Controllerless Networks

Client is using IAP +VPN as a home office / vpn solution for users.  Has been working for years on a single 3400 controller.  They have just replaced the single 3400 with a redundant pair of 7205 controllers, using VRRP for master redundancy.  VRRP is tested and works.  The VIP fails over and back as expected.

They are NATing a single public IP address to the VIP of the controllers. 

When the preferred master is up, everything works as expected.  IAP +VPN connects, no problems.

But when they fail over to the backup master, the IAP +VPN never connects.

The firewall logs show the traffic being passed to the VIP.

"show datapath session" on the backup master seems to show udp 4500 reaching the controller.

"show iap table" lists all branches as "down".

"show crypto isakmp sa" and "show crypto ipsec sa" return no results.

Called Aruba TAC but no engineers were available.  Our maintenance window expired with no callback :/

Anyone have any ideas why failover isn't happening for the instant VPN?

Make sure that database syncronization is enabled and make sure there´s a VPN IP Pool configured on the secondary master. Also, verify your default gateway on the secondary controller to make sure internet sourced traffic find its way back out.

Cheers,

You might also need to check that you have this command (or trusted branches individually added) to your secondary master:

iap trusted-branch-db allow-all

Cheers,

Yes, it was the missing IP pool on the secondary node.

I thought that would have synchronized across nodes but I was wrong.