MVP

6.5.x.x iAP GRE Tunnel and RAP -> migration to 8.5.x.x

I have quite a few iAP 205 and iAP 305 running 6.5.x.x. 

Internal iAP are terminating Aruba-GRE on a 6.4.x.x MC and we're preparing to use some 205H and 305H iAP as RAP for work-from-home users.

My SE tells me "6.x RAP will not be able to connect to 8.x MC and 8.x RAP can't connect to 6.x MC"

Is that accurate?
Can I get the 6.5.x.x iAP to connect to an MC running 8.5.x.x? or 
Can I get the 8.5.x.x iAP to connect to an MC running 6.5.x.x? 
I don't want to maintain two sets of MC while I migrate from 205 to 305 over the next three years.

Which should I upgrade first, the 305 iAP or the MC (understanding that the 205s will have to stay at 6.5)?

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Accepted Solutions
MVP

Re: 6.5.x.x iAP GRE Tunnel and RAP -> migration to 8.5.x.x

TAC provided the answer (super secret command at the end):

Quote:

Hello Matthew,

Instant APs running Instant 8.3.x.x or earlier versions can terminate IAP-VPN connections with controllers running ArubaOS 8.4.0.0 or later versions only if the backward compatibility feature is enabled on the controller.

Instant APs running Instant 8.4.0.0 or later versions cannot terminate IAP-VPN connections with controllers running ArubaOS 8.3.x.x or earlier versions.

So to answer your question, Yes IAP 205 running 6.5.x.x can terminate VPN connections to controller running 8.5.x.x using CLI flag on the controller as below:

 

(config) #iapvpn_backward_compatible

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it



All Replies
Occasional Contributor II

Re: 6.5.x.x iAP GRE Tunnel and RAP -> migration to 8.5.x.x

Hi

Have you tested this and is it working? We did an upgrade with migration tool from 6.5.4 on a 7010 standalone Ctrl to 8.4.04. The IAP does not get traffic through the tunnel even though you can see the tunnels are up. In the Aruba Instant user guide for 8.5 page 324, it states under point to remember:

Instant APs running 8.3.x.x or earlier versions cannot terminate IAP-VPN connections with ArubaOS controllers running 8.4.0.0 or later versions.

We have been on an open TAC case and the backwards compatibility commands do not rectify the issue.

The following error comes up in the logs:

|IAP manager Process|  register_iap_bid:579 Terminating IAP-VPN on this platform (Mobility Master / Legacy Master) is not supported

MVP

Re: 6.5.x.x iAP GRE Tunnel and RAP -> migration to 8.5.x.x

I've got 6.5.4.11 and 8.5.0.2 iAP - both working with a 7210 running 8.5.0.2. After fixing a typo in my routing tables (elsewhere in the network) everything seems to be working.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Occasional Contributor II

Re: 6.5.x.x iAP GRE Tunnel and RAP -> migration to 8.5.x.x

Hi,

So, the tunnels were up and the only thing not working was the client was not getting a DHCP IP from external DHCP server. We could see the DHCP request from the AP but the controller was not sending it to the DHCP server.

We have a port channel with multiple VLANs where the Guest and BYOD VLAN is tagged. When you do a show int vlan xx<guest>, you can see the interface state is up/down. The interface state is why the controller can't send the DHCP request out the VLAN interface.

To fix this, go under the VLAN interface and do "operstate up". You might have a duplicate BID for existing IAPs that you will have to delete. The logs will show - <ERRS> |IAP manager Process|  !!! Not a trusted branch - '<233nsg5364nds>';remove this entry from white-list

Then reboot and it worked fine.

 
