03-12-2015 06:34 AM
I am trying to configure IAP with anchor controllers in the DMZ to tunnel guest traffic out to the internet.
For our network we have two SSIDs: a corporate SSID, which is bridged locally from the IAP to the upstream VLAN, and a Guest network, which utilizes a Centralized, L2 VPN tunnel back to the controllers in the DMZ.
We have two DMZs for redundancy, and if the VPN fails to DMZ1, the IAPs switch their VPN over to DMZ2 controllers. DMZ2 has a different VLAN for the guest users, and a different subnet.
In the IAP VPN configuration there is an option 'Reconnect Users on Failover'. When this option is enabled, the IAP will bring down its SSIDs on failover. The issue is that this brings down all of the SSIDs. The corporate SSIDs, which do not utilize the VPN tunnel for anything, are also brought offline.
I have tested disabling the 'Reconnect Users on Failover' option and the corporate network works fine with this. However, in this case Guests lose access until they re-associate, since the IP lease they have is no longer valid.
So, is there any way to limit which SSIDs are affected by this option? I have submitted a feature request: https://arubanetworkskb.secure.force.com/prm/ideas
Pending that being approved and implemented, does anyone have any workaround for this?
ACDX, ACCP, CISSP, CWNA
03-12-2015 10:05 AM
I can't think of anything to help in this case
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
03-13-2015 05:11 AM
It would be nice if Aruba would implement this feature, but till then I would recommend that you try the following:
- on DMZ2 replicate the VLAN that users have
- install a dedicated DHCP server
This might provide you a workaround until the feature is implemented.