Wireless Access

  • 1.  AP not forming GRE tunnel over WAN to controller

    Posted Oct 11, 2024 08:40 AM

    Dear Experts,

    Running 8.12.0.2, Controller 7280 (HO) and AP 615 (Branch). The link between branch and HO is L3 VPN. Connectivity is through Cisco routers, MTU is checked (using DF bit) and it's 1472. APs are registering as CAP to controllers, broadcasting SSIDs, however the client cannot connect to any SSID (tried PSK and open also). Client tries to connect and almost immediately disconnects. When Wireshark was used on the switch with ERSPAN, we could see that the AP is not forming any GRE tunnel with the controller although SSIDs are being broadcast.

    Does anyone have any idea what could be the issue?

    All this setup is provided as managed services by the ISP, they are managing the WAN link also and they have thoroughly tested it, no MTU issues. TAC was also opened and they were also not able to find any issue, so far escalations are being made but no response from TAC either.

    There is no firewall in between AP and Controllers. This is the connection from AP to controller:

    AP------switch-------router----------WAN(MPLS)---------------router------------switch------------Controller



  • 2.  RE: AP not forming GRE tunnel over WAN to controller

    Posted Oct 11, 2024 09:54 AM

    That is not a supported architecture.

    APs configured for campus usage (i.e., controller based) MUST be LAN connected.  The only supported architecture in AOS 8 for a WAN connected AP is RAP.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: AP not forming GRE tunnel over WAN to controller
    Best Answer

    Posted Oct 12, 2024 09:32 AM

    I have not yet seen an Aruba Guide that states that CAPs over IPSec tunnel link are not supported. 
    Maybe @Carson can share a link?

    Also from a technical point of view the following happens:

    You write that your router uses MTU 1472. The AP uses MTU size 1500, so the packets must be fragmented and data loss occurs.

    The AP looks into the AP system profile and searches for the MTU size. By default, the values look like this:

    A CAP uses the SAP MTU value, which is empty by default. The CAP tests which MTU size it can use (some switches log the behavior, then you can see jumbo frames in the log) and uses the switch MTU, usually 1500 bytes.  A RAP uses the RAP MTU value and sends immediately with MTU 1300 bytes, the traffic is not fragmented. This is the reason why a RAP works by default without configuration settings over an IPSec link.

    Reduce the CAP MTU size to 1300, then the packets do not have to be fragmented and the CAP will also work.

    I have already written the instructions for this in this article.

    The WAN line must fulfill requirements for latency and bandwidth, details can be found here.

    If the WAN line has enough bandwidth, the WLAN can be operated in tunneled mode, which is what we do for several customers. Otherwise use bridge mode, then only CAP management traffic is transported via the WAN line.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
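    The MTU arithmetic behind the answer above (and the 1200-byte guess further down the thread) is easy to get wrong by hand, so here is an added worked example. This is my own calculator, not code from Waldemar, Aruba or the thread; it uses the thread's numbers (1472, 1500, 1300, 1200) as inputs. It assumes the AP MTU is the size of the largest GRE-encapsulated packet the AP puts on the wire, that the WAN routers then wrap that packet in IPsec ESP tunnel mode, and textbook header sizes (AES-CBC IV/block and a 16-byte ICV are assumed defaults, not a measured vendor profile). It also shows what a DF-bit ping probe actually measures.

```python
# Added example (not from the thread): MTU budget for a controller-bound AP
# whose GRE tunnel rides an IPsec WAN link. Overhead constants are textbook
# values assumed for this example; the 1472/1500/1300/1200 inputs are the
# figures quoted in the thread.

IPV4_HEADER = 20
ICMP_HEADER = 8
GRE_HEADER = 4          # basic GRE (RFC 2784) without key/sequence fields
ESP_SPI_SEQ = 8         # ESP SPI + sequence number
ESP_TRAILER = 2         # pad length + next header


def path_mtu_from_ping_payload(payload: int) -> int:
    """Path MTU implied by the largest ICMP echo payload that passes with DF set.

    A successful `ping -M do -s 1472` means 1472 + 8 (ICMP) + 20 (IPv4) = 1500.
    """
    return payload + ICMP_HEADER + IPV4_HEADER


def gre_encapsulated_size(inner_frame: int) -> int:
    """Size of an IPv4/GRE packet carrying `inner_frame` bytes (e.g. a client frame)."""
    return inner_frame + IPV4_HEADER + GRE_HEADER


def esp_tunnel_overhead(plaintext_len: int, iv_len: int = 16,
                        block: int = 16, icv_len: int = 16) -> int:
    """Bytes ESP tunnel mode adds around a `plaintext_len`-byte inner packet.

    Defaults assume AES-CBC (16-byte IV and block) with a 16-byte ICV; these
    are assumptions for the example, not a measured vendor profile.
    """
    pad = (-(plaintext_len + ESP_TRAILER)) % block    # align to cipher block
    return IPV4_HEADER + ESP_SPI_SEQ + iv_len + pad + ESP_TRAILER + icv_len


def on_wire_size(ap_packet: int, ipsec: bool = True) -> int:
    """Size of an `ap_packet`-byte AP-emitted packet after the WAN router encapsulates it."""
    return ap_packet + (esp_tunnel_overhead(ap_packet) if ipsec else 0)


def fits(ap_mtu: int, path_mtu: int, ipsec: bool = True) -> bool:
    """True if a packet of the AP's MTU crosses the WAN without fragmentation."""
    return on_wire_size(ap_mtu, ipsec) <= path_mtu


def max_ap_mtu(path_mtu: int, ipsec: bool = True) -> int:
    """Largest AP MTU that still fits; ESP padding makes size step in blocks, so scan."""
    return max((m for m in range(64, path_mtu + 1) if fits(m, path_mtu, ipsec)), default=0)


if __name__ == "__main__":
    path = 1472   # the figure quoted in the thread
    for ap_mtu in (1500, 1300, 1200):
        print(f"AP MTU {ap_mtu}: on-wire {on_wire_size(ap_mtu)} bytes -> "
              f"{'fits' if fits(ap_mtu, path) else 'FRAGMENTS'} on a {path}-byte path")
    print("largest AP MTU for that path:", max_ap_mtu(path))
    print("ping -M do -s 1472 passing implies path MTU", path_mtu_from_ping_payload(1472))
```

    With a 1472-byte path, a 1500-byte AP packet becomes 1564 bytes on the wire and must fragment, while 1300 bytes becomes 1372 and passes; the largest AP MTU that fits under these assumptions is 1406, which is why a rounded-down value such as 1300 is a safe setting and 1200 merely leaves more headroom. Replace the ESP defaults with whatever cipher and integrity algorithm the WAN tunnel actually negotiates before relying on the headroom figure.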



  • 4.  RE: AP not forming GRE tunnel over WAN to controller

    Posted Oct 12, 2024 02:49 PM

    That's because there's nowhere in the design guides where we ever show a CAP operating across a WAN.  All of the design guides show a controller (or gateway) local to the AP.  This goes back to AOS 6 at least.  While CAP over WAN will work in some cases, that does not mean that the setup is supported for general usage.  There is a certain amount of leeway given for non-VPN setups, but VPN tunnels using the Internet for transport are specifically not supported.

    As for that link to the user guide...thanks for pointing that out, can't say that I've ever seen that and I know that the information is out of date.  We'll investigate what needs to be done there.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: AP not forming GRE tunnel over WAN to controller

    Posted 28 days ago

    FWIW, we have a couple of small remote sites (an athletic field and a sound stage) where we have small Palo Alto firewalls with point-to-point tunnels back to our main datacenter, and we run Aruba APs over these links. For these AP groups I have an AP-System-Profile with MTU 1200, to deal with the tunnel overhead, but that limit was more-or-less made up, rather than being measured.

    Possibly a RAP setup would be a better way to do this, but we have run these both on our original AOS6 and now on 8.10.0.13, and since they seem to work, I have not dug into changing them.



    ------------------------------
    Steve Bohrer
    IT Infrastructure, Emerson College
    ------------------------------



  • 6.  RE: AP not forming GRE tunnel over WAN to controller

    Posted 30 days ago

    Hmm, not sure exactly what you mean by "LAN connected" here:

    "APs configured for campus usage (i.e., controller based) MUST be LAN connected."

    Our campus is two clusters of two 7220s each running 8.10.0.13. Some of our APs are L2 connected, on the same VLANs as their controllers; but many AP subnets are on different aggregation switches than the controllers, and are L3 routed to them. Seems something similar should be doable via MPLS?


    (but again, I may be misunderstanding what you meant by LAN connected; you may mean something different than L2 vs L3)



    ------------------------------
    Steve Bohrer
    IT Infrastructure, Emerson College
    ------------------------------



  • 7.  RE: AP not forming GRE tunnel over WAN to controller

    Posted 30 days ago
    Edited by chulcher 30 days ago

    The connectivity between the AP and the controller needs to be all LAN, no WAN.

    Or, said a different way, the connectivity between the AP and controller needs to have performance characteristics like what is available with standard LAN connectivity, i.e., 100+ Mbps throughput, latency that is < 50 ms, MTU of 1500 or higher.

    Any deviations from those guidelines will result in a wireless network that is performing anywhere from sub-optimally to not at all.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------