Having a problem with a master-local setup.
I have read this post and the problem is very similar:
http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Master-Local-communication/td-p/6669
As there is no solution provided with the post, I have to ask the Airheads community before a case is made with Aruba TAC.
The problem is similar: I have 2x3400 controllers in VRRP. The controller with problems is a 620, which is to be connected over the internet to the master controllers. This has worked without a problem in the pilot phase of the project, both in my lab and at the customer's site.
Suddenly one Sunday, the local lost contact, and I have not been able to get it to connect again.
I do have a second 620 in my lab that has no problems connecting.
I have been through the troubleshooting guide on Airheads, but it does not provide any solution if you can't get the same results as the guide.
The local controller that is not working does not have an IPsec SA up and running, and I'm unable to find out why.
The IPsec key is correct; I have checked it several times, and the controller that is working uses the same key.
As the post talks about, there is a difference in the default-local-master-ipsecmap of the two local controllers.
Here is the map from the controller that is working:
Crypto Map Template"default-local-master-ipsecmap" 9999
IKE Version: 1
lifetime: [300 - 86400] seconds, no volume limit
PFS (Y/N): N
Transform sets={ default-ml-transform }
Peer gateway: 89.248.4.37
Interface: VLAN 0
Source network: 195.1.55.125/255.255.255.255
Destination network: 192.168.205.4/255.255.255.255
Pre-Connect (Y/N): Y
Tunnel Trusted (Y/N): Y
Forced NAT-T (Y/N): N
The destination network is the network at the customer's site; the peer gateway is a firewall. This firewall is NAT'ing to the master, and the master already has 50 RAPs connected through the same gateway/FW, so there is no problem there.
Here is the controller that has problems connecting:
Crypto Map Template"default-local-master-ipsecmap" 9999
IKE Version: 1
lifetime: [300 - 86400] seconds, no volume limit
PFS (Y/N): N
Transform sets={ default-ml-transform }
Peer gateway: 89.248.4.37
Interface: VLAN 0
Source network: 10.10.1.250/255.255.255.255
Destination network: 89.248.4.37/255.255.255.255
Pre-Connect (Y/N): Y
Tunnel Trusted (Y/N): Y
Forced NAT-T (Y/N): N
Notice the difference in the destination network: here it is the same as the peer gateway, but this might change when the controller successfully connects to the master, I don't know.
All controllers (2x3400 and 2x620) are running the same software version (6.1.3.4).
On the controller that is not working I get this:
(Riis-Lade_620) #show crypto ipsec sa
% No active IPSEC SA
The other 620 gives me this:
(Riis-Hvam_620) #show crypto ipsec sa
IPSEC SA Active Session Information
-----------------------------------
Initiator IP Responder IP InitiatorID ResponderID Flags Start Time Inner IP
------------ ------------ ----------- ----------- ----- --------------- --------
195.1.55.125 89.248.4.37 195.1.55.125/32 192.168.205.4/32 T Feb 21 12:18:25 -
Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
Total IPSEC SAs: 1
They are obviously not connected on the same line, but they try to connect to the same peer gateway.
The controller that is not working is connected to a broadband line that today is running 4-5 RAPs, giving them access. These RAPs are connecting to the same public IP as the controller is trying to. Why the controller can't connect, but the RAPs can, beats me.
I would like to resolve this problem without involving Aruba TAC, as TAC tends to take a lot of time. At the same time, TAC tends to ask a lot of questions, questions they usually could answer just by reading what I have written.
This is the main problem with Aruba TAC in my experience atm.
Roar
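An added example (not code from the post, from Aruba, or from anyone in this thread): a small script that parses the two default-local-master-ipsecmap dumps and the two `show crypto ipsec sa` outputs quoted above, reports which template fields differ between the working and the non-working 620, and checks whether the SA table contains an entry whose responder IP, InitiatorID and ResponderID match the peer gateway, source network and destination network of the crypto map. The text constants are copied from the post; the parser assumes the key/value layout shown there and nothing about other ArubaOS output formats. The `dst_equals_peer` flag only surfaces the difference the post points out, it does not claim which value is correct.

```python
import ipaddress
import re

# Crypto-map and SA text copied from the post above.
WORKING_MAP = """\
Crypto Map Template"default-local-master-ipsecmap" 9999
IKE Version: 1
lifetime: [300 - 86400] seconds, no volume limit
PFS (Y/N): N
Transform sets={ default-ml-transform }
Peer gateway: 89.248.4.37
Interface: VLAN 0
Source network: 195.1.55.125/255.255.255.255
Destination network: 192.168.205.4/255.255.255.255
Pre-Connect (Y/N): Y
Tunnel Trusted (Y/N): Y
Forced NAT-T (Y/N): N
"""
BROKEN_MAP = WORKING_MAP.replace(
    "Source network: 195.1.55.125/255.255.255.255",
    "Source network: 10.10.1.250/255.255.255.255").replace(
    "Destination network: 192.168.205.4/255.255.255.255",
    "Destination network: 89.248.4.37/255.255.255.255")
WORKING_SA = """\
IPSEC SA Active Session Information
-----------------------------------
Initiator IP Responder IP InitiatorID ResponderID Flags Start Time Inner IP
------------ ------------ ----------- ----------- ----- --------------- --------
195.1.55.125 89.248.4.37 195.1.55.125/32 192.168.205.4/32 T Feb 21 12:18:25 -
Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
Total IPSEC SAs: 1
"""
BROKEN_SA = "% No active IPSEC SA\n"

# One SA row: initiator IP, responder IP, two IDs, flags, start time, inner IP.
SA_ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
    r"(\w{3} +\d+ \d\d:\d\d:\d\d)\s+(\S+)$")


def parse_crypto_map(text):
    """Turn the 'key: value' lines of a crypto map template into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Crypto Map Template"):
            continue
        if line.startswith("Transform sets="):
            fields["Transform sets"] = line.split("=", 1)[1].strip().strip("{} ")
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def to_cidr(addr_mask):
    """'195.1.55.125/255.255.255.255' -> '195.1.55.125/32', as the SA table prints IDs."""
    return str(ipaddress.IPv4Network(addr_mask, strict=False))


def parse_sa_table(text):
    """Return one dict per SA row; an empty list when the box reports no SA."""
    keys = ("initiator", "responder", "initiator_id", "responder_id",
            "flags", "start", "inner_ip")
    return [dict(zip(keys, m.groups()))
            for m in (SA_ROW.match(l.strip()) for l in text.splitlines()) if m]


def diff_maps(a, b):
    """Fields whose values differ between two parsed crypto maps."""
    return {k: (a.get(k), b.get(k)) for k in a.keys() | b.keys() if a.get(k) != b.get(k)}


def check_map(map_text, sa_text):
    """Does the SA table hold an SA matching this crypto map's peer/src/dst?"""
    cm = parse_crypto_map(map_text)
    src, dst = to_cidr(cm["Source network"]), to_cidr(cm["Destination network"])
    peer = cm["Peer gateway"]
    matching = [sa for sa in parse_sa_table(sa_text)
                if sa["responder"] == peer and sa["initiator_id"] == src
                and sa["responder_id"] == dst]
    return {"peer": peer, "expected_ids": (src, dst),
            "dst_equals_peer": dst.split("/")[0] == peer,
            "sa_present": bool(matching)}


if __name__ == "__main__":
    for k, (w, b) in sorted(diff_maps(parse_crypto_map(WORKING_MAP),
                                      parse_crypto_map(BROKEN_MAP)).items()):
        print(f"{k}: working={w!r} broken={b!r}")
    print("working:", check_map(WORKING_MAP, WORKING_SA))
    print("broken: ", check_map(BROKEN_MAP, BROKEN_SA))
```

Run as-is it prints the two differing fields (source and destination network) and the per-controller check; to use it on other boxes, paste the respective `show crypto-local ipsec-map` and `show crypto ipsec sa` output into the constants.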