MVP
Posts: 360
Registered: ‎05-09-2013

Local Controller Loses Connectivity

Running into a weird issue with Master/Local controller configuration. Customer has (2) Aruba 7210 controllers. The actual master controller is configured with VLAN1 (public IP connected to DMZ) and VLAN2 (private IP internal mgmt). The local controller is configured the same, but VLAN2 does not currently exist in that network closet. Customer wants to connect controllers via VLAN1 addresses. I can ping both controllers from each other. When I configure an IPSEC key and the local controller's IP on the master, I lose connectivity (cannot ping anymore), but as soon as I delete it I can ping again.

I just rebooted both controllers, but it still happens. There is a firewall between the controllers, but UDP4500 is allowed both ways.

Not sure what is causing the IPSEC tunnel not to build between the controllers. Has anybody seen this before? If so, what could be the issue?

Thanks!


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Guru Elite
Posts: 8,323
Registered: ‎09-08-2010

Re: Local Controller Loses Connectivity

What version of code? I’ve seen this in earlier versions of 6.4, but it was fixed by a reboot.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 20,787
Registered: ‎03-29-2007

Re: Local Controller Loses Connectivity

If you want them to function as master/local, it should be between two private management addresses not blocked by a firewall to start...

If you cannot ping a controller from the other, it is because it is using the route established by the local/master statement, but the tunnel is not up. You can verify this by seeing if each controller can be pinged by other devices when this happens.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 360
Registered: ‎05-09-2013

Re: Local Controller Loses Connectivity

Code version is 6.4.2.2


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Guru Elite
Posts: 20,787
Registered: ‎03-29-2007

Re: Local Controller Loses Connectivity

mharing,

You need more than UDP 4500. Please see the article here: https://arubapedia.arubanetworks.com/arubapedia/index.php/Ports_needed_if_a_firewalls_within_wired_infrastructure#Between_any_two_Mobility_Controllers:



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 360
Registered: ‎05-09-2013

Re: Local Controller Loses Connectivity

I agree that it should be between two private addresses, and at some point I can configure it that way, but temporarily it needs to be configured against the public addresses. This network is very unique and a bit challenging.

I have the controller-ip assigned as the private IP (VLAN2). Could that have anything to do with the issue, or doesn't it matter for IPSec?

I can ping before I configure the IPSec key, but after it breaks.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
MVP
Posts: 360
Registered: ‎05-09-2013

Re: Local Controller Loses Connectivity

CJoseph, can you send me the ports or post them here? I don't have access to that link.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Guru Elite
Posts: 20,787
Registered: ‎03-29-2007

Re: Local Controller Loses Connectivity

Between any two Mobility Controllers:

IPSec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controller is encapsulated in IPSec.
IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.
GRE (protocol 47) if tunneling guest traffic over GRE to DMZ controller.
IKE (UDP 500).
ESP (protocol 50).
IPSEC/NAT-T (UDP 4500).


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
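
An added example, not part of the original thread or any Aruba tooling: a small audit that checks a firewall allow-list against the controller-to-controller flows listed in the post above. The rule syntax, the function names and the documentation-range IP addresses are constructed for illustration, and checking both directions is an assumption that suits a stateless filter.

```python
import re

# Flows quoted in the post above for traffic between two Mobility Controllers.
REQUIRED = {"IKE (UDP 500)": ("udp", 500), "NAT-T (UDP 4500)": ("udp", 4500),
            "ESP (protocol 50)": ("50", None)}
OPTIONAL = {  # needed only when the named feature is in use
    "l3_mobility": {"IP-IP (protocol 94)": ("94", None), "UDP 443": ("udp", 443)},
    "gre_guest": {"GRE (protocol 47)": ("47", None)},
}
# Constructed rule syntax (assumption): "permit <proto> <src> <dst> [eq <port>]"
RULE_RE = re.compile(r"^permit\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\d+))?$")
ALIASES = {"esp": "50", "gre": "47"}

def parse_rules(text):
    """Return (proto, src, dst, port) tuples; '#' comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {raw!r}")
        proto, src, dst, port = m.groups()
        proto = ALIASES.get(proto.lower(), proto.lower())
        rules.append((proto, src, dst, int(port) if port else None))
    return rules

def permitted(rules, proto, port, src, dst):
    """True if any rule allows this flow; 'ip' and 'any' act as wildcards."""
    for r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in (proto, "ip") and r_src in (src, "any")
                and r_dst in (dst, "any") and r_port in (None, port)):
            return True
    return False

def missing_flows(rules, master, local, features=()):
    """List required flows that are not permitted, checked in both directions."""
    wanted = dict(REQUIRED)
    for feature in features:
        wanted.update(OPTIONAL[feature])
    return [f"{name}: {src} -> {dst}"
            for name, (proto, port) in wanted.items()
            for src, dst in ((master, local), (local, master))
            if not permitted(rules, proto, port, src, dst)]

# Constructed sample: only UDP 4500 opened both ways, as in the original question.
SAMPLE = """permit udp 192.0.2.10 198.51.100.20 eq 4500
permit udp 198.51.100.20 192.0.2.10 eq 4500"""

if __name__ == "__main__":
    for gap in missing_flows(parse_rules(SAMPLE), "192.0.2.10", "198.51.100.20"):
        print("missing:", gap)
```
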

Frequent Contributor II
Posts: 114
Registered: ‎05-31-2015

Re: Local Controller Loses Connectivity

On the master, have you tried configuring the IPsec key against the IP address of 0.0.0.0? I have seen this issue when using the local controller's correct IP address, but when using 0.0.0.0 it seems to work properly.

MVP
Posts: 360
Registered: ‎05-09-2013

Re: Local Controller Loses Connectivity

That was it. Not sure why it was happening, but that seemed to fix it. Thanks all for the help!


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com