Controllerless Networks

Managing IAP-VPN AP's from Airwave

I want to start deploying IAP-VPN configured Instant APs to some of our home users.


I have been testing this in our lab and have the IAP configured to connect to our Airwave server, where the config is pushed down to it via Instant GUI config.


This all works pretty well.


The issue is that when the IAP is sent to the home user, the IAP's IP address is now different and Airwave is no longer able to contact it and classes it as down.


I am able to connect to the IAP remotely by https to the inner IP of the VPN tunnel, but I need to be able to get to it from Airwave so that if we need to push out a change across multiple IAPs it can be done one time only without the need to log in to each IAP.


I would appreciate some help in working this out.




Re: Managing IAP-VPN AP's from Airwave

I'll have someone run through this in the lab and then update.

Re: Managing IAP-VPN AP's from Airwave

Can the IAP ping Airwave? Can we get the IAP's running config?

Re: Managing IAP-VPN AP's from Airwave

We are trying to reproduce the issue and will update then.

Re: Managing IAP-VPN AP's from Airwave

Here's my IAP config


18:64:72:c5:49:c4# sh run
virtual-controller-country GB
virtual-controller-key 573d3cc301f2d17e5f2d3dcf51a7231da78b0f63e2c5b53c6b
name e17447
organization EMEA-IAP
clock timezone none 00 00
rf-band all
ams-key b6ce5a0e3999a796d6a5bf45a9a13270
ams-identity 844460756981198a0fa95e406bd32caf

allowed-ap 18:64:72:c5:49:c4

 route  <controller public IP>

snmp-server community a71f5328091c090d28b41ed6c6767d5a296fb87cc5850d5d
snmp-server community 0b0a9cf540c2c0833a4dc955c588adb92a78c2f61779b4c0

 wide-bands 5ghz
 min-tx-power 127
 max-tx-power 127
 band-steering-mode disable
 air-time-fairness-mode default-access

rf dot11g-radio-profile
 interference-immunity 3

rf dot11a-radio-profile
 interference-immunity 3


syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless


vpn primary <controller public ip>
vpn monitor-pkt-send-freq 10

mgmt-user mgmtuser

wlan access-rule default_wired_port_profile
 index 1
 rule any any match any any any permit

wlan access-rule wired-instant
 index 2
 rule match tcp 80 80 permit
 rule match tcp 4343 4343 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit

wlan access-rule testing
 index 3
 rule any any match any any any permit

wlan ssid-profile testing
 index 1
 type employee
 essid testing
 opmode wpa2-aes
 max-authentication-failures 0
 vlan 100
 auth-server radius1
 auth-server radius2
 rf-band all
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter none
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

auth-survivability cache-time-out 24

mgmt-auth-server mgmt-server1
mgmt-auth-server mgmt-server2


wlan auth-server mgmt-server1
 port 1812
 acctport 1813
 key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

wlan auth-server mgmt-server2
 port 1812
 acctport 1813
 key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

wlan auth-server radius1
 port 1812
 acctport 1813
 key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

wlan auth-server radius2
 port 1812
 acctport 1813
 key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

wlan external-captive-portal
 server localhost
 port 80
 url "/"
 auth-text "Authenticated"

blacklist-time 3600
auth-failure-blacklist-time 3600

 wireless-containment none

ip dhcp cl2
 server-type Centralized,L2
 server-vlan 100


wired-port-profile wired-instant
 switchport-mode access
 allowed-vlan all
 native-vlan guest
 no shutdown
 access-rule-name wired-instant
 speed auto
 duplex auto
 no poe
 type guest
 captive-portal disable
 no dot1x

wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 captive-portal disable
 no dot1x

enet0-port-profile default_wired_port_profile
enet1-port-profile default_wired_port_profile
enet2-port-profile default_wired_port_profile

 enforce none
 failover-internet-pkt-lost-cnt 10
 failover-internet-pkt-send-freq 30
 failover-vpn-timeout 180


airgroupservice airplay
 description AirPlay

airgroupservice airprint
 description AirPrint

Re: Managing IAP-VPN AP's from Airwave

After checking the IAP running-config, the IAP team thinks this scenario should work.

We suggest upgrading the IAP to the latest build and getting tech-support if it still does not work.

