Controllerless Networks


RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

  • 1.  RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

    Posted Aug 05, 2015 10:23 AM

    Hi,

    Got a setup with a RAP-155P (v 6.4.2.6) which has a VPN to a cluster of 7010 controllers (v 6.4.2.10). Everything works fine, but I have an issue with the DHCP distributed L3:

     

    When a client connects to the SSID linked to the VLAN (2) with the distributed L3 dhcp, I see the dhcp discover packet coming out of the aruba controller in the datacenter firewall logs (there is a firewall at the datacenter where the aruba controllers and dhcp server are located), and I see a response coming from the dhcp server towards the aruba controllers.

     

    I've set up logging on the IAP as well, and the log shows that the initial dhcp packet is indeed being sent, but there is no returning traffic.

     

    I can reach the DHCP server pinging from the IAP and vice versa, so the path is OK.

    When I put a static IP on the wifi client, everything is working, I can reach the servers in the datacenter.

     

    Any ideas on how to troubleshoot this?

    My suspicion is that the returning traffic is being dropped by the aruba controller at the datacenter, as I don't see anything in the IAP logs. The datacenter is remote, so going on-site for a packet capture is an absolute last resort.

     

    Any help is appreciated!

     

    Regards,

    Dante

     



  • 2.  RE: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

    Posted Aug 05, 2015 10:31 AM

    Distributed L3 mode:

    Contains broadcast and multicast traffic to a branch
    The DHCP server for clients is the Master AP
    Even when the WAN is down, a client can renew its DHCP lease and new clients can receive an IP address
    The Master AP is also the default gateway for clients
    The traffic to the datacenter is routed through the IPsec tunnel to the controller
    The traffic to internet/local destinations is Src-NATed with the local IP of the master AP
    Configuring a routable VPN address pool is also essential for RFC 3576 and for 802.1X if the RADIUS traffic is not Src-NATed at the controller


  • 3.  RE: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

    Posted Aug 05, 2015 10:34 AM

    Of course I made a mistake in the subject of this thread:

    I meant centralized L3, not distributed L3 DHCP...

     

    So my question is still valid I suppose?

     

    I'll open a new thread, otherwise this will get confusing



  • 4.  RE: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

    Posted Aug 05, 2015 10:53 AM
    Is the IAP pool routable in your network?


  • 5.  RE: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

    Posted Aug 05, 2015 10:59 AM

    Yes, it's routable.

     

    When I configure a Local L3, the traffic gets natted behind the vpn pool IP, and everything works.

    With the centralized L3, the traffic is not natted behind the vpn pool IP, but instead the configured IP on the IAP is used and is routed over the VPN. This is confirmed by what I see in the datacenter firewall logs: the DHCP request comes from the relay IP of the IAP and the returning packet is also being sent to that relay IP (the route on the firewall is pointing towards the VRRP IP of the aruba controller which terminates the RAP-NG VPN, so that's fine).

     

    As I said, when I set a fixed IP on the client, everything works. It's just the DHCP return traffic that isn't working...
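    The exchange described in this post depends on two relay fields: the DISCOVER leaving the IAP must carry the IAP's configured IP in giaddr, and the OFFER the server returns must echo that giaddr (and the same xid) so it can be routed back over the VPN. The following is an added example, not code from this thread or from Aruba: a small standalone DHCP payload parser plus a consistency check that can be run over a DISCOVER/OFFER pair exported from a capture taken at the datacenter firewall. The relay IP, client MAC and xid below are constructed sample values.

```python
import struct
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def parse_dhcp(data):
    """Return BOOTP header fields and option 53 (message type) from a raw DHCP payload."""
    op, _htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    if data[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i, msg_type = data[240:], 0, None
    while i < len(opts) and opts[i] != 255:   # 255 = end, 0 = pad, else code/len/value
        if opts[i] == 0:
            i += 1
            continue
        if opts[i] == 53:
            msg_type = MSG_TYPES.get(opts[i + 2], opts[i + 2])
        i += 2 + opts[i + 1]
    ip = lambda raw: ".".join(str(b) for b in raw)
    return {"op": op, "hops": hops, "xid": xid, "type": msg_type, "chaddr": data[28:28 + hlen].hex(":"),
            "yiaddr": ip(data[16:20]), "giaddr": ip(data[24:28])}

def build_dhcp(op, xid, msg_type, chaddr, giaddr="0.0.0.0", yiaddr="0.0.0.0", hops=0):
    """Build a minimal DHCP payload; used here only to construct sample input."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, 0, 0)
    hdr += ip("0.0.0.0") + ip(yiaddr) + ip("0.0.0.0") + ip(giaddr)                 # ciaddr yiaddr siaddr giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0") + b"\0" * 192  # chaddr, sname, file
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

def check_relay_exchange(discover, offer, relay_ip):
    """List inconsistencies between a relayed DISCOVER and its OFFER; an empty list means the pair is sane."""
    d, o = parse_dhcp(discover), parse_dhcp(offer)
    problems = []
    if d["op"] != BOOTREQUEST or d["type"] != "DISCOVER":
        problems.append("first packet is not a DISCOVER")
    if d["giaddr"] != relay_ip:
        problems.append(f"DISCOVER giaddr {d['giaddr']} is not the relay IP {relay_ip}")
    if o["op"] != BOOTREPLY or o["type"] != "OFFER":
        problems.append("second packet is not an OFFER")
    if o["xid"] != d["xid"]:
        problems.append("xid mismatch between DISCOVER and OFFER")
    if o["giaddr"] != d["giaddr"]:   # RFC 2131: the server echoes giaddr and unicasts the reply to it
        problems.append(f"OFFER giaddr {o['giaddr']} differs from DISCOVER giaddr {d['giaddr']}")
    return problems

# Constructed sample pair; 172.25.254.1 is a made-up relay address inside the thread's 172.25.254.0/24 branch subnet.
RELAY_IP = "172.25.254.1"
SAMPLE_DISCOVER = build_dhcp(BOOTREQUEST, 0x1234ABCD, 1, "aa:bb:cc:dd:ee:01", giaddr=RELAY_IP, hops=1)
SAMPLE_OFFER = build_dhcp(BOOTREPLY, 0x1234ABCD, 2, "aa:bb:cc:dd:ee:01", giaddr=RELAY_IP, yiaddr="172.25.254.50")
```

If the OFFER seen at the firewall passes this check but never shows up in the IAP log, the drop is between the firewall and the IAP (the controller or the tunnel), which matches the suspicion stated earlier in the thread.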



  • 6.  RE: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

    Posted Aug 05, 2015 11:01 AM
    Can you ping the IAP from the DHCP server?


  • 7.  RE: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

    Posted Aug 05, 2015 11:07 AM

    Yes, that works (actually already said that in my initial post). The other way around also. I can reach the IAP gui from the server as well.



  • 8.  RE: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

    Posted Aug 05, 2015 11:42 AM

    Maybe it's irrelevant, but I noticed that the branch table contains the same IAP twice, only with a different name (the IAP was added twice to the white list):


    Trusted Branch Validation: Disabled
    IAP Branch Table
    ----------------
    Name              VC MAC Address     Status  Inner IP      Assigned Subnet   Assigned Vlan
    ----              --------------     ------  --------      ---------------   -------------
    shop-genval-temp  00:0b:86:9e:c6:9f  UP      172.25.0.254  172.25.254.0/24
    Instant-9E:C6:9F  00:0b:86:9e:c6:9f  DOWN    0.0.0.0

    Total No of UP Branches   : 1
    Total No of DOWN Branches : 1
    Total No of Branches      : 2

    Maybe this is an issue?

    Any idea how I clear/delete/purge the old entry?

     

    Regards,

    Dante



  • 9.  RE: RAP-NG VPN DHCP distributed L3: returning dhcp offer does not reach IAP

    Posted Aug 06, 2015 04:06 AM

    Never mind the latest update, deleted those entries, now there is only one, but the issue remains.

     

    Just saw I'm updating the wrong post.

     

    Here's the right description of the issue:

     

    http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/RAP-NG-VPN-DHCP-centralized-L3-returning-dhcp-offer-does-not/m-p/244080