ArubaOS and Controllers

Occasional Contributor II
Posts: 11
Registered: 06-03-2009

Master Local communication

I have a 3400 setup as a master, and I am trying to configure a 620 as a local. I had it working fine, then messed with using cellular as the primary uplink, and since then I cannot get it to talk to the master, wired or cellular.

Both controllers are running 5.0.1.0. PSK matches, I'm sure of it. I wiped the 620 and started over too. The odd thing is that I can monitor activity on the wired uplink side, and I cannot see any traffic initiating from the local 620. I can however, see ping traffic if I ping from the controller, so I am pretty sure the monitoring is working, and for some reason, the controller just will not initiate the VPN to its master.

Any help or ideas would be appreciated. Probably something simple I missed from exhaustion looking at it....

John
Guru Elite
Posts: 21,583
Registered: 03-29-2007

A number of things



John,

A number of questions here: Are you doing Site to Site VPN on top of this, or are you just pointing to the public address of the headend controller as the "master" of the 620? Did you do a "show datapath session table" on the master to see if the IPSEC traffic is even making it to the headend controller? If you do see a session, did you do a "show log security 50" on the master to see the negotiation taking place? Did you then do a "show crypto ipsec sa peer" to see if a legit IPSEC tunnel is being set up?

If your answer is no, you should do those three things, in that order to see what's up...


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 11
Registered: 06-03-2009

Re: Master Local communication

good troubleshooting stuff, but I already know for a fact that the traffic is not reaching the master. I am not doing an IPSec tunnel just yet, only trying to get the master-local tunnel to talk.

I am sure the problem lies somewhere in the 620. It seems that the 620 does not know it is supposed to initiate a tunnel, or can't for some reason. I have the 620 behind a firewall, on which I can packet trace for all UDP 4500, and there is no traffic on 4500 leaving the 620. I also have a second 620 that is configured as a local to a different master. When I swap that one in, it finds its master and I see the 4500 traffic on the firewall between the 620 and the Internet.

Could it be a license that is missing? I have a 620-4 with 4 WIP and 4 PEFNG, but no PEFV.

What about IPSec settings? Do I need to create an IKE Shared Secret or Policy? I don't think so, since this is configured as a Local, I cannot even add IKE secrets.

I have been messing with this for days, and I am stumped. Crazy thing is the first time I set this up, I made the connection just fine. It's when I tried to use cellular as the primary connectivity that it all went haywire.

Another symptom that seems odd to me is that when I am wired behind this 620, I can reach the Internet just fine, EXCEPT for the GUI of the Master controller (which is exposed to the Internet at this time). Here is my route table on the 620. Obviously there is a /32 route for the master, which is the problem, but could this also be why the controller cannot build the tunnel? I would think this route would not appear until the tunnel is built, which at this point it is not:

#show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static
M - mgmt, U - route usable, * - candidate default

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
S* 0.0.0.0/0 via 192.168.1.1*
C 192.168.253.0 is directly connected, VLAN1
C 192.168.1.0 is directly connected, VLAN4000
C is an ipsec map default-local-master-ipsecmap

John
Guru Elite
Posts: 21,583
Registered: 03-29-2007

Tunnel



The Master-Local tunnel is set up over IPSEC (you probably knew that already). The route to the master is always inserted when you have a master IP entered, with a preshared key that must match on the master (more stuff you probably know). To troubleshoot things, please uncheck the gateways of last resort for the DHCP, CELL and PPPoE networks in Configuration > Network > IP > IP Routes so that we are only doing wired, to that default gateway, for now. Also, go to Configuration > Network > Uplink and make sure the uplink manager is disabled for now. We're just trying to get traffic to flow deterministically at this point.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 11
Registered: 06-03-2009

Re: Master Local communication

So I setup two of the 620s in parallel at home. Both are on the same LAN to get their WAN address, each connecting to a different master. Both have the same version and build of code.

I am packet capturing on the firewall that serves DHCP to the WAN. Only one is sending any traffic out the WAN. They do connect to two different masters.

I was looking at the GUI configs side by side and did notice something. In VPN Services --> Site to Site, each has a default-local-master-ipsecmap setting that cannot be edited. However, the controller that works uses the private IP of the master in the "subnet" field, while the other controller uses the public IP. But again, I cannot edit it.

This is consistent with the routing tables. One shows "10.4.1.12 is an ipsec map default-local-master-ipsecmap" and the other shows "x.x.x.248 is an ipsec map default-local-master-ipsecmap". This is the routing table, so I am convinced it's not just the GUI, but some other thing. Right? Why would one use a private IP and the other public?

I am thinking that the default ipsec map entry is creating some type of routing loop. It's trying to find its master by routing through the very IPsec tunnel it is trying to build to the master.
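One way to check the hypothesis in the post above is to replay the route lookup. The script below is an added example, not code from this thread or from Aruba: it parses the `show ip route` line format quoted earlier in the thread and performs a plain longest-prefix-match lookup for the master's address, reporting whether that address lands on the automatically installed default-local-master-ipsecmap entry or on the wired default gateway. The two route tables are constructed samples modelled on the posts above: 203.0.113.248 stands in for the redacted x.x.x.248 public address, and 203.0.113.10 stands in for the master's public address in the working case. Connected networks are printed without a mask in this output, so the parser assumes /24 for them, and it assumes /32 for the ipsec-map entry (the /32 the earlier post mentions); both are assumptions, as is the idea that ArubaOS resolves the IKE destination with an ordinary forwarding lookup, which is exactly what the thread is trying to establish.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the route lines of "show ip route" as quoted in the thread, e.g.
#   S* 0.0.0.0/0 via 192.168.1.1*
#   C 192.168.253.0 is directly connected, VLAN1
#   C 10.4.1.12 is an ipsec map default-local-master-ipsecmap
# Header lines ("Codes:", "Gateway of last resort ...") do not match and are skipped.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<dest>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+(?P<rest>.+)$"
)

IPSEC_MAP_MARK = "is an ipsec map"
CONNECTED_MARK = "is directly connected"


@dataclass
class Route:
    code: str                       # S*, C, O, R, ...
    network: ipaddress.IPv4Network
    via: str                        # next hop, interface, or ipsec map name
    kind: str                       # "gateway", "connected" or "ipsec-map"


def parse_show_ip_route(text: str, connected_prefixlen: int = 24) -> List[Route]:
    """Parse the route lines of an ArubaOS 'show ip route' dump.

    Assumptions (not stated in the thread): connected networks printed without a
    mask are /24, and an ipsec-map entry printed without a mask is a /32 host route.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        code, dest, rest = m.group("code"), m.group("dest"), m.group("rest").strip()
        if IPSEC_MAP_MARK in rest:
            kind = "ipsec-map"
            via = rest.split(IPSEC_MAP_MARK, 1)[1].strip()
            if "/" not in dest:
                dest += "/32"
        elif CONNECTED_MARK in rest:
            kind = "connected"
            via = rest.split(",", 1)[1].strip() if "," in rest else ""
            if "/" not in dest:
                dest += f"/{connected_prefixlen}"
        elif rest.startswith("via"):
            kind = "gateway"
            via = rest[len("via"):].strip().rstrip("*")  # trailing * marks candidate default
        else:
            continue  # unknown line shape: skip rather than guess
        routes.append(Route(code, ipaddress.ip_network(dest, strict=False), via, kind))
    return routes


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match, the way a plain IP forwarding lookup picks a route."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def master_steered_into_own_map(routes: List[Route], master_ip: str) -> bool:
    """True when the master's address is matched by the ipsec-map route itself.

    That is the loop the post above suspects: traffic to the master would be
    handed to the tunnel that has not been built yet instead of to the wired
    default gateway.
    """
    r = lookup(routes, master_ip)
    return r is not None and r.kind == "ipsec-map"


# Constructed samples modelled on the outputs quoted in the thread.
WORKING_620 = """\
S* 0.0.0.0/0 via 192.168.1.1*
C 192.168.253.0 is directly connected, VLAN1
C 192.168.1.0 is directly connected, VLAN4000
C 10.4.1.12 is an ipsec map default-local-master-ipsecmap
"""
# 203.0.113.248 is a constructed stand-in for the redacted x.x.x.248 public address.
BROKEN_620 = """\
S* 0.0.0.0/0 via 192.168.1.1*
C 192.168.253.0 is directly connected, VLAN1
C 192.168.1.0 is directly connected, VLAN4000
C 203.0.113.248 is an ipsec map default-local-master-ipsecmap
"""

if __name__ == "__main__":
    for name, dump, master in (("working", WORKING_620, "203.0.113.10"),
                               ("broken", BROKEN_620, "203.0.113.248")):
        routes = parse_show_ip_route(dump)
        hit = lookup(routes, master)
        print(f"{name}: master {master} matches {hit.network} via {hit.via} ({hit.kind}); "
              f"steered into own ipsec map: {master_steered_into_own_map(routes, master)}")
```

In the working sample the master's public address only matches the default route, so the underlying packets leave via 192.168.1.1 while the ipsec map covers the private 10.4.1.12 address behind the tunnel; in the broken sample the /32 ipsec-map entry is the most specific match for the master's own public address, which is the circular dependency described in the post.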
Guru Elite
Posts: 21,583
Registered: 03-29-2007

Public Address?



Separately, when you create a site to site VPN configuration, whether using traditional site to site VPN, or creating a master-local connection, a route is created automatically for that endpoint, whether the tunnel is up or not. You will see a route to that network or that host address added to the routing table, pointing to an IPSEC MAP that is not editable. You will have to troubleshoot network connectivity from the local controller to the master controller's IP address first, to ensure it is reachable over UDP 4500 (ipsec) in order to be successful creating a master/local relationship. Is there any way that you can test connectivity to the master controller's public ip address from the local using ping or traceroute? Is the firewall on the master's side allowing UDP 4500?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 11
Registered: 06-03-2009

Re: Master Local communication

I hear what you are saying, but I think you missed my point:

Why, on one controller, is the default-local-master-ipsecmap pointed to the PRIVATE address of the master controller in its routing table, and on the other one to the PUBLIC address? Both controllers are configured in the master-local settings with the public address of the master. Furthermore, the one that has the route pointing to the private address of the controller is the one that works, while the one with the route to the public IP does not.

I think this is the most odd thing I have found, and likely the source of the problem.

I am going to try to take the one that does not work, and point it to the master of the one that does just as a test.

Separately, I have confirmed that UDP 4500 works on the master, using IKEProbe.
Guru Elite
Posts: 21,583
Registered: 03-29-2007

Master, Local, IKEprobe



We realize that this is a public forum, so information that can usually be obtained by opening a ticket, cannot be obtained here. With complicated issues that have a multitude of dependencies, like VPN, master-local connectivity, routing, and IKE combined, getting to the root of a problem will seem like a guessing game, due to the limited information provided. If you need to get immediate assistance please open a case, so that you are not frustrated by this process.

With that being said, there are a couple of variables that influence master-local connectivity on the public internet. One of those variables is the "switch ip". You can obtain this IP address by executing a "show switchip" on the command line of each controller. That switchip is the source IP address of every management packet that originates from the controller, regardless of other IP addresses. By default, this is the lowest numbered VLAN on the controller (usually VLAN 1). In ArubaOS 3.4.x and above, you can change the switchIP to be a VLAN OTHER than VLAN1. If one controller is working, but the other is not, change the switchIP VLAN (you have to reboot) to be the VLAN that works by doing "controller-ip VLAN x". You can also change this by going to Configuration, where you can see it under Controller IP details. If the VLAN selected has a public address, change it to a private address, and see if that works.


Colin Joseph
Aruba Customer Engineering
