Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

  • 1.  Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 03, 2016 03:00 PM

    I have a master/local setup.  Two 3600 controllers running 6.4.2.14 and housing only 105 and 205 APs.  All of the APs terminate on the local which is located at the data center.  The master is at our corporate office.

     

    Can someone explain what these errors mean?  (see attached)  They were pulled from my master controller for a specific AP however this is affecting all APs at a particular office (5 total).  We are having no other problems elsewhere.


    #AP205

    Attachment(s): MAContErrors.txt (txt, 33 KB, 1 version)
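The symptom in the post above is that every AP at one office logs the error while no other site is affected. The Python script below is an added example, not part of the original thread and not Aruba code; it shows one way to triage an error export like the attached file: group RC_ERROR_IKEV2_TIMEOUT events by AP and by the AP's /24, then flag a site where every AP is failing as a path problem (firewall or VPN between the site and the controller) rather than a single-AP problem. The log layout, AP names and addresses are constructed for the example; a real controller export uses a different format, so LINE_RE has to be adapted to it.

```python
"""Triage RC_ERROR_IKEV2_TIMEOUT events per AP and per site.

Added example.  The log layout ("<date> <time> <ap-name> <ap-ip> <message>")
and every AP name/address below are constructed for illustration, not taken
from a real controller export.  Point LINE_RE at the real format before use.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

SAMPLE_LOG = """\
2016-02-03 14:02:11 ap-remote-01 10.20.5.11 Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot
2016-02-03 14:02:14 ap-remote-02 10.20.5.12 Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot
2016-02-03 14:02:20 ap-remote-03 10.20.5.13 Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot
2016-02-03 14:09:45 ap-remote-01 10.20.5.11 Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot
2016-02-03 14:10:02 ap-hq-17 10.1.40.17 AP is up
2016-02-03 14:10:30 ap-remote-02 10.20.5.12 Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot
2016-02-03 14:11:05 ap-remote-03 10.20.5.13 Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot
2016-02-03 14:12:00 ap-hq-02 10.1.40.2 Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot
2016-02-03 14:19:31 ap-hq-02 10.1.40.2 Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ap>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<msg>.*)$"
)
IKE_TIMEOUT = "RC_ERROR_IKEV2_TIMEOUT"


def parse(lines):
    """Yield (timestamp, ap_name, ap_ip, message); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ap"], ip_address(m["ip"]), m["msg"])


def site_of(ip, prefix_len=24):
    """Approximate the 'site' by the AP's subnet; substitute a real site map if you have one."""
    return ip_network(f"{ip}/{prefix_len}", strict=False)


def summarize(lines):
    """Per site: which APs were seen at all, how many IKEv2 timeouts each logged, and when."""
    sites = defaultdict(lambda: {"aps_seen": set(), "timeouts": defaultdict(int),
                                 "first": None, "last": None})
    for ts, ap, ip, msg in parse(lines):
        site = sites[site_of(ip)]
        site["aps_seen"].add(ap)
        if IKE_TIMEOUT in msg:
            site["timeouts"][ap] += 1
            site["first"] = ts if site["first"] is None else min(site["first"], ts)
            site["last"] = ts if site["last"] is None else max(site["last"], ts)
    return sites


def classify(sites, min_events=2):
    """'path' - every AP seen at the site is rebooting: suspect the firewall/VPN in between.
       'ap'   - only some APs at the site are affected: suspect those APs or their uplinks.
       'ok'   - no AP reached min_events timeouts."""
    verdicts = {}
    for site, info in sites.items():
        failing = {ap for ap, n in info["timeouts"].items() if n >= min_events}
        if not failing:
            verdicts[str(site)] = "ok"
        elif failing == info["aps_seen"] and len(failing) > 1:
            verdicts[str(site)] = "path"
        else:
            verdicts[str(site)] = "ap"
    return verdicts


if __name__ == "__main__":
    sites = summarize(SAMPLE_LOG.splitlines())
    for site, verdict in classify(sites).items():
        info = sites[ip_network(site)]
        print(f"{site}: {verdict:4s} timeouts per AP: {dict(info['timeouts'])} "
              f"window: {info['first']} .. {info['last']}")
```

On the constructed sample the remote /24 comes out as "path" (all three APs rebooting repeatedly) and the HQ /24 as "ap" (one of two APs), which is the distinction the poster is drawing: a whole-site failure points at whatever sits between the APs and the controller, not at the APs.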


  • 2.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 07, 2016 04:54 PM

    Never seen it myself, but I could imagine that you are blocking some traffic which the AP requires to build its tunnel (are you using control plane security?). So look at the firewall rules / networks in between.



  • 3.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 08, 2016 11:43 AM

    I figured it out.  We use UTMs at small remote sites for our firewalls and routing.  They build their own VPN tunnel back to our data center over a standard cable or DSL ISP.  The APs have trouble holding the GRE tunnels over UTMs and the tunnels break.

     

    In this particular instance, the local AP would reach back to the master controller via DNS under the default profile.  The master controller would give it its AP group and reboot the AP, establishing its GRE tunnel and pointing it to a local LMS controller.   The AP was having trouble establishing a GRE tunnel through the UTM and would revert back to the master controller.

     

    Once I rebooted the UTM, all of the APs came back online.



  • 4.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    EMPLOYEE
    Posted Feb 08, 2016 11:45 AM
    If the traffic is traversing another IPSec tunnel, you should consider using decrypt tunnel forwarding at the site.


  • 5.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 08, 2016 11:49 AM

    Is that done on the AP profile?




  • 7.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 22, 2016 10:25 AM

    Aruba TAC is telling me that decrypt-tunnel mode will not help because all it does is decrease the packet size.  They are suggesting disabling Control Plane Security in order to disable the IPSec tunnel that the AP pins up to the controller, thus only having the GRE tunnels traverse the IPSec tunnel coming from the local UTM.  The other option they gave me was to change the APs to RAPs.  Can someone help me understand these a little more?



  • 8.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 22, 2016 12:52 PM

    Isn't size exactly your issue? If you can get it to become lower you might be able to go through the other tunnel.

     

    Also, understand what exactly? RAPs, you mean?

     

    First of all, if TAC advises this then they should also be able to explain why and how.

     

    They might mean you don't use the UTM at all but use a remote AP (RAP), which sets up a full IPsec tunnel to the controller. But it remains guessing as I can't exactly see what they said.
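On the size point raised in the reply above: traffic from this site is wrapped three times before it leaves the UTM (GRE to the controller, then the AP's own CPSec IPsec, then the UTM's IPsec). The calculator below is an added example, not from the thread and not Aruba code; it applies the per-layer byte counts from RFC 2784 (GRE) and RFC 4303 (ESP) to show how much of a 1500-byte path MTU survives, and how much is recovered by removing the middle IPsec layer (the TAC suggestion of disabling CPSec). AES-CBC with a 16-byte IV, HMAC-SHA1-96, NAT-T on both IPsec layers and a 4-byte GRE header are assumptions to be replaced with the real SA parameters; the 802.11 or 802.3 header the AP places inside GRE is not counted, so the figures are optimistic.

```python
"""Byte overhead of the nested tunnels in this thread (GRE -> CPSec IPsec -> UTM IPsec).

Added example.  Header sizes follow RFC 2784 (GRE) and RFC 4303 (ESP); the cipher,
ICV and NAT-T settings below are assumptions, not the thread's actual SA parameters.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gre:
    """GRE over IPv4 with no key/checksum/sequence fields: 20-byte IP + 4-byte GRE header."""

    def wrap(self, inner_len: int) -> int:
        return 20 + 4 + inner_len


@dataclass(frozen=True)
class EspTunnel:
    """ESP tunnel mode over IPv4.  Defaults (assumed): AES-CBC (16-byte IV, 16-byte block),
    HMAC-SHA1-96 (12-byte ICV), UDP-encapsulated for NAT traversal (RFC 3948)."""
    iv_len: int = 16
    block: int = 16
    icv_len: int = 12
    nat_t: bool = True

    def wrap(self, inner_len: int) -> int:
        # payload + pad-length + next-header must be a multiple of the cipher block size
        pad = (-(inner_len + 2)) % self.block
        outer = 20 + (8 if self.nat_t else 0)            # IPv4, plus UDP/4500 for NAT-T
        # SPI + sequence (8), IV, encrypted payload, padding, pad-len + next-header, ICV
        return outer + 8 + self.iv_len + inner_len + pad + 2 + self.icv_len


CAMPUS_AP_BEHIND_UTM = (Gre(), EspTunnel(), EspTunnel())   # innermost layer first
CPSEC_DISABLED = (Gre(), EspTunnel())                       # only the UTM's IPsec remains


def wrapped_size(inner_len: int, layers) -> int:
    """Bytes on the wire after applying each layer, innermost first."""
    size = inner_len
    for layer in layers:
        size = layer.wrap(size)
    return size


def max_inner_packet(mtu: int, layers) -> int:
    """Largest inner packet whose fully wrapped size still fits the outer-link MTU.
    wrapped_size is monotonic in inner_len, so the first hit scanning down is the maximum."""
    for inner in range(mtu, 0, -1):
        if wrapped_size(inner, layers) <= mtu:
            return inner
    return 0


if __name__ == "__main__":
    for name, layers in [("campus AP behind UTM", CAMPUS_AP_BEHIND_UTM),
                         ("CPSec disabled", CPSEC_DISABLED)]:
        print(f"{name:22s} 1500-byte packet -> {wrapped_size(1500, layers)} bytes on the wire; "
              f"largest unfragmented inner packet at MTU 1500: {max_inner_packet(1500, layers)}")
```

With these assumptions a full 1500-byte packet grows to 1680 bytes through all three layers and to 1600 with CPSec disabled, so either way it fragments on a 1500-byte WAN link; the inner packet size that fits unfragmented rises from 1318 to 1398 when the middle IPsec layer goes away. An MPLS site that has no UTM tunnel sees the same two-layer numbers as the CPSec-disabled case. The remark earlier in the thread that decrypt-tunnel mode only "decreases packet size" concerns the frame inside GRE, which this calculator does not model; add the per-frame header the AP forwards if you want that comparison too.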



  • 9.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 22, 2016 01:06 PM

    The main issue is the UTM, which is located at a remote site, is pinning up its own IPSec tunnel back to our data center. Through that tunnel, the Campus AP pins up its own IPSec tunnel to the controller, which also has GRE tunnels for the SSIDs.  The IPSec tunnel traversing another IPSec tunnel is creating instability at the remote site.

     

    The only suggestion TAC had to disable the AP's IPSec tunnel was to disable Control Plane security which is a global setting.  We have other sites that go over an MPLS that work just fine.