Controllerless Networks


IAP VPN license usage

  • 1.  IAP VPN license usage

    Posted Jul 19, 2013 02:59 AM

    Hi,

     

    We are developing an IAP wlan solution with vpn ipsec tunnel to a controller.

     

    When an IAP connects to a controller using an IPsec VPN, it spends two user licenses. Why doesn't the IAP spend only one?

     

     

    --------------

    (LAB-aruba620) #show iap table

    Branch Key                                             Index     Status     Inner IP        MAC Address             Subnet
    ----------                                             -----     ------     --------        -----------             ------
    08120b490140cce5b29adc7ba5b8e931f4719caa2073fa8f2d     0         UP         172.29.254.4    00:0b:86:82:aa:66       

    (LAB-aruba620) #show user

    Users
    -----
        IP             MAC            Name              Role      Age(d:h:m)  Auth  VPN link    AP name  Roaming  Essid/Bssid/Phy  Profile  Forward mode  Type
    ----------    ------------       ------             ----      ----------  ----  --------    -------  -------  ---------------  -------  ------------  ----
    172.18.6.2    00:00:00:00:00:00                     logon     00:17:39    VPN               N/A                                         tunnel        
    172.29.254.4  00:00:00:00:00:00  00:0b:86:82:aa:66  iaprole   00:17:39    VPN   172.18.6.2  N/A                                         tunnel        

    User Entries: 2/2

    (LAB-aruba620) #show license-usage user

    User License Usage
    ------------------
    Name               Value
    ----               -----
    License Limit      256
    License Usage      2
    License Available  254
    License Exceeded   0

    (LAB-aruba620) #

     

    On the other hand, we suppose the required licenses for this environment are:

     

    1 x Access Points (1 AP)
    1 x Policy Enforcement Firewall for VPN users (1 AP)
    1 x Next Generation Policy Enforcement Firewall Module (1 AP)

    Is it correct?

     

    Many thanks.

    Jose C.

     



  • 2.  RE: IAP VPN license usage

    Posted Jul 19, 2013 03:02 AM

    P.S. IAP VPN is not working fine in ArubaOS 6.3.0.0.

     

    The "show iap table" command does not exist and the IAP doesn't come up the IPSEC tunnel.

     

    Jose C.



  • 3.  RE: IAP VPN license usage

    Posted Jul 19, 2013 04:10 AM

    Jose C,

     

    One for the inner IP and one for the outer IP; however, these don't count against the license limit, because there are no user licenses anymore after 5.x, and to form an IAP VPN tunnel your controller base OS should be 6.2 and above.

     

    About "show iap table" I would like to test in lab however could you confirm if you see "default-vpn-role" configure on controller? if yes what are the default rules in it.



  • 4.  RE: IAP VPN license usage

    Posted Jul 19, 2013 04:18 AM

    I checked and it has the command present.

     

    (Aruba) #show version
    Aruba Operating System Software.
    ArubaOS (MODEL: Aruba3600), Version 6.3.0.0
    Website: http://www.arubanetworks.com
    Copyright (c) 2002-2013, Aruba Networks, Inc.
    Compiled on 2013-06-12 at 21:09:29 PDT (build 38660) by p4build

    ROM: System Bootstrap, Version CPBoot 1.2.0.0 (build 20527)
    Built: 2009-01-20 18:56:10
    Built by: p4build@re_client_20527


    Switch uptime is 7 hours 56 minutes 45 seconds
    Reboot Cause: User reboot.
    Supervisor Card
    Processor XLR 532 (revision C4) with 1980M bytes of memory.
    32K bytes of non-volatile configuration memory.
    512M bytes of Supervisor Card System flash (model=CF 512MB).

     

    (Aruba) #show iap table

    IAP Branch Table
    ----------------
    Name  VC MAC Address     Status  Inner IP  Assigned Subnet  Assigned Vlan
    ----  --------------     ------  --------  ---------------  -------------
          00:0b:86:82:8b:51  DOWN    0.0.0.0
          d8:c7:c8:c4:51:b5  DOWN    0.0.0.0
          00:0b:86:82:8b:51  DOWN    0.0.0.0
          00:0b:86:82:8b:51  DOWN    0.0.0.0

     

     



  • 5.  RE: IAP VPN license usage

    Posted Jul 19, 2013 05:05 AM

    Hi MKS,

     

    Regarding the command, I was testing on an Aruba 620 and the command doesn't appear. Maybe I was doing something wrong... or maybe it is an error only in this model... Let me test it again.

     

    About license limits, the controllers have a maximum number of supported users, so I understand that VPN connections are hitting this user counter.

     

    (LAB-aruba620) #show license-usage user

    User License Usage
    ------------------
    Name               Value
    ----               -----
    License Limit      256
    License Usage      2
    License Available  254
    License Exceeded   0

     

    Thanks,

    Jose C.

     



  • 6.  RE: IAP VPN license usage
    Best Answer

    Posted Jul 19, 2013 05:22 AM

    Jose C,

     

    Even if we do not have any licenses installed in Aruba Controllers, you can still configure the VPN tunnel between the IAP and the controller, because the only three requirements to form the VPN tunnel are the following:

     

    1. Create address local pool on controller for inner IP.

    (Aruba)(config)# ip local pool <pool-name> <start-ipaddr> <end-ipaddr>

     

    2. Add Mac address of the IAP to the RAP whitelist.

    • Navigate to Configuration > AP Installation (under Wireless) > then click Whitelist > Remote AP > Entries "on right side" > Click New >
    • IAP MAC Address: Enter the MAC address of the AP.
    • AP Group: Select a group to add the AP. Select the Default AP group. This option does not push the configuration to the IAP.
    • Click the Add button to add the remote AP to the whitelist

    3. Make sure that the role assigned in "aaa authentication vpn default-iap" has all required access list entries to allow the IAP.
    NOTE: only available in 6.2 and above.

     

    However, if you don't have any licenses, not even "PEFV", then you can't modify the rules, i.e. "default-iap", which has the default role "default-vpn-role", which has a default allow-all rule configured.

     

    (Aruba) #show rights default-vpn-role

    Derived Role = 'default-vpn-role'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 70/0
    Max Sessions = 65535

    VIA Connection Profile = test

    access-list List
    ----------------
    Position  Name         Type     Location
    --------  ----         ----     --------
    1         allowall     session
    2         v6-allowall  session

    allowall
    --------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          any      permit                            Low                                                          4
    v6-allowall
    -----------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------

    Expired Policies (due to time constraints) = 0

     



  • 7.  RE: IAP VPN license usage
    Best Answer

    Posted Jul 19, 2013 05:43 AM

    Hi MKS,

     

    Thanks for your explanation. License requirements are clear.

     

    About 6.3.0.0 issue, I have checked it again. It doesn't appear the command.

     

     

     

    (LAB-aruba620) #show version
    Aruba Operating System Software.
    ArubaOS (MODEL: Aruba620), Version 6.3.0.0
    Website:
    Copyright (c) 2002-2013, Aruba Networks, Inc.
    Compiled on 2013-06-12 at 22:09:21 PDT (build 38660) by p4build

    ROM: System Bootstrap, Version CPBoot 1.0.0.0 (build 21294)
    Built: 2009-05-11 16:02:29
    Built by: p4build@re_client_21294


    Switch uptime is 5 minutes 26 seconds
    Reboot Cause: User reboot.
    Supervisor Card
    Processor XLS 204 (revision A1) with 929M bytes of memory.
    32K bytes of non-volatile configuration memory.
    256M bytes of Supervisor Card System flash (model=NAND 256MB).

    (LAB-aruba620) #show iap ?

    (LAB-aruba620) #show iap table
                               ^
    % Invalid input detected at '^' marker.

    (LAB-aruba620) #show i?
    ids                     Show IDS profiles
    image                   Show System image version information
    interface               Interface Status and Configuration
    interface-profile       Show interface profiles
    inventory               Show hardware inventory
    iostat                  Display the IO statistics information
    ip                      IP information
    ipc                     Display Inter Process Communication statistics
    ipv4                    Internet Protocol Version 4
    ipv6                    Internet Protocol Version 6

    (LAB-aruba620) #show i

    (LAB-aruba620) #show user role default-vpn-role

    Users
    -----
        IP           MAC       Name   Role  Age(d:h:m)  Auth  VPN link  AP name  Roaming  Essid/Bssid/Phy  Profile  Forward mode  Type  Host Name
    ----------  ------------  ------  ----  ----------  ----  --------  -------  -------  ---------------  -------  ------------  ----  ---------

    User Entries: 0/0
     Curr/Cum Alloc:2/2 Free:0/0 Dyn:2 AllocErr:0 FreeErr:0

    (LAB-aruba620) #show running-config | begin default-vpn-role
    Building Configuration...
    user-role default-vpn-role
     access-list session allowall
     access-list session v6-allowall
    !


    (LAB-aruba620) #show user

    Users
    -----
        IP             MAC            Name              Role      Age(d:h:m)  Auth  VPN link    AP name  Roaming  Essid/Bssid/Phy  Profile      Forward mode  Type  Host Name
    ----------    ------------       ------             ----      ----------  ----  --------    -------  -------  ---------------  -------      ------------  ----  ---------
    172.29.254.1  00:00:00:00:00:00  00:0b:86:82:aa:66  iaprole   00:00:11    VPN   172.18.6.2  N/A                                default-iap  tunnel              
    172.18.6.2    00:00:00:00:00:00                     logon     00:00:11    VPN               N/A                                             tunnel              

    User Entries: 2/2
     Curr/Cum Alloc:2/2 Free:0/0 Dyn:2 AllocErr:0 FreeErr:0

     

    As you can see, the VPN session is up, but users can't receive an IP address (L2 centralized DHCP mode). Testing with the releases

    IAP 6.2.1.0-3.3.0.2_38733

    ArubaOS (MODEL: Aruba620), Version 6.2.1.2

    the environment works fine. I will use 6.2.x.x releases in the implementation.

     

    Thanks,

    Jose C.
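The two user entries per tunnel that this thread discusses can be paired programmatically from `show user` output. This is an added example, not code from the thread or from Aruba: it parses a constructed copy of the output above by the column positions of the dashed separator line and reports one tunnel per IAP, with the number of user-table entries it occupies.

```python
import re
# Constructed sample: the `show user` output quoted in this thread, holding the two
# entries one IAP VPN tunnel creates. Long gaps are " " * n so columns line up exactly.
SHOW_USER = "\n".join([
    "Users",
    "-----",
    "    IP             MAC            Name              Role      Age(d:h:m)  Auth  "
    "VPN link    AP name  Roaming  Essid/Bssid/Phy  Profile      Forward mode  Type  Host Name",
    "----------    ------------       ------             ----      ----------  ----  "
    "--------    -------  -------  ---------------  -------      ------------  ----  ---------",
    "172.29.254.1  00:00:00:00:00:00  00:0b:86:82:aa:66  iaprole   00:00:11    VPN   "
    "172.18.6.2  N/A" + " " * 32 + "default-iap  tunnel",
    "172.18.6.2    00:00:00:00:00:00" + " " * 21 + "logon     00:00:11    VPN"
    + " " * 15 + "N/A" + " " * 45 + "tunnel",
    "User Entries: 2/2",
])

def parse_show_user(text):
    """Parse ArubaOS `show user` output into one dict per entry, keyed by column header."""
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        # Column separator: the dashed line with several dash runs (the single run under
        # "Users" is a title underline). Each run starts one fixed-width column.
        starts = [m.start() for m in re.finditer(r"-+", line)]
        if len(starts) > 1 and re.fullmatch(r"[- ]+", line):
            break
    else:
        raise ValueError("no column separator found")
    spans = list(zip(starts, starts[1:] + [None]))
    names = [lines[idx - 1][s:e].strip() for s, e in spans]
    rows = []
    for line in lines[idx + 1:]:
        if not line.strip() or line.startswith("User Entries"):
            break  # end of the table
        rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, spans)})
    return rows

def iap_tunnels(rows):
    """Pair the iaprole entry (inner IP; outer IP in 'VPN link') with its logon entry."""
    by_ip = {r["IP"]: r for r in rows}
    tunnels = []
    for r in rows:
        if r["Auth"] != "VPN" or not r["VPN link"]:
            continue
        tunnels.append({
            "iap_mac": r["Name"], "inner_ip": r["IP"], "outer_ip": r["VPN link"],
            "role": r["Role"], "profile": r["Profile"],
            "user_entries": 2 if r["VPN link"] in by_ip else 1,  # 2 when the outer entry exists
        })
    return tunnels
```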



  • 8.  RE: IAP VPN license usage

    Posted Jul 19, 2013 06:42 AM

    Jose C,

     

    There is no IAP-VPN support on 6xx series Aruba Controllers due to memory constraints.

     

    Thanks,



  • 9.  RE: IAP VPN license usage

    Posted Jul 19, 2013 06:43 AM

    Adding to the above, from 6.3 onwards.

     

    Thanks,



  • 10.  RE: IAP VPN license usage

    Posted Jul 19, 2013 07:13 AM

    Hi MKS,

     

    I've just checked the 6.3 release notes.

     

    6xx is not included in the IAP VPN scalability limits.

     

    Thanks for your help. We will talk with our SE about this issue.

     

    Regards,

    Jose C.



  • 11.  RE: IAP VPN license usage

    Posted Aug 14, 2013 09:51 AM

    Hi Jose C!

     

    Did you get confirmation from your local SE on whether the combination of the 600 series and IAP is supported or not? I also struggle with the same kind of combination, and the documentation really doesn't state this clearly. Since "show iap table" claims all entries are down and I also don't see the routing information appearing on the controller, I'd assume the 600 series is lacking this feature. I'm running AOS 6.2.1.3.



  • 12.  RE: IAP VPN license usage

    EMPLOYEE
    Posted Nov 12, 2013 04:45 PM

    The GRE tunnel does work with the 600 controllers. I have done this exact setup before and it works fine, using 6.2 and a 650 controller.