So I migrated our config from an old 620 controller to a standalone VMC, I can get a new AP-207 to join as a CAP but had a couple of very weird issues...
1) Cannot terminate RAPs - I can see the UDP-4500 connections in 'show datapath session', they are whitelisted and I have a RAP pool configured. I did notice this error in the logs that reoccurs:
stm: <399803> <5469> <ERRS> |stm| An internal system error has occurred at file sapm_fw.c function handle_nate_pool__message line 399 error NAT pools, receive error .
2) Traffic forwarding simply does not work with interfaces G0/0/1 and G0/0/2. Port is enabled, connected in vSphere to a working port group etc. These errors present in logs:
ofa: <310202> <5762> <ERRS> |ofa| ofa_netdev_set_trunk_vlan: interface (G0/0/0) not found
ofa: <310202> <5762> <ERRS> |ofa| ofa_netdev_set_trunk_vlan: interface (G0/0/1) not found
ofa: <310202> <5762> <ERRS> |ofa| ofa_netdev_set_trunk_vlan: interface (G0/0/2) not found
Did you do 'set-trust-anchor self-signed'? As VMC doesn't have TPM, you need to manually trust the self-signed certificate.
Yes, with VMC you need to add that. For hw controllers, you don't since they have TPM.
I am having this issue with the IAP-VPN connection not establishing the IPSEC tunnel and was hoping you could provide more information on the set-trust-anchor self-signed command. The only reference I can find in documentation is in the 8.1 CLI reference guide and it does not give any more information than a description.
What will the command affect? Will it interrupt service for existing campus APs that are already attached to a VMC or is it only for IAP-VPN/RAP connections via IPSEC?
I don't think VMC supports IAP-VPN. The user guide should call this out.
First page of Instant AP VPN Support
IAP VPN is supported only on hardware mobility controllers (7000 Series and 7200 Series) including controllers that
are stand-alone or managed by Mobility Master. However, IAP VPN termination is not currently supported on virtual
mobility controllers. Masters (Mobility Master and Master Controller Mode) do not support any AP termination
including campus APs, remote APs and IAP VPN tunnels.
I appreciate the response; so I am getting this right that it will support RAP units but not IAP-VPN?
And the other portion of the first question was what implications should be drawn when executing the set-trust-anchor self-signed command?
Thank you for your help!