ArubaOS and Controllers

Occasional Contributor II
Posts: 18
Registered: ‎07-31-2009

High bandwidth consumption in IPSEC mode

Hi,

I have been having a very strange issue over a number of months that I just cannot get to the bottom of, and would appreciate any insight from here...

We have two 3200 controllers running in failover mode on OS 6.1.0.0. There are 19 APs connected, 12 on branch sites.

When we run these APs in any mode that uses IPSEC UDP 4500 for client traffic, there is a huge amount of data being pulled from the primary WLC by individual APs in turn. We're talking in the magnitude of Gigabytes per hour here, most of the time when there are no clients connected to the particular AP. This affects our network to such an extent that we cannot run in these modes. To clarify:

APs in campus AP mode (GRE) - normal b/w used
APs in campus AP with CPSEC (IPSEC UDP 4500) - huge b/w used
APs in RAP mode, bridge or tunnel (IPSEC UDP 4500) - huge b/w used

We really want to run the branch site APs in bridge mode so clients get local addresses, but are prevented from doing so by this issue. We have moved the WLCs and APs to their own separate VLAN in HQ and upgraded the OS to 6.1.0.0 but issue still occurs (happened on OS 5 as well).

Can anyone help or suggest where the issue may lie?
Guru Elite
Posts: 21,490
Registered: ‎03-29-2007

Re: High bandwidth consumption in IPSEC mode


The only true way that you can get to the bottom of this is by opening a case to see what is happening. The user in the thread here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=4143 opened a support case to have this analyzed and if possible, you should do the same.


Colin Joseph
Aruba Customer Engineering


Aruba
Posts: 760
Registered: ‎05-31-2007

High bandwidth consumption in IPSEC mode

If you do a capture (SPAN) on the switch port that the Remote AP is plugged into at the remote site(s), what do you see in terms of non-encrypted traffic... anything abnormal, or is it GB per hour of only UDP 4500?

The idea being to assess what traffic is coming 'through' the Remote AP.
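
Added example, not part of the original thread and not Aruba tooling: one way to answer the question above from a saved SPAN capture is to total on-the-wire bytes for UDP 4500, GRE and everything else. It assumes a classic pcap file with Ethernet framing; the helper names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

def classify(frame):
    """Label one Ethernet frame: 'udp4500' (NAT-T IPsec), 'gre', or 'other'."""
    base = 18 if frame[12:14] == b"\x81\x00" else 14   # skip one 802.1Q tag
    if len(frame) < base + 20 or frame[base - 2:base] != b"\x08\x00":
        return "other"                                  # not IPv4
    ihl, proto = (frame[base] & 0x0F) * 4, frame[base + 9]
    if proto == 47:
        return "gre"
    if proto == 17 and len(frame) >= base + ihl + 4:
        sport, dport = struct.unpack("!HH", frame[base + ihl:base + ihl + 4])
        if 4500 in (sport, dport):
            return "udp4500"
    return "other"

def bytes_by_class(pcap):
    """Sum on-the-wire bytes per class from a classic (non-pcapng) Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        totals[classify(pcap[off + 16:off + 16 + incl])] += orig
        off += 16 + incl
    return totals

# --- constructed sample capture (not real traffic) ---
def _frame(proto, payload, sport=0, dport=0):
    if proto == 17:  # prepend a UDP header
        payload = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = _pcap([_frame(17, b"e" * 1000, 4500, 4500)] * 2 +
               [_frame(47, b"g" * 100), _frame(17, b"d" * 50, 53000, 53)])

if __name__ == "__main__":
    for label, total in bytes_by_class(SAMPLE).most_common():
        print(f"{label:8s} {total} bytes")
```

The UDP 4500 payload is encrypted, so the capture only shows its volume and timing; the "other" bucket is where unencrypted traffic passing through the AP's wired port would show up.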
Occasional Contributor II
Posts: 18
Registered: ‎07-31-2009

Re: High bandwidth consumption in IPSEC mode

Hi,

Thanks for the replies guys. Couple of issues, it's very difficult to replicate the error when I want to. Can take 2-3 days for it to start happening and then it completely swamps the network from the blue. For me to capture the traffic I will need to affect users on the network during business hours (issue does not seem to happen OOH). I can't afford to turn these modes on to do this.

Very interesting that another user has the same issue, I am going to keep a keen eye on his case and will see what they advise.

If it was something like broadcasts, is there a way switch side to prevent these from wired clients? I have had both "broadcast-filter arp" & "broadcast-filter all" enabled since day one so this does not prevent the traffic.