Super Contributor II
Posts: 429
Registered: ‎01-19-2011

master-local IPSec

Hi,

I have just set up a connection between a master and a local controller (3200s) in different subnets. The devices would not connect - not even ping - when I defined the local's IP address and key on the master using the exact IP address. When I used 0.0.0.0 as the IP address this worked. Why did it not work with the specific IP address?

 

Matt

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: master-local IPSec

Can you do "show switches" to see what IP address it is using to do the tunnel?

And confirm it is the same one you were trying to point to in the ipsec tunnel command?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: master-local IPSec

I have done a show switches and this was the IP address I was using for defining the local on the master. As soon as I configured with the specific IP address, pings between the two devices failed.

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: master-local IPSec

Can you do a show ip route?

Also do an "encrypt disable" and make sure that the key matches between the two:

show running-config | include ipsec

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: master-local IPSec

Yes, I checked this a few times and even defaulted the local and started again; I had connectivity only when I used the 0.0.0.0 address.

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: master-local IPSec

 

I have seen this before when you try to ping the IP address identified in the ipsec command and for some reason it goes through the ipsec tunnel instead of the default gateway, and that's why I think it fails.

But I'm not 100% sure on that.

That's why I asked you to see if you can look at your ip route.

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: master-local IPSec

I imagine this is the case because pings work to other devices in the subnets at either end but not the host IP addresses of each of the controllers.

Aruba
Posts: 1,287
Registered: ‎08-29-2007

Re: master-local IPSec

Are you using the vlan interface ip for the localip on the master?

 

If there is any ipsec relationship between the two, then it will use that tunnel for pings and any other communication.  If the ipsec is down, you won't be able to ping it from the master, though you will be able to from another device.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: master-local IPSec

Yes, so I suppose another way of looking at the question is: why does the tunnel not form when using the host address, only when using the 0.0.0.0 address?

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: master-local IPSec

The tunnel should form when using either the host address or 0.0.0.0, assuming the host address you put in can be reached and is not NAT'd somewhere along the line.

Run the following from the master when it is successfully connected using the 0.0.0.0 parameter to see if you can confirm the IP it is coming from.

 

show crypto isakmp sa

or

show datapath session table | include 4500

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
