Wireless Access

 View Only
last person joined: 21 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

MD only reachable over MM's IPSec channel??

This thread has been viewed 26 times

  • 1.  MD only reachable over MM's IPSec channel??

    Posted Apr 23, 2021 01:50 AM

    I have a fresh cluster of 2x 7205 managed by MM.
    ArubaOS (MODEL: Aruba7205), Version 8.5.0.12

    Actually I don't have a cluster yet, I was trying to troubleshoot the cluster formation so I rebooted both devices.
    After reboot, they show as 'up' in MM but are not reachable or manageable from anywhere else besides MM

    MM can ping both devices (I assume over the IPSec management tunnel)
    MM can be used as a jumpbox to SSH to both devices (I assume over the IPSec management tunnel)
    The devices are in same subnet, even on the same L2 switch but can't reach each other or anyone else - prior to reboot they could be reached from anywhere
    I have another cluster of 2x 7210 in the same subnet with (as far as I can tell) the same configuration, which is working fine
    I have removed lc-cluster and VRRP config and rebooted again - no change in reachablity
    I have rebooted several times
    Switch config is fine as it is unchanged from before the issue. If I try to ping the 7205s from the switch it will learn the ARP but get no ping response

    The worst part is that I know I've seen this problem before, many years ago, but I don't remember the fix!


    Edit1: It seems similar to this issue (see link), but that was traced to a VMM issue, mine relates to hardware controllers

    Airheads Community

    Edit2: More strangeness, the 7205 can initiate traffic to the outside world, works for same subnet or beyond default gateway





  • 2.  RE: MD only reachable over MM's IPSec channel??

    EMPLOYEE
    Posted Apr 24, 2021 10:35 PM
    You should mdc into the MD and type "show datapath session table <ip address of device trying to reach it" to see if anything is being inadvertently blocked.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------

    Original Message


  • 3.  RE: MD only reachable over MM's IPSec channel??

    Posted Apr 26, 2021 06:41 PM
    Looking into the datapath has led me to the workaround, but still don't understand the cause

    Findings
    1. datapath session table showed Deny flag all over the place   
    2. acl hits showed as below (everything is being blocked by "sdn-acl") (I assume it is blocked/dropped, I did not see a listing of what ofaction 14, 11 or 1 means)   
    3. sdn-acl is not used anywhere and also has zero rules configured in it   
    4. The only acl applied was per-session global-sacl on Port Channel (global-sacl also has zero rules)       
    5. unable to change config on port channel to 'not defined' (error message: "deletion will not occur as the item is inherited", but unable to change it even at the top level)   
    6a. changed per-session acl on port channel to allowall   
    6b. all came to life, got VRRP, got lc-cluster, got remote reachability   




    ACL Hits during issue:

    #show acl hits

User Role ACL Hits
------------------
Role  Policy  Src  Dst  Service/Application  Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
----  ------  ---  ---  -------------------  ------  -----------  --------  ----------  -----  ---------

Port Based Session/Route ACL
----------------------------
Policy   Src  Dst  Service/Application  Action       Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
------   ---  ---  -------------------  ------       -----------  --------  ----------  -----  ---------
sdn-acl  any  any  any                  ofaction 14               144597    144597      8353   ipv4
sdn-acl  any  any  17 0-65535           ofaction 11               2         2           8373   ipv4
sdn-acl  any  any  any                  ofaction 1                2184305   2184305     8375   ipv4

Port ACL Hits
-------------
ACL  ACE  New Hits  Total Hits  Index  Ipv4/Ipv6
---  ---  --------  ----------  -----  ---------​


    ACL hits after workaround applied:

    Port Based Session/Route ACL
----------------------------
Policy    Src  Dst  Service/Application  Action       Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
------    ---  ---  -------------------  ------       -----------  --------  ----------  -----  ---------
sdn-acl   any  any  any                  ofaction 14               274       144883      8353   ipv4
sdn-acl   any  any  17 0-65535           ofaction 11               0         2           8373   ipv4
sdn-acl   any  any  any                  ofaction 1                5176      2189731     8375   ipv4
allowall  any  any  any                  permit                    256       256         7895   ipv4​



  • 4.  RE: MD only reachable over MM's IPSec channel??

    EMPLOYEE
    Posted Apr 26, 2021 08:04 PM
    Make sure the port channel is trusted.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------

    Original Message


  • 5.  RE: MD only reachable over MM's IPSec channel??

    Posted Apr 26, 2021 08:26 PM
    OK good idea but no luck:
    The port channel is trusted
    Also, the port members are both trusted and all the VLANs on the port channel's trunk are trusted
    Original Message