Aruba Instant & Cloud Wi-Fi

MVP
Posts: 1,110
Registered: ‎10-11-2011

IAP-VPN - No Client Connectivity

I am working on migrating RAPs to an IAP-VPN model.  I'm testing a single RAP-155 and trying to terminate it on the same controller as the RAPs.  I used the IAP VRD to configure IAP-VPN and did the following:

 

  1. Whitelisted IAP in controller.
  2. Configured IAP with Aruba GRE to primary data center controller.
  3. Configured IAP with default route to controller's (internal) IP.
  4. Configured IAP with centralized L2 scope.  I specified a VLAN that RAP clients already use.
  5. Configured IAP with PSK SSID and specified the centralized L2 scope.

When I connect the client to the SSID, the client doesn't obtain an IP address.  I configured a static IP as well, but still no network connectivity.

 

I verified that the IAP has an IPSec connection to controller (show crypto ipsec sa & show crypto isakmp sa).  I am able to connect to the GUI of the IAP from the inside of our network.  I see the client connected in the IAP GUI.

 

I also tried setting up a distributed L3 scope and it doesn't work.  If I issue 'show datapath session' I'm unable to see any traffic to/from the IAP's address.

 

Any thoughts on what might be keeping the clients from working?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: IAP-VPN - No Client Connectivity

I believe I'm one step further.  Since I am not using Airwave or Aruba Central, you must add the IAP to the trusted IAP database, which I had not done.  The command is:

 

controller# iap trusted-branch-db add <MAC>

 

Now I can see it when issuing 'show iap table', but still unable to pass client traffic.

MVP
Posts: 4,162
Registered: ‎07-20-2011

Re: IAP-VPN - No Client Connectivity

Is the IAP-VPN pool in your controller routable?

What’s the user-role for VIA clients?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: IAP-VPN - No Client Connectivity

Yes, the pool is routable.  I am able to get to the web GUI of the IAP when it's online.

 

default-vpn-role for the IAP.

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: IAP-VPN - No Client Connectivity

After changing the VPN from Aruba GRE to Aruba IPSec, it started working!  Looks like I needed the change above (IAP whitelisting) and Aruba IPSec to pass client traffic.

 

One thing I don't understand is why Aruba GRE was not the appropriate solution.  I've read the user guide and VRD, and Aruba GRE seemed like what I needed since I'm tunneling L2 traffic (Centralized L2).  Can anyone help me understand the difference between the two modes?
