SD-WAN

  • 1.  Microbranch how to AOS 10 (behind NAT routers)

    Posted Mar 25, 2024 05:51 PM
    Edited by mvanoverbeek Mar 25, 2024 05:51 PM

    As part of a PoC I am trying to configure a Microbranch to a VPNC. I tried to follow the AOS 8 Microbranch from scratch videos, but it is kind of hard at one point because the GUI in the videos differs from what I see in Aruba Central.

    HW used:

    Gateway: 9004

    AP: 345

    SW: AOS 10 (latest version)

    I suspect I am overlooking something, but it looks like there is just no attempt made to establish an IPsec tunnel. I hope some people can help; I still find troubleshooting a little hard in Aruba, as I am not as familiar with troubleshooting it as I am with some other vendors.

    What is working:

    • Both devices are online
    • System IP configured
    • SSID online on microbranch
    • Shared DHCP pool is allocating /29 networks for Microbranch

    Here are some screenshots of the environment:

    I checked my firewall but was unable to see any IKE traffic passing by, as if the device is not even attempting to establish an IPsec tunnel.

    Both Microbranch and Gateway are behind NAT, but I did do a port forwarding in the firewall for UDP 500 towards the Gateway IP.

    Anyone have some suggestions, tips? I am kind of lost at the moment :(

    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 2.  RE: Microbranch how to AOS 10 (behind NAT routers)

    Posted Mar 26, 2024 06:08 PM

    On the AP Group Configuration:
    Do you have the "Data Center" configuration set? This includes the Hub Group assignment. 
    Do you have the "WAN Uplink" configuration set?

    On the Global Overlay Configuration:
    Do you have your "Topology" set?



    ------------------------------
    If my post was useful, please Accept Solution and Give Kudos.
    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------
    Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
    ------------------------------



  • 3.  RE: Microbranch how to AOS 10 (behind NAT routers)

    Posted Mar 27, 2024 12:34 AM

    For any Microbranch/SD-Branch, you should be using AOS 10.x; the latest one is 10.5.1.0 and the LSR is 10.4.1.1.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 4.  RE: Microbranch how to AOS 10 (behind NAT routers)

    Posted Mar 27, 2024 08:43 AM

    Thanks for responding.

    I am running the latest code. See the other message as well; it is working now.



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 5.  RE: Microbranch how to AOS 10 (behind NAT routers)

    Posted Mar 27, 2024 08:41 AM

    Hi Zak,

    Thanks for responding, I did make some progress actually and finally have a working set up now. Maybe it was the fact that I did not have port-forwarding on to UDP port 4500. Regardless of that, the biggest challenge is finding up-to-date documentation. The link below helped me.

    https://www.arubanetworks.com/techdocs/VSG/docs/080-sd-branch-deploy/esp-sd-branch-deploy-100-L3-Microbranch/

    With regard to your questions:

    I am new to the term "configuration set", have not heard that term before. My 9004 is in a VPNC group and I did configure Uplinks for both the 9004 at the device level, and the microbranch.

    With regard to the topology, I did not specifically recall configuring it as a global parameter, but I do see the microbranch is configured as hub-spoke.

    Two things currently make the whole experience challenging:

    The rapid changes in Aruba Central and the resulting journey of finding the most current documentation.

    Not being able to rely on Aruba Central to push the configuration to the device. I configured static routes on the VPNC and they just would not push to the device. I had to remove the device from the group (put it in the default), and move it back. Then, as if by a miracle, the static routes appeared. It is these kinds of things that make you doubt yourself.



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------
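
Added example, not part of any post in this thread and not Aruba code: a small Python check that reads flow lines captured on the public side of the hub's NAT firewall and reports which of the two ports discussed above (UDP 500 for IKE, UDP 4500 for NAT traversal) is arriving without being answered. The names `diagnose` and `SAMPLE`, the addresses, and the simplified line format are assumptions made for illustration; it also assumes static port forwards that keep the hub's ports as 500 and 4500.

```python
import re
from collections import Counter

IKE, NATT = 500, 4500  # UDP ports for IKE and IPsec NAT traversal (RFC 3947/3948)

# Constructed sample, not from the thread: simplified flow lines in tcpdump's
# address.port layout. 203.0.113.5 stands in for the hub's public IP.
SAMPLE = """\
08:00:01.100 IP 198.51.100.10.500 > 203.0.113.5.500: UDP, length 336
08:00:01.150 IP 203.0.113.5.500 > 198.51.100.10.500: UDP, length 344
08:00:01.200 IP 198.51.100.10.4500 > 203.0.113.5.4500: UDP, length 284
08:00:03.200 IP 198.51.100.10.4500 > 203.0.113.5.4500: UDP, length 284
"""

FLOW = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def diagnose(capture, hub_ip):
    """Classify tunnel setup from packets seen outside the hub's firewall."""
    to_hub, from_hub = Counter(), Counter()  # keyed by the hub-side UDP port
    for line in capture.splitlines():
        m = FLOW.search(line)
        if not m:
            continue
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if dst == hub_ip and dport in (IKE, NATT):
            to_hub[dport] += 1
        elif src == hub_ip and sport in (IKE, NATT):
            from_hub[sport] += 1
    if not to_hub:
        return "no IKE toward the hub: the spoke is not initiating"
    for port in (IKE, NATT):
        if to_hub[port] and not from_hub[port]:
            return f"UDP {port} arrives but is never answered: check its port forward"
    if not to_hub[NATT]:
        return "UDP 500 answered, but no follow-up on UDP 4500 yet"
    return "negotiation packets on the hub's IKE/NAT-T ports are answered"

if __name__ == "__main__":
    print(diagnose(SAMPLE, "203.0.113.5"))
```
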