Contributor II
Posts: 36
Registered: ‎03-21-2012

Problem with Master <-> Local Communication

Hi.

I have problems getting Master and Local communicating.

Before I type in the Master address on the Local, ping and trace work, but once I type in the IP and PSK for the Master and reboot, all communication stops.

On the Local I can see traffic to the Master:

(mascotaruba02) #show datapath session | include 4500
109.247.15.82   192.168.88.1    17   4500  4500   0/0     0 0   55  local       386  FY
192.168.88.1    109.247.15.82   17   4500  4500   0/0     0 0   0   local       386  FC
But on Master i see nothing.

Nothing shows up in show crypto isakmp sa either.

Any ideas?

Aruba Employee
Posts: 148
Registered: ‎11-25-2009

Re: Problem with Master <-> Local Communication

Is there any firewall in between the master and local ?

As per your previous message, the local is initiating the IPsec tunnel. However, the master didn't receive it. Please check the intermediate devices to allow UDP 4500. Sniff the packets on different hops and you can find where the 4500 traffic is being dropped.

Vinod Kumaar AVM ACMX, ACDX
Principal Network Engineer
Customer Advocacy | Aruba Networks Inc.

Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the bottom right hand corner of the post.
Contributor II
Posts: 36
Registered: ‎03-21-2012

Re: Problem with Master <-> Local Communication

The two Controllers are "attached" directly to the Internet.

The only firewalls present are on the Controllers themselves.

Vegard

New Contributor
Posts: 1
Registered: ‎12-06-2011

Re: Problem with Master <-> Local Communication

Did you open all of these ports for controller to controller communication? This is from the user guide.

Communication Between Aruba Devices

This section describes the network ports that need to be configured on the firewall to allow proper operation of the network.

Between any two controllers:

- IPSec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controller is encapsulated in IPSec.
- IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.
- GRE (protocol 47) if tunneling guest traffic over GRE to DMZ controller.
- IKE (UDP 500).
- ESP (protocol 50).
- NAT-T (UDP 4500).

Contributor II
Posts: 36
Registered: ‎03-21-2012

Re: Problem with Master <-> Local Communication

Aren't these ports open by default on the master controller?

Do I need to add a firewall policy on the port?

No fw policy is selected now.

Vegard

Guru Elite
Posts: 21,530
Registered: ‎03-29-2007

Re: Problem with Master <-> Local Communication

You should not have to open anything up in terms of the firewall. It looks like you are pointing one controller to a private address. What routing path would the traffic take in that circumstance, and is it being blocked from the public side?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 36
Registered: ‎03-21-2012

Re: Problem with Master <-> Local Communication

Hi, I have changed some details now but it still won't work.

This is the session output now from the local controller...

(mascotaruba02) #show datapath session | include 4500
109.247.15.82   95.34.70.39     17   4500  10000  0/0     0 0   0   local       cf58 FNY
95.34.70.39     109.247.15.82   17   4500  4500   0/0     0 0   0   local       cf58 FSC
Vegard

Guru Elite
Posts: 21,530
Registered: ‎03-29-2007

Re: Problem with Master <-> Local Communication

The source IP address of the traffic coming from the local is the "switch ip" or controller address. Type "show switch ip" to determine what IP address the IPsec connection will be sent out of on the local controller. If you ping or do a traceroute, it normally goes out the egress interface, so where a ping might succeed, a master-local connection might fail, because it would be taking a different path.

Colin Joseph
Aruba Customer Engineering

Aruba Employee
Posts: 148
Registered: ‎11-25-2009

Re: Problem with Master <-> Local Communication

Also I see the traffic is getting source NATed. Can you please give us the output of show ip interface br and show controller-ip.

show runn | in localip from master

Vinod Kumaar AVM ACMX, ACDX
Principal Network Engineer
Customer Advocacy | Aruba Networks Inc.

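The post above reads the S and N letters in the session flags as source and destination NAT, and an earlier post quotes the user guide's list of ports and protocols that must pass between two controllers. The script below is an added example written for this thread; it is not code from any poster or from Aruba. It parses the "show datapath session" rows quoted in the thread, classifies each row against the guide's port list (IKE, NAT-T, ESP, GRE, IP-IP), and reports the conditions raised in the discussion: a private peer address that the master cannot route back to, a source-NATed flow, and a destination-NATed flow whose UDP port was rewritten. The column order is taken from the quoted rows, and the flag meanings (S = source NAT, N = destination NAT) are assumptions, not documented behaviour.

```python
"""Triage Aruba 'show datapath session' output for master<->local IPsec traffic.

Added example for this thread, not Aruba code.  Assumptions:
  - column order is SrcIP DstIP Prot SPort DPort ... Flags (as in the quoted rows)
  - flag letters: S = source NAT, N = destination NAT
"""
import ipaddress

# Ports and IP protocols the user guide lists between any two controllers.
CONTROLLER_UDP_PORTS = {500: "IKE", 4500: "NAT-T"}
CONTROLLER_IP_PROTOS = {50: "ESP", 47: "GRE", 94: "IP-IP"}

# Sample input: the two outputs quoted in this thread, prompt lines included.
FIRST_OUTPUT = """(mascotaruba02) #show datapath session | include 4500
109.247.15.82   192.168.88.1    17   4500  4500   0/0     0 0   55  local       386  FY
192.168.88.1    109.247.15.82   17   4500  4500   0/0     0 0   0   local       386  FC
"""
SECOND_OUTPUT = """(mascotaruba02) #show datapath session | include 4500
109.247.15.82   95.34.70.39     17   4500  10000  0/0     0 0   0   local       cf58 FNY
95.34.70.39     109.247.15.82   17   4500  4500   0/0     0 0   0   local       cf58 FSC
"""


def parse_session_line(line):
    """Parse one session row into a dict; prompt, header and blank lines give None."""
    parts = line.split()
    if len(parts) < 6:
        return None
    try:
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        proto, sport, dport = (int(p) for p in parts[2:5])
    except ValueError:
        return None  # first columns are not "ip ip proto port port": not a session row
    return {"src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "flags": parts[-1]}


def classify(sess):
    """Name the tunnel component a session belongs to (IKE, NAT-T, ESP, ...)."""
    if sess["proto"] == 17:
        name = (CONTROLLER_UDP_PORTS.get(sess["sport"])
                or CONTROLLER_UDP_PORTS.get(sess["dport"]))
        return name or "udp/%d" % sess["dport"]
    return CONTROLLER_IP_PROTOS.get(sess["proto"], "proto/%d" % sess["proto"])


def triage(output, master_ip):
    """Return sorted findings for sessions between this controller and master_ip."""
    master = ipaddress.ip_address(master_ip)
    findings = set()
    for sess in filter(None, map(parse_session_line, output.splitlines())):
        if master not in (sess["src"], sess["dst"]):
            continue
        kind = classify(sess)
        peer = sess["dst"] if sess["src"] == master else sess["src"]
        flow = "%s->%s" % (sess["src"], sess["dst"])
        if peer.is_private:
            # The master has to have a return route to this address for the tunnel to come up.
            findings.add("%s: peer %s is a private address; the master needs a return route to it"
                         % (kind, peer))
        if "S" in sess["flags"]:  # assumed: S = source NAT
            findings.add("%s: %s is source-NATed (flag S)" % (kind, flow))
        if "N" in sess["flags"] or (sess["proto"] == 17 and sess["sport"] != sess["dport"]):
            # assumed: N = destination NAT; a port rewrite on UDP 500/4500 is the same symptom
            findings.add("%s: %s is destination-NATed (port %d -> %d)"
                         % (kind, flow, sess["sport"], sess["dport"]))
    return sorted(findings)


if __name__ == "__main__":
    for label, output in (("first", FIRST_OUTPUT), ("second", SECOND_OUTPUT)):
        print(label + ":")
        for finding in triage(output, "109.247.15.82"):
            print("  " + finding)
```

Run against the first output it reports only the private 192.168.88.1 peer, which is the routing question raised earlier in the thread; against the second output it reports the destination-NATed inbound flow (4500 -> 10000) and the source-NATed outbound flow, which is what the post above noticed from the flags.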
Contributor II
Posts: 36
Registered: ‎03-21-2012

Re: Problem with Master <-> Local Communication

Local

(mascotaruba02) #show running-config | include master
Building Configuration...
masterip 109.247.15.82 ipsec 5293af178aaa76fcb236bcdb27648003c69b26852b66cbc5
Master

(mascotaruba01) #show running-config | include localip
Building Configuration...
localip 0.0.0.0 ipsec e31ac2f12426982c530fb7b0d89142b62859be52d006614f
localip 212.251.188.222 ipsec 2bfa6072fca70c4fbeb86ee3a9731ee745ac4ec6ec5845d3

But when I port-scan the master, ports 500 and 4500 are not showing as open.

Is that right?

Vegard