IAP VPN Fail Over

Hi Airheads,

 

We have about 10 branch offices with IAPs that have a VPN terminating to the master controller in corporate location. We are installing a backup master in Texas location and want to have fail over capabilities of the IPSEC tunnel for users. The existing configuration is working. The two controllers will be in separate L3 networks so VRRP is not an option.

I have the configuration in the IAP to add the backup VPN server (backup master), fast failover is enabled and preemption is enabled as well. Under the static routes, we currently have the next hop as the primary master interface at the other end of the VPN tunnel. How will the traffic know to use the backup VPN server when the primary goes down? Is there a way to set the cost for the static routes? Not sure what the best way to get this working is?

 

Thanks.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: IAP VPN Fail Over

After reviewing some documents, it seems that OSPF is the only way to make sure the proper route responds to the VPN requests. Is there some documentation outlining this configuration change? We will have to enable OSPF for the network (disabled in Texas, enabled currently in Corporate). 


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: IAP VPN Fail Over

Hi Michael!

 

Have you resolved this challenge? I'm facing a similar one with one of my customers and I was thinking about using OSPF from the controllers, making sure that each controller only propagates the distributed L3 scopes currently active on the controller.

 

Cheers,

Chris

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP CWAP

Re: IAP VPN Fail Over

Hi Chris,

 

Unfortunately, we were not able to resolve this due to some network infrastructure problems. OSPF did not exist in the second location and enabling it could have caused additional issues. Our resolution was to relocate both controllers to the same physical location and the same L2 network. We then enabled VRRP and pointed the RAPs to the VRRP address. 

 

We were able to work with Aruba TAC and were prepared to implement the OSPF solution, so that may be your best route.

Good luck. If you are able to complete it, please let us know on here in case anyone else finds this topic.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com