mom
Contributor I

RAP-203RP in boot cycle if LMS is set to local controller

Hello!

I've converted a RAP-203RP from Instant to RAP.
The RAP is already whitelisted, VPN services are configured and the RAP comes up perfectly (IPsec terminating on the master VRRP).
The inner tunnel IP is assigned from the IPsec address pool on the master controller.

Now I also have two local controllers.
If I set the LMS IP in the AP system profile to one of the local controllers, the RAP goes into a boot cycle.
The VPN tunnel also gets established, but only for a few seconds before the RAP reboots again.

If I remove the LMS IP configuration, the RAP boots up normally.

The only difference between the master and local controller is that the IP address pool is not pushed down from the master to the locals.
Do I have to set the pool on the locals too?
Is it right that the RAP establishes the IPsec tunnel to the master and the GRE/PAPI tunnels to the LMS IP?

Any suggestions how I can troubleshoot this behavior?

Thank you!

Best regards
Matthias
Guru Elite

Re: RAP-203RP in boot cycle if LMS is set to local controller

The LMS should only be a public IP address, because it is initiated from the br0 of the AP and not the IPsec tunnel. (The RAP will try looking for that LMS-IP on the local network that the RAP is connected to.)

RAPs should not terminate on a VRRP if there is a NAT firewall between the RAP and the controller.

The IPsec pools are configured individually on each controller. You can name them the same thing, but the IP address range for each pool needs to be defined individually on each controller.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

mom
Contributor I

Re: RAP-203RP in boot cycle if LMS is set to local controller

Hi Colin!

If I understand it right, the LMS should be a VRRP reachable over the internet without a need for tunneling.
So the LMS must match the Master Controller IP Address/DNS name in the provisioning mask under AP Installation?
If not, you get a boot cycle?

So the backup LMS is not needed because of the master redundancy.

Is there a way to configure it so that the RAP builds its IPsec to the master pair but terminates on a local?

Thank you for your advice!

Best regards
Matthias
Guru Elite

Re: RAP-203RP in boot cycle if LMS is set to local controller

- Don't use VRRP with RAP.  Having a firewall between the RAP and the VRRP somehow does not allow it to work properly.

- If you want redundancy, make the LMS a public 1:1 nat pointing to the first controller and the backup LMS a public 1:1 nat pointing to the second controller (the local)

- You can provision a RAP to point to the public ip address of the master, but have the LMS-IP point to the public address of the local.  The AP will find the master, and then switch over to the local.



Colin Joseph
Aruba Customer Engineering

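The layout Colin describes (an IPsec pool defined separately on each controller, LMS and backup LMS pointing at the public 1:1 NAT addresses of the master and the local rather than at the VRRP), written out as an ArubaOS CLI fragment. This is an added illustration, not configuration from the thread; the profile and pool names and the 203.0.113.x/10.10.x.x addresses are placeholders.

```text
! Master controller: its own pool for the RAP inner-tunnel addresses
ip local pool "rap-pool" 10.10.1.1 10.10.1.254

! Local controller: the pool is NOT pushed down from the master, so it has to
! be defined here as well (same name is fine, the range is configured per box)
ip local pool "rap-pool" 10.10.2.1 10.10.2.254

! AP system profile: LMS and backup LMS are the public 1:1 NAT addresses of the
! master and the local. They are resolved from the RAP's br0 uplink, not through
! the IPsec tunnel, so a VRRP or inner-tunnel address here causes the boot cycle.
ap system-profile "rap-system"
    lms-ip 203.0.113.10
    bkup-lms-ip 203.0.113.20
```

The RAP is still provisioned against the master's public address; once it has found the master it switches over to the LMS configured in the profile.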

mom
Contributor I

Re: RAP-203RP in boot cycle if LMS is set to local controller

Thank you for clarifying.

Now the switchover works; I forgot to define the IP pool on the local.

In most cases a firewall would be between the ISP and the controller, so I will choose the two 1:1 NATs and LMS/backup LMS as you recommended.

I have read the RAP VRD; the design with VRRP and firewall is described there.

If the firewall would bring problems, does it make sense to work routed, giving both controllers a public IP and a third for VRRP?
Is it recommended to use a controller as "border firewall"?

Best regards
Matthias