Wireless Access

Hi, we have our IAPs setup using the virtual controller, but we terminate them to a 7010 controller for tunnelled SSIDs. Recently one of our sites has had extra IAPs installed and when 100 are online, they drop connection from the 7010 and the VC no longer connects, other VCs on the controller aren't affected. If I power down some APs to bring it below 100, they come back online. The IAPs are 535/534. We have been told there is a limit of 128 for the VC, is there a limit of 100 IAPs to a VC on the 7010?
Thanks

------------------------------
James Davies
------------------------------

You would probably be best served by opening a technical support case with HPE.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Dec 07, 2021 04:33 AM
From: James Davies
Subject: 7010 Tunnel drops with 100 IAPs

Hi, we have our IAPs setup using the virtual controller, but we terminate them to a 7010 controller for tunnelled SSIDs. Recently one of our sites has had extra IAPs installed and when 100 are online, they drop connection from the 7010 and the VC no longer connects, other VCs on the controller aren't affected. If I power down some APs to bring it below 100, they come back online. The IAPs are 535/534. We have been told there is a limit of 128 for the VC, is there a limit of 100 IAPs to a VC on the 7010?
Thanks

------------------------------
James Davies
------------------------------

Hi James,

For my understanding you run Aruba Instant APs that use IAP-VPN to a 7010 VPN Concentrator in the DC. A VPN tunnel based on GRE or IPSEC is created from your Aruba Instant VC to the VPN 7010.

For IAP-VPN there is basically no license need on your 7010, but i could be you have custom firewall policies that required an PEFV license. So to be sure check if there are some licenses on your VPN Concentrator installed "show license summary", idem.

Another this that could happened is that local IP pool is to small configured. Check on that.
Aruba)(config)# ip local pool <pool-name> <start-ipaddr> <end-ipaddr>

From controller hardware perspective a 7010 can handle 512 GRE and 2048 IPSEC tunnels, so i don't think that is the issue.

Hope this helps! For urgent issues always call TAC support.

------------------------------
Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
------------------------------

Original Message:
Sent: Dec 07, 2021 04:33 AM
From: James Davies
Subject: 7010 Tunnel drops with 100 IAPs

Hi, we have our IAPs setup using the virtual controller, but we terminate them to a 7010 controller for tunnelled SSIDs. Recently one of our sites has had extra IAPs installed and when 100 are online, they drop connection from the 7010 and the VC no longer connects, other VCs on the controller aren't affected. If I power down some APs to bring it below 100, they come back online. The IAPs are 535/534. We have been told there is a limit of 128 for the VC, is there a limit of 100 IAPs to a VC on the 7010?
Thanks

------------------------------
James Davies
------------------------------

Hi Marcel

Yes that's correct, we use a GRE tunnel from the VC to the WLC.

We don't have a license installed as we don't use any firewall policies, so when I run that command it says it needs to be run on the conductor.

I did consider that, I increased the pool size, but I have just deleted and recreated the pool at a larger size, in case it didn't update to the larger pool size.

Thanks.

------------------------------
James Davies
------------------------------

Original Message:
Sent: Dec 07, 2021 06:20 PM
From: marcel koedijk
Subject: 7010 Tunnel drops with 100 IAPs

Hi James,

For my understanding you run Aruba Instant APs that use IAP-VPN to a 7010 VPN Concentrator in the DC. A VPN tunnel based on GRE or IPSEC is created from your Aruba Instant VC to the VPN 7010.

For IAP-VPN there is basically no license need on your 7010, but i could be you have custom firewall policies that required an PEFV license. So to be sure check if there are some licenses on your VPN Concentrator installed "show license summary", idem.

Another this that could happened is that local IP pool is to small configured. Check on that.
Aruba)(config)# ip local pool <pool-name> <start-ipaddr> <end-ipaddr>

From controller hardware perspective a 7010 can handle 512 GRE and 2048 IPSEC tunnels, so i don't think that is the issue.

Hope this helps! For urgent issues always call TAC support.

------------------------------
Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Dec 07, 2021 04:33 AM
From: James Davies
Subject: 7010 Tunnel drops with 100 IAPs

Hi, we have our IAPs setup using the virtual controller, but we terminate them to a 7010 controller for tunnelled SSIDs. Recently one of our sites has had extra IAPs installed and when 100 are online, they drop connection from the 7010 and the VC no longer connects, other VCs on the controller aren't affected. If I power down some APs to bring it below 100, they come back online. The IAPs are 535/534. We have been told there is a limit of 128 for the VC, is there a limit of 100 IAPs to a VC on the 7010?
Thanks

------------------------------
James Davies
------------------------------