Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Can't get controller to join as local.

  • 1.  Can't get controller to join as local.

    Posted Apr 21, 2014 02:39 PM

    This is a lab scenario.

    I am trying to create a Master-Local-Local with a 3600 and two 620s. They all have the same AOS and are plugged into the same switch with the same config on the ports. Shared keys have been checked and triple checked.

    Just for identification purposes:

    3600 - .72    Master

    620 - .73

    620 - .74

    All on same subnet.

     

    73 joined no problem and behaves accordingly. 74 cannot reach 72 (master). All controllers can get the gateway. 73 can even reach both controllers (.72 and .74) perfectly. 

     

    What else can I check and what is going on?

     

    Thanks in advance for your help.

     

     



  • 2.  RE: Can't get controller to join as local.

    Posted Apr 21, 2014 03:44 PM

    Hi, 

    Could you please verify controller-ip addresses? 

    Regards, 

     



  • 3.  RE: Can't get controller to join as local.

    Posted Apr 21, 2014 04:22 PM

    3600 - 192.168.1.72    Master

    620 - 192.168.1.73   no problems

    620 - 192.168.1.74   will not join


     

     



  • 4.  RE: Can't get controller to join as local.

    EMPLOYEE
    Posted Apr 21, 2014 04:30 PM

    What version of ArubaOS?

     

    If you have a local set up to point to a master, there is a route that is set up for all traffic to go to that master over that IPsec tunnel, even if it was not negotiated successfully.



  • 5.  RE: Can't get controller to join as local.

    Posted Apr 21, 2014 04:35 PM

    Currently on 6.3.1.3



  • 6.  RE: Can't get controller to join as local.

    Posted Apr 21, 2014 05:18 PM

    Hi, 

    Local uses its loopback (controller-ip) to establish IPsec to the master. Could you verify that controller-ip is correctly configured?

    br, 



  • 7.  RE: Can't get controller to join as local.

    Posted Apr 21, 2014 07:06 PM
    Can those controllers reach each other?

    Try ping

    Show IP route

    Make sure that VLAN is trusted


  • 8.  RE: Can't get controller to join as local.

    Posted Apr 21, 2014 07:08 PM
    Also check STP on the switches and on the controller. I suggest turning off STP on the controllers.


  • 9.  RE: Can't get controller to join as local.

    Posted Apr 21, 2014 10:38 PM

    You may need to check the command "show datapath route-cache table | include <MAC address of the local>" and repeat the same command on the local to see the MAC address of the master and its VLAN as well.

    If you want to go further, enable debugging with "logging level debugging system process cfgm" on both controllers, and for the security process, to look for what is missing.

    If you are able to ping, check for Phase I and Phase II IPsec traffic from "show crypto isakmp sa" & "show crypto ipsec sa".

    Use "packet-capture udp 4500" & "crypto isakmp packet-dump" to look for IPsec traffic in the pcap.

    It is worth removing the config from both ends and trying to add the masterip config back on the local, then reload and see how it goes.

     

    Thank you.



  • 10.  RE: Can't get controller to join as local.

    Posted Apr 22, 2014 10:30 AM

    Yes, I will tear it down then re-configure it; that is the only thing I have not tried. I'm hopeful this works because nothing else has.

    I guess the problem I am having understanding is the lack of connectivity between the controllers even though they are on the same subnet, can reach the gateway, and the successful local can ping both the master and the unsuccessful local.

     

    Thanks for the responses.