@Meeko wrote:
Hi, RAPs are not supported in AOS Clustering when the MDs are behind a NAT device. I discovered this after testing in my lab and opening a 3-week case with Aruba TAC, which was eventually escalated, and I was told it's not supported. There is currently no mechanism for the Cluster to communicate their NAT IPs to the RAPs, so the RAPs have no means of establishing AAC and S-AAC tunnels.
Thanks for that, Meeko - I understand what you mean. To me, not having thought that through kind of defeats the whole purpose of it :( since RAP almost always implies an inbound port NAT somewhere in the path. Sadly there are many online resources extolling the virtues of RAP + cluster; it's just missing a big caveat asterisk next to it.
I wonder if you can hack at it with DNAT and put the NAT IP in the cluster-group, so that internally the NAT IP is DNATed to the controller IP. Ugly, but it might work.
To your other questions: yes, you would normally put the public IP of the NAT device in lms and backup-lms. It seems to me that on the surface the bkup-lms and secondary master provide a pretty similar function - the only question may be about the behavior when a controller goes away. For lms/bkup-lms, when the lms goes away, the AP will try again after 30 seconds to its primary lms, then after 20 seconds of timeout it will fail over to the backup. Including DHCP renewals etc., it takes about 75 seconds - not sure if the secondary master is faster, slower or the same.
The 2 controllers can be standalone and you can use a partial CPsec configuration in order to sync the whitelist. I am not sure how it plays with 8.x, but in 6.x you can do this and it will sync the RAP whitelist:
Master1
cluster-root-ip 192.168.1.10 ipsec <pre-shared-key>
Master2
cluster-member-ip 192.168.2.10 ipsec <pre-shared-key>
Mostly, the RAP controllers I have seen have resided in a DMZ, generally with only UDP 4500 port-forwarded inwards and something making sure that what comes out on the services side is legit. Having said that, some do just bring it all the way inside the network with no additional firewall on the network side.
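As an added illustration of the lms/bkup-lms approach described in the reply above (this is an example config, not anything posted in the thread), the AP system profile below points the RAPs at the public IPs of the two NAT devices in front of two standalone controllers, so that the outside-facing address the RAP can actually reach is what is configured, not the controller's private address. The profile and group names and the 203.0.113.x / 192.168.x.x addresses are constructed placeholders; `lms-preemption` is optional and only makes the AP move back to the primary once it returns.

```text
! On each controller (ArubaOS CLI), assumed names and addresses:
!   RAP-side public IP of the NAT in front of Master1 : 203.0.113.10
!   RAP-side public IP of the NAT in front of Master2 : 203.0.113.11
! Each NAT forwards only UDP 4500 inward to its controller
! (192.168.1.10 and 192.168.2.10 respectively).

ap system-profile "rap-nat-profile"
   lms-ip 203.0.113.10
   bkup-lms-ip 203.0.113.11
   lms-preemption
!

ap-group "rap-group"
   ap-system-profile "rap-nat-profile"
!
```

The whitelist sync between the two controllers is still done with the partial CPsec `cluster-root-ip` / `cluster-member-ip` pairing the reply shows; the system profile only controls which address the RAP tunnels to first and where it fails over to after the timeouts described above.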