Aruba Instant & Cloud Wi-Fi

Contributor I
Posts: 27
Registered: ‎03-12-2015

RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

Hi,

Got a setup with a RAP-155P (v 6.4.2.6) which has a VPN to a cluster of 7010 controllers (v 6.4.2.10). Everything works fine, but I have an issue with the DHCP distributed L3:

When a client connects to the SSID linked to the VLAN (2) with the distributed L3 DHCP, I see the DHCP discover packet coming out of the Aruba controller in the datacenter firewall logs (there is a firewall at the datacenter where the Aruba controllers and DHCP server are located), and I see a response coming from the DHCP server towards the Aruba controllers.

I've set up logging on the IAP as well, and the log shows that the initial DHCP packet is indeed being sent, but there is no returning traffic.

I can reach the DHCP server by pinging from the IAP and vice versa, so the path is OK.

When I put a static IP on the Wi-Fi client, everything works; I can reach the servers in the datacenter.

Any ideas on how to troubleshoot this?

My suspicion is that the returning traffic is being dropped by the Aruba controller at the datacenter, as I don't see anything in the IAP logs. The datacenter is remote, so going on-site for a packet capture is an absolute last resort.

Any help is appreciated!

Regards,

Dante

MVP
Posts: 4,008
Registered: ‎07-20-2011

Re: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

Distributed L3 mode

Contains broadcast and multicast traffic to a branch
DHCP server for clients is the Master AP
Even when the WAN is down, a client can renew its DHCP lease and new clients can receive an IP address
The Master AP is also the default gateway for clients
The traffic to the datacenter is routed through the IPsec tunnel to the controller
The traffic to internet/local destinations is Src-NATed with the local IP of the Master AP
Configuring a routable VPN address pool is also essential for RFC 3576 and for 802.1X if the RADIUS traffic is not Src-NATed at the controller
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 27
Registered: ‎03-12-2015

Re: RAP-NG VPN DHCP centralized L3: returning dhcp offer does not reach IAP

Of course I made a mistake in the subject of this thread:

I meant centralized L3, not distributed L3 DHCP...

So my question is still valid I suppose?

I'll open a new thread, otherwise this will get confusing

MVP
Posts: 4,008
Registered: ‎07-20-2011

Re: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

Is the IAP pool routable in your network ?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 27
Registered: ‎03-12-2015

Re: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

Yes, it's routable.

When I configure a Local L3, the traffic gets NATed behind the VPN pool IP, and everything works.

With the centralized L3, the traffic is not NATed behind the VPN pool IP; instead the configured IP on the IAP is used and is routed over the VPN. This is confirmed by what I see in the datacenter firewall logs: the DHCP request comes from the relay IP of the IAP and the returning packet is also being sent to that relay IP (the route on the firewall points towards the VRRP IP of the Aruba controller which terminates the RAP-NG VPN, so that's fine).

As I said, when I set a fixed IP on the client, everything works. It's just the DHCP return traffic that isn't working...
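The relay exchange described above (the DISCOVER leaving with the IAP's relay address in giaddr, and the OFFER being sent back to that same address) can be narrowed down without an on-site capture if the DHCP payloads from each observation point are available, e.g. the datacenter firewall and the IAP's own log. The following is an added example and is not code from this thread or from Aruba: it decodes the BOOTP/DHCP header, pairs DISCOVER and OFFER by transaction ID, and reports the last point on the path where the OFFER was seen. The relay address 172.25.254.1, the client MAC and all packets are constructed for the example; the branch subnet 172.25.254.0/24 is the one shown in the branch table later in the thread.

```python
"""Added example: trace a relayed DHCP DISCOVER/OFFER exchange across capture
points and report where the OFFER was last seen.  Only the BOOTP/DHCP payload
is modelled (no IP/UDP headers); every packet below is constructed in-line."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie (RFC 2131)
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # fixed 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(msg_type, xid, chaddr, giaddr="0.0.0.0", yiaddr="0.0.0.0"):
    """Build a minimal DHCP payload: BOOTP header + option 53 + end option."""
    op = 1 if msg_type in (1, 3) else 2             # 1 = BOOTREQUEST, 2 = BOOTREPLY
    hops = 1 if (op == 1 and giaddr != "0.0.0.0") else 0  # a relay bumps hops
    hdr = struct.pack(BOOTP_FMT, op, 1, 6, hops, xid, 0, 0,
                      b"\0" * 4,                                 # ciaddr
                      ipaddress.IPv4Address(yiaddr).packed,      # yiaddr
                      b"\0" * 4,                                 # siaddr
                      ipaddress.IPv4Address(giaddr).packed,      # giaddr (relay)
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Decode the BOOTP header and the DHCP message type (option 53)."""
    (op, _htype, hlen, hops, xid, _secs, _flags, _ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, payload[:236])
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "hops": hops, "xid": xid,
        "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN"),
        "chaddr": chaddr[:hlen].hex(":"),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
    }


def trace_offers(captures, branch_subnet):
    """captures: ordered list of (point_name, [payload, ...]) from the DHCP
    server side towards the branch.  Returns {xid: verdict} per DISCOVER."""
    net = ipaddress.IPv4Network(branch_subnet)
    last_point_name = captures[-1][0]
    seen = {}                                 # xid -> {"discover": d, "offer_at": [...]}
    for point, payloads in captures:
        for p in payloads:
            d = parse_dhcp(p)
            entry = seen.setdefault(d["xid"], {"discover": None, "offer_at": []})
            if d["type"] == "DISCOVER":
                entry["discover"] = entry["discover"] or d
            elif d["type"] == "OFFER":
                entry["offer_at"].append((point, d))
    verdicts = {}
    for xid, entry in seen.items():
        disc = entry["discover"]
        if disc is None:
            continue
        if not entry["offer_at"]:
            verdicts[xid] = "no OFFER seen anywhere: server did not answer"
            continue
        last_point, offer = entry["offer_at"][-1]
        if offer["giaddr"] != disc["giaddr"]:
            verdicts[xid] = (f"OFFER giaddr {offer['giaddr']} != relay {disc['giaddr']}: "
                             "reply will not be unicast back to the relay")
        elif offer["chaddr"] != disc["chaddr"]:
            verdicts[xid] = "OFFER chaddr does not match the DISCOVER"
        elif ipaddress.IPv4Address(offer["yiaddr"]) not in net:
            verdicts[xid] = (f"OFFER yiaddr {offer['yiaddr']} outside {branch_subnet}: "
                             "server picked the wrong scope")
        elif last_point != last_point_name:
            verdicts[xid] = (f"OFFER last seen at {last_point}: dropped between "
                             f"{last_point} and {last_point_name}")
        else:
            verdicts[xid] = "OK: OFFER reached the branch"
    return verdicts


# Constructed sample data (assumed relay address; not from the thread).
RELAY = "172.25.254.1"
CLIENT = bytes.fromhex("001122334455")
SAMPLE_CAPTURES = [
    ("dc-firewall", [
        build_dhcp(1, 0x1001, CLIENT, giaddr=RELAY),
        build_dhcp(2, 0x1001, CLIENT, giaddr=RELAY, yiaddr="172.25.254.50"),
        build_dhcp(1, 0x1002, CLIENT, giaddr=RELAY),
        build_dhcp(2, 0x1002, CLIENT, giaddr=RELAY, yiaddr="172.25.254.51"),
        build_dhcp(1, 0x1003, CLIENT, giaddr=RELAY),
        build_dhcp(2, 0x1003, CLIENT, giaddr=RELAY, yiaddr="10.0.0.9"),
    ]),
    ("iap-log", [
        build_dhcp(1, 0x1001, CLIENT, giaddr=RELAY),
        build_dhcp(2, 0x1001, CLIENT, giaddr=RELAY, yiaddr="172.25.254.50"),
        build_dhcp(1, 0x1002, CLIENT, giaddr=RELAY),   # OFFER never arrived here
        build_dhcp(1, 0x1003, CLIENT, giaddr=RELAY),
    ]),
]

if __name__ == "__main__":
    for xid, verdict in trace_offers(SAMPLE_CAPTURES, "172.25.254.0/24").items():
        print(f"xid 0x{xid:04x}: {verdict}")
```

An OFFER that shows up at the firewall but not in the IAP log points at the segment in between (the controller and the IPsec path), which is the situation described in this thread; a giaddr mismatch or a yiaddr outside the branch subnet would instead point at the DHCP server's scope selection. When pulling real captures, also confirm the OFFER is unicast to UDP port 67 of the giaddr rather than broadcast, since that is where a relay listens for replies.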

MVP
Posts: 4,008
Registered: ‎07-20-2011

Re: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

Can you ping the IAP from the DHCP server ?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 27
Registered: ‎03-12-2015

Re: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

Yes, that works (I actually already said that in my initial post). The other way around also. I can reach the IAP GUI from the server as well.

Contributor I
Posts: 27
Registered: ‎03-12-2015

Re: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

Maybe it's irrelevant, but I noticed that the branch table contains the same IAP twice, only with a different name (the IAP was added twice to the whitelist):

Trusted Branch Validation: Disabled
IAP Branch Table
----------------
Name              VC MAC Address     Status  Inner IP      Assigned Subnet   Assigned Vlan
----              --------------     ------  --------      ---------------   -------------
shop-genval-temp  00:0b:86:9e:c6:9f  UP      172.25.0.254  172.25.254.0/24
Instant-9E:C6:9F  00:0b:86:9e:c6:9f  DOWN    0.0.0.0

Total No of UP Branches   : 1
Total No of DOWN Branches : 1
Total No of Branches      : 2

Maybe this is an issue?

Any idea how I clear/delete/purge the old entry?

Regards,

Dante

Contributor I
Posts: 27
Registered: ‎03-12-2015

Re: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

Never mind the latest update: I deleted those entries, now there is only one, but the issue remains.

Just saw I'm updating the wrong post.

Here's the right description of the issue:

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/RAP-NG-VPN-DHCP-centralized-L3-returning-dhcp-offer-does-not/m-p/244080