Controllerless Networks

last person joined: 4 hours ago 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

IAP VPN Fail Over

  • 1.  IAP VPN Fail Over

    Posted Mar 03, 2015 02:42 PM

    Hi Airheads,


    We have about 10 branch offices with IAPs that have a VPN terminating to the master controller in corporate location. We are installing a backup master in Texas location and want to have fail over capabilities of the IPSEC tunnel for users. The existing configuration is working. The two controllers will be in seperate L3 networks so VRRP is not an option.


    I have the configuration in the IAP to add the backup VPN server (backup master), fast failover is enabled and preemption is enabled as well. Under the static routes, we currently have the next hop has the primary master interface at the other end of the VPN tunnel. How will the traffic know to use the backup VPN server when the primary goes down? Is there a way to set the cost for the static routes? Not sure what the best way to get this working is?



  • 2.  RE: IAP VPN Fail Over

    Posted Mar 03, 2015 04:45 PM

    After reviewing some documents, it seems that OSPF is the only way to make sure the proper route responds to the VPN requests. Is there some documentation outlining this configuration change? We will have to enable OSPF for the network (disabled in Texas, enabled currently in Corporate). 

  • 3.  RE: IAP VPN Fail Over

    Posted Apr 29, 2015 09:18 AM

    Hi Michael!


    Have you resolved this challenge? I´m facing a similar one with one of my customers and I was thinking about using OSPF from the controllers making sure that each controller only propagate the distributed L3 scopes currently active on the controller.




  • 4.  RE: IAP VPN Fail Over

    Posted Apr 30, 2015 02:16 PM

    Hi Chris,


    Unfortunately, we were not able to resolve this due to some network infrastructure problems. OSPF did not exist in the second location and enabling it could have caused additional issues. Our resolution was to relocate both controllers to the same physical location and the same L2 network. We then enabled VRRP and pointed the RAPs to the VRRP address. 


    We were able to work with Aruba TAC and were prepared to implement the OSPF solution so that may be your best route. 


    Good luck, if you are able to complete it please let us know on here in case anyone else finds this topic.