Wireless Access

Hi.

I have problems getting Master and Local communicating.

Before i type in Master address on Local, ping and trace works, but once i type in ip and PSK to Master, and reboot, All communicaton stops.

On local i can see traffic to Master:

(mascotaruba02) #show datapath session | include 4500
109.247.15.82   192.168.88.1    17   4500  4500   0/0     0 0   55  local       386  FY
192.168.88.1    109.247.15.82   17   4500  4500   0/0     0 0   0   local       386  FC

But on Master i see nothing.

Nothing shows up in show crypto isakmp sa either.

Any ideas?

Is there any firewall in between the master and local ?

As per your previous message, the local is initiating the IPSEC tunnel. However master didn't receive it. Please check the intermediate devices to allow UDP 4500. Sniff  the packets on different hops and you can find , where the 4500 traffic is being dropped. 

The two Controllers is "attached" directly to the Internet.

The only firewalls present is on the Controllers itselves..

Vegard

Did you open all of these ports for controller to controller communication? This is from the user guide.

Communication Between Aruba Devices

This section describes the network ports that need to be configured on the firewall to allow proper

operation of the network.

Between any two controllers:

􀁺

IPSec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controller is

encapsulated in IPSec.

􀁺

IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.

􀁺

GRE (protocol 47) if tunneling guest traffic over GRE to DMZ controller.

􀁺

IKE (UDP 500).

􀁺

ESP (protocol 50).

􀁺

NAT-T (UDP 4500).

Arent these ports default open on the master controller?

Do i need to add a firewall policy on the port?

No fw policy is selected now..

Vegard

You should not have to open anything up in terms of the firewall.  It looks like you are pointing one controller to a private address.  What routing path would the traffic take in that circumstance and is being blocked from the public side?

Hi, i have changed some details now but it still wont work.

This is the session output now from the local controller...

(mascotaruba02) #show datapath session | include 4500
109.247.15.82   95.34.70.39     17   4500  10000  0/0     0 0   0   local       cf58 FNY
95.34.70.39     109.247.15.82   17   4500  4500   0/0     0 0   0   local       cf58 FSC

Vegard

The source IP address of the traffic coming from the local is the "switch ip" or controller address.  Type "show switch ip" to determine what ip address the ipsec connection will be sent out of on the local controller.  If you ping or do traceroute, it normally goes out the egress interface, so where a ping might succeed, a master-local connection might fail, because it would be taking a different path.

ALso i see the traffic is getting source natted. can you please give us the output od show ip interface br and

show controller-ip.

show runn | in localip from master 

Local

(mascotaruba02) #show running-config | include master
Building Configuration...
masterip 109.247.15.82 ipsec 5293af178aaa76fcb236bcdb27648003c69b26852b66cbc5

Master

(mascotaruba01) #show running-config | include localip
Building Configuration...
localip 0.0.0.0 ipsec e31ac2f12426982c530fb7b0d89142b62859be52d006614f
localip 212.251.188.222 ipsec 2bfa6072fca70c4fbeb86ee3a9731ee745ac4ec6ec5845d3

But when i portscan the master port 500 and 4500 is not showing as open..

Is that right?

Vegard

Master

(mascotaruba01) #show ip interface br

Interface                   IP Address / IP Netmask        Admin   Protocol
vlan 102                 109.247.15.82 / 255.255.255.240   up      up
vlan 1                    172.18.1.101 / 255.255.255.0     up      up
vlan 250                172.18.250.254 / 255.255.255.0     up      up
loopback                    unassigned / unassigned        up      up
mgmt                        unassigned / unassigned        down    down

(mascotaruba01) #show controller-ip

Switch IP Address: 109.247.15.82

Switch IP is configured to be Vlan Interface: 102

Switch IPv6 address is not configured.

Local

(mascotaruba02) #show ip interface br

Interface                   IP Address / IP Netmask        Admin   Protocol
vlan 100                   212.251.188.222 / 255.255.255.0     up      up
vlan 1                    192.168.88.1 / 255.255.255.0     up      up
vlan 8                     172.18.81.1 / 255.255.255.0     up      down
loopback                    unassigned / unassigned        up      up
mgmt                        unassigned / unassigned        down    down

(mascotaruba02) #show controller-ip

Switch IP Address: 212.251.188.222

Switch IP is configured to be Vlan Interface: 1

Switch IPv6 address is not configured.

When you do a "show ip route" is the default gateway next hop a public address?

Also can you tell me what is this 95.34.70.39 Ip is ?

(mascotaruba02) #show datapath session | include 4500
109.247.15.82   95.34.70.39     17   4500  10000  0/0     0 0   0   local       cf58 FNY
95.34.70.39     109.247.15.82   17   4500  4500   0/0     0 0   0   local       cf58 FSC