06-08-2017 07:22 AM
I have this setup: small Aruba IAP-205s installed on customer premises (mostly a single AP per site). All are behind private MPLS-based routed connections. It's a controllerless setup with AirWave as the management portal.
For guest Wi-Fi access I have set up a 7005 in a DC just for Aruba GRE tunneling (distributed L2 scenario). It sits with one leg in this private WAN and the other leg behind a separate NAT/firewall (Juniper SRX240) and internet connection.
All works: customers are tunneled behind the 7005 and get IPs from the firewall. If stuff works, it works.
Now, I had 2 cases this week where one location had 2 separate outages. One was a power outage for an hour or so, and the second time the customer asked to relocate the AP to a different spot (took maybe 20 minutes).
Both times, the AP came back up and is manageable (using AirWave), I see a tunnel up on the 7005 (show crypto isakmp sa), I can ping the AP IP from my 7005 controller, clients connect to the guest network but can't get an IP address (limited network with 169.254 addressing). I see no info and no tries on my SRX firewall (not even DHCP declines etc.) or even customer MAC addresses.
Both times, I cleared the tunnel manually using
wgw)# clear crypto isakmp sa peer x.x.x.x
A new tunnel came up shortly after and the working state resumed. Clients got IPs and so on. It's like the old tunnel got stale but was kept in the table, but no client associations were allowed.
Any explanation or fix?
IAPs are running 22.214.171.124-126.96.36.199 code.
The 7005 is stock 188.8.131.52 (I don't have a support service for it).
The 7005 config is really bare: just IPs for both physical interfaces, admin user, address pool under VPN services and whitelisted APs (I'm not using it for any policies, auth, WLAN services etc., just plainly for L2 tunneling).