Wireless Access

Reply
Occasional Contributor II

ArubaOS 8.1 VMC Strange Issues

So I migrated our config from an old 620 controller to a standalone VMC, I can get a new AP-207 to join as a CAP but had a couple of very weird issues...

 

1) Cannot terminate RAPs - I can see the UDP-4500 connections in 'show datapath session', they are whitelisted and I have a RAP pool configured. I did notice this error in the logs that reoccurs:

 

stm[5469]: <399803> <5469> <ERRS> |stm| An internal system error has occurred at file sapm_fw.c function handle_nate_pool__message line 399 error NAT pools, receive error .

 

2) Traffic forwarding simply does not work with interfaces G0/0/1 and G0/0/2. Port is enabled, connected in vSphere to a working port group etc. These errors present in logs:

 

ofa[5762]: <310202> <5762> <ERRS> |ofa| ofa_netdev_set_trunk_vlan: interface (G0/0/0) not found
ofa[5762]: <310202> <5762> <ERRS> |ofa| ofa_netdev_set_trunk_vlan: interface (G0/0/1) not found
ofa[5762]: <310202> <5762> <ERRS> |ofa| ofa_netdev_set_trunk_vlan: interface (G0/0/2) not found

Aruba Employee

Re: ArubaOS 8.1 VMC Strange Issues

Did you do ´set-trust-anchor self-signed´? As VMC don´t have TPM, you need to manually trust the self signed certificate.

 

-Anders

Occasional Contributor II

Re: ArubaOS 8.1 VMC Strange Issues

Unfortunately the lab environment isn't up and running anymore - is this something that is needed to make it work? Have you seen it working before with this config?
Aruba Employee

Re: ArubaOS 8.1 VMC Strange Issues

Yes, with VMC you need to add that. For hw controllers, you don´t since they have TPM.

New Contributor

Re: ArubaOS 8.1 VMC Strange Issues

Hello Anders,

 

I am having this issue with the IAP-VPN connection not establishing the IPSEC tunnel and was hoping you could provide more information on the set-trust-anchor self-signed command. The only reference I can find in documentation is in the 8.1 CLI reference guide and it does not give any more information than a description.

 

What will the command affect? Will it interrupt service for existing campus AP's that are already attached to a VMC or is it only for IAP-VPN/RAP connections via IPSEC?

 

Re: ArubaOS 8.1 VMC Strange Issues

I don't think VMC supports IAP-VPN. The user guide should call this out. 

 

First page of Instant AP VPN Support

 

IAP VPN is supported only on hardware mobility controllers (7000 Series and 7200 Series) including controllers that

are stand-alone or managed by Mobility Master. However, IAP VPN termination is not currently supported on virtual

mobility controllers. Masters (Mobility Master and Master Controller Mode) do not support any AP termination

including campus APs, remote APs and IAP VPN tunnels.

Jerrod Howard
Sr. Technical Marketing Engineer
New Contributor

Re: ArubaOS 8.1 VMC Strange Issues

I appreciate the response; so I am getting this right that it will support RAP units but not IAP-VPN?

 

And the other portion of the first question was what implications should be drawn when executing the set-trust-anchor self-signed command?

 

Thank you for your help!

 

Justin

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: