ArubaOS and Controllers

New Contributor
Posts: 2
Registered: ‎04-29-2009

Unable to connect to local controller from outside of master!

I have one 2400 master controller and one 2400 local controller, and the master-local connection between them is fine.
The LMS pointing to the local controller works just fine!
But I can't connect to the local controller from outside of the master!
The local controller has only one VLAN, connecting it to the master and the outside world.
The sec tunnel looks fine on the local:

(Aruba2400_5) # show crypto ipsec sa peer 10.10.0.254


Initiator IP: 10.10.0.5
Responder IP: 10.10.0.254
Initiator: Yes
Initiator cookie:e1845f51747e45c0 Responder cookie:5e28aa9f2ce8ac2f
Ipsec-map name: default-local-master-ipsecmap
SA Creation Date: Thu Aug 25 16:26:41 2011
Life secs: 7200
Initiator Phase2 ID: 10.10.0.5/255.255.255.255
Responder Phase2 ID: 10.10.0.4/255.255.255.255
Phase2 Transform: EncAlg:esp-3des HMAC:esp-sha-hmac
Encapsulation Mode:Tunnel
PFS: No
OUT SPI 3d0a8500, IN SPI 30c8d900
Reference count: 3

When I ping outside the master it also times out, and when I traceroute, it doesn't go to the gateway but comes back to its own interface!
(Aruba2400_5) #traceroute 168.95.1.1
Press 'q' to abort.
Tracing the route to 168.95.1.1

1 10.10.0.5 0.42 msec 0.197 msec 0.193 msec
2 * * *
3 * *

When I show the datapath, it goes local:
(Aruba2400_5) #show datapath session table 168.95.1.1

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
I - Deep inspect, U - Locally destined

Source IP       Destination IP  Prot  SPort  DPort  Cntr  Prio  ToS  Age  Destination  TAge  Flags
--------------  --------------  ----  -----  -----  ----  ----  ---  ---  -----------  ----  -----
168.95.1.1      10.10.0.5       1     3      0      0/0   0     0    0    local        5     FYI
168.95.1.1      10.10.0.5       1     4      0      0/0   0     0    0    local        3     FYI
10.10.0.5       168.95.1.1      1     3      2048   0/0   0     0    1    local        5     FYCI
10.10.0.5       168.95.1.1      1     4      2048   0/0   0     0    1    local        3     FYCI

So, what can I do to make it possible to manage the local controller from outside the master?

Thank you
Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Unable to connect to local controller from outside of master!


Diagram, please.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 2
Registered: ‎04-29-2009

Re: Unable to connect to local controller from outside of master!

10.10.0.10(cisco6509)->10.10.0.254(2400master)->10.10.0.5(2400local)
10.10.0.5's gw :10.10.0.254
10.10.0.254's gw : 10.10.0.10
10.10.0.10 can access 10.10.0.5
But anything other than the 10.10.0.x VLAN can't access 10.10.0.5.
The routing table of 10.10.0.5:

(Aruba2400_5) #show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static
M - mgmt, U - route usable, * - candidate default

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 10.10.0.254 to network 0.0.0.0 at cost 1
S* 0.0.0.0/0 via 10.10.0.254*
C 10.10.0.0 is directly connected, VLAN10
C 10.10.0.4 is an ipsec map default-local-master-ipsecmap
Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Unable to connect to local controller from outside of master!


Okay. I think I know the issue. The master is not bridging traffic for anything on that VLAN due to the ipsec tunnel. If it will not disrupt your network, you can change your local to a master to eliminate the ipsec tunnel to prove this... Another way is to put a route on any device that wants to connect to the local and point it to the master. The issue could be the tunnel.


Colin Joseph
Aruba Customer Engineering
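
CLI output like the `show datapath session table` listing in the first post is often pasted with the TAge and Flags columns wrapped onto a second line. The following Python parser is an added example, not part of the original thread and not Aruba code: it rejoins wrapped rows and decodes the flag letters using the legend printed in that output. The function names and the embedded sample rows are constructed for illustration.

```python
import re

# Flag legend as printed by "show datapath session table" in the thread.
FLAGS = {
    "F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
    "R": "redirect", "Y": "no syn", "H": "high prio", "P": "set prio",
    "T": "set ToS", "C": "client", "M": "mirror", "V": "VOIP",
    "I": "deep inspect", "U": "locally destined",
}
COLS = ["src", "dst", "prot", "sport", "dport", "cntr", "prio", "tos", "age",
        "destination", "tage", "flags"]
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample: two rows from the thread, wrapped as a narrow terminal prints them.
SAMPLE = """\
168.95.1.1 10.10.0.5 1 3 0 0/0 0 0 0 local
5 FYI
10.10.0.5 168.95.1.1 1 3 2048 0/0 0 0 1 local
5 FYCI
"""

def parse_sessions(text):
    """Parse session rows, rejoining rows whose TAge/Flags wrapped to the next line."""
    sessions, pending = [], []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if IPV4.match(tokens[0]):
            pending = tokens              # a data row starts with the source IP
        elif pending:
            pending = pending + tokens    # continuation of a wrapped row
        if len(pending) == len(COLS):
            row = dict(zip(COLS, pending))
            row["flag_names"] = [FLAGS.get(f, "unknown:" + f) for f in row["flags"]]
            sessions.append(row)
            pending = []
        elif len(pending) > len(COLS):
            pending = []                  # not a session row after all; discard
    return sessions

def local_rows(sessions):
    """Rows whose Destination column reads 'local', as every row in the thread does."""
    return [s for s in sessions if s["destination"] == "local"]

if __name__ == "__main__":
    for s in local_rows(parse_sessions(SAMPLE)):
        print(s["src"], "->", s["dst"], "prot", s["prot"], ", ".join(s["flag_names"]))
```

Header, legend and separator lines are skipped because they do not start with an IPv4 address, so the full command output can be passed in unchanged.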
