Original Message:
Sent: Oct 10, 2024 01:32 PM
From: mvanoverbeek
Subject: RAP issues
I followed the guidelines and set up two controllers in a cluster with two separate IP addresses
I set the MTU on the VLAN to 1300
I used a DNS record to point to two separate Public IP addresses
When the IPSEC tunnel gets established VMC1 (Spectrum Cable Internet) seems to be fine
VMC2 (Google Fiber) however keeps flapping
I reviewed the configurations and could find a whole lot of differences
Left side is the snippet from VMC1 that is working while right side is from VMC2 that is not working.
When issuing show ap database the tunnel keeps flapping
Below a screenshot of some of the logs that might give an indication where this is coming from. Hope anyone has an idea.
Below the raw logs, appreciate some feedback
Thank you
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
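The 1300-byte VLAN MTU mentioned above is a headroom choice: every tunnelled frame gains an outer IPv4 header, the UDP/4500 NAT-T header, the ESP header, IV, padding, trailer and integrity tag. The calculator below (an added example, not code from the thread or from Aruba) makes that overhead explicit so the chosen MTU can be checked against the path MTU of each ISP. The cipher table holds standard ESP framing values; which transform the RAP actually negotiates is not stated in the thread, so the cipher names are assumptions.

```python
"""Estimate the on-the-wire size of a NAT-T (UDP/4500) ESP packet for a given
inner packet length, and the largest inner packet that fits a path MTU.
Added example; cipher parameters follow RFC 4303/4106, helper names are my own."""

# (iv_len, pad_alignment, icv_len) for common ESP transforms.
# These are assumptions about what the tunnel might negotiate, not values from the thread.
CIPHERS = {
    "aes-cbc-hmac-sha1-96": (16, 16, 12),     # 16-byte IV, 16-byte block padding, 96-bit ICV
    "aes-cbc-hmac-sha256-128": (16, 16, 16),  # same framing, 128-bit ICV
    "aes-gcm-128": (8, 4, 16),                # 8-byte IV, ESP 4-byte alignment, 128-bit ICV
}

OUTER_IPV4 = 20   # outer IPv4 header, no options
UDP_NAT_T = 8     # UDP header used for NAT traversal (port 4500)
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)


def esp_padding(inner_len: int, align: int) -> int:
    """Padding bytes so that inner payload + trailer is a multiple of align."""
    return (-(inner_len + ESP_TRAILER)) % align


def nat_t_packet_size(inner_len: int, cipher: str) -> int:
    """Total outer packet size for an inner IP packet of inner_len bytes."""
    iv_len, align, icv_len = CIPHERS[cipher]
    pad = esp_padding(inner_len, align)
    return (OUTER_IPV4 + UDP_NAT_T + ESP_HDR + iv_len
            + inner_len + pad + ESP_TRAILER + icv_len)


def max_inner_mtu(path_mtu: int, cipher: str) -> int:
    """Largest inner packet whose encapsulated size still fits path_mtu."""
    best = 0
    for n in range(path_mtu):
        if nat_t_packet_size(n, cipher) <= path_mtu:
            best = n
    return best


def headroom(inner_mtu: int, path_mtu: int, cipher: str) -> int:
    """Bytes left over on the path after encapsulating a full inner_mtu packet."""
    return path_mtu - nat_t_packet_size(inner_mtu, cipher)


if __name__ == "__main__":
    for name in CIPHERS:
        print(f"{name:26s} inner 1300 -> outer {nat_t_packet_size(1300, name)} bytes, "
              f"max inner for 1500 path = {max_inner_mtu(1500, name)}")
```

Running it shows that a 1300-byte inner MTU leaves well over 100 bytes of slack on a 1500-byte path for either transform, so if one ISP's tunnel flaps while the other's is stable, fragmentation is unlikely to be the difference unless that path's MTU is considerably lower than 1500 (PPPoE, additional tunnels, or a carrier-side NAT can all shave bytes off).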
Original Message:
Sent: Oct 08, 2024 01:38 PM
From: chulcher
Subject: RAP issues
LMS/B-LMS configuration allows the administrator to move the device to other VPNCs as needed.
LMS for RAP is usually best pointed at a DNS A record configured for round robin, using all of the public IP addresses for the one cluster or all of the VPNC at a single datacenter. Utilize B-LMS if necessary to fail over to a secondary VPNC or datacenter. Use a cluster or VRRP to provide redundancy within a single datacenter.
------------------------------
Carson Hulcher, ACEX#110
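The LMS/B-LMS design above depends on the DNS names resolving the way the plan expects: the LMS round-robin record must carry every public IP of one cluster, and the B-LMS record must land on a different site. The script below is an added example (not Aruba code and not from the thread) that validates that; the resolver is injectable so it can be run offline against constructed answers, and the hostnames and 203.0.113.x / 198.51.100.x addresses are constructed placeholders.

```python
"""Validate that LMS and backup-LMS DNS names cover the intended VPNC sites.
Added example for this thread; the resolver function is injectable so the
check runs offline with constructed answers."""
import socket
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """All IPv4 A records for name, in the order the OS resolver returns them."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_DGRAM)
    seen: List[str] = []
    for info in infos:
        addr = info[4][0]
        if addr not in seen:
            seen.append(addr)
    return seen


def _match_site(addrs: Set[str], sites: Dict[str, Set[str]]) -> Optional[str]:
    """Return the site label whose full public IP set equals addrs, else None."""
    for label, members in sites.items():
        if addrs == members:
            return label
    return None


def check_lms_plan(lms_name: str, blms_name: str, sites: Dict[str, Set[str]],
                   resolve: Resolver = system_resolver) -> List[str]:
    """Return findings (empty list = consistent plan).

    sites maps a datacenter label to the set of public IPs of the VPNC
    cluster (or VRRP address) at that site. The LMS name must resolve to
    exactly one complete site; the B-LMS name to a different complete site.
    """
    findings: List[str] = []
    lms = set(resolve(lms_name))
    blms = set(resolve(blms_name))
    lms_site = _match_site(lms, sites)
    blms_site = _match_site(blms, sites)
    if lms_site is None:
        findings.append(f"{lms_name} -> {sorted(lms)} is not the complete IP set of one site")
    if blms_site is None:
        findings.append(f"{blms_name} -> {sorted(blms)} is not the complete IP set of one site")
    if lms_site is not None and lms_site == blms_site:
        findings.append("LMS and B-LMS resolve to the same site; no cross-datacenter failover")
    if lms & blms:
        findings.append(f"LMS and B-LMS share addresses: {sorted(lms & blms)}")
    return findings


def rotates(name: str, queries: int = 5,
            resolve: Resolver = system_resolver) -> bool:
    """True if repeated queries return the A records in more than one order,
    i.e. the server is actually doing round robin rather than a fixed order."""
    orders = {tuple(resolve(name)) for _ in range(queries)}
    return len(orders) > 1


if __name__ == "__main__":
    # Constructed sites and a constructed resolver standing in for real DNS.
    SITES = {"dc1": {"203.0.113.10", "203.0.113.11"},
             "dc2": {"198.51.100.10", "198.51.100.11"}}
    ANSWERS = {"rap-lms.example.net": ["203.0.113.10", "203.0.113.11"],
               "rap-blms.example.net": ["198.51.100.10", "198.51.100.11"]}
    print(check_lms_plan("rap-lms.example.net", "rap-blms.example.net",
                         SITES, resolve=lambda n: ANSWERS[n]))
```

Against a live environment, call `check_lms_plan` with the default resolver from a host that uses the same DNS the RAPs will use; a finding of "not the complete IP set of one site" is the case to look for after a VPNC is added to a cluster but the A record was not updated.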
Original Message:
Sent: Oct 08, 2024 01:26 PM
From: mvanoverbeek
Subject: RAP issues
Update:
I actually have it working now finally
Initially I did not have the Public IP address configured in the RAPGROUP under LMS
I also did not use the command allowlist-db rap add mac-address 90:4c:81:c0:f6:e2 ap-group RAPGROUP
Initially these commands did not do anything. Eventually I rebooted my Verizon 5G router and that did the trick. Maybe the NAT table was saturated, unclear but at least it works.
Question though, is it really necessary to configure the LMS in the RAP group? Curious how that works if you have multiple Public IP addresses. Because this only seems to store two at most.
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
Original Message:
Sent: Oct 07, 2024 10:04 PM
From: mvanoverbeek
Subject: RAP issues
I feel kind of stupid but despite re-reading the documentation several times and watching the videos repeatedly I just can't get the remote AP to work in my setup.
All devices run: Version 8.10.0.14 LSR
Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license
The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication
I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface
There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.
The VMC is behind a Firewall, I created port forwarding for UDP 4500
I created a RAP-POOL
Chose the option certificate-based authentication
The AP is in the allowlist
When I check with show datapath session I see the traffic coming in
I did a packet capture and saw ISAKMP traffic (IKE SA init)
It doesn't go past the first two packets it seems.
I am kind of at a loss.
(VMC01) #show datapath session | include 4500
75.207.183.xxx 10.20.202.253 17 60487 4500 0/0 0 0 0 0/0/0 111 50 28686 FC 2
10.20.202.253 75.207.183.xxx 17 4500 60487 0/0 0 0 0 0/0/0 111 50 4400 F 2
show crypto ipsec sa does not show anything except for the Mobility Conductor.
What am I missing? Anyone have an idea what I can try next?
Thank you
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
------------------------------
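The `show datapath session | include 4500` output in the oldest post is the quickest place to see whether the controller is answering the RAP at all: the two rows are the same NAT-T session seen in each direction, and the packet and byte counters tell you whether replies are leaving. The script below is an added example (not Aruba code and not from the thread) that pairs each inbound UDP/4500 flow with its reverse entry and flags peers with no return traffic. The sample rows are constructed in the same column layout as the thread's output using documentation addresses; reading the two numeric columns immediately before the alphabetic flags column as packets and bytes is an assumption based on the usual ArubaOS column order.

```python
"""Pair inbound NAT-T (UDP/4500) datapath sessions with their reverse flows.
Added example; sample rows are constructed, column meaning is an assumption."""
import re
from typing import Dict, List, Tuple

# Constructed sample modeled on the layout of `show datapath session` in the
# thread. 203.0.113.x / 198.51.100.x are documentation addresses, not real RAPs.
SAMPLE = """\
203.0.113.45 10.20.202.253 17 60487 4500 0/0 0 0 0 0/0/0 111 50 28686 FC 2
10.20.202.253 203.0.113.45 17 4500 60487 0/0 0 0 0 0/0/0 111 50 4400 F 2
198.51.100.7 10.20.202.253 17 41000 4500 0/0 0 0 0 0/0/0 30 12 9600 FC 2
"""

FLAGS_RE = re.compile(r"^[A-Za-z]+$")
FiveTuple = Tuple[str, str, str, str, str]


def parse_sessions(text: str) -> Dict[FiveTuple, dict]:
    """Parse rows into {(src, dst, proto, sport, dport): counters}.

    Assumption: the flags column is the first purely alphabetic field after the
    5-tuple, and the two numeric fields right before it are packets and bytes.
    """
    sessions: Dict[FiveTuple, dict] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue  # header lines, prompts and blanks
        flag_idx = next(i for i, f in enumerate(fields) if i >= 5 and FLAGS_RE.match(f))
        key: FiveTuple = (fields[0], fields[1], fields[2], fields[3], fields[4])
        sessions[key] = {
            "packets": int(fields[flag_idx - 2]),
            "bytes": int(fields[flag_idx - 1]),
            "flags": fields[flag_idx],
        }
    return sessions


def reverse_key(key: FiveTuple) -> FiveTuple:
    src, dst, proto, sport, dport = key
    return (dst, src, proto, dport, sport)


def pair_nat_t_flows(sessions: Dict[FiveTuple, dict], port: str = "4500") -> List[dict]:
    """One finding per inbound flow to the NAT-T port: peer, counters per
    direction, and a verdict on whether the controller is replying."""
    findings = []
    for key, inbound in sessions.items():
        if key[2] != "17" or key[4] != port:
            continue  # only UDP flows *to* the NAT-T port (RAP -> controller)
        outbound = sessions.get(reverse_key(key))
        if outbound is None or outbound["packets"] == 0:
            verdict = "no-return-traffic"
        else:
            verdict = "bidirectional"
        findings.append({
            "peer": key[0],
            "verdict": verdict,
            "in_packets": inbound["packets"],
            "in_bytes": inbound["bytes"],
            "out_packets": outbound["packets"] if outbound else 0,
            "out_bytes": outbound["bytes"] if outbound else 0,
        })
    return findings


if __name__ == "__main__":
    for f in pair_nat_t_flows(parse_sessions(SAMPLE)):
        print(f"{f['peer']:15s} {f['verdict']:18s} "
              f"in {f['in_packets']} pkts/{f['in_bytes']} B, "
              f"out {f['out_packets']} pkts/{f['out_bytes']} B")
```

A "no-return-traffic" verdict points at the controller side (allowlist, RAP pool, certificate or the LMS entry that the poster later found missing); a "bidirectional" session that still never shows up in `show crypto ipsec sa` means replies are being sent but the exchange is not completing, which is where a capture on both sides of the firewall and NAT device earns its keep.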