MVP
Posts: 314
Registered: ‎04-03-2014

AP-103 not coming up over sites 4G uplink

Hi!

We've deployed AP-105 to our sites connected with fiber and 4G redundancy for a while and it has worked great, both on fiber and through 4G. We've configured the SAP MTU of the AP system profile to 1300 to allow it to pass through the tunnel the provider does on their cellular interface (they have an MTU of 1340).

BUT, today we deployed an AP-103 on a site which is currently only running on 4G as the fiber is delayed and it's not coming up. I've verified that the AP is getting an IP address, I can see the traffic from it hit the central controller (so it's obviously discovering the master through the DNS). I see a syslog packet on port 514, then I see IPSEC on 4500. I've verified that the SAs for phase1 and phase2 are there but then nothing more happens. No PAPI, no GRE and then it loops.

We sent an AP-105 to the site, just to make sure that it was a provider issue, but behold, the AP-105 comes up as normal! Same configuration as the AP-103.

We then sent another AP-103, figured it must be something wrong with that particular one, but also that one has the same behaviour as the first AP-103.

The only filtering point in play is the central firewall and we've checked that nothing gets dropped there. We're running CPSEC with auto-cert provisioning and we're on ArubaOS 6.4.2.12. We have not yet been able to console the AP, we will do that when we get the chance.

Does anyone have any idea what could be causing this?

Cheers and have a great weekend,

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP

Re: AP-103 not coming up over sites 4G uplink

What I do see is that all our APs with the above-mentioned settings do build their IPSEC tunnel with an MTU of 1500. The SAP MTU only seems to apply to the GRE tunnels built. Is there a way to configure the AP to always use 1300 MTU, even on the initial IPSEC tunnel?

My best guess so far is that the first packet with PAPI from the AP that will go through the IPSEC tunnel is dropped. Why this isn't an issue with the AP-105 is still a mystery.

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP

Re: AP-103 not coming up over sites 4G uplink

After local packet captures on the switch that terminates the APs, we can see the AP-103 perform MTU discovery and receive an answer of 1360, then right after send a packet in the tunnel with a size of 1390 and the no-fragment bit set.

This smells like an ArubaOS bug, I have opened a TAC case.

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP
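
An added example, not part of the original posts and not Aruba code: a check over raw IPv4 packets that flags a sender transmitting a DF-marked packet larger than a path MTU it has already been told about, the pattern the last post reports (answer of 1360, then 1390 with DF). It assumes the MTU answer is a standard ICMP "fragmentation needed" message (RFC 1191) and that the sizes are outer IPv4 lengths; the addresses and packets are constructed sample data.

```python
import socket
import struct

def build_ipv4(src, dst, proto, payload, df=False):
    """Build a minimal IPv4 packet (checksum left 0; constructed test data only)."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, total_len, df, payload) from a raw IPv4 packet."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return (socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, total_len,
            bool(flags_frag & 0x4000), pkt[ihl:])

def find_pmtu_violations(packets):
    """Flag DF packets larger than a path MTU the sender was already told about."""
    learned = {}      # (sender, destination) -> next-hop MTU from ICMP type 3 code 4
    violations = []
    for idx, pkt in enumerate(packets):
        src, dst, proto, total_len, df, payload = parse_ipv4(pkt)
        if proto == 1 and len(payload) >= 28 and payload[0] == 3 and payload[1] == 4:
            mtu = struct.unpack("!H", payload[6:8])[0]   # RFC 1191 next-hop MTU
            o_src, o_dst, *_ = parse_ipv4(payload[8:])    # quoted original header
            learned[(o_src, o_dst)] = mtu
        elif df and total_len > learned.get((src, dst), 65535):
            violations.append((idx, src, dst, total_len, learned[(src, dst)]))
    return violations

# Constructed sample: documentation-range addresses, sizes taken from the post
AP, CTRL, ROUTER = "192.0.2.10", "198.51.100.1", "192.0.2.1"
UDP = 17
probe = build_ipv4(AP, CTRL, UDP, b"\x00" * 1480, df=True)        # 1500-byte probe
frag_needed = build_ipv4(ROUTER, AP, 1,
                         struct.pack("!BBHHH", 3, 4, 0, 0, 1360) + probe[:28])
oversize = build_ipv4(AP, CTRL, UDP, b"\x00" * 1370, df=True)     # 1390 bytes, DF
fits = build_ipv4(AP, CTRL, UDP, b"\x00" * 1280, df=True)         # 1300 bytes, DF
CAPTURE = [probe, frag_needed, oversize, fits]

if __name__ == "__main__":
    for v in find_pmtu_violations(CAPTURE):
        print("packet %d: %s -> %s len %d > path MTU %d (DF set)" % v)
```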