Remote Networking

Contributor I

Bootstrap Threshold and RAPS

Funny.... I was just going to create a post asking the relationship of the following parameters relating to RAP deployments:

Number of IPSEC retries
Bootstrap threshold
Request Retry Interval
Maximum Request Retries
Keepalive Interval

I am trying to understand which of these I may need to tweak to help decrease the number of "brownouts" our user community experiences. We may not receive / record a "down device" alert, but the users say they are losing connectivity for 2 - 4 mins (in some cases).
Guru Elite

Re: Bootstrap Threshold and RAPS

A RAP only uses the IPSEC retries parameter, which defaults to 360. This does not translate to a particular time, unfortunately. This number will only determine how many times an AP will try with the same controller before it bootstraps either to a second controller or reboots to try with the initial controller all over again. If you reduce the number, the AP will reboot more quickly, but that does not mean that users will notice a connectivity issue less, especially if you have a single controller. If you increase the number, the AP will retry more without rebooting and possibly save your users a wait of 2 to 4 minutes for the AP to come back up. This only works when whatever causes the loss of connectivity lasts less than the time it takes the AP to reboot.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I

Re: Bootstrap Threshold and RAPS

Colin,

Thanks for the explanation.
I am trying to come up with a set of reasonable settings that allows the RAP to survive the "quick brownouts" you might expect with Internet VPN connectivity BUT not "flip-flop" between the PRI & BACKUP controllers every time the wind changes direction.

Without detailed visibility into the "RAP to Controller" heartbeats, it is difficult to get a sense of the average % of heartbeat packet (HB) loss. In some ways you can see total HBs sent and total HBs received, but that does not help you see when the packet loss occurred and for how long. :(

Without this insight, can you provide a "starting point" & guidance for tuning the "wait a reasonable (but not too long) amount of time, then reboot and try the backup"??? :rolleyes:

Thanks

It seems the average RAP reboot & reconnect time is 2 - 3 mins
Guru Elite

Re: Bootstrap Threshold and RAPS

The "starting point" would be the Virtual Branch Networks Reference Design guide here: http://www.arubanetworks.com/pdf/technology/VBN_VRD.pdf


Colin Joseph
Aruba Customer Engineering

Contributor I

Re: Bootstrap Threshold and RAPS

been there....done that....

Was looking for something a little more "real world".

appreciate the insight
Guru Elite

Re: Bootstrap Threshold and RAPS

Okay,

I have seen a retry on average will take about 25-30 seconds. You should do your own testing to see how long it takes on your own setup on your build of code.

Using that number, 360*30 seconds = 180 minutes.

The goal is normally to minimize the amount of time that a user does not have contact with or notices that they do not have contact with his/her resources.

If you have a single controller and your main issue is that users have temporary internet connection issues, you should leave it at 360 to keep it retrying, so that as soon as the internet or controller issue is resolved, you don't want the AP to reboot/rebootstrap, but connect right back. The AP has nowhere to go, but back to the same controller once the internet, OR the controller comes back up, so you want to keep it retrying.

If you have two controllers, one backing up the other, and you are using external DNS to populate both controller entries, what is the likelihood that the next disruption is an internet issue, as opposed to a controller being down? If you say to yourself, that after 4 minutes, for example, that it must be the controller down, as opposed to the internet not having connectivity, set the ipsec retries to that amount of time, so that after 4 minutes, I want to stop trying because I think my controller is down and move to the next.

"Spend only IPSEC retries on each controller/resource before going onto the next"

That is my own, and not Aruba's philosophy.

You should contact TAC or your local SE to develop your own custom strategy based on applications in use, redundancy strategy, code version, etc.


Colin Joseph
Aruba Customer Engineering
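
An added example, not from the thread or from Aruba: a simplified model of the trade-off described above for a primary plus backup controller, comparing the default of 360 retries with a 4-minute retry budget. It uses the 30 seconds per retry and the 2-3 minute reboot time quoted in the thread; the downtime model, function names and sample disruptions are constructed assumptions.

```python
import math

RETRY_SECONDS = 30    # per-retry time quoted in the thread (25-30 s); measure your own
REBOOT_SECONDS = 150  # reboot + reconnect time quoted in the thread (2-3 min)

def retries_for_window(window_seconds, retry_seconds=RETRY_SECONDS):
    """Smallest retry count whose total retry time covers the window."""
    return math.ceil(window_seconds / retry_seconds)

def downtime(outage_seconds, retries, kind):
    """Modelled user-visible downtime (s) for one disruption, primary + backup.

    kind is "internet" (path to both controllers is down) or "controller"
    (primary is down, backup reachable). Simplified model, an assumption.
    """
    budget = retries * RETRY_SECONDS
    # The AP reconnects on the first retry after the disruption ends.
    ride_out = math.ceil(outage_seconds / RETRY_SECONDS) * RETRY_SECONDS
    if outage_seconds <= budget:
        return ride_out
    failover = budget + REBOOT_SECONDS  # retries spent, then rebootstrap
    if kind == "controller":
        return failover
    # Internet still down after the rebootstrap: users wait for the path anyway.
    return max(failover, ride_out)

def total_downtime(events, retries):
    """Sum of modelled downtime over (duration_seconds, kind) events."""
    return sum(downtime(seconds, retries, kind) for seconds, kind in events)

# Constructed sample disruptions: (duration in seconds, kind)
EVENTS = [(45, "internet"), (90, "internet"), (200, "internet"),
          (14400, "controller")]

if __name__ == "__main__":
    for retries in (360, retries_for_window(4 * 60)):
        minutes = total_downtime(EVENTS, retries) / 60
        print(f"ipsec retries={retries}: modelled downtime {minutes:.1f} min")
```

In this model both settings ride out the short brownouts identically; the difference is entirely in how long the AP keeps retrying a controller that is actually down before it moves to the backup.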
