Controllerless Networks

Contributor II
Posts: 106
Registered: ‎10-04-2012

iap vpn BID allocation 0 problem

Anyone set up an Instant cluster with an IPsec tunnel back to an Aruba controller?

Config on the IAP cluster for DHCP is layer 2 distributed.

When I look on the controller with "show iap table long" there is no BID (subnet name).

Any ideas?

cheers

pete

 

Aruba Employee
Posts: 95
Registered: ‎09-10-2015

Re: iap vpn BID allocation 0 problem

"show iap table long" should show the BID if you have configured a distributed DHCP server on the IAP.

BID can be seen in the following logs:

IAP#show log vpn-tunnel

 

controller:

 

(Controller) #show logging level verbose

(Controller) (config) #logging level debugging system process iapmgr

After debugging, remove it via: (Controller) (config) #no logging level debugging system process iapmgr

 

To check logs on the controller:

(Controller) #show log system 500 | include IAP <- use include to avoid chatty kernel-level logs

Jan 25 12:37:50 :342006:  <DBUG> |IAP manager Pro|  papi_rcv_cb, Recvd auth Message

Jan 25 12:37:50 :342005:  <DBUG> |IAP manager Pro|  handle_iap_up:109 !!!new IAP branch up with inner IP 172.16.1.101

Jan 25 12:37:50 :342005:  <DBUG> |IAP manager Pro|  handle_auth_msg:729 tip ac100165

Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  rx_raw_message:624 MASTER received reg-req, going to process itself

Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  register_iap_bid:313 switch_role is 2 

Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  register_iap_bid:349 Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  register_iap_bid:381 Received from IAP - key='8339f2a0015feed8e090cbb79f3a7ae9204eed130c095af3ec'; ip='172.16.1.101'; mac_addr='aca31ec2d596'; subnet_count='0';  back_up='no';trusted_branch=no

Adding in inrIPandBrnchID ip 172.16.1.101 brkey 8339f2a0015feed8e090cbb79f3a7ae9204eed130c095af3ec 

Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  handle_iap_dpp_branch_add: new branch 8339f2a0015feed8e090cbb79f3a7ae9204eed130c095af3ec/172.16.1.101

Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  handle_iap_dpp_branch_add: added branch 8339f2a0015feed8e090cbb79f3a7ae9204eed130c095af3ec

 

However, out of curiosity, why are you going for distributed L2? The same aim can be fulfilled via CL2 and DL3. Do you really want the same subnet/layer 2 domain on all the sites?
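The register_iap_bid line quoted above carries the field that decides the outcome: subnet_count='0' means the IAP reported no DHCP subnet, so the controller has nothing to allocate a BID for. The following parser is an added example, not code from the thread or from Aruba; it assumes the "show log system | include IAP" line format shown above and runs over constructed sample lines (the branch keys and the second IAP are placeholders) to flag every branch that registered without a subnet.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the "show log system 500 | include IAP" output
# quoted in the thread. The branch keys and the 172.16.1.102 IAP are placeholders.
SAMPLE_LOG = """\
Jan 25 12:37:50 :342005:  <DBUG> |IAP manager Pro|  handle_iap_up:109 !!!new IAP branch up with inner IP 172.16.1.101
Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  register_iap_bid:313 switch_role is 2
Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  register_iap_bid:381 Received from IAP - key='0000000000000000000000000000000000000000000000000001'; ip='172.16.1.101'; mac_addr='aca31ec2d596'; subnet_count='0';  back_up='no';trusted_branch=no
Jan 25 12:41:02 :342005:  <DBUG> |IAP manager Pro|  register_iap_bid:381 Received from IAP - key='0000000000000000000000000000000000000000000000000002'; ip='172.16.1.102'; mac_addr='aca31ec2d5a0'; subnet_count='1';  back_up='no';trusted_branch=yes
"""

# Only the registration message carries the per-branch fields we care about.
REG_RE = re.compile(r"register_iap_bid:\d+ Received from IAP - (?P<fields>.+)$")
# Fields are "name='value'" or bare "name=value", separated by ';'.
FIELD_RE = re.compile(r"(\w+)='?([^';]*)'?")
# Syslog-style timestamp at the start of each line.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")


@dataclass
class BranchRegistration:
    timestamp: str
    inner_ip: str
    mac: str
    key: str
    subnet_count: int
    backup: bool
    trusted: bool

    @property
    def has_bid(self) -> bool:
        # The controller only hands out a BID when the IAP reports at least one
        # DHCP subnet; subnet_count='0' is exactly the symptom in the thread.
        return self.subnet_count > 0


def parse_registrations(log_text: str) -> List[BranchRegistration]:
    """Extract one BranchRegistration per register_iap_bid 'Received from IAP' line."""
    regs: List[BranchRegistration] = []
    for line in log_text.splitlines():
        m = REG_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("fields")))
        ts = TS_RE.match(line)
        regs.append(BranchRegistration(
            timestamp=ts.group("ts") if ts else "",
            inner_ip=fields.get("ip", ""),
            mac=fields.get("mac_addr", ""),
            key=fields.get("key", ""),
            subnet_count=int(fields.get("subnet_count", "0")),
            backup=fields.get("back_up", "no") == "yes",
            trusted=fields.get("trusted_branch", "no") == "yes",
        ))
    return regs


def branches_without_bid(regs: List[BranchRegistration]) -> List[str]:
    """Inner IPs of branches that registered with no DHCP subnet (no BID possible)."""
    return [r.inner_ip for r in regs if not r.has_bid]


def summarise(log_text: str) -> str:
    """Human-readable one-line-per-branch summary for a quick triage."""
    lines = []
    for r in parse_registrations(log_text):
        state = "BID expected" if r.has_bid else "NO BID: IAP sent subnet_count=0"
        lines.append(f"{r.timestamp} {r.inner_ip} ({r.mac}) subnets={r.subnet_count} "
                     f"backup={r.backup} trusted={r.trusted} -> {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Feed it the real output of the include filter above (after enabling the iapmgr debug level) instead of SAMPLE_LOG; a branch listed by branches_without_bid is one whose distributed DHCP profile never made it into the registration request, which is the place to look before suspecting the controller side.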

Contributor II
Posts: 106
Registered: ‎10-04-2012

Re: iap vpn BID allocation 0 problem

Hello Manishval,

Thank you for your reply.

I will run these debugs and see what is going on.

With regard to using centralised L2 or distributed L3:

I have looked at L3 this morning and it would appear the guest traffic gets source NATted to the IAP management address for a local breakout.

Can guest traffic be tunnelled back to the core with the L3 method?

All traffic has to go back to the core because this is where they have their Websense web filtering happening. We can't have local breakout.

With regard to centralised L2 are we any better off with regard to containment of broadcast/multicast traffic?

cheers

pete


Aruba Employee
Posts: 95
Registered: ‎09-10-2015

Re: iap vpn BID allocation 0 problem

1. A routing profile of 0.0.0.0 0.0.0.0 <VPN head end IP> is the answer to routing all traffic to the controller, with no traffic leaking out via the split tunnel's NAT to the IAP management IP. Read the IAP VRD, chapter 4, section "configuring a routing profile".

 

http://community.arubanetworks.com/t5/Validated-Reference-Design/Aruba-Instant-Validated-Reference-Design/ta-p/258782

 

For centralized L2, a "disable split tunnel" knob is present to blindly tunnel traffic to the controller, irrespective of the routing profile, for ease of configuration.

 

2. In upcoming software we are coming up with a feature where broadcast from one tunnel/one site in centralized L2 will not be pushed to another tunnel/site. As of now this is not available, but it is soon to come.

Contributor II
Posts: 106
Registered: ‎10-04-2012

Re: iap vpn BID allocation 0 problem

Thanks Manishval,

Works a treat, appreciate you taking the time for this one.

cheers again

pete
