register another VLAN on each switch we have etc.

 

I've added my current configuration to attachments, so you can check it.

 

Thanks for help.

Guru Elite
Posts: 20,416
Registered: ‎03-29-2007

Re: IAP 205 can't reach devices on same VLAN sometimes

How many devices are on that subnet? Is it possible to move the IAPs to a subnet with little broadcast traffic?



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 7
Registered: ‎07-24-2016

Re: IAP 205 can't reach devices on same VLAN sometimes

Right now I'm working on a brand new network, which is for now completely isolated from the running one except for internet access, so the traffic is for now minimal, with only up to 2 users (admins) connected at a time.

 

In the new network there is a management subnet (VLAN) with exactly 25 IAPs (Aruba IAP 205), 8x floor switch, 2x DHCP, 2x DNS, 2x MX, 2x (Radius + LDAP) servers and 2x web server (one for intranet, one for internet).

 

We have 2 PCs with KVM installed on them; one acts as a master and the second one as a slave, so if one PC goes down there is always a backup of each important service & the network will stay functional, plus all traffic is balanced between them.

 

Access to the management VLAN is forbidden from the outside "world", and you can access only a specific server on specific ports (e.g. DNS on port 53, etc.) using dst-nat / src-nat.

 

As I've mentioned earlier, I can create another VLAN & put all IAPs into it, but is it really necessary?

 

In our facility we already have up to 239 VLANs, and because our floor switches are Cisco Catalyst 2960, which can handle only up to 255 VLANs, I really don't want to add another VLAN if it is not necessary.

 

Thank you for reply.

Guru Elite
Posts: 20,416
Registered: ‎03-29-2007

Re: IAP 205 can't reach devices on same VLAN sometimes

I don't know exactly what your problem is; I'm just trying to eliminate the possibility of a lot of broadcast traffic on your management (not user) subnet as being the possible issue. You are also free to open a case with TAC if you would like them to look at your logs to determine what could be the problem.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 138
Registered: ‎07-12-2012

Re: IAP 205 can't reach devices on same VLAN sometimes


1) If the ports on the switch are access ports, then you don't need to define the VLAN in the config for the VC.

2) If the ports are trunks for the IAPs and the default (native) VLAN is different from VLAN 2, please make sure you define the management VLAN on each IAP.

3) If the ports are trunks but the default VLAN is 2, there is no need to specify it in either the VC config or the IAP config.

4) Are you able to reach the RADIUS IPs from a workstation connected on the same VLAN at the time you are not able to get to the IAPs? (If the answer is no, then it's a layer 2 or 3 problem.)

Frequent Contributor II
Posts: 116
Registered: ‎07-13-2015

Re: IAP 205 can't reach devices on same VLAN sometimes


What switch model are the IAPs plugged into?
Can you paste the "show run interface" output of one switchport where an IAP is connected?

Any port-security?

Also, a Wireshark capture from a port mirror of the virtual controller's port would be interesting.

ACMP, ACCP, BCNE
Occasional Contributor I
Posts: 7
Registered: ‎07-24-2016

Re: IAP 205 can't reach devices on same VLAN sometimes


Thank you for reply.

 

All ports on the switch where IAPs are connected are trunk ports, because users connected to SSID HK-Member are placed into their own VLAN (decided by Radius, which sends the Aruba-User-VLAN attribute in the reply).

 

So answers are:
1) no, trunk

2) yes, default is VLAN 1, all IAPs are set to be on VLAN 2 (management network)

3) no

4) yes, I'm able to reach all RADIUS IPs & also all other devices on VLAN 2 from a workstation in this subnet, but not the IAPs. When I restart the IAPs, then I'm ABLE to reach them (from RADIUS etc.), but within 30-60 minutes I LOSE contact with them. After that, in some intervals I'm able to reconnect to the IAPs, but after a while I lose connection with them again.

 

In short, connection on VLAN 2 between:
Gateway <=> Any device (including IAPs) / workstation = works
Any device (except IAPs) / workstation <=> Any device (except IAPs) / workstation = works

Any device / workstation <=> IAPs = works within some intervals, but most of the time doesn't work
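An intermittent pattern like the one in the matrix above is much easier to diagnose from a timestamped log of up/down transitions per host than from ad-hoc pings; the transitions can then be lined up against IAP uptime, the switch log or ARP cache timers. The following script is an added example (not posted in the thread and not Aruba code): `track_reachability` polls a list of hosts with an injectable probe and records every state change, `outage_intervals` turns those changes into per-host outage spans, and `icmp_probe` is a real probe that shells out to the Linux `ping` binary. The host list and the scripted probe results in `main` are constructed for illustration.

```python
"""Log reachability transitions of hosts on a subnet to localize an
intermittent loss (added example; hosts and scripted results are constructed)."""
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass
class Transition:
    ts: float        # time of the sample that observed the change
    host: str
    reachable: bool  # new state


def icmp_probe(host: str, timeout_s: int = 1) -> bool:
    """Real probe: one ICMP echo request via the system ping (Linux flags)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    return result.returncode == 0


def scripted_probe(script: Dict[str, Sequence[bool]]) -> Callable[[str], bool]:
    """Offline probe: replays a constructed per-host sequence, repeating the
    last value once the sequence is exhausted."""
    iters = {h: iter(v) for h, v in script.items()}
    last: Dict[str, bool] = {}

    def probe(host: str) -> bool:
        try:
            last[host] = next(iters[host])
        except StopIteration:
            pass
        return last[host]
    return probe


def track_reachability(hosts: Sequence[str], probe: Callable[[str], bool],
                       samples: int, interval_s: float,
                       clock: Callable[[], float] = time.time,
                       sleep: Callable[[float], None] = time.sleep) -> List[Transition]:
    """Probe every host `samples` times, `interval_s` apart; return only the
    samples where a host changed state (the first sample counts as a change)."""
    state: Dict[str, bool] = {}
    events: List[Transition] = []
    for i in range(samples):
        now = clock()
        for h in hosts:
            up = probe(h)
            if state.get(h) is None or state[h] != up:
                events.append(Transition(now, h, up))
            state[h] = up
        if i < samples - 1:
            sleep(interval_s)
    return events


def outage_intervals(events: List[Transition], end_ts: float) -> List[Tuple[str, float, float]]:
    """Pair each down-transition with the next up-transition of the same host;
    an outage still open at the end is closed at `end_ts`."""
    open_since: Dict[str, float] = {}
    spans: List[Tuple[str, float, float]] = []
    for e in events:
        if not e.reachable and e.host not in open_since:
            open_since[e.host] = e.ts
        elif e.reachable and e.host in open_since:
            spans.append((e.host, open_since.pop(e.host), e.ts))
    for host, start in open_since.items():
        spans.append((host, start, end_ts))
    return sorted(spans)


def main() -> None:
    # Constructed scenario: the gateway stays up, one IAP drops for two samples.
    script = {"10.0.2.1": [True] * 5,
              "10.0.2.101": [True, True, False, False, True]}
    ticks = iter(range(0, 500, 100))  # fake clock: 100 s per sample
    events = track_reachability(list(script), scripted_probe(script), samples=5,
                                interval_s=0, clock=lambda: next(ticks), sleep=lambda s: None)
    for e in events:
        print(f"{e.ts:>6.0f}s {e.host} {'UP' if e.reachable else 'DOWN'}")
    for host, start, end in outage_intervals(events, end_ts=400):
        print(f"outage {host}: {start:.0f}s -> {end:.0f}s ({end - start:.0f}s)")


if __name__ == "__main__":
    main()
```

For the real network, call `track_reachability(["10.0.2.101", ..., "10.0.2.10"], icmp_probe, samples=720, interval_s=10)` from a workstation on VLAN 2 and keep the printed transitions next to the IAP boot time; if outages begin a fixed time after each reboot, that points at a timer (ARP, MAC aging, DHCP lease) rather than at random loss.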

Occasional Contributor I
Posts: 7
Registered: ‎07-24-2016

Re: IAP 205 can't reach devices on same VLAN sometimes

We have Cisco SG300-52P 52-Port Gigabit PoE Managed Switch.

 

The running config is in the attachment; the ports are configured as follows:

1 - 36 are TRUNK ports for IAPs (only up to 25 should be used) / other devices.

37 - 48 are ACCESS ports with port-control (RADIUS controlled, with dynamic VLAN assignment, mac-bypass & fail -> guest VLAN), for users.

49 - 50 are uplink TRUNK ports (only 1 used at a time).

51 - 52 are ACCESS ports for admins, assigned to VLAN 2 (management VLAN).

 

The switch has a minimal configuration for now; I'm just trying to get it working.

 

I'm unable to do a Wireshark capture for now, sorry & thank you for your reply.

Frequent Contributor II
Posts: 116
Registered: ‎07-13-2015

Re: IAP 205 can't reach devices on same VLAN sometimes

Ok, since you are trunked with native VLAN 1, your management traffic needs to be tagged. From looking at the config I couldn't tell if it was properly configured, but I suspect this is the problem.

 

To verify the current config, SSH to the IAP and type

(Instant Access Point)# show uplink-vlan

If it's 0 or 1, then enter the following command to tag management with VLAN 2:
(Instant Access Point)# uplink-vlan 2

 

 

ACMP, ACCP, BCNE
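The check described above (native VLAN 1 on the trunk, management on VLAN 2, so the IAP's uplink VLAN must be 2 rather than 0 or 1) can be applied to pasted `show uplink-vlan` output from all 25 IAPs at once. The following is an added example, not code from the thread or from Aruba: `parse_uplink_vlan` reads the two `Uplink Vlan ... :N` lines in the format the OP pasted, and `check_mgmt_tagging` decides whether management frames would leave on the expected VLAN. It assumes that `Current` is the value in effect and `Provisioned` the configured value, and that `0` means untagged on the switch port's native VLAN; the sample output in `main` is constructed.

```python
"""Validate IAP uplink VLAN tagging against the switch trunk's native VLAN
(added example; output samples are constructed, semantics of Current vs
Provisioned and of value 0 are assumptions stated in the lead-in)."""
import re
from typing import Dict, Optional, Tuple

UPLINK_LINE = re.compile(r"^\s*Uplink Vlan (Current|Provisioned)\s*:\s*(\d+)\s*$", re.IGNORECASE)


def parse_uplink_vlan(output: str) -> Dict[str, Optional[int]]:
    """Extract Current/Provisioned values; missing lines stay None."""
    found: Dict[str, Optional[int]] = {"current": None, "provisioned": None}
    for line in output.splitlines():
        m = UPLINK_LINE.match(line)
        if m:
            found[m.group(1).lower()] = int(m.group(2))
    return found


def check_mgmt_tagging(output: str, native_vlan: int, mgmt_vlan: int) -> Tuple[bool, str]:
    """Return (ok, reason). An uplink VLAN of 0 means untagged, i.e. the frames
    land in the trunk's native VLAN; that is only fine when native == mgmt."""
    v = parse_uplink_vlan(output)
    cur, prov = v["current"], v["provisioned"]
    if cur is None:
        return False, "no 'Uplink Vlan Current' line found in output"
    if prov is not None and prov != cur:
        return False, (f"provisioned uplink VLAN {prov} differs from current {cur}; "
                       "the change is not in effect yet")
    effective = native_vlan if cur == 0 else cur
    if effective != mgmt_vlan:
        how = f"untagged, so native VLAN {native_vlan}" if cur == 0 else f"tagged VLAN {cur}"
        return False, (f"management traffic would use {how}, expected VLAN {mgmt_vlan}; "
                       f"fix with: uplink-vlan {mgmt_vlan}")
    how = "untagged on the native VLAN" if cur == 0 else f"tagged with VLAN {cur}"
    return True, f"management traffic is {how}, matching VLAN {mgmt_vlan}"


def check_many(outputs: Dict[str, str], native_vlan: int, mgmt_vlan: int) -> Dict[str, Tuple[bool, str]]:
    """Run the check over a {ap_name: output} mapping, e.g. pasted from each IAP."""
    return {ap: check_mgmt_tagging(text, native_vlan, mgmt_vlan) for ap, text in outputs.items()}


def main() -> None:
    # Constructed samples in the format the OP pasted; MAC-style prompt is made up.
    samples = {
        "ap-ok": "00:11:22:33:44:55# show uplink-vlan\n\nUplink Vlan Current :2\nUplink Vlan Provisioned :2\n",
        "ap-untagged": "Uplink Vlan Current :0\nUplink Vlan Provisioned :0\n",
        "ap-pending": "Uplink Vlan Current :1\nUplink Vlan Provisioned :2\n",
    }
    for ap, (ok, reason) in check_many(samples, native_vlan=1, mgmt_vlan=2).items():
        print(f"{ap}: {'OK ' if ok else 'BAD'} {reason}")


if __name__ == "__main__":
    main()
```

With the OP's output (`Current :2`, `Provisioned :2`, native VLAN 1) the check passes, which is consistent with the reply below: a wrong uplink VLAN would make the IAPs unreachable permanently, not intermittently, so this rules the tagging out rather than confirming it.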
Occasional Contributor I
Posts: 7
Registered: ‎07-24-2016

Re: IAP 205 can't reach devices on same VLAN sometimes

I'll disappoint you, but the configuration seems to be ok:

70:3a:0e:c7:1f:b2# show uplink-vlan

Uplink Vlan Current :2
Uplink Vlan Provisioned :2

Also, it doesn't explain why it is sometimes working and sometimes not.

If the IAPs were in the wrong VLAN, then I would never be able to contact them, not only sometimes.
