We have a problem that needs to be solved.
We have deployed Tunneled-Node (per port, not user-based) on our network and in most cases everything works fine.
Our setup is 2920 and 2930 Aruba switches authenticating through a ClearPass cluster; they get a role that is assigned through a Mobility Master to the Mobility devices that are the tunnel hosts.
Computers authenticate with a computer certificate and this works perfectly.
The problem is with devices that we don't have control of, like building automation and older devices. For these, we have made a static host list (SHL) where we simply permit the devices in a list and assign a VLAN based on that list.
This works: we can see the devices come up and create a tunnel, the devices are pingable and so on, but randomly these types of devices stop answering ping and appear to be offline.
They were previously assigned to VLAN 574, but with PPTN enabled, VLAN 10 has been assigned to all ports across the network.
If we turn off tunneled-node on the access ports and assign VLAN 574 untagged to these ports again, they come online. We can then turn on tunneled-node again and they authenticate to ClearPass and come online again. Why?
Our configuration on the switches:
tunneled-node-server
   controller-ip 10.208.10.8
   backup-controller-ip 10.208.10.9
   exit
interface 1/10
   name "PPTN"
   tunneled-node-server
   exit
vlan 10
   name "PPTN-DUMMY"
   untagged 1/10
   no ip address
   jumbo
   exit
This is a live and working tunnel:
10.10.74.50 00:05:7c:00:5e:24 00057c005e24 ROLE-BMS-574 63:03:51 MAC tunnel 2877 Tunneled 10.208.10.146:15/b8:83:03:e4:4c:80 PPTN-Profile tunnel
When a device stops answering, it does not respond to ping, is not accessible through the management software, no ARP, nothing!
It appears that only some devices have this behaviour while other devices on the exact same switch are working fine.
Have we implemented this in the correct way or are we missing something?
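A small diagnostic that goes with a question like this, added here as an example and not part of the original post or of any Aruba tool: it parses controller user-table lines in the layout of the "live and working tunnel" line above and checks them against the static host list, reporting SHL devices that are absent from the table, that landed in a role other than the expected one, that are not in tunnel forward mode, or whose age is so small that they must have re-authenticated recently (the symptom described: a device that drops and comes back only after re-auth). The column meanings (IP, MAC, name, role, age in d:h:m, auth method, AP name, roaming state, switch-IP:port/switch-MAC, profile, forward mode) are assumed from that single line; the header line, the extra table rows, the SHL entries and the 5-minute threshold are constructed for the example.

```python
"""Audit tunneled-node clients against a static host list (SHL).

Added example: column layout is an assumption inferred from one controller
user-table line; sample rows and the SHL below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed layout: IP MAC Name Role Age(d:h:m) Auth "tunnel <id>" Roaming
#                 switch-ip:port/switch-mac Profile ForwardMode
SHOW_USER_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<name>\S+)\s+"
    r"(?P<role>\S+)\s+"
    r"(?P<age>\d+:\d+:\d+)\s+"
    r"(?P<auth>\S+)\s+"
    r"(?P<ap>tunnel\s+\d+)\s+"
    r"(?P<roaming>\S+)\s+"
    r"(?P<switch>\S+)\s+"
    r"(?P<profile>\S+)\s+"
    r"(?P<fwd>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class TunneledUser:
    ip: str
    mac: str
    role: str
    age: str          # d:h:m as printed by the controller (assumed)
    auth: str
    switch: str       # "switch-ip:port/switch-mac", e.g. 10.208.10.146:15/b8:83:...
    profile: str
    forward_mode: str


def parse_show_user(text: str) -> list[TunneledUser]:
    """Return one TunneledUser per line that matches the assumed layout.
    Header lines, separators and rows in any other layout are skipped."""
    users: list[TunneledUser] = []
    for line in text.splitlines():
        m = SHOW_USER_RE.match(line.strip())
        if not m:
            continue
        users.append(TunneledUser(
            ip=m["ip"], mac=m["mac"].lower(), role=m["role"], age=m["age"],
            auth=m["auth"].upper(), switch=m["switch"], profile=m["profile"],
            forward_mode=m["fwd"].lower(),
        ))
    return users


def age_minutes(age: str) -> int:
    """Convert a d:h:m age string to minutes."""
    days, hours, minutes = (int(x) for x in age.split(":"))
    return days * 24 * 60 + hours * 60 + minutes


def audit_shl(shl: dict[str, str], users: list[TunneledUser],
              max_fresh_minutes: int = 5) -> dict[str, list[str]]:
    """shl maps MAC -> expected role. Returns MACs grouped by finding."""
    by_mac = {u.mac: u for u in users}
    report: dict[str, list[str]] = {
        "missing": [], "wrong_role": [], "not_tunneled": [], "recently_reauthed": [],
    }
    for mac, expected_role in shl.items():
        u = by_mac.get(mac.lower())
        if u is None:                      # in the SHL but no user entry at all
            report["missing"].append(mac)
            continue
        if u.role != expected_role:        # ClearPass returned a different role
            report["wrong_role"].append(mac)
        if u.forward_mode != "tunnel":     # traffic is not being tunneled
            report["not_tunneled"].append(mac)
        if age_minutes(u.age) < max_fresh_minutes:   # just re-authenticated
            report["recently_reauthed"].append(mac)
    return report


# Constructed sample: first data row is the line from the post, the rest are made up.
SAMPLE_SHOW_USER = """\
IP MAC Name Role Age(d:h:m) Auth AP-name Roaming Switch Profile Forward-mode
10.10.74.50 00:05:7c:00:5e:24 00057c005e24 ROLE-BMS-574 63:03:51 MAC tunnel 2877 Tunneled 10.208.10.146:15/b8:83:03:e4:4c:80 PPTN-Profile tunnel
10.10.74.51 00:05:7c:00:5e:25 00057c005e25 ROLE-BMS-574 00:00:02 MAC tunnel 2878 Tunneled 10.208.10.146:16/b8:83:03:e4:4c:80 PPTN-Profile tunnel
10.10.74.52 00:05:7c:00:5e:26 00057c005e26 guest 00:04:10 MAC tunnel 2879 Tunneled 10.208.10.146:17/b8:83:03:e4:4c:80 PPTN-Profile tunnel
"""

# Constructed SHL: MAC -> role the device should receive.
SHL = {
    "00:05:7c:00:5e:24": "ROLE-BMS-574",
    "00:05:7c:00:5e:25": "ROLE-BMS-574",
    "00:05:7c:00:5e:26": "ROLE-BMS-574",
    "00:05:7c:00:5e:27": "ROLE-BMS-574",   # in the SHL but absent from the table
}

if __name__ == "__main__":
    for finding, macs in audit_shl(SHL, parse_show_user(SAMPLE_SHOW_USER)).items():
        print(f"{finding}: {macs}")
```

Run it periodically against the real table (pasted or pulled over SSH) and keep the "missing" and "recently_reauthed" lists over time; a SHL device that alternates between those two lists is one that is silently losing its tunnel and re-authenticating, which is the behaviour to correlate with the switch and ClearPass logs.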