Controllerless Networks


how can i get the IPsec preshared key of the master controller

  • 1.  how can i get the IPsec preshared key of the master controller

    Posted Jan 15, 2019 03:28 AM

    Hi all,

    I'm new to the Aruba world. We have a master controller (192.168.1.148) that's running fine, and I need to set up a local controller (192.168.1.149) and configure redundancy. The problem is that I don't know the IPsec preshared key that is configured on the master controller. I tried to use `encrypt disable` but I didn't know where to look in the running config:

    I have the below config on the master:

    Crypto Map "default-psk-redundant-master-ipsecmap" 9999 ipsec-isakmp

    Crypto Map Template"default-psk-redundant-master-ipsecmap" 9999
                     IKE Version: 1
                     IKEv1 Policy: All
                     Security association lifetime seconds : [300 -86400]
                     Security association lifetime kilobytes: N/A
                     PFS (Y/N): N
                     Transform sets={ default-ml-transform }
                     Peer gateway: 192.168.1.149
                     Interface: VLAN 0
                     Source network: 192.168.1.148/255.255.255.255
                     Destination network: 192.168.1.149/255.255.255.255
                     Pre-Connect (Y/N): Y
                     Tunnel Trusted (Y/N): Y
                     Forced NAT-T (Y/N): N
                     Uplink Failover (Y/N): N
                     Force-Tunnel-Mode (Y/N): N
                     IP Compression (Y/N): N

    How can I get the preshared key from the master? If I need to use `encrypt enable`, which part of the config do I need to look at? Thank you in advance.



  • 2.  RE: how can i get the IPsec preshared key of the master controller

    MVP EXPERT
    Posted Jan 15, 2019 03:43 AM

    You are correct on the 'encrypt disable' to see the key; however, you will need to look for the 'localip' command to find the key. Just a note, the Master-Local relationship can also be configured using the MACs of each device as well.

     

    https://www.arubanetworks.com/techdocs/ArubaOS_61/ArubaOS_61_CLI/localip.htm



  • 3.  RE: how can i get the IPsec preshared key of the master controller

    Posted Jan 15, 2019 03:59 AM

    hi,

    Thank you for your answer; however, when I do `encrypt disable` then `show localip` I get nothing:

    (WW-CTRLR-BCKUP) #encrypt disable
    (WW-CTRLR-BCKUP) #show localip


    Local Switches configured by Local Switch IP
    ---------------------------------------------
    Switch IP address of the Local Key
    ------------------------------ ---

     



  • 4.  RE: how can i get the IPsec preshared key of the master controller

    MVP EXPERT
    Posted Jan 15, 2019 04:05 AM
    If you have no locals configured already, just create a new shared key and
    use that :)


  • 5.  RE: how can i get the IPsec preshared key of the master controller

    Posted Jan 15, 2019 04:31 AM

    Hi zalion0,

    Thank you for your answer, but there is already a site-to-site VPN configured between the controllers, so there must be a preshared key configured, isn't there? My question is how to get that key instead of creating a new one, if that is possible.



  • 6.  RE: how can i get the IPsec preshared key of the master controller

    Posted Jan 15, 2019 04:43 AM

    Hi Zalion0,

    Just to add one more thing: once I check the site-to-site VPN configuration between the two controllers, I can see the below:

    (WW-CTRLR-BCKUP) #show crypto-local ipsec-map

    Crypto Map Template"default-psk-redundant-master-ipsecmap" 9999
    IKE Version: 1
    IKEv1 Policy: All
    Security association lifetime seconds : [300 -86400]
    Security association lifetime kilobytes: N/A
    PFS (Y/N): N
    Transform sets={ default-ml-transform }
    Peer gateway: 192.168.1.149
    Interface: VLAN 0
    Source network: 192.168.1.148/255.255.255.255
    Destination network: 192.168.1.149/255.255.255.255
    Pre-Connect (Y/N): Y
    Tunnel Trusted (Y/N): Y
    Forced NAT-T (Y/N): N
    Uplink Failover (Y/N): N
    Force-Tunnel-Mode (Y/N): N
    IP Compression (Y/N): N

     

    However, when I try to display the preshared key for that VPN, I get nothing:

    (WW-CTRLR-BCKUP) #show crypto-local isakmp key


    ISAKMP Local Pre-Shared keys configured for ANY FQDN
    -----------------------------------------------------
    Key Representation
    --- --------------

    ISAKMP Local Pre-Shared keys configured by FQDN
    ------------------------------------------------
    FQDN of the host Key Representation
    ---------------- --- --------------

    ISAKMP Local Pre-Shared keys configured by Address
    ---------------------------------------------------
    IP address of the host Subnet Mask Length Key Representation
    ---------------------- ------------------ --- --------------

    ISAKMP Global Pre-Shared keys configured by Address
    ----------------------------------------------------
    IP address of the host Subnet Mask Length Key Representation
    ---------------------- ------------------ --- --------------

     

    So I'm really not sure what to do now. Will configuring a new preshared key using the localip command overwrite the preshared key configured between the two controllers and solve the connectivity issue? Thank you in advance for your answer.

