Local controller to master over internet


Hi!


I'm setting up a lab scenario with a central controller that has only UDP 4500 port-forwarded to it from the public-facing firewall, and a branch office controller with internet-only access that should connect as a local to the central master. I think I'm missing something simple, so please help me take an extra look :)


Configuration on master:

local-factory-cert local-mac "00:0b:86:xx:xx:xx"
controller-ip 192.168.230.3 (this one has UDP 4500 port forwarded to it from 1.1.1.1)
crypto isakmp udpencap-behind-natdevice enable


Configuration on branch local:

masterip 1.1.1.1 ipsec-factory-cert master-mac-1 00:0b:86:yy:yy:yy
!
interface vlan 4094 (internet-facing access port)
ip address dhcp-client
ip nat outside
!
interface vlan 5
ip address 172.22.5.10 255.255.255.0
ip nat inside
!
controller-ip vlan 5


I can see a successful ISAKMP SA and IPsec SA on both controllers, and the routes are successfully installed in the IPsec maps.


On Master:

C    172.22.5.10/32 is an ipsec map default-local-master-ipsecmap-00:0b:86:xx:xx:xx


On Local:

C    192.168.230.3/32 is an ipsec map default-local-master-ipsecmap


If I ping from the master to 172.22.5.10 I can see this in the datapath session table of the local:

192.168.230.3 172.22.5.10 1 55 2048 0/0 0 0 1 tunnel 10 8 1 120 FSCI
172.22.5.10 1.1.1.1 1 58 0 0/0 0 0 1 tunnel 10 6 1 120 FNI

(Also in the datapath I see the local trying to answer PAPI traffic back to the public IP 1.1.1.1 instead of the master's controller-ip, which I think it should be.)


If I ping from the local to the 192.168.230.3 address I see nothing in the datapath of the master.


In the logs of the local I just see that it tries to send things directly to the public IP of the master; shouldn't it understand that it needs to communicate through the tunnel?


Jul 14 15:33:21 cfgm[3468]: <307025> <DBUG> |cfgm| local:Sending heartbeat message to MMS
Jul 14 15:33:21 cfgm[3468]: <307103> <INFO> |cfgm| send_tcp_hb_master 196 Connection to the master failed, Will retry socket ID 20 state CONFIG_SOCKET_NOTCONNECTED
Jul 14 15:33:21 cfgm[3468]: <307240> <DBUG> |cfgm| Connecting the Local CFGM socket, state 1
Jul 14 15:33:21 cfgm[3468]: <307242> <INFO> |cfgm| Failed to connect to the Master (1.1.1.1),Configuration socket will try again: Connection timed out
Jul 14 15:33:21 cfgm[3468]: <399814> <DBUG> |cfgm| Checking if the regulatory file is modified
Jul 14 15:33:21 cfgm[3468]: <399814> <DBUG> |cfgm| Sending the heartbeat message. Not Responding counter=7
Jul 14 15:33:21 cfgm[3468]: <399815> <INFO> |cfgm| Cannot connect to the master 1.1.1.1 error Connection timed out errno 145 socket id 20


I've also put up a local using certificate-based authentication on the same subnet as the master, and it works like a charm. I'd like this to work with only the UDP 4500 port forward.


Please help me put some extra eyes on this, dear Airheaders :) I'm running ArubaOS 6.4.4.8


Cheers,

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP
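The following is an added check, not part of Christoffer's post or of ArubaOS: a small Python script that takes the three things quoted above as plain text (the ipsec-map route entry, "show datapath session table" rows, and the cfgm log lines) and reports which master-bound flows on the local ride the IPsec map and which are sent straight to the master's NAT public address, where the firewall forwards only UDP 4500. The session-table column layout, the "dev4094" egress notation, the two extra session rows (an IKE/NAT-T flow and a TCP control connection, with a placeholder port) and the master addresses 1.1.1.1 / 192.168.230.3 as inputs are assumptions for the example, marked in the code.

```python
"""Added example (not from the post): which master-bound flows on the local
controller ride the IPsec map, and which leave directly for the master's NAT
public address, where only UDP 4500 is forwarded.  Column layout, the "dev4094"
egress notation and the two extra session rows are assumptions (marked)."""
import ipaddress
import re
from dataclasses import dataclass

UDP = 17

# --- sample input: lines quoted in the post, plus two constructed rows ---
ROUTE_LINES = [
    "C    192.168.230.3/32 is an ipsec map default-local-master-ipsecmap",
]
SESSION_LINES = [
    # rows 1-2 as posted
    "192.168.230.3 172.22.5.10 1 55 2048 0/0 0 0 1 tunnel 10 8 1 120 FSCI",
    "172.22.5.10 1.1.1.1 1 58 0 0/0 0 0 1 tunnel 10 6 1 120 FNI",
    # constructed: IKE/NAT-T to the public address (egress column "dev4094" is assumed)
    "172.22.5.10 1.1.1.1 17 4500 4500 0/0 0 0 1 dev4094 6 40 9000 FC",
    # constructed: a TCP control connection to the public address; port is a placeholder
    "172.22.5.10 1.1.1.1 6 49152 4343 0/0 0 0 1 dev4094 6 3 180 FC",
]
LOG_LINES = [
    "Jul 14 15:33:21 cfgm[3468]: <307242> <INFO> |cfgm| Failed to connect to the Master (1.1.1.1),Configuration socket will try again: Connection timed out",
    "Jul 14 15:33:21 cfgm[3468]: <399815> <INFO> |cfgm| Cannot connect to the master 1.1.1.1 error Connection timed out errno 145 socket id 20",
]


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    egress: str  # the "Destination" column, e.g. "tunnel 10" or an interface

    @property
    def tunneled(self) -> bool:
        return self.egress.startswith("tunnel")


IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+$")


def parse_sessions(lines):
    """Assumed columns: Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio,
    ToS, Age, Destination, TAge, Packets, Bytes, Flags.  "Destination" may be two
    tokens ("tunnel 10"), so it is whatever sits between Age and TAge."""
    sessions = []
    for line in lines:
        tok = line.split()
        if len(tok) < 14 or not IPV4.match(tok[0]) or not IPV4.match(tok[1]):
            continue
        egress = " ".join(tok[9:-4])
        sessions.append(Session(tok[0], tok[1], int(tok[2]), int(tok[3]), int(tok[4]), egress))
    return sessions


ROUTE_RE = re.compile(r"^\S+\s+(\S+/\d+)\s+is an ipsec map\s+(\S+)")


def parse_ipsec_routes(lines):
    """prefix -> ipsec map name, for routes the local reaches through IPsec."""
    routes = {}
    for line in lines:
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[ipaddress.ip_network(m.group(1), strict=False)] = m.group(2)
    return routes


def via_ipsec_map(ip, routes):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in routes)


FAIL_RE = re.compile(r"(?:Failed to connect to the Master \(|Cannot connect to the master )(\d+\.\d+\.\d+\.\d+)")


def parse_cfgm_failures(lines):
    """Master addresses that cfgm reports it cannot reach."""
    found = set()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            found.add(m.group(1))
    return sorted(found)


def classify(s, public_ip, controller_ip, forwarded):
    """Verdict for one master-bound session; None for unrelated flows."""
    if s.dst not in (public_ip, controller_ip):
        return None
    if s.tunneled:
        return "tunneled"
    if (s.proto, s.dport) in forwarded:
        return "direct, forwarded by firewall"
    return "direct to public IP, not forwarded: will time out"


def audit(route_lines, session_lines, log_lines, public_ip, controller_ip,
          forwarded=frozenset({(UDP, 4500)})):
    routes = parse_ipsec_routes(route_lines)
    flows = []
    for s in parse_sessions(session_lines):
        verdict = classify(s, public_ip, controller_ip, forwarded)
        if verdict:
            flows.append((f"proto {s.proto} -> {s.dst}:{s.dport} via {s.egress}", verdict))
    # a cfgm target with no ipsec-map route is sent out the NAT interface, not the tunnel
    unrouted = [ip for ip in parse_cfgm_failures(log_lines) if not via_ipsec_map(ip, routes)]
    return {"flows": flows, "cfgm_targets_without_ipsec_route": unrouted}


if __name__ == "__main__":
    for key, value in audit(ROUTE_LINES, SESSION_LINES, LOG_LINES, "1.1.1.1", "192.168.230.3").items():
        print(key, value)
```

Running it against the quoted lines reports 1.1.1.1 as a cfgm target with no ipsec-map route (only 192.168.230.3/32 is covered), so any TCP the local opens to that address leaves via the NAT interface and meets a firewall that forwards UDP 4500 only. The route-to-tunnel lookup is done per destination address with the ipaddress module, so the same check works for wider ipsec-map prefixes, not just the /32 host route shown here.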