Controllerless Networks

Occasional Contributor II
Posts: 16
Registered: ‎03-25-2013

IAP VPN issue when upgrading from 6.3.1.19 to 6.4.2.13

Hi all,

I have 2 x 7240 controllers which facilitate a number of VPN connections back to our central office from VC clusters and IAP devices.

After upgrading the 7240 controllers from 6.3.1.19 to 6.4.2.13 there is an issue with the VPN in that the tunnel remains UP but the clients can no longer obtain an IP address via DHCP. I have tried giving the client a static IP but this also has no effect.

Downgrading the firmware makes the VPN work without issue.

Nothing has changed on the VPN config. The only difference is the firmware revisions. I therefore ask if there is anything that needs to be added to the controller or IAP configuration for the new 6.4.x firmware to work and successfully connect via the VPN.

Is there anything that would cause this?

Thanks,

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: IAP VPN issue when upgrading from 6.3.1.19 to 6.4.2.13

How's the DHCP configured on the IAP? Centralized L2, Distributed L3?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 16
Registered: ‎03-25-2013

Re: IAP VPN issue when upgrading from 6.3.1.19 to 6.4.2.13

Hi there,

I am using L2 Centralised. See attached.

ta,

Ed

Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: IAP VPN issue when upgrading from 6.3.1.19 to 6.4.2.13

edd1e_j,

If you have not already, please open a TAC case in parallel so that they can try to replicate your issue with your config and logs. It might be something that requires your specific configuration to experience.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎03-25-2013

Re: IAP VPN issue when upgrading from 6.3.1.19 to 6.4.2.13

Hi yes TAC case already open;

1823232

ta,

Ed

Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: IAP VPN issue when upgrading from 6.3.1.19 to 6.4.2.13

Did you already downgrade back to 6.3.1.19 or are you still on 6.4.2.13?

Did you turn on dhcp debugging like was suggested to possibly observe the issue?

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 16
Registered: ‎03-25-2013

Re: IAP VPN issue when upgrading from 6.3.1.19 to 6.4.2.13

As I have the luxury of a test device I still have the firmware on 6.4.2.13.

 

I have run DHCP debugging but do not see any DHCP traffic for the MAC address of my client.

 

(aruba-local-7240) (config) #logging level debugging network process dhcpd subcat dhcp
(aruba-local-7240) (config) #show log network all | include e8:b1:fc:60:7b:0b

(aruba-local-7240) (config) #show log network all | include e8:b1:fc:60:7b:0b

(aruba-local-7240) (config) #show log network all | include e8:b1:fc:60:7b:0b

(aruba-local-7240) (config) #tar logs tech-support
This operation may take a while, Please do not power cycle the box

 

TAC logs have been sent to Aruba TAC support.

 

thanks,

 

Ed

Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: IAP VPN issue when upgrading from 6.3.1.19 to 6.4.2.13

You might have to configure an external syslog server.  It is possible that if you have enough info in the syslog server that the logs might have rolled.  If you configure an external syslog server to collect the network log traffic, you might be able to see your client.  Have you tried to get a dhcp address and immediately look at the network log?

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 16
Registered: ‎03-25-2013

Re: IAP VPN issue when upgrading from 6.3.1.19 to 6.4.2.13

Hi,

When the IAP is rebooted it briefly allows me to pick up an IP address, then it gets lost as a 169.x.x.x address. It appears that the VPN tunnel is UP and working but traffic is not passing correctly.

The 7240 controllers are plugged into a HP 5400zl. Firmware revision K.15.16.0009.

I am wondering if this could be the issue as we've had problems with Aruba connecting to HP in the past with the VRRP config.

Any known issues with HP and Aruba (now they are merged entities I hope not!)?

(aruba-local-7240) #show log network all | include 7b:0b
Jan 28 11:20:06 :202541:  <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x2102 vlan 93 egress 0x5d src mac e8:b1:fc:60:7b:0b
Jan 28 11:20:06 :202536:  <DBUG> |dhcpdwrap| |dhcp| Datapath vlan93: REQUEST e8:b1:fc:60:7b:0b Transaction ID:0x8aaa151a reqIP=172.18.33.209 Options 3d:01e8b1fc607b0b 0c:484944303139323431 51:0000004849443031393234312e76616c656f66676c616d6f7267616e2e676f762e756b 3c:4d53465420352e30 37:010f03062c2e2f1f2179f92b

(aruba-local-7240) #show crypto ipsec sa

IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP
------------     ------------     -----------         -----------         -----  ---------------   --------
x.x.4.118     x.x.4.117     x.x.4.118/32     x.x..4.117/32     T      Jan 28 09:42:41     -

IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
z.z.111.110  x.x.4.118     6a810c00/311cb00   UT2   Jan 28 11:15:35   a.a.a.8
y.y.88.36    x.x.4.118     a966600 /eaa2de00  UT2   Jan 28 11:17:34   a.a.a.7

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 3

(aruba-local-7240) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
x.x.4.118     x.x.4.117   i-a-p     Jan 28 09:15:07          -
y.y.88.36    x.x.4.118   r-v2-c-I  Jan 28 10:56:28   a.a.a.7
z.z.111.110  x.x.4.118   r-v2-c-I  Jan 28 11:15:36   a.a.a.8

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 3

(aruba-local-7240) #
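
The `Options` field in the dhcpdwrap debug line quoted in the post above is a list of hex `code:value` pairs, and the values include the client's host name (option 12) and FQDN (option 81), which is useful when reading the log and when deciding what to redact before sharing it. The Python below is an added example, not part of the original post or any Aruba tooling; the line layout is inferred from the quoted output, and the sample line, host name and addresses are constructed placeholders.

```python
import re
# Layout of the "Datapath vlanN: <TYPE> <mac> ..." debug line quoted in the post above.
LINE_RE = re.compile(
    r"Datapath vlan(?P<vlan>\d+): (?P<type>[A-Z]+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"Transaction ID:(?P<xid>0x[0-9a-f]+)(?: reqIP=(?P<req_ip>\S+))? Options (?P<opts>.+)$", re.I)

def ascii_text(b):
    return b.decode("ascii", "replace")

def decode_fqdn(b):
    # Option 81 (RFC 4702): flags byte, two rcode bytes, then the name.
    flags, name, labels, i = b[0], b[3:], [], 0
    if not flags & 0x04:  # E bit clear: name is plain ASCII
        return {"flags": flags, "name": ascii_text(name)}
    while i < len(name) and name[i]:  # E bit set: length-prefixed DNS labels
        labels.append(ascii_text(name[i + 1:i + 1 + name[i]]))
        i += 1 + name[i]
    return {"flags": flags, "name": ".".join(labels)}

DECODERS = {  # option codes are printed in hex in the log (0x0c = 12, 0x51 = 81)
    0x0c: ("hostname", ascii_text),
    0x3c: ("vendor_class", ascii_text),
    0x3d: ("client_id", lambda b: {"hw_type": b[0], "id": b[1:].hex(":")}),
    0x51: ("client_fqdn", decode_fqdn),
    0x37: ("param_request_list", list),
}

def parse_dhcp_debug(line):
    """Return the decoded fields of one dhcpdwrap debug line, or None if it does not match."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rec = {"vlan": int(m["vlan"]), "type": m["type"], "mac": m["mac"].lower(),
           "xid": int(m["xid"], 16), "req_ip": m["req_ip"], "options": {}}
    for tok in m["opts"].split():
        code, _, hexval = tok.partition(":")
        try:
            code, raw = int(code, 16), bytes.fromhex(hexval)
        except ValueError:
            continue  # truncated or malformed token: skip it
        name, dec = DECODERS.get(code, (f"option_{code}", bytes.hex))
        rec["options"][name] = dec(raw) if raw else None
    return rec

# Constructed sample line (not from the thread); host name and addresses are placeholders.
SAMPLE = ("Jan 01 00:00:00 :202536:  <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST "
          "02:00:00:aa:bb:cc Transaction ID:0x1a2b3c4d reqIP=192.0.2.50 Options "
          "3d:01020000aabbcc 0c:" + b"LAB-PC01".hex() + " 51:000000"
          + b"LAB-PC01.corp.example".hex() + " 3c:" + b"MSFT 5.0".hex() + " 37:010f0306")
print(parse_dhcp_debug(SAMPLE)["options"])
```

Masking IP addresses in a pasted log does not remove the host and domain names carried in options 12 and 81, so those tokens need redacting as well.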

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: IAP VPN issue when upgrading from 6.3.1.19 to 6.4.2.13

Are you able to ping the IAP from the DHCP server after the upgrade, and also can you ping the DHCP server from the IAP?
On that VLAN, do you have the IP helper address pointing to the DHCP?


Sent from Outlook Mobile
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA