DNe
Contributor II

AOS 8.2 Config Rollback and VPNC

Hi,

I updated my AOS design to 8.2 and noticed that I can only use 7-8 characters for the PSK of the IPsec connection instead of many more than before. So I changed the PSK on the MM for both sides. But the worst happened: the MM changed the PSK and lost its connection to the MD. So I connected to the MD and made the change with disaster recovery; in fact I changed both in the MM. The MD comes back but has a Config Rollback flag and a different Config ID. So I troubleshot everything and nothing helps. I deleted the MD in the MM and configured the MD back again, with the same result: Config Rollback state and not updated.

Do you have any suggestions for me?

Another question: if I use a controller as a VPNC, I connect my MDs to the VPNC under the Config-Controllers state. I have looked for any documentation on this, but I can't find anything about VPNC configs. Thanks in advance!

 

ACMP
Guru Elite

Re: AOS 8.2 Config Rollback and VPNC

Here is what one of our team members said about your post:

"I can see how the IPsec PSK change could cause issues. Once the MD receives a change and is still unable to connect to the MM, the rollback mechanism gets triggered.

Therefore we should go through the right steps to make the change.

If we are pushing the MDs' change in masterip, the change should be done from each node device on the MM. Example:

         ‘(SLR-MM82) [00:50:56:ae:69:14] #’

Then make the change on the MM from the /mm folder, or wherever we initially configured localip.

As for the claim that in 8.2 the IPsec PSK length changed to 8 characters or less: I have just tested with base 8.2 code, and I am able to configure an IPsec PSK with 15 characters.

 

(SLR-MM82) [mynode] (config) #show running-config | include localip

Building Configuration...

localip 0.0.0.0 ipsec aruba123

localip 1.1.1.1 ipsec aruba1234567890

(SLR-MM82) [mynode] (config) #"



Colin Joseph
Aruba Customer Engineering

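The rollback described above is triggered when the MD's masterip PSK and the MM's localip PSK no longer agree. The script below is an added example, not code from the thread or from Aruba: it parses the "show running-config | include localip" lines exactly as quoted in the reply, parses a "masterip ... ipsec <psk>" line from each MD (the layout of that line, the MD names and addresses, and the MM address 10.0.0.10 are constructed assumptions), resolves which localip entry applies to each MD (the per-address entry, otherwise the 0.0.0.0 wildcard) and reports mismatches before anything is pushed. The minimum-length threshold is a local policy knob, not a statement of what AOS enforces.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# MM side, as quoted in the thread: "localip <md-address|0.0.0.0> ipsec <psk>"
LOCALIP_RE = re.compile(r"^\s*localip\s+(\S+)\s+ipsec\s+(\S+)")
# MD side (assumed layout): "masterip <mm-address> ipsec <psk> ...".
# Only the address and the token after "ipsec" are used.
MASTERIP_RE = re.compile(r"^\s*masterip\s+(\S+)\s+ipsec\s+(\S+)")

Finding = Tuple[str, str, str]  # (md name, code, detail)


def parse_localip(mm_config: str) -> Dict[str, str]:
    """Map each localip peer address (or the 0.0.0.0 wildcard) to its PSK."""
    out: Dict[str, str] = {}
    for line in mm_config.splitlines():
        m = LOCALIP_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_masterip(md_config: str) -> Optional[Tuple[str, str]]:
    """Return (mm address, psk) from the first masterip line, or None."""
    for line in md_config.splitlines():
        m = MASTERIP_RE.match(line)
        if m:
            return m.group(1), m.group(2)
    return None


def expected_psk(localip: Dict[str, str], md_ip: str) -> Optional[str]:
    """A per-MD localip entry wins; otherwise fall back to the 0.0.0.0 wildcard."""
    return localip.get(md_ip, localip.get("0.0.0.0"))


def audit(mm_config: str, mds: Dict[str, Tuple[str, str]],
          min_len: int = 8) -> List[Finding]:
    """Compare every MD's masterip PSK with the MM localip entry that applies to it.

    mds maps an MD name to (md address as seen by the MM, MD running-config text).
    """
    localip = parse_localip(mm_config)
    findings: List[Finding] = []
    for name, (md_ip, md_config) in mds.items():
        parsed = parse_masterip(md_config)
        if parsed is None:
            findings.append((name, "NO_MASTERIP", "no masterip line in MD config"))
            continue
        mm_ip, md_psk = parsed
        exp = expected_psk(localip, md_ip)
        if exp is None:
            findings.append((name, "NO_LOCALIP",
                             f"MM has no localip for {md_ip} and no 0.0.0.0 wildcard"))
        elif exp != md_psk:
            # This is the state that costs you the MM<->MD session and a rollback.
            findings.append((name, "PSK_MISMATCH",
                             f"MM expects {exp!r} for {md_ip}, MD sends {md_psk!r}"))
        else:
            findings.append((name, "OK", f"PSK for {md_ip} matches MM {mm_ip}"))
        if len(md_psk) < min_len:
            findings.append((name, "PSK_SHORT",
                             f"MD PSK is {len(md_psk)} chars, local minimum is {min_len}"))
    return findings


def codes(findings: List[Finding], name: str) -> Set[str]:
    """Set of finding codes raised for one MD (convenience for reports and tests)."""
    return {code for md, code, _ in findings if md == name}


# Constructed sample data. The MM lines are the ones quoted in the reply above;
# the MD entries (names, 1.1.1.1/2.2.2.2/3.3.3.3, MM address 10.0.0.10) are made up.
MM_CONFIG = """\
Building Configuration...
localip 0.0.0.0 ipsec aruba123
localip 1.1.1.1 ipsec aruba1234567890
"""

MDS: Dict[str, Tuple[str, str]] = {
    "md-hq":     ("1.1.1.1", "masterip 10.0.0.10 ipsec aruba1234567890 interface vlan 1"),
    "md-branch": ("2.2.2.2", "masterip 10.0.0.10 ipsec aruba123NEW"),   # re-keyed on one side only
    "md-lab":    ("3.3.3.3", "masterip 10.0.0.10 ipsec aruba123"),      # matches the wildcard
}

if __name__ == "__main__":
    for md, code, detail in audit(MM_CONFIG, MDS):
        print(f"{md:10s} {code:13s} {detail}")
```

Run it against the MM's localip lines and a copy of each MD's masterip line before re-keying: any PSK_MISMATCH is an MD that will drop off the MM the moment the change is applied, which is the point where the rollback flag appears.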

DNe
Contributor II

Re: AOS 8.2 Config Rollback and VPNC

Hi!

Thanks for the feedback. I've checked the config again and found a difference between the MM and MD config. After the change it was fine, and I agree with you, the order is important. The GUI will not check the order for you; it just pushes and you get the trouble :-)

With the PSK, I get the error message in the GUI. If I change a VMC to a VPNC (checkbox ticked) and type in the MAC and auth of the MD, it gives me an error on the PSK field above "PSK to MM": "Needs to be 7-8 chars long". Before, I had about 15.

Maybe I have to set up all VMCs with 8.2 and not with 8.1 and then upgrade them to 8.2. It could be a migration issue if you don't have it.

Currently I am searching for documentation on the VPNC (DMZ VMC for secure MM access), because I only found some documentation in the ASE, and I have some issues connecting a hardware MD to the VPNC. This feature is very nice but currently really undocumented.

ACMP
Contributor I

Re: AOS 8.2 Config Rollback and VPNC

I succeeded with MM -> MD-HQ (VPNC) -> MD-Branch a few days ago.

The config rollback for MD-Branch was caused by the controller not being able to connect to the MM.

This is my configuration for MD-HQ (VPNC). I chose to use factory certificates for authentication between MD-HQ and MD-Branch.

[screenshot: MD-HQ (VPNC) configuration]

MD-Branch configuration

[screenshot: MD-Branch configuration]

Result

[screenshots: result]

When the IPsec tunnel is up you don't need to do anything; routing will be brought up automatically on the MM, MD-HQ (VPNC) and MD-Branch.

But the main issue I am facing is that when IPsec is up and the routes are added, sometimes traffic does not travel into the tunnel. I need to reboot all of them and then it goes back to working fine.

DNe
Contributor II

Re: AOS 8.2 Config Rollback and VPNC

Hi,

Thanks for sharing your information. Currently I am playing around with the IPsec options. I noticed a lot of confusing circumstances.

Let me explain in detail:

My VPNC and MM are on different networks with a firewall in between (2 DMZs). My test MDs are in the LAN. If I set up the VPNC, now with 8.2.0.1, using the setup with "this is a VPN concentrator" and add the MACs of the MM and BMM and the VRRP address of both as "Master Switch", nothing works; the tunnel won't come up. If I connect them as MDs using IPsec PSK and not as VPNC, they come up. When I now tick the VPNC checkbox in the GUI and add the MAC of the MD for factory MAC auth, my MD wants to reach the MM directly with PAPI, which is dropped on the firewall.

To enable debugging I have to disaster-recover my MD and do many, many reloads, which together take hours to learn a little bit more.

Today I will use your config with factory cert + MAC and see if I get my MDs connected...

I also ran into some strange errors in the GUI where I can't delete an MD (in my case a VPNC), which prompts me with "Exception raised while processing request...".

In the CLI it works fine...

Before I connect a customer to it I will check all of the strange stuff to get a better feeling :)

One thing: could you please share your MD controller setup config steps to get the GUI output that you shared with us?

Thanks in advance!

ACMP
Contributor I

Re: AOS 8.2 Config Rollback and VPNC

Hi,

I synced MD-HQ with the MM using a pre-shared key, and on the same subnet as well, but MD-Branch was separated behind a NAT firewall.

Some topics say the factory cert will not work with the VM version; it does not contain a cert within the OS.

Anyway, the first time I used the VPNC as a VMC version it did not succeed, so I decided to use an appliance instead and it did work. But I have no reference from any documentation on the issue; I just tested and found it.

DNe
Contributor II

Re: AOS 8.2 Config Rollback and VPNC

Okay. Did you set up a VRRP with the MM and with the VPNC to connect the MDs? Or did you connect the MD directly to both of the VPNCs, with 2 tunnels? In the ASE a scenario is described where they use 2 or more tunnels to VPNCs, but the steps to do that are not really clear to me.

ACMP