Controllerless Networks

Contributor I
Posts: 34
Registered: ‎07-07-2011

Instant VPN to controller issue

Hi all,

 

I encounter a strange issue on an Instant-Controller VPN scenario:

The IAP connects via VPN tunnel to an Aruba controller. The IAP is using centralized L2 mode to connect clients on its end. All is basically working fine.

Recently I upgraded the Aruba controller firmware from 6.4.3.6 to 6.4.3.9. Something must have changed between these two versions, for now I can see the IAP clients in the controller monitoring section; the clients received a role called "default-iap-user-role" and they are originating from an AP name called "tunnel 18". Before, I only saw the IAP in the clients section.

Now the issue: some of the IAP clients receive the "logon" role, leaving them with no connection to the corporate network (of course the logon role has limiting firewall policies). See the screenshot here:

IAP-client-in-logon.JPG

 

Can anyone explain how I get these clients also in the default-iap-user-role as the other clients above? Or could this be a bug in recent controller firmware?

 

Kind regards

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: Instant VPN to controller issue

Can you run the following command:
show iap trusted-branch-db | include
and see if the IAP showing up with the logon role is in the trusted list

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 34
Registered: ‎07-07-2011

Re: Instant VPN to controller issue

Output as follows:

 

#show iap trusted-branch-db

Trusted Branch Validation: Disabled
IAP Trusted Branch Table
------------------------
Branch MAC
----------
(allow all as trusted branch)

 

 

Actually, it is not the IAP that is in the logon role but one of its clients.

Occasional Contributor II
Posts: 15
Registered: ‎08-03-2009

Re: Instant VPN to controller issue

Dear LongIsland,

 

Is there any solution or explanation for this issue? We are facing a similar issue and we do not understand what is happening here. It would be nice if you could write something about the results (if any).

 

Thanks a lot!

 

Gaben

Contributor I
Posts: 34
Registered: ‎07-07-2011

Re: Instant VPN to controller issue

Hello Gabor,

 

Unfortunately no real update on our side; as a workaround we stick to software version 6.4.3.6, where this issue does not occur.

I have a ticket open with TAC; they're still investigating with engineering.

 

Kind regards

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: Instant VPN to controller issue

Have you tried running this command:
(MASTER-CONTROLLER) (config) #iap trusted-branch-db ?
add Configure an IAP trusted branch entry
allow-all Allow all branches as trusted
This
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 31
Registered: ‎04-22-2016

Re: Instant VPN to controller issue

Having the same issue.

 

Opened a case (#1866494) months ago and was told that it would be fixed in "6.5.X". 

 

Unfortunately I am currently stuck with 6.4.4.11 on 3200XM.

 

Can anyone confirm that this works with 6.5.X?

 

Thanks,

Christian
