03-18-2013 06:31 AM
We have set up a RAP-3 with a client to provide connectivity on a local site.
The rap is configured in split-tunnel mode. Internet traffic has a local breakout while the rest will be tunneled.
Is there a way for the clients connected to the RAP (wired) to keep their internet connection when the controller fails?
03-18-2013 06:49 AM - edited 03-18-2013 06:53 AM
The fallback mode (also known as backup configuration) operates the remote AP if the master controlleror the configured primary and backup LMS are unreachable. The remote AP saves configuration information that allows it to operate autonomously using one or more SSIDs in local bridging mode while supporting open association or encryption with PSKs. You can also use the backup configuration if you experience network connectivity issues, such as the WAN link or the central data center becomes unavailable. With the backup configuration, the remote site does not go down if the WAN link fails or the data center is unavailable.
You define the backup configuration in the virtual AP profile on the controller. The remote AP checks for configuration updates each time it establishes a connection with the controller. If the remote AP detects a change, it downloads the configuration changes.
The following remote AP backup configuration options define when the SSID is advertised
Always—Permanently enables the virtual AP. Recommended for bridge SSIDs.
Backup—Enables the virtual AP if the remote AP cannot connect to the controller. This SSID is advertised until the controller is reachable. Recommended for bridge SSIDs.
Persistent—Permanently enables the virtual AP after the remote AP initially connects to the controller. Recommended for 802.1x SSIDs.
Standard—Enables the virtual AP when the remote AP connects to the controller. Recommended for 802.1x, tunneled, and split-tunneled SSIDs. This is the default behavior.
You can configure you VAP profile that this RAP3 unit is connected to - to a diffrent Remote-AP operation mode:
*just be aware ,some service like DNS/DHCP come directly trought the tunnel...so if no controller - no users or release/renew will not work*
More info regarding all the rap workng opertaion methods can be found here: (TABLE 38)
have a lovley day.
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
03-25-2013 08:22 AM - edited 03-25-2013 08:23 AM
I'm currently facing a similar issue. I think as far as the wired access ports are concerned, the following part from the manual holds the solution:
Backup Configuration Behavior for Wired Ports If the connection between remote AP and the controller is disconnected, the remote AP will be exhibit the following behavior:
- All access ports on the remote AP, irrespective of their original forwarding mode will be moved to bridge forwarding mode.
- Clients will receive IP address from the remote AP's DHCP server.
- Client will have complete access to Remote AP's uplink network. You cannot enforce or modify any access control policies on the clients connected in this mode.
As you are using a split tunnel config, the first aspect of the behavior seems important, as the RAP will change to bridge-mode. The connected client will then possibly have a DHCP address from it's original server and may not recognize that the IP range has changed due to the loss of the controller connection (as the RAP will now be the DHCP server). Maybe a reduction of the lease time on the original DHCP server can do the trick ...
03-25-2013 08:33 AM
If you have the "Remote-AP Backup" enabled in the enet profile of that ethernet port:
The client traffic will survive, regardless of how the wired profile was configured when connected to the controller. When the AP is coming up, before it connects to the controller, if remote-ap backup is configured, it will automatically give a client an ip address out of its pool in the ap system profile and source-nat all traffic out. Even if the client is hardcoded with an address that does not match that pool, it will source nat all of its traffic out with no ACL.
Long story short, with that parameter enabled, it does not matter what ip address the wired client has. If the access point is up, and has an ip address, but cannot contact the controller, it will source-nat and forward all wired client traffic out of its routed interface. Many times there is a switch between the wired client and RAP, so the client does not "see" the interface go down and retains its existing wired ip address. That traffic will be forwarded out of the RAP to the internet.
The idea is to allow any wired device access to the internet, even though the AP does not have connectivity to the controller. It would be for devices that need internet connectivity, even though the controller is down.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base