05-03-2017 01:02 AM
Several SE friends and I have been beating our heads against this one. Scenario:
AP-225--> Branch 7005--> LAN Switch(Simulated WAN)--> HQ 7010.
We have actually tested this between several devices terminating the IPSEC tunnel, all with the exact same result.
IPSEC between the BRANCH and HQ
CAP at the BRANCH gets a local DHCP with option 43 pointing it to the HQ controller to register
AP gets to the controller, registers, gets enough of the config to push out an SSID, but you cannot connect to the SSID. The AP is showing up Dirty intermittently on the HQ Controller. First off, FORGET that the BRANCH is a Controller, it is just used as an IPSEC termination, ADP is disabled. The two obvious things we see are these: PAPI is timing out, causing the AP to perpetually bootstrap reboot; it looks like it's working, but it isn't. Next is that the largest df-flag packet size we can ping through the tunnel is 932 EXACTLY.
- We have adjusted the MTU in the AP System SAP, and just about anywhere else, from the switch port and beyond, all to no avail and with the same result: 932
- Enable/Disabled Jumbo frames
- Messed with the AMON messages
- Set Bootstrap threshold to 15+
- different IPSEC versions
I mean we have tried everything we can think of. If someone out there has seen this, please chime in. If you want to lab it up, it is literally 2 controllers, 1 AP, IPSEC tunnel, register the AP on the other side and make it work!!
Appreciate any assistance.
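An added example (not from the original post or from Aruba) that automates the measurement described above: binary-search the largest DF-flagged ping payload a path accepts, and convert it to the IP-level path MTU it implies (ping payload + 8-byte ICMP header + 20-byte IPv4 header). The `probe_with_ping` helper assumes Linux iputils `ping` syntax; the `simulated_path` probe is a constructed stand-in so the search can run offline.

```python
import subprocess
from typing import Callable

# A DF-flagged ping of N payload bytes is N + 8 (ICMP header) + 20 (IPv4 header)
# bytes on the wire, so the largest payload that gets through gives the path MTU.
IPV4_HEADER = 20
ICMP_HEADER = 8


def payload_to_mtu(payload: int) -> int:
    """Path MTU implied by the largest DF-flagged ping payload that succeeds."""
    return payload + ICMP_HEADER + IPV4_HEADER


def probe_with_ping(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one DF-flagged ping of `payload` bytes (Linux iputils syntax, assumed).

    Returns True on an echo reply, False on timeout or a local 'message too long'.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_max_df_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload in [lo, hi] that `probe` accepts.

    hi=1472 is the payload that exactly fills a 1500-byte IPv4 packet.
    A path that rejects even the smallest probe is down, not MTU-limited.
    """
    if not probe(lo):
        raise RuntimeError("smallest probe fails: path is down, not just MTU-limited")
    while lo < hi:
        mid = (lo + hi + 1) // 2  # round up so the search always makes progress
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_path(limit: int) -> Callable[[int], bool]:
    """Constructed stand-in for a link that drops DF packets above `limit` payload bytes."""
    return lambda payload: payload <= limit


if __name__ == "__main__":
    # Offline run against the constructed path; swap in
    # lambda p: probe_with_ping("HQ_CONTROLLER_IP", p) for a real tunnel.
    best = find_max_df_payload(simulated_path(932))
    print(f"largest DF payload: {best} -> path MTU {payload_to_mtu(best)} bytes")
```

A payload ceiling of 932 therefore means a 960-byte IP MTU end to end, which is the number to compare against the IPsec tunnel and AP MTU settings.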
05-03-2017 01:37 AM
Does the controller have control plane security enabled?
Aruba Customer Engineering