Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Master-Local IPSec connection not happening

  • 1.  Master-Local IPSec connection not happening

    Posted Jun 01, 2012 12:51 PM

    Before I talk to India I thought I'd throw this out here.

    I have a site with Master/Master backup and 5 local controllers running 3.4.4FIPS.

    Recently had to replace a local sup card; the new one was configured with basic IP settings to enable me to access it. I have full HTTPS/SSL connectivity, was able to upgrade to current code and transfer licenses, but cannot get the Master to connect to the local. I have deleted the Local Controller IPSec config and re-added it on the Master to no avail. I can ping the local from any other local (or other devices), but not from either of the masters. The other locals are in other buildings and subnets; this is a layer 2 network. From the new local I can ping whatever I want: masters, locals, gateways.....

    Any thoughts?



  • 2.  RE: Master-Local IPSec connection not happening

    Posted Jun 01, 2012 01:42 PM

    Ping from the masters is probably not working because IPSEC is trying to get established. If you were to remove the master-local configuration from both controllers, the ping should recover.

     

    You can enable "logging level debugging security" on the master and local controller, and check "show log security 50" to understand why the IPSEC is not getting established.

     

    A few more commands to check to determine whether phase1 or phase2 is failing are:

    show crypto isakmp sa

    show crypto ipsec sa

     

     



  • 3.  RE: Master-Local IPSec connection not happening

    Posted Jun 01, 2012 04:23 PM

    I ran into something very similar, and what I found was that my pre-shared key was wrong on the local. You've probably already checked that, but if you want to take a closer look, do an "encrypt disable" on the local and check that key.



  • 4.  RE: Master-Local IPSec connection not happening

    Posted Jan 14, 2019 11:37 AM

    Hi all,

    Just on the same issue: I'm new to Aruba's world. We have a master controller (192.168.1.148) that's running fine, and I need to set up a local controller (192.168.1.149) and configure redundancy. The problem is that I don't know the IPsec pre-shared key that is configured on the master controller. I tried to use encrypt disable, but I didn't know where to look in the running config.

    I have the below config on the master:

    Crypto Map "default-psk-redundant-master-ipsecmap" 9999 ipsec-isakmp

    Crypto Map Template"default-psk-redundant-master-ipsecmap" 9999

                     IKE Version: 1

                     IKEv1 Policy: All

                     Security association lifetime seconds : [300 -86400]

                     Security association lifetime kilobytes: N/A

                     PFS (Y/N): N

                     Transform sets={ default-ml-transform }

                     Peer gateway: 192.168.1.149

                     Interface: VLAN 0

                     Source network: 192.168.1.148/255.255.255.255

                     Destination network: 192.168.1.149/255.255.255.255

                     Pre-Connect (Y/N): Y

                     Tunnel Trusted (Y/N): Y

                     Forced NAT-T (Y/N): N

                     Uplink Failover (Y/N): N

                     Force-Tunnel-Mode (Y/N): N

                     IP Compression (Y/N): N

     

    How can I get the pre-shared key from the master? If I need to use "encrypt enable", which part of the config do I need to look at? Thank you in advance.



  • 5.  RE: Master-Local IPSec connection not happening

    Posted Jun 08, 2012 01:56 PM

    It will be a good idea to check whether the IPsec link to the master is established using the interface IP or loopback IP of the local.

    On the Master check "show running-config | include localip" and on the local check the switch IP.

    I have seen issues when both of them are not the same.



  • 6.  RE: Master-Local IPSec connection not happening

    Posted Jan 24, 2013 01:15 PM

    I just worked through a similar issue and it turned out I had the wrong switch role on my local controller. On top of that I had a typo with the loopback IP address on my local, so it didn't match the "localip x.x.x.x ipsec xxx" config from the master. I found the advice on this thread to be very helpful in troubleshooting my issues.
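
The mismatches reported in this thread (wrong pre-shared key, local switch IP not matching the master's `localip` entry, controller left in the master role) can be checked offline from saved configs. This is an added example, not part of any post and not Aruba tooling; the `masterip <ip> ipsec <key>` line format, inferring the role from those lines, the `0.0.0.0` catch-all entry, and all sample values are assumptions.

```python
import ipaddress
import re

# Constructed excerpts, as seen after "encrypt disable"; keys and IPs are made up.
MASTER_CFG = "localip 192.168.1.149 ipsec ExampleKey-1\nlocalip 192.168.1.150 ipsec ExampleKey-2\n"
LOCAL_CFG = "masterip 192.168.1.148 ipsec ExampleKey-1\n"

# Assumed line format: "<localip|masterip> <ip> ipsec <key>"
LINE = re.compile(r"^\s*(localip|masterip)\s+(\S+)\s+ipsec\s+(\S+)\s*$")

def parse(cfg, keyword):
    """Return {ip: key} for every '<keyword> <ip> ipsec <key>' line in cfg."""
    entries = {}
    for line in cfg.splitlines():
        m = LINE.match(line)
        if not m or m.group(1) != keyword:
            continue
        try:
            entries[str(ipaddress.ip_address(m.group(2)))] = m.group(3)
        except ValueError:
            continue  # placeholder or malformed address, e.g. "x.x.x.x"
    return entries

def check_pair(master_cfg, local_cfg, master_ip, local_switch_ip):
    """Return a list of findings; an empty list means the pairing is consistent.
    Findings never include the key material itself."""
    master_ip = str(ipaddress.ip_address(master_ip))
    local_switch_ip = str(ipaddress.ip_address(local_switch_ip))
    findings = []
    localips = parse(master_cfg, "localip")
    masterips = parse(local_cfg, "masterip")
    # Assumption: a local carries a masterip line and no localip lines.
    if not masterips or parse(local_cfg, "localip"):
        findings.append("role: controller does not look like a local")
    if masterips and master_ip not in masterips:
        findings.append("masterip on the local does not point at the master")
    # Exact entry first, then the 0.0.0.0 catch-all entry.
    key = localips.get(local_switch_ip, localips.get("0.0.0.0"))
    if key is None:
        findings.append("no localip entry on the master for the local's switch IP")
    elif master_ip in masterips and masterips[master_ip] != key:
        findings.append("pre-shared key differs between master and local")
    return findings

if __name__ == "__main__":
    print(check_pair(MASTER_CFG, LOCAL_CFG, "192.168.1.148", "192.168.1.149") or "consistent")
```
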



  • 7.  RE: Master-Local IPSec connection not happening
    Best Answer

    Posted Jun 18, 2012 11:08 AM

    Problem solved

     

    What happened was the sup card was sent out to the site (we don't have the capability of preconfiguring an RMAed card, go figure) and the local contact mistakenly set this sup card as a master. Once we realized this and set it to local, everything else fell into place.

     

    Tried deleting all IPSec settings and still couldn't ping the "local" from the master till after we changed the role to local.

     

    Thanks for the suggestions.



  • 8.  RE: Master-Local IPSec connection not happening

    Posted Apr 07, 2015 12:16 PM

    I resolved the issue with the information in this thread. Thanks everyone. Below are my findings to share:

    For my case: there is a firewall in between the local and Master devices. Nothing is blocked; debugging on the controllers shows IPSec phase1 messages were going back and forth but no ISAKMP SA established.

    Using "Encrypt disable" confirmed the key matches.

    By clearing the session on the firewall in between, the local and master automatically completed the IPSec negotiation successfully.

    In conclusion: for my case the issue appears to have the same symptoms, but the root cause has nothing to do with the Local or Master configurations, but with traffic in between. Thus, it's worthwhile to check all devices in between if possible.

     



  • 9.  RE: Master-Local IPSec connection not happening

    Posted Aug 02, 2016 04:41 PM

    I had a similar issue; it turned out the port on my controller was not marked as 'trusted'.