Controllerless Networks


IAP 205 can't reach devices on same VLAN sometimes

  • 1.  IAP 205 can't reach devices on same VLAN sometimes

    Posted Jul 24, 2016 08:01 AM

    Hello,


    I have a problem: sometimes I'm unable to reach the IAPs, or an IAP loses connection with other devices on the management subnet.

     

    Situation: we have several subnets & VLANs. The most important is VLAN 2 (subnet 10.0.2.0/24); this is the management subnet and also the space where all IAPs are located, plus several services such as FreeRADIUS, LDAP and other servers.


    IPs:
    10.0.2.1 - gateway (router)
    10.0.2.10 - Radius 1 (master)
    10.0.2.11 - Radius 2 (slave / backup)
    10.0.2.[101-126] - IAPs

     

    When I turn on the IAPs everything works just fine, but after 30 - 60 minutes the IAPs lose connection to all other devices on the management subnet & they are able to reach only the gateway.

     

    This is a very big problem, because not only am I unable to display the webGUI, ssh or even ping the IAPs (from a PC in the same subnet), but also authentication against the Radius servers stops working, so users are not able to connect to the SSID HK-Member (on which Radius authentication is set).

     

    I'm a newbie to Aruba, so maybe I've configured the IAPs incorrectly, but it's really strange. The Radius servers can communicate between themselves without a problem, even with the LDAP server, which is also on the same subnet, but all devices are unable to reach the IAPs (except the gateway).

     

    Within some intervals the IAPs are again reachable, but most of the time it just doesn't work.
    I've already tried everything and only a reboot of the IAPs works, but after 30-60 minutes the problem occurs again.

     

    For now I've configured dst-nat to the Radius 1/2 ports on the router & set the public Radius IP on the IAPs, so at least users are able to connect to the HK-Member SSID (because the gateway is always reachable), but this is not a solution for the main problem.

     

    Another solution would be to create another VLAN & subnet just for the IAPs, so if they want to contact a Radius server on a different subnet they will have to go over the gateway (which seems to be always reachable), so it should work, but it will mean that I'll have to register another VLAN on each switch we have, etc.

     

    I've added my current configuration to attachments, so you can check it.

     

    Thanks for help.

    Attachment(s): instant.txt (4 KB)


  • 2.  RE: IAP 205 can't reach devices on same VLAN sometimes

    Posted Jul 24, 2016 02:17 PM

    How many devices are on that subnet?  Is it possible to move the IAPs to a subnet with little broadcast traffic?



  • 3.  RE: IAP 205 can't reach devices on same VLAN sometimes

    Posted Jul 24, 2016 03:22 PM

    Right now I'm working on a brand new network, which is for now completely isolated from the running one except for internet access, so the traffic is for now minimal, with only up to 2 users (admins) connected at a time.

     

    In the new network there is a management subnet (VLAN) with exactly 25 IAPs (Aruba IAP 205), 8x floor switch, 2x DHCP, 2x DNS, 2x MX, 2x (Radius + LDAP) servers and 2x web server (one for intranet, one for internet).

     

    We have 2 PCs with KVM installed on them; one acts as a master and the second one as a slave, so if one PC goes down there is always a backup of each important service & the network stays functional, plus all traffic is balanced between them.

     

    Access to the management VLAN is forbidden from the outside "world", and you can access only an exact server on exact ports (e.g. DNS on port 53, etc.) using dst-nat / src-nat.

     

    As I've mentioned earlier, I can create another VLAN & put all IAPs into it, but is it really necessary?

     

    In our facility we already have up to 239 VLANs, and because our floor switches are Cisco Catalyst 2960, which can handle only up to 255 VLANs, I really don't want to add another VLAN if it is not necessary.

     

    Thank you for reply.



  • 4.  RE: IAP 205 can't reach devices on same VLAN sometimes

    Posted Jul 24, 2016 03:43 PM

    I don't know exactly what your problem is;  I'm just trying to eliminate the possibility of a lot of broadcast traffic on your management (not user) subnet as being the possible issue.  You are also free to open a case with TAC if you would like them to look at your logs to determine what could be the problem.



  • 5.  RE: IAP 205 can't reach devices on same VLAN sometimes

    Posted Jul 25, 2016 10:17 AM

    1) If the ports on the switch are access ports, then you don't need to define the VLAN in the config for the VC.

    2) If the ports are trunks for the iAP's and the default VLAN is different from VLAN 2, please make sure you define the management VLAN on each iAP.

    3) If the ports are trunks but you have default VLAN 2, there is no need to specify it in either the VC config or the iAP config.

    4) Are you able to reach the RADIUS IP's from the workstation connected on the same VLAN when you are not able to get to the iAP's? (If the answer is no, then it's a layer 2 or 3 problem.)



  • 6.  RE: IAP 205 can't reach devices on same VLAN sometimes

    Posted Jul 25, 2016 04:17 PM

    Thank you for reply.

     

    All ports on the switch where the IAPs are connected are trunk ports, because users connected to SSID HK-Member are cast to their VLAN (decided by Radius, which sends the Aruba-User-VLAN attribute in its reply).

     

    So answers are:
    1) no, trunk

    2) yes, default is VLAN 1, all IAPs are set to be on VLAN 2 (management network)

    3) no

    4) yes, I'm able to reach all RADIUS IP's & also all other devices on VLAN 2 from a workstation in this subnet, but not the IAPs. When I restart the IAPs, then I'm ABLE to reach them (from RADIUS etc.), but within 30-60 minutes I LOSE contact with them. After that, in some intervals I'm able to reconnect to an IAP, but after a while I lose connection with them again.

     

    In short, connections on VLAN 2 between:
    Gateway <=> Any device (including IAPs) / workstation = works
    Any device (except IAPs) / workstation <=> Any device (except IAPs) / workstation = works
    Any device / workstation <=> IAPs = within some intervals works, but most of the time doesn't work



  • 7.  RE: IAP 205 can't reach devices on same VLAN sometimes

    Posted Jul 25, 2016 10:54 AM

    What switch model are the IAPs plugged into?
    Can you paste the "show run interface" output of one switchport where an IAP is connected?

    Any port-security?

    Also, a Wireshark capture from a port mirror of the virtual controller's port would be interesting.



  • 8.  RE: IAP 205 can't reach devices on same VLAN sometimes

    Posted Jul 25, 2016 04:37 PM

    We have a Cisco SG300-52P 52-Port Gigabit PoE Managed Switch.

     

    The running config is in the attachment; the ports are configured as follows:

    1 - 36 are TRUNK ports for IAPs (only up to 25 should be used) / other devices.

    37 - 48 are ACCESS ports with port-control (RADIUS controlled, with dynamic VLAN cast, mac-bypass & fail -> guest VLAN), for users.

    49 - 50 are uplink TRUNK ports (only 1 used at a time).

    51 - 52 are ACCESS ports for admins, assigned to VLAN 2 (management VLAN).

     

    The switch has a minimal configuration for now; I'm just trying to get it working.

     

    I'm unable to do a Wireshark capture for now, sorry & thank you for your reply.

    Attachment(s): running-config.txt (8 KB)


  • 9.  RE: IAP 205 can't reach devices on same VLAN sometimes

    Posted Jul 25, 2016 04:51 PM

    Ok, since you are trunked with native VLAN 1, your management traffic needs to be tagged. From looking at the config I couldn't tell if it was properly configured, but I suspect this is the problem.

     

    To verify the current config, SSH to the IAP and type

    (Instant Access Point)# show uplink-vlan

    If it's 0 or 1, then enter the following command to tag management with VLAN 2:

    (Instant Access Point)# uplink-vlan 2


  • 10.  RE: IAP 205 can't reach devices on same VLAN sometimes

    Posted Jul 25, 2016 05:05 PM

    I'll disappoint you, but the configuration seems to be ok:

    70:3a:0e:c7:1f:b2# show uplink-vlan

    Uplink Vlan Current :2
    Uplink Vlan Provisioned :2

    Also, it doesn't explain why it is sometimes working and sometimes not.

    If the IAPs were in the wrong VLAN, then I'd never be able to contact them, not only sometimes.



  • 11.  RE: IAP 205 can't reach devices on same VLAN sometimes

    Posted Jul 26, 2016 08:59 AM

    Silly question, but... could it be because the IP of the Virtual Controller (in System > Virtual Controller IP) is the same as the IP of one (preferred master) IAP?

     

    For now I've set the Virtual Controller IP to one which nobody is using (not even any IAP) & it seems that it's finally working, but I'll have to test it more, to see if the problem shows up again.

     

    Thank you for your advices.

     

    Edited:

    So even this doesn't help me.

    I've created a new VLAN 3, with subnet 10.0.3.0/24, & put all IAPs into it. For now it seems that it is finally working just as it should. I'll do some more testing & let you know.
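Post 11 suspects that the Virtual Controller IP collided with the preferred master IAP's own address, which would show up on the wire as one IP being answered by more than one MAC. The script below is an added example, not from this thread or from Aruba: it checks an address plan for a VC IP that overlaps an IAP address, and scans tcpdump-style ARP reply lines for an IP claimed by several MACs. The capture lines, MACs and the hypothetical VC IP are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# tcpdump-style ARP reply line, e.g.
# "10:02:12.200 ARP, Reply 10.0.2.101 is-at 02:00:00:00:00:65, length 28"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def parse_arp_reply(line):
    """Return (timestamp, ip, mac) for an ARP reply line, or None otherwise."""
    m = ARP_REPLY.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("mac").lower()


def find_duplicate_ips(lines, subnet="10.0.2.0/24"):
    """Map each IP inside `subnet` answered by more than one MAC to the
    sorted list of MACs that claimed it (the signature of an IP clash)."""
    net = ip_network(subnet)
    claims = defaultdict(set)
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed is None:
            continue  # non-ARP or malformed line, skip it
        _, ip, mac = parsed
        if ip_address(ip) in net:
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def vc_ip_overlaps(vc_ip, iap_ips):
    """True if the Virtual Controller IP equals any IAP's own management IP."""
    return vc_ip in set(iap_ips)


# Constructed sample capture: 10.0.2.101 is answered by two different MACs
SAMPLE_CAPTURE = """\
10:02:11.100 ARP, Reply 10.0.2.1 is-at 02:00:00:00:00:01, length 28
10:02:12.200 ARP, Reply 10.0.2.101 is-at 02:00:00:00:00:65, length 28
10:02:12.950 ARP, Reply 10.0.2.101 is-at 02:00:00:00:00:66, length 28
10:02:13.300 ARP, Reply 10.0.2.10 is-at 02:00:00:00:00:0a, length 28
not an ARP line, ignored by the parser
""".splitlines()

if __name__ == "__main__":
    # Hypothetical address plan: VC IP set to an IAP's own address
    print("VC IP overlaps an IAP:", vc_ip_overlaps("10.0.2.101", ["10.0.2.101"]))
    for ip, macs in find_duplicate_ips(SAMPLE_CAPTURE).items():
        print(f"{ip} answered by {', '.join(macs)}")
```

Run it against a real capture by piping `tcpdump -n -e arp` output into `find_duplicate_ips`; a management IP that shows up with two MACs explains intermittent reachability far better than a wrong uplink VLAN would.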