Occasional Contributor I

IAP auto GRE tunnel to Master and Local controller

I am trying to create an auto GRE tunnel from an Instant cluster between a master and a local controller. The controllers were initially set up as a master and standby master, and this works fine.

When I change to master/local, the GRE tunnel fails when trying to connect to the local.

Can auto GRE work between a master and a local? Should the IAP pool be different on the master and the local? I notice that under access control this is greyed out on the local, which I would expect, but there is no option for the VPN pool reference. So does the VPN pool need to have the same name and address scheme, or is this configuration not supported?

This is the debug from the IAP:

1970-01-02 02:17:04 [backup tunnel] tunnel_retry(222): setting up tunnel to backup tunnel, retry=21
1970-01-02 02:17:04 [backup tunnel] ipsec_tunnel_connect(1384): connect to backup tunnel, peer address 10.10.10.2.
1970-01-02 02:17:04 [backup tunnel] ipsec_tunnel_connect(1390): stop backup tunnel first before connect to it
1970-01-02 02:17:04 [backup tunnel] stop_rapper: client->pid=0, tunnel public ip 0.0.0.0, peer tunnel ip 0.0.0.0, tunnel ip 0.0.0.0, port 8424
1970-01-02 02:17:04 [backup tunnel] ipsec_tunnel_connect(1410): backup tunnel, cli_local_ip 10.11.8.12 netmask 255.255.255.0
1970-01-02 02:17:04 addroute(490):Dst 4fd0a0a mask 0 gw 1080b0a
1970-01-02 02:17:04 [backup tunnel] ipsec_tunnel_connect(1431): add route table destination 10.10.10.2, gw 10.11.8.1, interface br0.
1970-01-02 02:17:04 [backup tunnel] Starting rapper with lifetime p1 = 28000 p2 = 7200
1970-01-02 02:17:04 [backup tunnel] Starting IAP rapper 1 to 10.10.10.2:8424 attmpt 0
1970-01-02 02:17:04 [backup tunnel] lauch rapper command: rapper -c 10.10.10.2 -b 1 -i br0 -x -G 0 -r 8424 -l 28000 -L 7200 -w 1 -o /tmp/rapper.txt
1970-01-02 02:17:04 [backup tunnel] Eth - Populate the PID 21024 in file /tmp/rapper_pid_2
1970-01-02 02:17:04 [backup tunnel] tunnel_retry(277): setting up tunnel to backup tunnel, success.
1970-01-02 02:17:04 [backup tunnel] tunnel_start_up_timer(786): tunnel backup tunnel start up timer
1970-01-02 02:17:04 [backup tunnel] tunnel_stop_up_timer(651): stop up timer.
1970-01-02 02:17:04 [primary tunnel] tunnel_down(464): primary tunnel keep tunnel down.
1970-01-02 02:17:26 [backup tunnel] cli_proc_rapper_msg(864): Receive rapper msg from 59424 port.
1970-01-02 02:17:26 [backup tunnel] Error!!!: Received RC_OPCODE_ERROR lms 10.10.10.2 tunnel 0.0.0.0 RC_ERROR_IKEP2_PKT1 debug-error:-8949
1970-01-02 02:17:26 [backup tunnel] tunnel_err_msg_recv(1602): Error!!! Received RC_OPCODE_ERROR peer public ip 10.10.10.2 tunnel ip 0.0.0.0, controller ip 0.0.0.0, RC_ERROR_IKEP2_PKT1 debug-error:-8949
1970-01-02 02:17:26 tunnel_err_msg_recv 1624: Cause tunnel down by ipsec error, index backup tunnel
1970-01-02 02:17:35 [backup tunnel] tunnel_up_timeout(723): tunnel backup tunnel up timeout.
1970-01-02 02:17:35 [backup tunnel] tunnel_up_timeout(769): backup tunnel tunnel is not up by retry 21 times, the max retry times on one tunnel is 2.  try itself
1970-01-02 02:17:35 [backup tunnel] State TUNNEL_STATE_RETRY Event TUNNEL_EVENT_TUNNEL_RETRY Next state TUNNEL_STATE_RETRY
1970-01-02 02:17:35 [backup tunnel] tunnel_retry(201): tunnel backup tunnel, type ipsec tunnel, peer public address 10.10.10.2
1970-01-02 02:17:35 [backup tunnel] tunnel_retry(222): setting up tunnel to backup tunnel, retry=22
1970-01-02 02:17:35 [backup tunnel] ipsec_tunnel_connect(1384): connect to backup tunnel, peer address 10.10.10.2.
1970-01-02 02:17:35 [backup tunnel] ipsec_tunnel_connect(1390): stop backup tunnel first before connect to it
1970-01-02 02:17:35 [backup tunnel] stop_rapper: client->pid=21024, tunnel public ip 0.0.0.0, peer tunnel ip 0.0.0.0, tunnel ip 0.0.0.0, port 8424
1970-01-02 02:17:35 [backup tunnel] stop_rapper(1324): Kill client->pid=21024.
1970-01-02 02:17:35 [backup tunnel] stop_rapper(1345): Waiting until the client 21024 is killed
1970-01-02 02:17:36 [backup tunnel] stop_rapper(1357): result of wait4 21024 for pid (client->pid) 21024
1970-01-02 02:17:36 [backup tunnel] ipsec_tunnel_connect(1410): backup tunnel, cli_local_ip 10.11.8.12 netmask 255.255.255.0
1970-01-02 02:17:36 addroute(490):Dst 4fd0a0a mask 0 gw 1080b0a
1970-01-02 02:17:36 set_route_af: ioctl (SIOCADDRT) failed error no(17)
1970-01-02 02:17:36 [backup tunnel] ipsec_tunnel_connect(1431): add route table destination 10.10.10.2, gw 10.11.8.1, interface br0.
1970-01-02 02:17:36 [backup tunnel] Starting rapper with lifetime p1 = 28000 p2 = 7200
1970-01-02 02:17:36 [backup tunnel] Starting IAP rapper 1 to 10.10.10.2:8424 attmpt 0
1970-01-02 02:17:36 [backup tunnel] lauch rapper command: rapper -c 10.10.253.4 -b 1 -i br0 -x -G 0 -r 8424 -l 28000 -L 7200 -w 1 -o /tmp/rapper.txt
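A small triage script for debug output like the above, added here as an example and not part of the original post or of any Aruba tooling. It walks a constructed excerpt modelled on the quoted lines, pulls out the retry counter, the peer the tunnel code says it dials versus the peer actually handed to rapper, the IKE error code returned by the controller, and the kernel route errno, then turns them into findings; the regexes are written against the line formats shown in this thread only.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the debug lines quoted in the post above.
SAMPLE_LOG = """\
1970-01-02 02:17:04 [backup tunnel] tunnel_retry(222): setting up tunnel to backup tunnel, retry=21
1970-01-02 02:17:04 [backup tunnel] ipsec_tunnel_connect(1384): connect to backup tunnel, peer address 10.10.10.2.
1970-01-02 02:17:04 [backup tunnel] lauch rapper command: rapper -c 10.10.10.2 -b 1 -i br0 -x -G 0 -r 8424 -l 28000 -L 7200 -w 1 -o /tmp/rapper.txt
1970-01-02 02:17:26 [backup tunnel] Error!!!: Received RC_OPCODE_ERROR lms 10.10.10.2 tunnel 0.0.0.0 RC_ERROR_IKEP2_PKT1 debug-error:-8949
1970-01-02 02:17:35 [backup tunnel] tunnel_retry(222): setting up tunnel to backup tunnel, retry=22
1970-01-02 02:17:36 set_route_af: ioctl (SIOCADDRT) failed error no(17)
1970-01-02 02:17:36 [backup tunnel] lauch rapper command: rapper -c 10.10.253.4 -b 1 -i br0 -x -G 0 -r 8424 -l 28000 -L 7200 -w 1 -o /tmp/rapper.txt
"""

RETRY_RE = re.compile(r"tunnel_retry\(\d+\): setting up tunnel to (\w+ tunnel), retry=(\d+)")
PEER_RE = re.compile(r"connect to (\w+ tunnel), peer address ([\d.]+)\.")
RAPPER_RE = re.compile(r"rapper -c ([\d.]+) .* -r (\d+)")
ERR_RE = re.compile(r"RC_OPCODE_ERROR lms ([\d.]+) .*?(RC_ERROR_\w+) debug-error:(-?\d+)")
ROUTE_RE = re.compile(r"ioctl \(SIOCADDRT\) failed error no\((\d+)\)")

def triage(log):
    s = {"retries": {}, "peers": {}, "rapper_peers": set(),
         "ike_errors": Counter(), "route_errors": Counter()}
    for line in log.splitlines():
        if m := RETRY_RE.search(line):          # latest retry counter per tunnel
            s["retries"][m.group(1)] = int(m.group(2))
        elif m := PEER_RE.search(line):         # peer the tunnel code says it dials
            s["peers"][m.group(1)] = m.group(2)
        elif m := RAPPER_RE.search(line):       # peer actually passed to rapper -c
            s["rapper_peers"].add(m.group(1))
        elif m := ERR_RE.search(line):          # IKE error code reported by the controller
            s["ike_errors"][(m.group(1), m.group(2), int(m.group(3)))] += 1
        elif m := ROUTE_RE.search(line):        # kernel route-add errno
            s["route_errors"][int(m.group(1))] += 1
    return s

def findings(s):
    """Turn the collected state into the points a reviewer would raise."""
    notes = []
    for (lms, code, num), count in s["ike_errors"].items():
        notes.append(f"{code} ({num}) from {lms} x{count}: controller rejected the IKE phase 2 exchange, tunnel never came up")
    stray = s["rapper_peers"] - set(s["peers"].values())
    if stray:
        notes.append(f"rapper dialled {sorted(stray)} but the logged tunnel peers were {sorted(set(s['peers'].values()))}")
    if s["route_errors"].get(17):
        notes.append("SIOCADDRT errno 17 (EEXIST): route from the earlier attempt still present, benign on retry")
    for name, n in s["retries"].items():
        if n > 2:
            notes.append(f"{name} retried {n} times; log states max per tunnel is 2")
    return notes
```

Run `findings(triage(SAMPLE_LOG))` to get the four points; the peer mismatch between the logged 10.10.10.2 and the rapper command's 10.10.253.4 is the one worth checking against the controller configuration first.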

Guru Elite

Re: IAP auto GRE tunnel to Master and Local controller

Are you sure it is a local? You should be able to create a VPN pool on a local...



Colin Joseph
Aruba Customer Engineering

Occasional Contributor I

Re: IAP auto GRE tunnel to Master and Local controller

Hi Colin,

I have created the VPN pool on the local. I initially set this as a different name, iap-pool-2, with a different subnet range. I have now changed this to iap-pool-1 so that it has the same reference as the master. But under access control, in the default-vpn-profile option, the l2tp pool is greyed out, so this cannot be configured to point to the vpn-pool.


Thanks

Scott