     



  • 7.  RE: how can i get the IPsec preshared key of the master controller

    MVP EXPERT
    Posted Jan 15, 2019 04:46 AM

    These might not be using a PSK for the Master-Local IPSEC, you can use a MAC (based on cert as well). So it would be worth checking this too. This command is run from the master.

     

    (Aruba620) #show running-config | include local-factory-cert
    Building Configuration...
    local-factory-cert local-mac "xx:xx:xx:xx:xx:xx"
    local-factory-cert local-mac "xx:xx:xx:xx:xx:xx"

    To confirm you have Locals attached, you can also run the following:

     

    #show switches

    Just a note, looking at your Crypto Map, this is showing as Master Redundancy (e.g. Master/Master Backup) as opposed to Master-Local:

     

    Crypto Map Template"default-local-master-ipsecmap-xx:xx:xx:xx:xx:xx" 9999

    Again, this is only based on snippets of config.



  • 8.  RE: how can i get the IPsec preshared key of the master controller

    Posted Jan 15, 2019 04:53 AM

    Hi Zalion0,

    Thank you for your answer, but they are using an IPsec key for authentication, because that's checked in the web GUI of the master controller.

    But I executed the commands you provided and there was no certificate in use:
    (WW-CTRLR-BCKUP) (config) #show running-config | include local-factory-cert
    Building Configuration...
    (WW-CTRLR-BCKUP) (config) #show switches

    All Switches
    ------------
    IP Address Name Location Type Model Version Status Configuration State Config Sync Time (sec) Config ID
    ---------- ---- -------- ---- ----- ------- ------ ------------------- ---------------------- ---------
    192.168.1.148 WW-CTRLR-BCKUP Building1.floor1 master OAW-4450 6.5.4.9_67129 up UPDATE SUCCESSFUL 0 2

    Total Switches:1
     
    What do you suggest? Do I configure a new local preshared key using the localip command, or is there something else we can do? Thank you in advance.


  • 9.  RE: how can i get the IPsec preshared key of the master controller

    MVP EXPERT
    Posted Jan 15, 2019 04:59 AM

    Based on the show switches output you provided, there are no locals connected.


    This will provide you further information.

     

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/Explanation-about-quot-show-switches-summary-quot-command-and-it/ta-p/215239

     

    On the other controller, if you run show switches do you see the same output?

     

    If you cannot remember the key, then you will need to change it and also change it on any local controllers.

     

    You can run the below command on each of the controllers to identify if it is a Master, Master Standby or a Local

     

    #show roleinfo


  • 10.  RE: how can i get the IPsec preshared key of the master controller

    Posted Jan 15, 2019 05:11 AM

    There is no connectivity right now between the two controllers because I keep entering the wrong key:
    Jan 14 12:42:31 fpcli: USER:admin@192.168.18.173 COMMAND:<master-redundancy peer-ip-address 192.168.1.148 ipsec "west1234" > -- command execution failed
    Jan 14 12:43:30 fpcli: USER:admin@192.168.18.173 COMMAND:<master-redundancy peer-ip-address 192.168.1.148 ipsec "west1234" > -- command execution failed

     

    That's why I asked the question in the first place, so I can achieve connectivity between the controllers. Now even the ping fails because of the wrong preshared key, so of course there won't be any local controllers in the show switch output.

    thank you 

     

     



  • 11.  RE: how can i get the IPsec preshared key of the master controller

    MVP EXPERT
    Posted Jan 15, 2019 05:31 AM

    The command in the last post shows you trying to set up/change the Master Redundancy PSK, not the Local PSK used for local controllers. These are two different things. 

     

    You can have a PSK for Master Redundancy and you can have another PSK for Master Local operations.

     

    The command is failing because of another reason (no VRRP for example or device isn't a Master) not because the PSK is wrong.

