Wireless Access

MVP
Posts: 289
Registered: ‎11-04-2008

RAP and Controller Flooding Network with IPsec Nat-traversal


Hello all,

This problem has been troubling us for a while.  After many changes in the switch and router configuration without success, I am posting the problem here to see if anyone has any advice, not just on Aruba RAPs but on networking in general: how can we troubleshoot this problem (or whether it is the problem at all)?

Controller 3600, 6.1.3.2, later upgraded to 6.1.3.5; both AOS versions showed the same issue.  Unlike others, where the controller for IPsec VPN is located in the DMZ, our controller is located behind the FW.

APs involved: two RAP-5WNs at two locations, on two separate ISPs.  They both act up at the same time.

Problem: randomly, our network is flooded with “UDP IPsec Nat-traversal (4500)”.  These packets originate from the inside port of the controller and flood out to all switchports that are in the same broadcast domain.  These are large packet floods, up to 100 Mbps, and can last from minutes to hours.

A Wireshark capture of all traffic from this controller, 172.18.254.96, to the two ISPs where the RAP5s were installed.  I am talking about 100s of MB of repeated data that look like this, flooding at every switchport:

1916       0.164238              172.18.254.96     67.55.236.105     ESP         178         ESP (SPI=0xe49e0f00)
1917       0.164254              172.18.254.96     67.55.236.105     ESP         178         ESP (SPI=0xe49e0f00)
1918       0.164305              172.18.254.96     108.244.151.186 ESP        178         ESP (SPI=0xe77ed500)
1919       0.164321              172.18.254.96     108.244.151.186 ESP        178         ESP (SPI=0xe77ed500)

Any advice is much appreciated!

Best regards!

Peter Trinh Nguyen

~Trinh Nguyen~
Boys Town
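The capture excerpt above is the kind of evidence that separates a genuine flood from a normal tunnel: the same SPI repeating at high rate towards the same RAP address, seen on switchports that are not the controller's uplink. The script below is an added example (not code from the thread, from Aruba, or from any poster) that parses Wireshark summary lines in the column order pasted above, tallies packets and bytes per ESP tunnel (source, destination, SPI), and flags any tunnel whose packet rate in a one-second window reaches a threshold. The sample capture embedded in it is constructed for the example, with RFC 5737 documentation addresses standing in for the controller and the two RAP public addresses; the summary-line layout and the pps threshold are assumptions you would adjust to your own export.

```python
import re
from collections import defaultdict

# One Wireshark summary line per frame, in the column order pasted in the thread
# (assumption: "No.  Time  Source  Destination  Protocol  Length  Info").
ESP_LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)"
    r"\s+ESP\s+(?P<length>\d+)\s+ESP \(SPI=(?P<spi>0x[0-9a-fA-F]+)\)"
)

# Constructed sample capture (not the thread's own data): 192.0.2.96 plays the
# controller, 203.0.113.10 and 198.51.100.186 play the two RAP public addresses.
SAMPLE_CAPTURE = """\
No.  Time      Source      Destination     Protocol Length Info
1    0.000000  192.0.2.96  203.0.113.10    ESP      178    ESP (SPI=0xe49e0f00)
2    0.000016  192.0.2.96  203.0.113.10    ESP      178    ESP (SPI=0xe49e0f00)
3    0.000067  192.0.2.96  198.51.100.186  ESP      178    ESP (SPI=0xe77ed500)
4    0.000083  192.0.2.96  198.51.100.186  ESP      178    ESP (SPI=0xe77ed500)
5    0.000120  192.0.2.96  203.0.113.10    ESP      178    ESP (SPI=0xe49e0f00)
6    0.000150  192.0.2.5   192.0.2.255     NBNS     92     Name query NB WORKGROUP<1d>
7    0.000201  192.0.2.96  203.0.113.10    ESP      178    ESP (SPI=0xe49e0f00)
8    0.000230  192.0.2.96  203.0.113.10    ESP      178    ESP (SPI=0xe49e0f00)
9    0.000260  192.0.2.96  203.0.113.10    ESP      178    ESP (SPI=0xe49e0f00)
10   1.200000  192.0.2.96  198.51.100.186  ESP      178    ESP (SPI=0xe77ed500)
"""


def parse_esp_records(text):
    """Return a list of (time, src, dst, spi, length) for every ESP summary line."""
    records = []
    for line in text.splitlines():
        m = ESP_LINE_RE.match(line)
        if m is None:
            continue  # header, non-ESP frames (ARP, NBNS, ...) and blank lines are skipped
        records.append(
            (float(m["time"]), m["src"], m["dst"], m["spi"].lower(), int(m["length"]))
        )
    return records


def flow_summary(records):
    """Packets and bytes per (src, dst, spi); each ESP direction has its own SPI."""
    summary = defaultdict(lambda: [0, 0])
    for _t, src, dst, spi, length in records:
        entry = summary[(src, dst, spi)]
        entry[0] += 1
        entry[1] += length
    return {flow: tuple(v) for flow, v in summary.items()}


def flooding_flows(records, pps_threshold, bucket_s=1.0):
    """Flows whose packet rate in any bucket_s-wide window reaches pps_threshold.

    Returns {flow: peak_pps}. One SPI repeating thousands of times per second
    towards the same RAP, copied to every port in the VLAN, is the symptom the
    thread describes; a healthy tunnel carries nothing like that.
    """
    counts = defaultdict(int)
    for t, src, dst, spi, _length in records:
        counts[((src, dst, spi), int(t // bucket_s))] += 1
    flagged = {}
    for (flow, _bucket), n in counts.items():
        pps = n / bucket_s
        if pps >= pps_threshold:
            flagged[flow] = max(flagged.get(flow, 0.0), pps)
    return flagged


if __name__ == "__main__":
    recs = parse_esp_records(SAMPLE_CAPTURE)
    for flow, (pkts, nbytes) in flow_summary(recs).items():
        print(f"{flow}: {pkts} packets, {nbytes} bytes")
    # Threshold chosen for the tiny sample. A real 100 Mbps flood of 178-byte
    # frames is roughly 70,000 packets per second on a single SPI.
    for flow, pps in flooding_flows(recs, pps_threshold=5).items():
        print(f"FLOOD? {flow} peaks at {pps:.0f} pps")
```

Run it against a summary export from a span port on one of the flooded switches rather than on the controller uplink: if the same SPI shows up there at flood rates, the traffic is being replicated into the broadcast domain, which is exactly what the VLAN-level fix discussed later in the thread addresses.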
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: RAP and Controller Flooding Network with IPsec Nat-traversal

Turn on broadcast-multicast optimization on the wired VLAN number you are having the problem with.  If you are extending VLAN 20 on a wired port on a RAP, you do this:

config t
interface vlan 20
bcmc-optimization



Colin Joseph
Aruba Customer Engineering

MVP
Posts: 289
Registered: ‎11-04-2008

Re: RAP and Controller Flooding Network with IPsec Nat-traversal

Thanks Colin for the quick response.  I'll let you know if this trick solves our problem.

~Trinh Nguyen~
Boys Town
MVP
Posts: 289
Registered: ‎11-04-2008

Re: RAP and Controller Flooding Network with IPsec Nat-traversal

I think my flooding problem has improved significantly, but it is not totally eliminated.  I am still watching.  The 6.1 user manual is not clear about this command; is it OK to use this on all VLANs and on all controllers?

This command BCMC-Optimization needs a good COTD article.

~Trinh Nguyen~
Boys Town
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: RAP and Controller Flooding Network with IPsec Nat-traversal

Ngutri,

If you can open a support case so that they can look into the details of your design that could be helpful.

Bcmc optimization on a VLAN will stop downstream broadcasts on both the wired and the wireless side of that VLAN. Even if you do not have "broadcast filter all" on the Virtual AP of a WLAN, it will also stop downstream broadcasts on your wireless network for that VLAN. Useful broadcast protocols like ARP are allowed, however.

This is best used to stop propagating wired broadcasts on a RAP.


Colin Joseph
Aruba Customer Engineering

MVP
Posts: 289
Registered: ‎11-04-2008

Re: RAP and Controller Flooding Network with IPsec Nat-traversal

Case opened and resolved.  Thanks to TAC.

RAP users should be terminated on their own RAP VLAN, and bcmc-optimization should be enabled on this RAP VLAN only.  It is also helpful to enable “BC/MC Rate Optimization” in the RAP ssid-profile.   Again, only enable this optimization in the RAP profile.

~Trinh Nguyen~
Boys Town