Wireless Access

Community Administrator
Posts: 2,280
Registered: ‎12-03-2013

Can't get controller to join as local.

This is a lab scenario.

I am trying to create a Master-Local-Local with a 3600 and two 620s. They all have the same AOS and are plugged into the same switch with the same config on the ports. Shared keys have been checked and triple-checked.

Just for identification purposes:

3600 - .72   Master

620 - .73

620 - .74

All on same subnet.

73 joined no problem and behaves accordingly. 74 cannot reach 72 (master). All controllers can get the gateway. 73 can even reach both controllers (.72 and .74) perfectly.

What else can I check and what is going on?

Thanks in advance for your help.

CWNA, ACMP, Security +
Frequent Contributor I
Posts: 97
Registered: ‎04-13-2009

Re: Can't get controller to join as local.

Hi, 

Could you please verify controller-ip addresses? 

Regards, 

 

Marek Krauze, CWNE# 174, ACMX #295, ACDX #356
Something cool, helpful or interesting in my post - click the Kudos Star.
Helped to solve your problem - Click Accept as Solution
Community Administrator
Posts: 2,280
Registered: ‎12-03-2013

Re: Can't get controller to join as local.

3600 - 192.168.1.72   Master

620 - 192.168.1.73   no problems

620 - 192.168.1.74   will not join

CWNA, ACMP, Security +
Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: Can't get controller to join as local.

What version of ArubaOS?

If you have a local set up to point to a master, there is a route that is set up for all traffic to go to that master over that IPsec tunnel, even if it was not negotiated successfully.

Colin Joseph
Aruba Customer Engineering

Community Administrator
Posts: 2,280
Registered: ‎12-03-2013

Re: Can't get controller to join as local.

Currently on 6.3.1.3

CWNA, ACMP, Security +
Frequent Contributor I
Posts: 97
Registered: ‎04-13-2009

Re: Can't get controller to join as local.

Hi,

Local uses its loopback (controller-ip) to establish IPsec to the master. Could you verify that controller-ip is correctly configured?

br, 

Marek Krauze, CWNE# 174, ACMX #295, ACDX #356
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Can't get controller to join as local.

Can those controllers reach each other?

Try ping

Show IP route

Make sure that VLAN is trusted
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Can't get controller to join as local.

Also check STP on the switches and on the controller; suggest turning off STP on the controllers.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 233
Registered: ‎11-19-2009

Re: Can't get controller to join as local.

You may need to check the command "show datapath route-cache table | include mac address of the local" and repeat the same command on local to see the MAC address of the master and its VLAN as well.

If you want to further enable debugging for "logging level debugging system process cfgm" on both controllers and security process to look for what is missing out.

If you are able to ping, check for Phase I and Phase II IPsec traffic from "show crypto isakmp sa" & "show crypto ipsec sa".

"packet-capture udp 4500" & "crypto isakmp packet-dump" to look for IPsec traffic on the pcap.

It is worth removing the config from both ends and trying to add the config of masterip back on local to reload and see how it goes.

Thank you.

Community Administrator
Posts: 2,280
Registered: ‎12-03-2013

Re: Can't get controller to join as local.

Yes, I will tear it down then re-configure it; that is the only thing I have not tried. I'm hopeful this works because nothing else has.

I guess the problem I am having understanding is the lack of connectivity between the controllers even though they are on the same subnet, can reach the gateway, and the successful local can ping both the master and the unsuccessful local.

Thanks for the responses.

CWNA, ACMP, Security +