Wireless Access

I have a controller and a set of access points located across multiple sites. Initially, there were no issues when the branches were connected to the main site via MPLS. However, after transitioning to site-to-site VPN, many problems arose: access points disconnecting, wireless networks not appearing, and sometimes access points remain offline for up to 8 hours before reconnecting.

How can I perform troubleshooting and identify the problem? Note that the VPN is stable and all other services are stable; only the controller and access points are affected. I have already updated the controller and access points, but the issue persists.

Running Campus APs with a controller over a WAN/VPN is not supported.

One difference between MPLS and a VPN is that most VPNs are configured between stateful firewalls. That means that out-of-state traffic (packets for which the firewall doesn't know an established connection) as well fragmented traffic is dropped. Some firewalls also handle/inspect IPSec traffic (udp/4500), but the traffic between AP and controller must be untouched. Make sure there is no processing/inspection on the traffic between AP and controller. The connection between AP and controller should support large MTU, low latency and high bandwidth. You probably broke one of those parameters; where it's hard to do all correct on VPN/WAN, and which is why it's unsupported.

What may help troubleshooting is to capture traffic on the port to your AP, and on the port to your gateway, then find traffic which is modified/fragmented/dropped. From there find out where that happens and remediate; which still doesn't make the solution supported, but it may work.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 13, 2024 02:55 AM
From: JordanWifi
Subject: controller and a set of access points from mpls to site to site

I have a controller and a set of access points located across multiple sites. Initially, there were no issues when the branches were connected to the main site via MPLS. However, after transitioning to site-to-site VPN, many problems arose: access points disconnecting, wireless networks not appearing, and sometimes access points remain offline for up to 8 hours before reconnecting.

How can I perform troubleshooting and identify the problem? Note that the VPN is stable and all other services are stable; only the controller and access points are affected. I have already updated the controller and access points, but the issue persists.

how can i convert from compose Compuse Ap to  remote ap ?and how i can make APs

work as controller when controller is disconnect?

Running Campus APs with a controller over a WAN/VPN is not supported.

One difference between MPLS and a VPN is that most VPNs are configured between stateful firewalls. That means that out-of-state traffic (packets for which the firewall doesn't know an established connection) as well fragmented traffic is dropped. Some firewalls also handle/inspect IPSec traffic (udp/4500), but the traffic between AP and controller must be untouched. Make sure there is no processing/inspection on the traffic between AP and controller. The connection between AP and controller should support large MTU, low latency and high bandwidth. You probably broke one of those parameters; where it's hard to do all correct on VPN/WAN, and which is why it's unsupported.

What may help troubleshooting is to capture traffic on the port to your AP, and on the port to your gateway, then find traffic which is modified/fragmented/dropped. From there find out where that happens and remediate; which still doesn't make the solution supported, but it may work.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 13, 2024 02:55 AM
From: JordanWifi
Subject: controller and a set of access points from mpls to site to site

I have a controller and a set of access points located across multiple sites. Initially, there were no issues when the branches were connected to the main site via MPLS. However, after transitioning to site-to-site VPN, many problems arose: access points disconnecting, wireless networks not appearing, and sometimes access points remain offline for up to 8 hours before reconnecting.

How can I perform troubleshooting and identify the problem? Note that the VPN is stable and all other services are stable; only the controller and access points are affected. I have already updated the controller and access points, but the issue persists.

That is a lot of questions, and moving to Aruba Instant or AOS10 may be a better solution. But the way you deploy and use your network is critical to understand in order to make the best decision. Your question could be answered, but probably will not result in the best solution without further understanding. This is where normally partners come in the picture as they can check your network and business, and map that to the optimal design.

how can i convert from compose Compuse Ap to  remote ap ?and how i can make APs

work as controller when controller is disconnect?

Running Campus APs with a controller over a WAN/VPN is not supported.

One difference between MPLS and a VPN is that most VPNs are configured between stateful firewalls. That means that out-of-state traffic (packets for which the firewall doesn't know an established connection) as well fragmented traffic is dropped. Some firewalls also handle/inspect IPSec traffic (udp/4500), but the traffic between AP and controller must be untouched. Make sure there is no processing/inspection on the traffic between AP and controller. The connection between AP and controller should support large MTU, low latency and high bandwidth. You probably broke one of those parameters; where it's hard to do all correct on VPN/WAN, and which is why it's unsupported.

What may help troubleshooting is to capture traffic on the port to your AP, and on the port to your gateway, then find traffic which is modified/fragmented/dropped. From there find out where that happens and remediate; which still doesn't make the solution supported, but it may work.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 13, 2024 02:55 AM
From: JordanWifi
Subject: controller and a set of access points from mpls to site to site

I have a controller and a set of access points located across multiple sites. Initially, there were no issues when the branches were connected to the main site via MPLS. However, after transitioning to site-to-site VPN, many problems arose: access points disconnecting, wireless networks not appearing, and sometimes access points remain offline for up to 8 hours before reconnecting.

