Controllerless Networks

IAP-VPN Issue

  • 1.  IAP-VPN Issue

    EMPLOYEE
    Posted Dec 20, 2019 10:29 PM

    Hi All,

    I have been playing around with an IAP-VPN setup that I have simulated in my lab.

    Apparently I can see the output of "show vpn status" on the IAP as established to the controller.

    Also I can see "show crypto isakmp sa" and "show crypto ipsec sa" on the controller as well.

    But I cannot see any output from the "show iap table" command on the controller.

    (POC-VPNC) [mynode] (config) #show crypto isakmp sa

    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP Responder IP Flags Start Time Private IP
    ------------ ------------ ----- --------------- ----------
    10.76.147.163 10.76.147.131 r-v2-c-I Dec 21 08:38:19 172.18.0.1

    (POC-VPNC) [mynode] (config) #show crypto ipsec sa


    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP
    ------------ ------------ ---------------- ----- --------------- --------
    10.76.147.163 10.76.147.131 5d0d8c00/f6761a00 UT2 Dec 21 10:22:28 172.18.0.1

    (POC-VPNC) [mynode] (config) #show iap table

    Trusted Branch Validation: Disabled
    IAP Branch Table
    ----------------
    Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan
    ---- -------------- ------ -------- --------------- -------------

    Total No of UP Branches : 0
    Total No of DOWN Branches : 0

    What could I be missing?

  • 2.  RE: IAP-VPN Issue

    Posted Dec 27, 2019 01:51 PM

    Two things spring to mind:

    One: have you whitelisted the IAP?

    Two: are the IAP and controller versions the same? Some version combinations aren't compatible.

  • 3.  RE: IAP-VPN Issue
    Best Answer

    Posted Dec 27, 2019 03:27 PM

    There are four things I know of:

    1. Add IAP to 'remote ap whitelist'

    2. Add IAP to 'trusted branch db' (or 'iap trusted-branch-db allow-all')

    3. Create 'controller cluster rap pool' on MM if using MM/AOS8

    4. IAP-VPN compatibility changed in 8.4. You can't have an IAP on 8.4+ with a controller less than 8.4. And if you have a controller at 8.4+ and an IAP less than 8.4, you have to enable backwards compatibility on the controller. I'm not sure why the notes say 'controller clusters not supported'; I'm using them and they seem fine (so far?)

    To seamlessly process the register requests without causing service disruption, ensure that the Instant AP
    and managed device are both upgraded to the 8.4.0.0 software version respectively. However, it is highly
    important that you first upgrade the managed device to the 8.4.0.0 software version, enable backward
    compatibility on the managed device, and only then upgrade the Instant AP to the 8.4.0.0 software version.
    Also, you must not upgrade the Instant AP to the 8.4.0.0 software version first when the managed device,
    terminating on the IAP-VPN is running an older software version.
    
    IAP-VPN termination is not supported on ArubaOS Controller clusters.
    
    Instant APs running Instant 8.3.x.x or earlier versions can terminate IAP-VPN connections with controllers
    running ArubaOS 8.4.0.0 or later versions only if the backward compatibility feature is enabled on the
    controller.
    
    Instant APs running Instant 8.4.0.0 or later versions cannot terminate IAP-VPN connections with controllers
    running ArubaOS 8.3.x.x or earlier versions.
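
The best answer above lists the registration prerequisites, and the symptom in the original post is the telling one: an IPsec SA that is up while "show iap table" stays empty. The following Python script is an added example, not code from the thread or from Aruba. It parses the "show crypto ipsec sa" and "show iap table" output quoted above (embedded here as constructed sample strings) and flags any tunnel whose inner IP has no UP branch, which is the condition that points at the whitelist / trusted-branch / RAP-pool / version checklist rather than at the crypto configuration. The populated IAP table row and its column layout are assumptions derived from the column headers, since the thread shows no populated row; the `lab-iap` name, MAC, subnet and VLAN are made up.

```python
import re

# Sample output, constructed from the CLI captures quoted in the original post.
IPSEC_SA_OUTPUT = """\
IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP
------------ ------------ ---------------- ----- --------------- --------
10.76.147.163 10.76.147.131 5d0d8c00/f6761a00 UT2 Dec 21 10:22:28 172.18.0.1
"""

IAP_TABLE_EMPTY = """\
Trusted Branch Validation: Disabled
IAP Branch Table
----------------
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan
---- -------------- ------ -------- --------------- -------------

Total No of UP Branches : 0
Total No of DOWN Branches : 0
"""

# Constructed "healthy" table for comparison. The row layout is ASSUMED from the
# column headers; the thread shows no populated row, and these values are made up.
IAP_TABLE_REGISTERED = """\
Trusted Branch Validation: Disabled
IAP Branch Table
----------------
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan
---- -------------- ------ -------- --------------- -------------
lab-iap 00:11:22:33:44:55 UP 172.18.0.1 10.99.1.0/24 99

Total No of UP Branches : 1
Total No of DOWN Branches : 0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
STAMP = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"

# initiator  responder  spi(in/out)  flags  start-time  inner-ip
IPSEC_ROW = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)\s+(\S+)\s+({STAMP})\s+({IPV4})\s*$")
# name  vc-mac  status  inner-ip  assigned-subnet  assigned-vlan  (assumed layout)
IAP_ROW = re.compile(rf"^\s*(\S+)\s+({MAC})\s+(\S+)\s+({IPV4})\s+(\S+)\s+(\S+)\s*$")
TOTAL_ROW = re.compile(r"^\s*Total No of (UP|DOWN) Branches\s*:\s*(\d+)")


def parse_ipsec_sa(text):
    """Return one dict per active SA row of 'show crypto ipsec sa'."""
    keys = ("initiator", "responder", "spi", "flags", "start", "inner_ip")
    return [dict(zip(keys, m.groups())) for m in map(IPSEC_ROW.match, text.splitlines()) if m]


def parse_iap_table(text):
    """Return validation mode, registered branches and UP/DOWN totals from 'show iap table'."""
    table = {"trusted_branch_validation": None, "branches": [], "up": None, "down": None}
    keys = ("name", "mac", "status", "inner_ip", "subnet", "vlan")
    for line in text.splitlines():
        if line.startswith("Trusted Branch Validation:"):
            table["trusted_branch_validation"] = line.split(":", 1)[1].strip()
        elif (m := TOTAL_ROW.match(line)):
            table[m.group(1).lower()] = int(m.group(2))
        elif (m := IAP_ROW.match(line)):
            table["branches"].append(dict(zip(keys, m.groups())))
    return table


def diagnose(ipsec_sas, iap_table):
    """Flag every IPsec SA whose inner IP is not held by an UP branch.

    Tunnel up but branch table empty is exactly the symptom in the original
    post: IPsec succeeded, the IAP registration that follows it did not, so the
    fix lives in the whitelist / trusted-branch / RAP-pool / version checklist.
    """
    up_inner_ips = {b["inner_ip"] for b in iap_table["branches"] if b["status"].upper() == "UP"}
    findings = []
    for sa in ipsec_sas:
        if sa["inner_ip"] not in up_inner_ips:
            findings.append({
                "initiator": sa["initiator"],
                "inner_ip": sa["inner_ip"],
                "trusted_branch_validation": iap_table["trusted_branch_validation"],
                "hint": "IPsec SA up but no UP branch holds this inner IP: check the remote-ap "
                        "whitelist, trusted-branch db (or allow-all), the cluster RAP pool on "
                        "the MM, and 8.4+ version / backward compatibility",
            })
    return findings


if __name__ == "__main__":
    sas = parse_ipsec_sa(IPSEC_SA_OUTPUT)
    for label, table_text in (("empty table", IAP_TABLE_EMPTY), ("registered table", IAP_TABLE_REGISTERED)):
        table = parse_iap_table(table_text)
        print(f"{label}: UP={table['up']} DOWN={table['down']}")
        for f in diagnose(sas, table):
            print(f"  {f['initiator']} -> inner {f['inner_ip']}: {f['hint']}")
```

Run it against the two embedded tables and only the empty one produces a finding for 172.18.0.1. On a real controller the same two commands can be captured over SSH and fed to the parsers unchanged; the `trusted_branch_validation` field is carried into each finding so you can see at a glance whether the trusted-branch step (item 2 in the list above) is even in play.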


  • 4.  RE: IAP-VPN Issue

    EMPLOYEE
    Posted Dec 29, 2019 07:53 AM

    Thanks both.

    I upgraded the IAP version, and it seems to solve the issue.

    Thanks.