Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP VPN to Controller for Airwave

  • 1.  IAP VPN to Controller for Airwave

    Posted May 04, 2016 07:42 AM

    Hi,
    I have a new constellation where the IAP needs to connect to the internal Airwave. For the setup I have an IAP on the Internet, a VPN controller and an Airwave server which is reachable behind the VPN controller's inside connection.

    If I take a look at the IAP VPN guides or ASE, I only see a VPN for the clients on the IAP cloud, but not one just for Airwave. Does that mean that "you" always connect Airwave to the Internet and make it reachable directly?

    Or does anyone have a config example for my setup?

    Thanks in advance



  • 2.  RE: IAP VPN to Controller for Airwave
    Best Answer

    Posted May 04, 2016 10:28 PM

    There is a new model possible now, where the IAP first builds the tunnel with the controller and then puts a route for Airwave, so that Airwave is reachable via the tunnel.

    I am attaching a sample lab example for your purview.



  • 3.  RE: IAP VPN to Controller for Airwave

    Posted May 09, 2016 03:27 AM

    Hi,

    Thanks for the feedback! I will test this and come back here.

    Thanks in advance



  • 4.  RE: IAP VPN to Controller for Airwave

    Posted May 09, 2016 06:01 AM

    Hi,

    In my setup the AP gets the Airwave server and wants to connect to it:

    ac:a3:1e:xx:xx:xx# show log provision

    Mon May 9 09:54:34 2016 Airwave In progress Connecting to primary AMP server at 212.xxxxx...
    Mon May 9 09:54:44 2016 Airwave Debug Received auth pending status from primary AMP server 212.xxxxx, cmd is 'state-connected'
    Mon May 9 09:54:44 2016 Airwave Failed Could not establish TCP connection to AMP server at 212.xxxxx

     

    But the VPN config is empty, even if I set it in the Airwave provisioning rule :(

    ac:a3:1e:xx:xx:xx# show vpn config

    Concentrator
    ------------
    Type Value
    ---- -----
    VPN Primary Server
    VPN Backup Server

     

     

    But ap-debug shows that it was transferred:

    X-Type: provision-update^M X-Vpn-Server: 212.xx.xx.xx^M ^M ", AWC response: (null)

     

    Hmm.... Using an IAP-215 in my setup with 4.1.1.4 -> update will follow :)

    Thanks for the feedback



  • 5.  RE: IAP VPN to Controller for Airwave

    Posted May 09, 2016 12:54 PM

    Upgrade to the latest please, 4.2.3.1.



  • 6.  RE: IAP VPN to Controller for Airwave

    Posted May 10, 2016 04:38 AM

    Done! It works! IAP with Activate to internal Airwave with VPN tunnel. Thanks!!! Nice solution!

    What I need to find now is the role to which the IAPs belong on the controller. I've created a new role with a new pool for the IAPs. Currently they get the default VPN role and also an IP out of the "default" pool for the tunnel. I need to find the config for that to change the pool.

    Thanks!

    Edit: found it: "default-iap" L3 auth under VPN Authentication -> set to my new role. Done!

    But my new question: how does the controller authenticate the IAP? Using Aruba cert and MAC? The only security step here is the MAC of the IAP, which is not really "secure". So how can this be pushed a little bit higher?



  • 7.  RE: IAP VPN to Controller for Airwave

    MVP GURU
    Posted May 10, 2016 07:58 AM

     

    But my new question: how does the controller authenticate the IAP? Using Aruba cert and MAC? The only security step here is the MAC of the IAP, which is not really "secure". So how can this be pushed a little bit higher?


    Hi Dennis,

    Aruba uses certificates; each controller or access point has a certificate whose CommonName uses the MAC address.

    When you authorize a MAC address, you authorize the certificate with this MAC address.



  • 8.  RE: IAP VPN to Controller for Airwave

    Posted May 17, 2016 08:18 AM

    So my installation is partly working.

    Currently I get the IAP IP from a VPN pool of the controller. I see that the IP from the pool is changing every few minutes to a newer IP. In the meantime the devices become unreachable in Airwave. If I am on the console and pinging Airwave, the tunnel seems to stay up, so I can have them in Airwave. Maybe there is a mismatch in config or image between IAP and controller. Both are the new ones: ArubaOS (MODEL: 215), Version 6.4.4.4-4.2.3.1; the controller has 6.4.4.5.

    Thanks for suggestions on this.

    Here are some examples from the ap-debug log:

     

    May 17 12:09:13 awc[3450]: awc_init_connection: 2129: connecting to 212.x.x.x:443
    May 17 12:09:23 awc[3450]: tcp_connect: 132: select return: 0
    May 17 12:09:23 awc[3450]: tcp_connect: 150: failed to connect, close the fd
    May 17 12:10:24 awc[3450]: awc_connect to 212.x.x.x
    May 17 12:10:34 awc[3450]: tcp_connect: 132: select return: 0
    May 17 12:10:34 awc[3450]: tcp_connect: 150: failed to connect, close the fd
    May 17 12:10:34 awc[3450]: awc_connect: 2633: failed to connect to 212.x.x.x Error: Operation now in progress
    May 17 12:11:25 awc[3450]: awc_connect to 212.x.x.x
    May 17 12:11:35 awc[3450]: tcp_connect: 132: select return: 0
    May 17 12:11:35 awc[3450]: tcp_connect: 150: failed to connect, close the fd
    May 17 12:11:35 awc[3450]: awc_connect: 2633: failed to connect to 212.x.x.x Error: Operation now in progress

     

    And here some output from the VPN log:

    2016-05-17 12:14:20 cli_rap_reg_request(2921) sending reg-request to 10.x.x.x (internal IP of DMZ Controller: iap/register.....  retry-counter 1, not-trusted: amp-not-login

    This happens every 3 seconds, so I think that's why the IAP always gets a new pool IP address.

     

     

    hmmmm......



  • 9.  RE: IAP VPN to Controller for Airwave

    MVP GURU
    Posted May 17, 2016 08:23 AM

    Have you created a RAP pool on the controller?



  • 10.  RE: IAP VPN to Controller for Airwave

    Posted May 17, 2016 08:48 AM
    Do you have the AMP IAP whitelist enabled in AirWave?

    Make sure your IAP pool is a routable network in your infrastructure.

    Do you have the MAC address of the IAP in the RAP whitelist?

    Can you see the IAP on the controller ("show IAP table")?




  • 11.  RE: IAP VPN to Controller for Airwave

    Posted May 17, 2016 09:29 AM

    Hi,

     

    - I've created a routed VPN pool for the IAPs

    -> AMP is pingable from the IAP!

    Do you have the AMP IAP whitelist enabled in AirWave?

    -> I've enabled the OU group in AMP Setup -> Roles.


    Make sure your IAP pool is a routable network in your infrastructure.

    Can you see the IAP on the controller ("show IAP table")?

    Yes it is -> AMP pingable from AP on DSL.
    Do you have the MAC address of the IAP in the RAP whitelist?
    Of course, the tunnel is up.

     

     

    Here is some more output:

     

    ac:a3:1e:xx:xx:xx# sh vpn status


    profile name:default
    --------------------------------------------------
    current using tunnel :primary tunnel
    current tunnel using time :25 seconds
    ipsec is preempt status :disable
    ipsec is fast failover status :disable
    ipsec hold on period :600s
    ipsec tunnel monitor frequency (seconds/packet) :5
    ipsec tunnel monitor timeout by lost packet cnt :6

    ipsec primary tunnel crypto type :Cert
    ipsec primary tunnel peer address :212.x.x.x
    ipsec primary tunnel peer tunnel ip :10.x.x.x
    ipsec primary tunnel ap tunnel ip :10.x.x.251
    ipsec primary tunnel using interface :tun0
    ipsec primary tunnel using MTU :1230
    ipsec primary tunnel current sm status :Up
    ipsec primary tunnel tunnel status :Up
    ipsec primary tunnel tunnel retry times :2
    ipsec primary tunnel tunnel uptime :25 seconds

    ipsec backup tunnel crypto type :Cert
    ipsec backup tunnel peer address :N/A
    ipsec backup tunnel peer tunnel ip :N/A
    ipsec backup tunnel ap tunnel ip :N/A
    ipsec backup tunnel using interface :N/A
    ipsec backup tunnel using MTU :N/A
    ipsec backup tunnel current sm status :Init
    ipsec backup tunnel tunnel status :Down
    ipsec backup tunnel tunnel retry times :0
    ipsec backup tunnel tunnel uptime :0



    Shortly later:

     

    ipsec primary tunnel peer address :212.x.x.x
    ipsec primary tunnel peer tunnel ip :0.0.0.0
    ipsec primary tunnel ap tunnel ip :0.0.0.0

    ipsec primary tunnel current sm status :Retrying

     

     

    Shortly later:

     

    ipsec primary tunnel crypto type :Cert
    ipsec primary tunnel peer address :212.x.x.x
    ipsec primary tunnel peer tunnel ip :10.x.x.x
    ipsec primary tunnel ap tunnel ip :10.x.x.253
    ipsec primary tunnel using interface :tun0

     

    Shortly later:

    ipsec primary tunnel peer address :212.x.x.x
    ipsec primary tunnel peer tunnel ip :0.0.0.0
    ipsec primary tunnel ap tunnel ip :0.0.0.0

    ipsec primary tunnel current sm status :Retrying

     

    ipsec primary tunnel crypto type :Cert
    ipsec primary tunnel peer address :212.x.x.x
    ipsec primary tunnel peer tunnel ip :10.x.x.x
    ipsec primary tunnel ap tunnel ip :10.x.x.254
    ipsec primary tunnel using interface :tun0

     

    If I am pinging the AMP, the VPN stays online.

    ipsec     primary tunnel tunnel uptime          :1 minute 21 seconds

    In idle time it will continue to reset the tunnel.



  • 12.  RE: IAP VPN to Controller for Airwave

    Posted May 17, 2016 11:49 PM

    What is the AMP IP and what is the routing-profile configured?

     

    Get the running config; if a domain name is used for AMP which can resolve to a private IP when the tunnel is UP and a public IP when the tunnel is down, this kind of thing can occur.

    I don't think it is a tunnel flap. After the tunnel is UP, the IAP will periodically try to sync the config, and if AMP is not reachable (when the tunnel became UP), the IAP will revert the config. This causes the config to be lost, and again when it fetches the config from AMP the tunnel comes UP and later it is not able to reach AMP after the tunnel is UP…

    Check "show ap debug airwave-config-received"

    So overall it looks like a problem where AMP is not reachable when the tunnel is UP and so the config reverts. This repeats. Check "show datapath session" before/after the tunnel flap.
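The awc log in reply 8 and the repeated `sh vpn status` snapshots in reply 11 carry exactly the two signals the last reply says to look for: the primary tunnel cycling Up -> Retrying -> Up with a fresh pool address each time, and the AirWave client failing to reach AMP while the tunnel is up. The Python script below is an added example, not code from the thread or from Aruba; it parses text in the shape of those two outputs (the `ipsec primary tunnel ... :value` lines and the `awc_connect: NNNN: failed to connect to <ip>` lines as quoted above) and reports rebuild counts, AP tunnel IP changes and AMP connect failures. All addresses, timestamps and the sample snapshots are constructed placeholders, and the field names are assumed to match the quoted CLI output.

```python
import re
from collections import Counter

# Constructed `show vpn status` excerpts taken a few seconds apart, modelled on the
# Up -> Retrying -> Up sequence in the thread. Addresses are placeholders, not the
# thread's values; lines the parser does not need are left out.
SNAPSHOTS = [
    """ipsec primary tunnel crypto type :Cert
ipsec primary tunnel peer address :203.0.113.10
ipsec primary tunnel peer tunnel ip :10.20.0.1
ipsec primary tunnel ap tunnel ip :10.20.0.251
ipsec primary tunnel current sm status :Up
ipsec primary tunnel tunnel uptime :25 seconds""",
    """ipsec primary tunnel peer tunnel ip :0.0.0.0
ipsec primary tunnel ap tunnel ip :0.0.0.0
ipsec primary tunnel current sm status :Retrying""",
    """ipsec primary tunnel ap tunnel ip :10.20.0.253
ipsec primary tunnel current sm status :Up""",
    """ipsec primary tunnel ap tunnel ip :0.0.0.0
ipsec primary tunnel current sm status :Retrying""",
    """ipsec primary tunnel ap tunnel ip :10.20.0.254
ipsec primary tunnel current sm status :Up""",
]

# Constructed awc (AirWave client) lines in the shape of the ap-debug output above.
AWC_LOG = """\
May 17 12:09:13 awc[3450]: awc_init_connection: 2129: connecting to 203.0.113.10:443
May 17 12:09:23 awc[3450]: tcp_connect: 132: select return: 0
May 17 12:09:23 awc[3450]: tcp_connect: 150: failed to connect, close the fd
May 17 12:10:34 awc[3450]: awc_connect: 2633: failed to connect to 203.0.113.10 Error: Operation now in progress
May 17 12:11:35 awc[3450]: awc_connect: 2633: failed to connect to 203.0.113.10 Error: Operation now in progress
""".splitlines()

# "ipsec primary tunnel <key> :<value>", where the key itself contains spaces.
FIELD_RE = re.compile(r"^ipsec primary tunnel (?P<key>.+?)\s*:\s*(?P<val>.*)$")
# "awc_connect: <line>: failed to connect to <ip> ..."
FAIL_RE = re.compile(r"awc_connect: \d+: failed to connect to (?P<ip>[0-9.]+)")


def parse_primary_tunnel(snapshot):
    """Return the primary-tunnel fields of one snapshot as {key: value}."""
    fields = {}
    for line in snapshot.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def detect_flaps(snapshots):
    """Count tunnel rebuilds and pool-address changes across ordered snapshots.

    A rebuild is the state machine returning to Up after a non-Up status; an
    address change is a rebuild that hands the AP a different tunnel IP from the
    one it held before the drop (the thread's symptom: a new pool lease on every
    rebuild, so Airwave loses the device until the next sync).
    """
    rebuilds, changes = 0, []
    last_up_ip, prev_status = None, None
    for snap in snapshots:
        fields = parse_primary_tunnel(snap)
        status = fields.get("current sm status")
        ap_ip = fields.get("ap tunnel ip")
        if status == "Up":
            if prev_status is not None and prev_status != "Up":
                rebuilds += 1
                if last_up_ip is not None and ap_ip != last_up_ip:
                    changes.append((last_up_ip, ap_ip))
            last_up_ip = ap_ip
        prev_status = status
    return {"rebuilds": rebuilds, "address_changes": changes}


def amp_connect_failures(log_lines):
    """Count 'failed to connect to <ip>' awc events per AMP address."""
    failures = Counter()
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return failures


def diagnose(snapshots, log_lines):
    """Combine both signals into findings; the last one is the pattern from reply 12."""
    findings = []
    flaps = detect_flaps(snapshots)
    failures = amp_connect_failures(log_lines)
    if flaps["rebuilds"]:
        findings.append("primary tunnel rebuilt %d time(s); AP tunnel IP changed %d time(s)"
                        % (flaps["rebuilds"], len(flaps["address_changes"])))
    for ip, n in failures.items():
        findings.append("%d AMP connect failure(s) to %s" % (n, ip))
    if flaps["rebuilds"] and failures:
        findings.append("pattern matches 'AMP unreachable once the tunnel is up': check the "
                        "routing profile for the AMP address and what the AMP name resolves to")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SNAPSHOTS, AWC_LOG):
        print(finding)
```

Feed it real `show vpn status` captures taken a minute apart (the `sh vpn status` command from reply 11) and the awc lines from `show ap debug`; if the rebuild count climbs while `tunnel uptime` never exceeds the sync interval and AMP connect failures accumulate, the config-revert loop described in the last reply is the first thing to rule out, before suspecting IPsec itself.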