Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP VC VPNC MC

  • 1.  IAP VC VPNC MC

    Posted Jul 30, 2022 06:00 PM
    Hello,

    I have the following situation and I hope you can help me.

    I have several IAP clusters, each with a corporate network whose traffic is routed internally, and a guest network that is tunneled to an MC 7030. This MC only acts as the VPN concentrator for that guest network's exit to the Internet. Centralized L2 is being used for DHCP.

    Tunnel activation is successful between the VC and MC VPNC.

    As long as I connect to a Wi-Fi network radiated by the AP that is the master of the IAP cluster, I can authenticate, get an IP and browse.
    If I try to connect to the same network on an AP that is not the master of the IAP cluster, I pass authentication but I can't get an IP.
    I then reversed the master/slave roles on those same APs, and again I only get an IP and can browse on the master; I don't get the same result on the slave IAPs.

    This situation is the same in the different IAP clusters that I have.


    Any recommendation is welcome.

    ------------------------------
    Luis
    ------------------------------


  • 2.  RE: IAP VC VPNC MC

    EMPLOYEE
    Posted Jul 30, 2022 08:19 PM
    Are you using an IPsec or a GRE tunnel?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: IAP VC VPNC MC

    Posted Jul 30, 2022 11:20 PM
    I am using IPSec...

    ------------------------------
    Luis
    ------------------------------




  • 5.  RE: IAP VC VPNC MC

    EMPLOYEE
    Posted Jul 31, 2022 04:14 AM
    With Centralized L2 and IPsec mode for IAP VPN, the IPsec tunnel is always between the controller and the IAP VC.
    The guest VLAN (Centralized L2) has to be created on the switch at the branch end and tagged to all of the IAPs.
    Do all of your IAPs in the IAP cluster at the branch have the guest VLAN tagged on their switch ports?


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 6.  RE: IAP VC VPNC MC

    Posted Jul 31, 2022 12:01 PM
    I really thought it was not necessary to have the VLAN extended to the switches where the APs are, since I have the APs on different switches.
    I also thought there would be some tunnel or communication between the APs and the VC through which all those tunneled networks would travel.
    Should the centralized VLAN then only exist on the switches, tagged on the AP ports and on the switch uplinks, so that it can reach the master AP?

    ------------------------------
    Luis
    ------------------------------



  • 7.  RE: IAP VC VPNC MC

    Posted Aug 03, 2022 12:02 AM
    Based on what you tell me, the VLAN must be created on the switch and tagged on the IAP ports.

    1. Do I understand correctly that communication of the centralized L2 VLAN between the IAP master (VC) and the rest of the IAPs (slaves) is achieved only by tagging the VLAN?

    2. Is there no tunnel or anything similar between the IAP master (VC) and the rest of the IAPs (slaves) to carry the centralized VLAN?

    Thank you so much for everything.

    ------------------------------
    Luis
    ------------------------------



  • 8.  RE: IAP VC VPNC MC
    Best Answer

    EMPLOYEE
    Posted Aug 03, 2022 02:26 AM
    With Centralized L2 using IPsec, the IPsec tunnel is only built between the MC and the VC.
    The IAPs in the branch use their management VLAN to communicate with each other; they do not create any so-called tunnels among themselves.

    Here is the VRD for your reference:
    https://community.arubanetworks.com/browse/articles/blogviewer?BlogKey=1f47bc48-dafb-4b48-9ff1-2973bb3c2f87

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------
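The two employee answers above (posts 5 and 8) both come down to one check: the guest VLAN must be tagged on every branch switch port that carries an IAP, and on the uplink toward the VC's switch, because there is no AP-to-AP tunnel. The script below is an added example, not code from the thread or from Aruba: it parses a constructed running-config excerpt in ArubaOS-Switch-like syntax (an assumption; adapt the regexes to your switch) and lists the AP ports that are missing the tag, which are exactly the APs whose guest clients would authenticate but never get a DHCP lease.

```python
# Added example (not from the thread): verify the Centralized-L2 guest VLAN is
# tagged on every switch port carrying an IAP, plus the uplink to the VC's switch.
import re

# Constructed running-config excerpt in ArubaOS-Switch-like syntax (assumption).
# VLAN 10 = made-up IAP management VLAN, VLAN 100 = made-up guest VLAN.
SAMPLE_CONFIG = """\
vlan 10
   name "IAP-MGMT"
   untagged 1-4,24
   exit
vlan 100
   name "GUEST"
   tagged 1,24
   exit
"""

def expand_ports(spec: str) -> set[int]:
    """Expand a port list such as '1-4,24' into {1, 2, 3, 4, 24}."""
    ports: set[int] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports

def parse_vlans(config: str) -> dict[int, dict[str, set[int]]]:
    """Map each VLAN id to its tagged and untagged port sets."""
    vlans: dict[int, dict[str, set[int]]] = {}
    current = None
    for line in config.splitlines():
        if m := re.match(r"^vlan (\d+)\s*$", line):
            current = int(m.group(1))
            vlans[current] = {"tagged": set(), "untagged": set()}
        elif current is not None and (
            m := re.match(r"^\s+(tagged|untagged) ([\d,\-]+)\s*$", line)
        ):
            vlans[current][m.group(1)] |= expand_ports(m.group(2))
    return vlans

def ports_missing_tag(config: str, guest_vlan: int, required: list[int]) -> list[int]:
    """Ports from `required` (IAP ports and uplinks) where the guest VLAN is
    not tagged; IAPs on those ports cannot bridge guest clients to the VC."""
    tagged = parse_vlans(config).get(guest_vlan, {}).get("tagged", set())
    return sorted(p for p in required if p not in tagged)

if __name__ == "__main__":
    for port in ports_missing_tag(SAMPLE_CONFIG, 100, [1, 2, 3, 4, 24]):
        print(f"port {port}: guest VLAN 100 is not tagged")
```

In the constructed config only port 1 (the VC) and the uplink carry VLAN 100, so ports 2 to 4 are reported, matching the symptom in the opening post.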



  • 9.  RE: IAP VC VPNC MC

    Posted Aug 03, 2022 10:16 AM
    Thank you very much for everything, now everything is clear to me.

    One last question: is there any chance that this mobility controller (VPNC) can resolve DNS requests? Its only function would be to resolve the address of the ClearPass captive portal.
    All other requests would go through the ISP's DNS.

    ------------------------------
    Luis
    ------------------------------



  • 10.  RE: IAP VC VPNC MC

    EMPLOYEE
    Posted Aug 03, 2022 07:27 PM
    By default, all the DNS requests from a client are forwarded to the client's DNS server. In a typical Instant AP deployment without VPN configuration, client DNS requests are resolved by the DNS server of clients.

    For the IAP-VPN scenario, the enterprise domain settings on the Instant AP are used to determine how client DNS requests are routed.

    See this link and go down to "Configuring Enterprise Domains", which explains it:
    https://www.arubanetworks.com/techdocs/Instant_810_WebHelp/Content/instant-ug/iap-vpn/iap-vpn-ops.htm

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 11.  RE: IAP VC VPNC MC

    Posted Aug 03, 2022 07:45 PM
    Nice.

    Thank you for your time.

    ------------------------------
    Luis
    ------------------------------