New Contributor
Posts: 2
Registered: ‎05-26-2009

VPN configuration tools and methods

Hello Aruba RAP experts,

Running 3.3.2.x with RAP.

Out of a bunch of RAP users, one in particular is having a hard time maintaining a tunnel. AB/G lights go off, tunnel breaks, AP reauths in the RADIUS logs, etc.
The one thing I can see is that this user has an average timeout of 400-700ms RTT pinging to the VPN address of the RAP.
I realize this is extreme, but not outside of the possibility of a stable VPN. (Standard Nortel and Cisco IPsec solutions are currently stable and can run a VoIP IP softphone connection (albeit with patchy quality) with this much latency).
One difference, I imagine, is in the tuning of Nortel and Cisco IPsec tunnel timeouts.
I realize that the cause of the problem is not the source of the problem. But let's assume that the user cannot do anything to improve his latency to the Aruba Internet switch he needs to get to from his home broadband CPE.

What would be the Aruba recommended approach to an issue like this?

What CLI tools are available to troubleshoot and pinpoint this problem?

What recommended debug subproc or services will show the exact reason why a RAP breaks its tunnel? (or why the last reason was for losing tunnel connection, or CLI to query the last tunnel loss reason for an ap-name, etc.)

What CLI options are available to tune the RAP VPN tunnel thresholds for considering a tunnel inactive? The desire would be to increase the durability of the tunnel and decrease the sensitivity timeout threshold.

What are the caveats and pitfalls of taking this approach with the RAP solution?

Many thanks for any guidance.
Guru Elite
Posts: 20,788
Registered: ‎03-29-2007

Bootstrap threshold


In the AP system profile of that AP-group, there is something called a bootstrap threshold which determines how many missed heartbeats would make the AP re-bootstrap or try to reconnect to the controller. If you increase that number, it would make the APs in that group more resilient to bootstraps.

If you do "show log system x", you will see messages that would tell you that an AP lost connectivity like:

Missed 30 heartbeats on radio 0 VAP 0; rebootstrapping


Colin Joseph
Aruba Customer Engineering
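
An added example, not part of the reply above and not Aruba code: a small Python scan of saved "show log system" output for the rebootstrap message quoted in the reply, grouped by radio and VAP so you can see how often the tunnel is dropping before and after raising the bootstrap threshold. The line prefixes and the AP name in the sample are constructed; only the "Missed ... rebootstrapping" text follows the message on this page.

```python
import re
from collections import defaultdict

# Message text as quoted in the reply above. Anything before it on the line
# (timestamp, process name, AP identity) is treated as opaque context.
REBOOTSTRAP_RE = re.compile(
    r"Missed (?P<missed>\d+) heartbeats on radio (?P<radio>\d+) "
    r"VAP (?P<vap>\d+); rebootstrapping"
)

def find_rebootstraps(lines):
    """Return one dict per rebootstrap message found in the given log lines."""
    events = []
    for lineno, line in enumerate(lines, start=1):
        m = REBOOTSTRAP_RE.search(line)
        if m:
            events.append({
                "line": lineno,
                "context": line[:m.start()].strip(),
                "missed": int(m["missed"]),
                "radio": int(m["radio"]),
                "vap": int(m["vap"]),
            })
    return events

def summarize(events):
    """Group events by (radio, VAP): event count and missed-heartbeat values seen."""
    groups = defaultdict(lambda: {"count": 0, "missed": set()})
    for e in events:
        g = groups[(e["radio"], e["vap"])]
        g["count"] += 1
        g["missed"].add(e["missed"])
    return dict(groups)

# Constructed sample input: prefixes are invented for illustration.
SAMPLE_LOG = """\
[constructed] ap=rap-home-01 Missed 30 heartbeats on radio 0 VAP 0; rebootstrapping
[constructed] ap=rap-home-01 unrelated informational message
[constructed] ap=rap-home-01 Missed 30 heartbeats on radio 1 VAP 0; rebootstrapping
[constructed] ap=rap-home-01 Missed 30 heartbeats on radio 0 VAP 0; rebootstrapping
""".splitlines()

if __name__ == "__main__":
    for key, info in sorted(summarize(find_rebootstraps(SAMPLE_LOG)).items()):
        print(f"radio {key[0]} VAP {key[1]}: {info['count']} rebootstraps, "
              f"missed counts {sorted(info['missed'])}")
```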
