Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Instant VPN to controller issue

  • 1.  Instant VPN to controller issue

    Posted Jul 07, 2016 03:01 AM

    Hi all,

     

    I encounter a strange issue on an Instant-Controller VPN scenario:

    IAP connects via VPN Tunnel to an Aruba controller. The IAP is using centralized L2 mode to connect clients on its end. All is basically working fine.

    Now recently I upgraded the Aruba controller firmware from 6.4.3.6 to 6.4.3.9. Something must have changed between these two versions, for now I can see the IAP clients in the controller monitoring section; the clients received a role called "default-iap-user-role" and they are originating from an AP name called "tunnel 18". Before I only saw the IAP in the clients section.

    Now the issue: some of the IAP clients receive the "logon" role, leaving them with no connection to the corporate network (of course the logon role has limiting firewall policies). See the screenshot here:

    IAP-client-in-logon.JPG

     

    Can anyone explain how I get these clients also in the default-iap-user-role as the other clients above? Or could this be a bug in recent controller firmware?

     

    Kind regards



  • 2.  RE: Instant VPN to controller issue

    Posted Jul 07, 2016 06:02 AM
    Can you run the following command:
    show iap trusted-branch-db | include
    and check if the IAP showing up with the logon role is in the trusted list?



  • 3.  RE: Instant VPN to controller issue

    Posted Jul 07, 2016 07:21 AM

    Output as follows:

     

    #show iap trusted-branch-db
    
    Trusted Branch Validation: Disabled
    IAP Trusted Branch Table
    ------------------------
    Branch MAC
    ----------
    (allow all as trusted branch)

     

     

    Actually, it is not the IAP that is in the logon role but one of its clients.



  • 4.  RE: Instant VPN to controller issue

    Posted Dec 02, 2016 09:21 AM

    Dear LongIsland,

     

    Is there any solution or explanation for this issue? We are facing a similar issue and we do not understand what is happening here. It would be nice if you could write something about the results (if any).

     

    Thanks a lot!

     

    Gaben



  • 5.  RE: Instant VPN to controller issue

    Posted Dec 02, 2016 09:26 AM

    Hello Gabor,

     

    unfortunately no real update on our side; as a workaround we stick to software version 6.4.3.6 where this issue does not occur.

    I have a ticket open with TAC, they're still investigating with engineering.

     

    Kind regards



  • 6.  RE: Instant VPN to controller issue

    Posted Dec 27, 2016 03:09 PM

    Having the same issue.

     

    Opened a case (#1866494) months ago and was told that it would be fixed in "6.5.X". 

     

    Unfortunately I am currently stuck with 6.4.4.11 on 3200XM.

     

    Can anyone confirm that this works with 6.5.X?

     

    Thanks,

    Christian



  • 7.  RE: Instant VPN to controller issue

    Posted Dec 02, 2016 10:47 AM
    Have you tried running this command:
    (MASTER-CONTROLLER) (config) #iap trusted-branch-db ?
    add         Configure an IAP trusted branch entry
    allow-all   Allow all branches as trusted
    This