Wireless Access

Occasional Contributor II

RAPs, NATs and LMS Settings

OK, so I know this has been discussed before on here, but reading each post I have more questions, so I created a new thread.

Firstly, I have a master-standby solution using VRRP, where campus APs fail over to the second controller but RAPs cannot (due to having a NAT on the firewall which points to the VRRP address). My question is, without giving a public IP to each controller, is there no workaround for this? We do not want to have the controller on an interface on our firewall to the internet for security reasons.

Secondly, the LMS settings under AP Configuration > AP Groups > AP system: do we need to set these for RAPs? If we do set this for a RAP, will the RAP then go down, as it cannot directly hit the local address of the controller because it currently uses a NAT to get back to the firewall and then the controller? Is it best to leave these settings blank for the current setup I have?

Thanks

Frequent Contributor II

Re: RAPs, NATs and LMS Settings

If you already have the inbound port NAT on the firewall from the public IP x.x.x.x to the VRRP IP for UDP/4500, then in the AP system profile put the public IP x.x.x.x in the LMS-IP field and leave the backup LMS field empty.

Occasional Contributor II

Re: RAPs, NATs and LMS Settings

Hi

I currently have the public IP NATed to the IP of the VRRP; however, I'm not sure that it is allowed over port 4500 UDP. It currently works before failover; it is just once it fails over to the second controller that the RAPs don't move over. Why would I need port 4500 UDP opened? What is it that uses this protocol? Is it the LMS?

Do you think doing this and adding the LMS field as the public IP would make the failover work?

Frequent Contributor II

Re: RAPs, NATs and LMS Settings

@wrote:

I currently have the public IP NATed to the IP of the VRRP; however, I'm not sure that it is allowed over port 4500 UDP. It currently works before failover; it is just once it fails over to the second controller that the RAPs don't move over.

How long did you wait for it to move over?

@wrote:

Why would I need port 4500 UDP opened? What is it that uses this protocol? Is it the LMS?

RAPs use IPsec over UDP port 4500 to communicate with the controller.

@wrote:

Do you think doing this and adding the LMS field as the public IP would make the failover work?

The public IP of the firewall is what should be in the LMS field anyway; try putting it there and then test your failover.

Alternatively, there is another way if you have a second available public IP on the firewall. You can change the PNAT to point UDP/4500 to the primary controller management IP rather than the VRRP, then configure a second IP on the firewall and PNAT UDP/4500 to the secondary controller management IP. Then put the first public IP as the LMS and the second public IP as the backup LMS IP in the AP system profile.

For your reference, the timings after the controller goes away are generally as follows if an LMS and a backup LMS IP are configured:

1) Heartbeat failure detected after 30 seconds

2) RAP will re-do DHCP, which takes around 10 seconds

3) RAP will try to re-connect first to the primary LMS IP and takes 20 seconds to give up

4) RAP re-does DHCP again (~10 seconds)

5) Connect to the backup LMS IP
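As an added illustration (not code from this thread or from Aruba), a small Python model of the five-step failover sequence above, run against the two NAT layouts discussed: one public IP PNATed to the VRRP address with no backup LMS, and two public IPs each PNATed to a controller's management IP. The controller names, the 198.51.100.x addresses, the assumption that the VRRP address is held by the surviving controller, and the assumption that a reachable LMS connects immediately are all constructed for the example.

```python
# Constructed model of the RAP failover timeline quoted in the thread.
# Only the three timings come from the post; everything else is an assumption.
HEARTBEAT_TIMEOUT_S = 30   # 1) heartbeat failure detected after 30 seconds
DHCP_S = 10                # 2) and 4) RAP re-does DHCP, ~10 seconds each time
LMS_GIVE_UP_S = 20         # 3) RAP gives up on an unreachable LMS after 20 seconds


def resolve_pnat(public_ip, pnat, alive):
    """Return the controller that UDP/4500 traffic to public_ip lands on.

    pnat maps a public IP to a controller name (PNAT to that controller's
    management IP) or to "vrrp" (PNAT to the VRRP address, assumed to be
    held by the first surviving controller in the alive list).
    """
    target = pnat.get(public_ip)
    if target == "vrrp":
        return alive[0] if alive else None
    return target if target in alive else None


def simulate_failover(lms_ip, backup_lms_ip, pnat, alive):
    """Walk the five steps above after the RAP's controller goes away.

    Returns (timeline, controller, seconds); controller is None when the RAP
    finishes the cycle without reconnecting (assumed: it then starts over).
    """
    t = HEARTBEAT_TIMEOUT_S
    timeline = [(t, "heartbeat failure detected")]
    t += DHCP_S
    timeline.append((t, "DHCP renewed"))
    ctrl = resolve_pnat(lms_ip, pnat, alive)
    if ctrl:
        timeline.append((t, f"connected to primary LMS {lms_ip} via {ctrl}"))
        return timeline, ctrl, t
    t += LMS_GIVE_UP_S
    timeline.append((t, f"gave up on primary LMS {lms_ip}"))
    t += DHCP_S
    timeline.append((t, "DHCP renewed again"))
    if not backup_lms_ip:
        timeline.append((t, "no backup LMS configured; cycle restarts"))
        return timeline, None, t
    ctrl = resolve_pnat(backup_lms_ip, pnat, alive)
    if ctrl:
        timeline.append((t, f"connected to backup LMS {backup_lms_ip} via {ctrl}"))
        return timeline, ctrl, t
    timeline.append((t, f"backup LMS {backup_lms_ip} unreachable; cycle restarts"))
    return timeline, None, t
```

Feeding it the two layouts from the replies shows why the single-public-IP setup only works when the PNAT target follows VRRP, and why a PNAT pinned to the primary's management IP with no backup LMS never recovers.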
