Controllerless Networks


IAP VPN to controller but no DHCP

  • 1.  IAP VPN to controller but no DHCP

    Posted Apr 07, 2017 07:59 AM
    Greetings,

    I already established an IAP VPN to the controller. However, users can't get an IP from the DHCP server. I'm trying to use Centralized L2 mode, but users still can't get a proper IP.

    Any suggestions? TIA



  • 2.  RE: IAP VPN to controller but no DHCP

    Posted Apr 07, 2017 01:37 PM

    0. Good that you have got the tunnel up. I hope you have verified it with show vpn tunnels on the IAP and show iap table long on the controller.

    1. The best and easiest way: plug a client into VLAN X (say the CL2 VLAN is X) on the switch connected to the controller and see if it gets an IP.

    2. Trunk VLAN X to the controller.

    3. Create VLAN X on the controller.

    If you have verified the above, then please share your IAP show tech and controller show run, and we will dig deeper from there.



  • 3.  RE: IAP VPN to controller but no DHCP

    Posted Apr 07, 2017 01:43 PM
    Are there any design restrictions that prevent you from using L3 DHCP at the IAP instead of Central L2, which sends all the broadcast traffic back to the HQ?

    Aruba recommends using the L3 option




  • 5.  RE: IAP VPN to controller but no DHCP

    Posted Apr 11, 2017 09:29 AM

    Hi,

    Is the issue seen while connecting to the master IAP or a slave IAP?

    In a multi-IAP environment, make sure the client VLAN is allowed on the IAP's uplink, as client traffic from a slave IAP to the master is tagged with the client VLAN.

    Basically, your IAPs need to be on trunk ports which allow the VLAN configured in the L2 centralized scope.

    Moreover, please make sure the VLAN is created on the controller as well.

    The DHCP server can be on the controller or any device upstream. We just need to ensure the DHCP packet from the client can reach the DHCP server.



  • 6.  RE: IAP VPN to controller but no DHCP

    Posted Jan 31, 2019 03:27 AM

    Greetings,

    Could you please share how you solved your issue?

    I have a similar issue: IAP-VPN Centralized L2, tunnel is UP between the Master IAP and the HW Controller.

    Clients connected on the Master IAP get an IP: it works for them.

    Clients connected on the other IAPs don't.

    Switchports are in trunk mode with the client VLAN tagged. The VLAN is L2 active on the remote site switches.

    It has worked fine... but it does not work anymore, without any configuration change.



  • 7.  RE: IAP VPN to controller but no DHCP

    Posted Oct 13, 2019 02:41 PM

    FYI, I hit the same snag recently. After 1-2 hours of checking everything under the sun...

    The tunnel built fine. show crypto ipsec sa looked great. show iap table long... nothing.

    MC: 8.3.0.6

    IAP: 8.5.x.x

    Yeah... make sure they're on the same code. Win.



  • 8.  RE: IAP VPN to controller but no DHCP

    Posted Oct 18, 2019 06:38 PM

    I hit this same issue with 8.x as well. Aruba broke IAP VPN backwards compatibility in 8.4. So from MD 8.3 you can't use IAP VPN with the IAP at 8.4+. With MD 8.4+ and IAP at 8.3 you have to enable "iapvpn-backward-compatible". But this only works if the MD is the higher code version, not the other way around. 

     

    "To seamlessly process the register requests without causing service disruption, ensure that the Instant AP and managed device are both upgraded to the 8.4.0.0 software version respectively. However, it is highly important that you first upgrade the managed device to the 8.4.0.0 software version, enable backward compatibility on the managed device using the CLI, and only then upgrade the Instant AP to the 8.4.0.0 software version.

    Also, you must not upgrade the Instant AP to the 8.4.0.0 software version first when the managed device, terminating on the IAP-VPN is running an older software version."

     

    https://www.arubanetworks.com/techdocs/ArubaOS_84_Web_Help/content/arubaframestyles/iap%20vpn%20support/backward_compatibility.htm
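
The version rule described in the post above, written as a pre-upgrade check over a site inventory. This is an added example, not part of the original thread and not Aruba code; the function names, status strings and inventory are hypothetical, and treating pairs on the same side of 8.4 as unaffected is an assumption.

```python
import re

# Release at which, per the post above, IAP VPN registration changed.
BREAK = (8, 4)

def major_minor(version):
    """Read (major, minor) from strings such as '8.3.0.6' or '8.5.x.x'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.|\s*$)", version)
    if not m:
        raise ValueError(f"cannot read major.minor from {version!r}")
    return int(m.group(1)), int(m.group(2))

def iap_vpn_status(md_version, iap_version, backward_compatible=False):
    """Classify one managed-device / Instant AP pairing.

    backward_compatible: whether the backward-compatibility option named
    in the post is enabled on the managed device.
    """
    md_new = major_minor(md_version) >= BREAK
    iap_new = major_minor(iap_version) >= BREAK
    if md_new == iap_new:
        # Assumption: pairs on the same side of 8.4 are not hit by this rule.
        return "ok"
    if iap_new:
        # Managed device below 8.4 with an IAP at 8.4+: no option fixes this.
        return "unsupported: upgrade managed device first"
    return "ok" if backward_compatible else "enable backward compatibility on managed device"

def audit(inventory):
    """Return (site, status) for every pairing that is not 'ok'."""
    findings = []
    for site, md, iap, flag in inventory:
        status = iap_vpn_status(md, iap, flag)
        if status != "ok":
            findings.append((site, status))
    return findings

# Constructed inventory: (site, MD version, IAP version, backward-compat enabled)
SAMPLE = [
    ("branch-a", "8.3.0.6", "8.5.x.x", False),  # the mismatch reported in post 7
    ("branch-b", "8.4.0.0", "8.3.0.6", False),
    ("branch-c", "8.4.0.0", "8.3.0.6", True),
    ("branch-d", "8.3.0.6", "8.3.0.6", False),
]

if __name__ == "__main__":
    for site, status in audit(SAMPLE):
        print(f"{site}: {status}")
```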