How can I perform troubleshooting and identify the problem? Note that the VPN is stable and all other services are stable; only the controller and access points are affected. I have already updated the controller and access points, but the issue persists.

As Herman wrote, the problem is the fragmentation. We had the same problem with a customer, the solution was to reduce the MTU size.

Go to the corresponding AP system profile and set the SAP MTU to 1300.

That is a lot of questions, and moving to Aruba Instant or AOS10 may be a better solution. But the way you deploy and use your network is critical to understand in order to make the best decision. Your question could be answered, but probably will not result in the best solution without further understanding. This is where normally partners come in the picture as they can check your network and business, and map that to the optimal design.

how can i convert from compose Compuse Ap to  remote ap ?and how i can make APs

work as controller when controller is disconnect?

Running Campus APs with a controller over a WAN/VPN is not supported.

One difference between MPLS and a VPN is that most VPNs are configured between stateful firewalls. That means that out-of-state traffic (packets for which the firewall doesn't know an established connection) as well fragmented traffic is dropped. Some firewalls also handle/inspect IPSec traffic (udp/4500), but the traffic between AP and controller must be untouched. Make sure there is no processing/inspection on the traffic between AP and controller. The connection between AP and controller should support large MTU, low latency and high bandwidth. You probably broke one of those parameters; where it's hard to do all correct on VPN/WAN, and which is why it's unsupported.

What may help troubleshooting is to capture traffic on the port to your AP, and on the port to your gateway, then find traffic which is modified/fragmented/dropped. From there find out where that happens and remediate; which still doesn't make the solution supported, but it may work.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 13, 2024 02:55 AM
From: JordanWifi
Subject: controller and a set of access points from mpls to site to site

I have a controller and a set of access points located across multiple sites. Initially, there were no issues when the branches were connected to the main site via MPLS. However, after transitioning to site-to-site VPN, many problems arose: access points disconnecting, wireless networks not appearing, and sometimes access points remain offline for up to 8 hours before reconnecting.

How can I perform troubleshooting and identify the problem? Note that the VPN is stable and all other services are stable; only the controller and access points are affected. I have already updated the controller and access points, but the issue persists.

I couldn't find it. Could you show me how to access it and also how to set up a remote AP

Original Message:
Sent: Jul 16, 2024 03:54 AM
From: lord
Subject: controller and a set of access points from mpls to site to site

As Herman wrote, the problem is the fragmentation. We had the same problem with a customer, the solution was to reduce the MTU size.

Go to the corresponding AP system profile and set the SAP MTU to 1300.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Jul 15, 2024 12:08 PM
From: Herman Robers
Subject: controller and a set of access points from mpls to site to site

That is a lot of questions, and moving to Aruba Instant or AOS10 may be a better solution. But the way you deploy and use your network is critical to understand in order to make the best decision. Your question could be answered, but probably will not result in the best solution without further understanding. This is where normally partners come in the picture as they can check your network and business, and map that to the optimal design.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 15, 2024 09:10 AM
From: JordanWifi
Subject: controller and a set of access points from mpls to site to site

how can i convert from compose Compuse Ap to  remote ap ?and how i can make APs

work as controller when controller is disconnect?

Original Message:
Sent: Jul 15, 2024 08:04 AM
From: Herman Robers
Subject: controller and a set of access points from mpls to site to site

Running Campus APs with a controller over a WAN/VPN is not supported.

One difference between MPLS and a VPN is that most VPNs are configured between stateful firewalls. That means that out-of-state traffic (packets for which the firewall doesn't know an established connection) as well fragmented traffic is dropped. Some firewalls also handle/inspect IPSec traffic (udp/4500), but the traffic between AP and controller must be untouched. Make sure there is no processing/inspection on the traffic between AP and controller. The connection between AP and controller should support large MTU, low latency and high bandwidth. You probably broke one of those parameters; where it's hard to do all correct on VPN/WAN, and which is why it's unsupported.

What may help troubleshooting is to capture traffic on the port to your AP, and on the port to your gateway, then find traffic which is modified/fragmented/dropped. From there find out where that happens and remediate; which still doesn't make the solution supported, but it may work.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 13, 2024 02:55 AM
From: JordanWifi
Subject: controller and a set of access points from mpls to site to site

I have a controller and a set of access points located across multiple sites. Initially, there were no issues when the branches were connected to the main site via MPLS. However, after transitioning to site-to-site VPN, many problems arose: access points disconnecting, wireless networks not appearing, and sometimes access points remain offline for up to 8 hours before reconnecting.

How can I perform troubleshooting and identify the problem? Note that the VPN is stable and all other services are stable; only the controller and access points are affected. I have already updated the controller and access points, but the issue persists.