IAP VPN Duplicate VC Key
Question: Why is my new cluster unable to form a VPN tunnel while the existing one works?
Environment: Any IAP cluster that was created by moving an IAP out of an existing cluster to form a new one, with a VPN tunnel being set up to the controller.

 

When a cluster is originally created, the Master AP dynamically creates a VC key. When we set up a VPN tunnel, the VC key / branch key is used by the Aruba Controller to uniquely identify the cluster. The key is distributed by the Master to all Slave APs, so all APs share the same VC key. In case of master failover, the new master can still be identified as part of the same cluster and can form a tunnel to the controller.

 


 

When the VC sets up the tunnel, it sends a Registration message which includes the VC key / branch key. The controller checks its database to confirm whether the branch key is already in use. If the key is confirmed to be not active, the controller creates a new Branch ID for the VC.

 

With logging enabled for IAP Manager (logging level debugging system process iapmgr), the details of the registration appear in the system log:

 

show log system 30 | include 'IAP manager Pro'

Aug  6 18:38:02  IAP manager Process[3491]: <342006> <DBUG> |IAP manager Pro|  papi_rcv_cb, Recvd auth Message

Aug  6 18:38:02  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  handle_iap_up:66 !!!new IAP branch up with inner IP 1.1.1.1

Aug  6 18:38:06  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  register_iap_bid:123 Received from IAP - key='eb79d8220178bdda4697fd05a22f419b7d5e62bc44abeb8db8'; ip='1.1.1.1'; mac_addr='6cf37fc40b6a'; subnet_count='1'; subnet='Centralized,L2-1'; bid='-1'; max branch='32768';  back_up='no'

Aug  6 18:38:06  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  register_iap_bid:183 Adding in inrIPandBrnchID ip 1.1.1.1 brkey eb79d8220178bdda4697fd05a22f419b7d5e62bc44abeb8db8  

Aug  6 18:38:06  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  register_iap_bid:199 creating branch with key eb79d8220178bdda4697fd05a22f419b7d5e62bc44abeb8db8

Aug  6 18:38:06  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  register_iap_bid:301 adding to perSubnetInfo 32768 subnet name Centralized,L2-1

Aug  6 18:38:06  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  register_iap_bid:349  calling get free index

Aug  6 18:38:06  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  get_free_index:499  Looking for free bid in branch_bit_map

Aug  6 18:38:06  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  get_free_index:510  in free index 0

Aug  6 18:38:06  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  register_iap_bid:405 bid for 'Centralized,L2-1' subnet = 0

 

 

When a new cluster is created by moving an AP from an existing cluster, the VC key is carried over. The new branch has the same key as the branch from which it was created.

 


 

 

If the new branch VC tries to set up a tunnel, the controller notices that the branch key is already in use for a different branch and does not allow the new branch to set up the tunnel.

 

show log system 30 | include 'IAP manager Pro'

Aug  6 19:10:52  IAP manager Process[3491]: <342006> <DBUG> |IAP manager Pro|  papi_rcv_cb, Recvd auth Message

Aug  6 19:10:52  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  handle_iap_up:66 !!!new IAP branch up with inner IP 1.1.1.5

Aug  6 19:11:38  IAP manager Process[3491]: <342006> <DBUG> |IAP manager Pro|  papi_rcv_cb, Recvd auth Message

Aug  6 19:11:38  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  handle_iap_up:66 !!!new IAP branch up with inner IP 1.1.1.6

Aug  6 19:11:44  IAP manager Process[3491]: <342006> <DBUG> |IAP manager Pro|  papi_rcv_cb, Recvd auth Message

Aug  6 19:11:44  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  handle_iap_up:66 !!!new IAP branch up with inner IP 1.1.1.7

Aug  6 19:12:12  IAP manager Process[3491]: <342006> <DBUG> |IAP manager Pro|  papi_rcv_cb, Recvd auth Message

Aug  6 19:12:12  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  handle_iap_up:66 !!!new IAP branch up with inner IP 1.1.1.8

 

To avoid this situation, reset an AP (if it was part of a cluster) before creating a new cluster. This ensures a new VC key is generated.
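The two log excerpts above differ in one way: the working branch shows register_iap_bid lines after handle_iap_up, while the rejected branch shows only repeated handle_iap_up lines. The following Python script is an added example, not Aruba code, that scans saved "show log system" output for that pattern and checks whether a given VC key is already registered. The sample log lines, key, MAC and IP values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample lines in the format of the iapmgr debug output shown above
# (key, MAC and IP values are made up for this example).
PFX = "Aug  6 19:10:00  IAP manager Process[3491]: <342005> <DBUG> |IAP manager Pro|  "
SAMPLE_LOG = "\n".join([
    PFX + "handle_iap_up:66 !!!new IAP branch up with inner IP 10.0.0.1",
    PFX + "register_iap_bid:123 Received from IAP - key='aaaa1111bbbb2222'; "
          "ip='10.0.0.1'; mac_addr='001122334455'; subnet_count='1'; "
          "subnet='Centralized,L2-1'; bid='-1'; max branch='32768';  back_up='no'",
    PFX + "register_iap_bid:199 creating branch with key aaaa1111bbbb2222",
    PFX + "handle_iap_up:66 !!!new IAP branch up with inner IP 10.0.0.5",
    PFX + "handle_iap_up:66 !!!new IAP branch up with inner IP 10.0.0.6",
])

UP_RE = re.compile(r"handle_iap_up:\d+ !!!new IAP branch up with inner IP (\S+)")
REG_RE = re.compile(r"register_iap_bid:\d+ Received from IAP - (.+)")
FIELD_RE = re.compile(r"(\w+(?: \w+)*)='([^']*)'")  # name='value' pairs

def analyze(log_text):
    """Return (registered, unregistered): registered maps inner IP -> fields of
    its registration message; unregistered lists inner IPs that came up but
    never produced a registration line in this log window."""
    seen_up, registered = [], {}
    for line in log_text.splitlines():
        m = UP_RE.search(line)
        if m:
            if m.group(1) not in seen_up:
                seen_up.append(m.group(1))
            continue
        m = REG_RE.search(line)
        if m:
            fields = dict(FIELD_RE.findall(m.group(1)))
            if "ip" in fields and "key" in fields:
                registered[fields["ip"]] = fields
    unregistered = [ip for ip in seen_up if ip not in registered]
    return registered, unregistered

def branches_using_key(registered, vc_key):
    """Inner IPs whose registration carried vc_key (case-insensitive compare)."""
    return [ip for ip, f in registered.items() if f["key"].lower() == vc_key.lower()]

if __name__ == "__main__":
    reg, unreg = analyze(SAMPLE_LOG)
    print("registered:", {ip: f["key"] for ip, f in reg.items()})
    print("tunnel up, no registration:", unreg)
    # Key read from the new cluster's VC (constructed value here).
    print("key already used by:", branches_using_key(reg, "AAAA1111BBBB2222"))
```

An inner IP at the very end of the log window can appear as unregistered only because its registration has not been logged yet; in the working excerpt above the two lines are four seconds apart.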

Version history
Revision #: 1 of 1
Last update: 07-11-2014 04:49 PM
 