Unchecking "enforce DHCP" worked. I found a bug report back in version 8.2.1.0 regarding this but never found it in any other release notes. I will be starting a new thread regarding that. Thanks for the help, all.
Original Message:
Sent: Aug 01, 2024 07:21 AM
From: johnstonj@rowan.edu
Subject: Roaming between 2 clusters in 8.10.x.x
First - thank you so much for all of the help Colin! Much appreciated!! If I'm correct, ip-spoofing only works IF the DHCP address is known first. If someone with a static IP gets on using an address that has either never been used or not used for quite a while, it would be allowed on and the DHCP user that tries to connect later would be denied. Is that correct? We do have IP-spoofing enabled, but not ip-spoofing-all.
Original Message:
Sent: Jul 31, 2024 07:48 AM
From: cjoseph
Subject: Roaming between 2 clusters in 8.10.x.x
Alternatively, you can prevent IP spoofing in the firewall, so that a user cannot take the IP address of another:
Original Message:
Sent: 7/31/2024 7:45:00 AM
From: johnstonj@rowan.edu
Subject: RE: Roaming between 2 clusters in 8.10.x.x
I was under the impression that enforce dhcp should be set in order to help ensure no static IPs (and the possibility of a duplicate IP) get on. If that option is disabled, is there a better way to accomplish this? While I know that roaming between clusters is frowned upon, in this situation it can't really be helped. Our campus is split in half with controllers on each side of the street with failover redundancy (the controllers are on different management VLANs). The only way I can see getting all of the APs on 1 cluster and retain redundancy is to point all of the APs at 1 cluster and let the other sit empty as a failover and I don't believe that is the best way. As I stated - this is not a show stopper at all as it's currently only 1 outdoor AP that is close enough to bleed across the street.
Original Message:
Sent: Jul 30, 2024 12:11 PM
From: Herman Robers
Subject: Roaming between 2 clusters in 8.10.x.x
I would say that disabling that setting is worth trying.
I'm not aware of a sync of dhcp issued IP-mac mappings between controllers in different clusters. Roaming between clusters is something that should be avoided, and not a standard scenario.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jul 29, 2024 02:13 PM
From: sol_jee
Subject: Roaming between 2 clusters in 8.10.x.x
Thanks ! .. will be watching this thread :-)
An interesting observation when I did a debug for a user: the controller is dropping packets as the IP is not assigned via DHCP.
authmgr[3964]: <522026> <3964> <INFO> |authmgr| MAC=30:d7:a1:xx.xx.xx IP=192.168.21.1 User miss: ingress=0x1091b |
authmgr[3964]: <522141> <3964> <DBUG> |authmgr| 30:d7:a1:xx.xx.xx IP 192.168.21.1: drop pkt as ip not assigned through dhcp. |
Yes, I have enforce DHCP set on the AAA profile. Not too sure if I should take it out just to solve this use case.
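Added example, not part of the original post: a small Python parser that counts the two authmgr events quoted above per client, so clients dropped by enforce-DHCP after a roam can be listed from a debug capture. The message IDs and wording come from the quoted lines; the function names and every sample line after the first two are constructed.

```python
import re
from collections import defaultdict

# Patterns follow the two authmgr lines quoted in the post (message IDs 522026 and 522141).
USER_MISS = re.compile(r"<522026>.*?MAC=(?P<mac>\S+)\s+IP=(?P<ip>[\d.]+)\s+User miss")
DHCP_DROP = re.compile(
    r"<522141>.*?\|authmgr\|\s+(?P<mac>\S+)\s+IP\s+(?P<ip>[\d.]+):\s+"
    r"drop pkt as ip not assigned through dhcp"
)

# The first two lines are from the post; the remaining three are constructed.
SAMPLE_LOG = """\
authmgr[3964]: <522026> <3964> <INFO> |authmgr| MAC=30:d7:a1:xx.xx.xx IP=192.168.21.1 User miss: ingress=0x1091b |
authmgr[3964]: <522141> <3964> <DBUG> |authmgr| 30:d7:a1:xx.xx.xx IP 192.168.21.1: drop pkt as ip not assigned through dhcp. |
authmgr[3964]: <522141> <3964> <DBUG> |authmgr| 30:d7:a1:xx.xx.xx IP 192.168.21.1: drop pkt as ip not assigned through dhcp. |
authmgr[3964]: <522026> <3964> <INFO> |authmgr| MAC=AA:BB:CC:00:00:01 IP=192.168.21.57 User miss: ingress=0x1091b |
authmgr[3964]: <000000> <3964> <INFO> |authmgr| constructed unrelated line |
""".splitlines()


def enforce_dhcp_drops(lines):
    """Return {(mac, ip): {"user_miss": n, "dhcp_drop": n}} for clients seen in the log."""
    stats = defaultdict(lambda: {"user_miss": 0, "dhcp_drop": 0})
    for line in lines:
        for key, pattern in (("user_miss", USER_MISS), ("dhcp_drop", DHCP_DROP)):
            m = pattern.search(line)
            if m:
                # Normalise MAC case so the same client is not counted twice.
                stats[(m["mac"].lower(), m["ip"])][key] += 1
    return dict(stats)


def dropped_clients(lines):
    """Clients whose packets were dropped by enforce-DHCP, most drops first."""
    hits = [(k, v) for k, v in enforce_dhcp_drops(lines).items() if v["dhcp_drop"]]
    return sorted(hits, key=lambda kv: -kv[1]["dhcp_drop"])


if __name__ == "__main__":
    for (mac, ip), c in dropped_clients(SAMPLE_LOG):
        print(f"{mac} {ip}: {c['dhcp_drop']} drops, {c['user_miss']} user-miss events")
```

A client that shows a user miss followed by these drops on the target controller matches the behaviour described in this thread: the address is unchanged after the roam, but that controller never saw it assigned through DHCP.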
Original Message:
Sent: Jul 26, 2024 11:51 AM
From: johnstonj@rowan.edu
Subject: Roaming between 2 clusters in 8.10.x.x
Don't hold your breath - like I said, this is a low priority for me at the moment LOL. I honestly thought enabling the GARP (Gratuitous ARP) would correct it. When looking at the controllers and AirWave, I see the device roaming as it should. But it just goes to neverneverland until it is disconnected and reconnected. To me that's saying that the switch on the back side still has an incorrect path for the device and an ARP request should fix that. Like you, I'm not that sure the preserve-vlan will help because I don't see the user's VLAN changing, but I'm willing to try anything if it will help.
Original Message:
Sent: Jul 26, 2024 11:08 AM
From: sol_jee
Subject: Roaming between 2 clusters in 8.10.x.x
Thank you !
In my case, everything is exactly the same, except that I have a single VLAN with a single pool across both the clusters. Still, I do see the same behavior, so I'm not too sure if the preserve-vlan would help. Anyway, I will wait for your test results.
Original Message:
Sent: Jul 26, 2024 08:33 AM
From: johnstonj@rowan.edu
Subject: Roaming between 2 clusters in 8.10.x.x
Hello sol_jee
"Hi.. did you get a solution for your original problem? I'm also facing the same one, exactly the same, even with an open SSID. It would be really helpful to know where you landed with this design of 2 clusters and roaming between them."
I did not, but I have not had a chance to try the preserve-vlan option that Colin mentioned above. This is a very low priority for me since there is only one location where the APs connected to different clusters can overlap. We are a college campus divided by a road right down the middle and we have a cluster on each side of the street serving half of the APs for redundancy (with capacity to fail over all APs to either cluster). There is only one location for now that has an outdoor AP that is close enough to the street for a user to roam. If I get a free weekend I will try the preserve-vlan option and get back to you.
Original Message:
Sent: Jul 25, 2024 04:23 PM
From: sol_jee
Subject: Roaming between 2 clusters in 8.10.x.x
Hi.. did you get a solution for your original problem? I'm also facing the same one, exactly the same, even with an open SSID. It would be really helpful to know where you landed with this design of 2 clusters and roaming between them.
Original Message:
Sent: Jun 26, 2024 09:32 AM
From: johnstonj@rowan.edu
Subject: Roaming between 2 clusters in 8.10.x.x
Thanks again Colin. No worries about answering out of order - I posted multiple times out of order so replies that way are expected (my fault). Quick question - currently the VLAN pools are 4 subnets, each a /20 due to possible number of clients at a time. This was done a few years ago. Not entirely sure why it was set up this way except maybe it started to grow and additional subnets were added (and they are not all contiguous) as the population grew. Would it help to set up a single /18 vlan instead of a vlan pool? Or would that be too large for a single VLAN and cause other issues? I will be opening a TAC case in a week or so after I get the other issue under control.
Original Message:
Sent: Jun 26, 2024 09:00 AM
From: cjoseph
Subject: Roaming between 2 clusters in 8.10.x.x
I am answering your posts out of sequence so I apologize. We probably need to do debugging on the target controller for the test user to find out the sequence of events. I'm not going to bore you with detailed steps that I would take to figure this out, but in general a debug should give us some clues.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
Original Message:
Sent: Jun 26, 2024 08:52 AM
From: johnstonj@rowan.edu
Subject: Roaming between 2 clusters in 8.10.x.x
And I verified that the device IP address is not changing when roaming from one cluster to another. The IP stays the same, the device shows "connected no internet", and I just need to disconnect/reconnect to bring it back. I will be opening a TAC case for this at some point soon, but I'm dealing with a more pressing issue with them and this is a low priority. It's currently only affecting one small area of our campus where wifi coverage overlaps from one cluster to the other. But we are expanding our outdoor wireless so this will start happening in more locations. I appreciate all of the help!!!
Original Message:
Sent: Jun 26, 2024 07:37 AM
From: cjoseph
Subject: Roaming between 2 clusters in 8.10.x.x
They do not. Try checking "show user-table verbose" on the target controller to make sure the vlans are the same
Original Message:
Sent: Jun 26, 2024 07:34 AM
From: johnstonj@rowan.edu
Subject: Roaming between 2 clusters in 8.10.x.x
I was finally able to get a change window for this. Unfortunately it did not correct the issue. Any chance the APs need to be re-provisioned with the VAP after making this change? I changed the VAP but did not re-provision any APs.
Original Message:
Sent: Jun 07, 2024 12:48 PM
From: cjoseph
Subject: Roaming between 2 clusters in 8.10.x.x
You can try enabling this parameter in the Virtual AP profile:
fdb-update-on-assoc
That would send out a gratuitous ARP when a client enters the forwarding table to ensure that the switch infrastructure is updated:
fdb-update-on-assoc
Original Message:
Sent: Jun 07, 2024 08:21 AM
From: johnstonj@rowan.edu
Subject: Roaming between 2 clusters in 8.10.x.x
Good morning all.
I have an issue that I can't seem to get to the bottom of. High level, clients cannot roam between APs on different controller clusters. Below are the gritty details.
Scenario - campus setup with 2 clusters (4 controllers on each cluster) geographically separate. Each cluster has its own management network, but the devices (WLANs) are on the same L2 network. There are a few areas where the RF domain from APs in each cluster overlap. This is where my issue is. When a user is connected to an AP on Cluster A and walks to an area serviced by an AP on Cluster B, the device moves to the new AP but shows as "connected with no internet". The IP address of the device does not change since the L2 for that WLAN is the same across both clusters, so I don't think I need to (or should) enable IP Mobility (but I could be wrong there) and I don't think 802.11k would help. The only fix for the end user is to disconnect and reconnect the wifi.
I understand that seamless roaming is only between APs in the same cluster and I'm OK if the device needs to re-authenticate (voice over IP roaming isn't a high priority in this scenario). I just need the device to connect again automatically.
Any ideas?
Thanks!
Jeff