Q:
Why do we see SSIDs getting disabled on an IAP when the GRE tunnel is down?
A: Starting from IAP version 8.4.0.0, all SSIDs configured on the IAP (both locally bridged SSIDs and SSIDs used for the GRE tunnel) are disabled by default when there is a failover or the tunnel status goes down on the IAP. This is an enhancement introduced in 8.4.0.0.
The knob that controls this is shown in the GRE configuration (GRE Reconnect User On Failover):
# show gre config
GRE Tunnel Configuration
----------------------------------
GRE Primary Server :2222::2
GRE Primary IP :2222::2
GRE Backup Server :1111::1
GRE Backup IP :1111::1
GRE Type :25944 (0x6558)
GRE Per AP Tunnel :disable
GRE Preemption :enable
GRE Holdon Time :600
GRE Failover type :ping
GRE Ping Interval :15 (secs)
GRE Allowed Inactive Time :15 (secs)
GRE Ping Retry Count :3
GRE Reconnect User On Failover :enable
GRE Reconnect Time On Failover :60 (secs)
VPN logs to validate at the time the tunnel is marked down:
# show log vpn
cli_rap_send_tunnel_info(8519) send tunnel state (master) :DOWN 2020-03-05 18:26:32
cli_rap_send_tunnel_info(8523) send tunnel type (master) :GRE PRIMARY 2020-03-05 18:26:34
cli_gre_send_disable_ssid(8585) send disable ssid (master) 2020-03-05 18:26:34
cli_send_ping_to_gre_endpoint:311 primary tunnel is marked down. 2020-03-05 18:27:22
cli_gre_send_disable_ssid(8585) send disable ssid (master)
To prevent the SSIDs from being disabled on the IAP, enable the following knob:
gre disable-reconnect-user-on-failover
# show gre config
GRE Tunnel Configuration
----------------------------------
GRE Primary Server :2222::2
GRE Primary IP :2222::2
GRE Backup Server :1111::1
GRE Backup IP :1111::1
GRE Type :25944 (0x6558)
GRE Per AP Tunnel :disable
GRE Preemption :enable
GRE Holdon Time :600
GRE Failover type :ping
GRE Ping Interval :15 (secs)
GRE Allowed Inactive Time :15 (secs)
GRE Ping Retry Count :3
GRE Reconnect User On Failover :disabled
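
The check below can be run over collected CLI output to flag IAPs still at the default setting and to confirm from the VPN log that a tunnel-down event was followed by the SSID disable message. It is an added example, not Aruba's code; the function names are hypothetical and the sample text is copied (abbreviated) from the outputs above.

```python
import re

# Sample text copied (abbreviated) from the outputs shown on this page.
GRE_CONFIG = """\
GRE Tunnel Configuration
----------------------------------
GRE Primary Server :2222::2
GRE Failover type :ping
GRE Ping Interval :15 (secs)
GRE Reconnect User On Failover :enable
"""

VPN_LOG = """\
cli_rap_send_tunnel_info(8519) send tunnel state (master) :DOWN 2020-03-05 18:26:32
cli_rap_send_tunnel_info(8523) send tunnel type (master) :GRE PRIMARY 2020-03-05 18:26:34
cli_gre_send_disable_ssid(8585) send disable ssid (master) 2020-03-05 18:26:34
cli_send_ping_to_gre_endpoint:311 primary tunnel is marked down. 2020-03-05 18:27:22
cli_gre_send_disable_ssid(8585) send disable ssid (master)
"""

def parse_gre_config(text):
    """Return {field: value} from 'show gre config' output.

    Splits on the first ' :' only, so IPv6 values such as 2222::2 stay intact.
    """
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" :")
        if sep and name.startswith("GRE "):
            fields[name.strip()] = value.strip()
    return fields

def ssids_disabled_on_failover(fields):
    """True when the knob is at its default (SSIDs disabled on tunnel down)."""
    return fields.get("GRE Reconnect User On Failover", "").startswith("enable")

def tunnel_down_events(log_text):
    """Count tunnel-down reports and 'disable ssid' messages in 'show log vpn'."""
    down = len(re.findall(r"send tunnel state \(\w+\) :DOWN|tunnel is marked down", log_text))
    disabled = len(re.findall(r"cli_gre_send_disable_ssid\(\d+\) send disable ssid", log_text))
    return {"tunnel_down": down, "ssid_disable": disabled}

if __name__ == "__main__":
    cfg = parse_gre_config(GRE_CONFIG)
    print("SSIDs disabled on failover:", ssids_disabled_on_failover(cfg))
    print(tunnel_down_events(VPN_LOG))
```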