     

    Have you followed the guides to set up Master-Master Backup and also Master-Local? You might find it easier to simply overwrite the existing keys with new keys based on what you are trying to achieve. 

     

    Do you want to provide the previously suggested commands from each controller?

     

    #show roleinfo
    #show vrrp


  • 12.  RE: how can i get the IPsec preshared key of the master controller

    Posted Jan 15, 2019 05:45 AM

    Hi Zalion,

    My mistake, I didn't explain the situation well, or maybe I'm confused between master/local redundancy and VRRP redundancy.

    Here is the situation anyway: we have a running master controller (which also has a VRRP configuration on it).

    I have a second controller which is in the factory default state, so I need to configure it and then set up redundancy.

    I'm still on the basic setup and still haven't configured VRRP on the local controller. When I set the second controller as local, I enter the master IP (as master IP address), but for authentication I need to enter the IPsec key so it can connect to the master.

    I don't have that key and that's what I need to know.

    Or let me ask the question differently: when I do the basic config, when I need to enter the master IP address and then the IPsec key, which key do I need to use? Is it the VRRP authentication key? Is it the site-to-site VPN preshared key?

    Thank you 



  • 13.  RE: how can i get the IPsec preshared key of the master controller
    Best Answer

    MVP EXPERT
    Posted Jan 15, 2019 06:24 AM

    If you have no Local controllers already configured, there will be no Master-Local PSK set so this is why you cannot find one :)

     

    To set up a Master-Local for example: 

     

     

    On the Master:

    (host) (config) #localip 0.0.0.0 ipsec gw1234567

    On the Local:

    (host) (config) #masterip 10.1.1.250 ipsec gw1234567

    Might be worth reading the VRD for WLAN Redundancy as this explains it far better than me. In short, these are different.

     

     

    An IPSEC tunnel is used for Master-Local communications.

    An IPSEC tunnel is used for Master-Master Backup communications (which also uses VRRP).

    An IPSEC tunnel can also be used to establish a traditional tunnel between controllers.

     

    Master-Master Backup needs to be in the same L2 broadcast domain due to using VRRP.

    Master-Local can be L2/L3 separated as no VRRP is required.



  • 14.  RE: how can i get the IPsec preshared key of the master controller

    Posted Jan 15, 2019 09:13 AM

    hi Zalion ,

    Thank you for your help .

    So as you recommended, this is what I did:

    On the master controller:

    localip 0.0.0.0 ipsec *******

    On the local:

    masterip 192.168.1.148 ipsec *******

    Everything works fine, connectivity between the controllers is working, and in show switches I can see both the master and the local:

    (WW-CTRLR-BCKUP) #show switches

    All Switches
    ------------
    IP Address Name Location Type Model Version D
    ---------- ---- -------- ---- ----- ------- -
    192.168.1.148 WW-CTRLR-BCKUP Building1.floor1 master OAW-4450 6.5.4.9_67122
    192.168.1.149 OAW-4450-local Building1.floor1 local OAW-4450 6.5.4.9_67122

     

    However, when I start configuring VRRP, issues start happening :(

    So can you please help me understand the below:

    - After setting up master-local, can I set up VRRP? I think VRRP can only be used with a master-master setup. If I can't use VRRP, will the master-local setup I made be enough to achieve redundancy? In other words, is redundancy achieved by VRRP or by the master-local setup? Thank you so much.

     



  • 15.  RE: how can i get the IPsec preshared key of the master controller

    MVP EXPERT
    Posted Jan 15, 2019 09:19 AM

    You can set up VRRP between a Master-Local providing they are in the same L2. What type of redundancy are you looking to use? AP, controller, interface etc.? Each of these has different options based on your network design.



  • 16.  RE: how can i get the IPsec preshared key of the master controller

    Posted Jan 15, 2019 09:33 AM

    HI Zalion,

    First of all, thank you for all the help, and I'm sorry for all the questions.

    I need to set up redundancy between the two controllers (the master and the local) so when the master fails, the standby controller can take over and the APs connecting to the master can switch over to the standby.

    I have this config on the master:

     

    master-redundancy
    master-vrrp 150
    peer-ip-address 192.168.1.149 
    !
    vrrp 150
    priority 110
    authentication west1234
    ip address 192.168.1.150
    description "Preferred-Standby"
    vlan 1
    tracking master-up-time 30 add 20
    no shutdown
    !

    Then when I try configuring redundancy on the local controller, when I type:

    `master-redundancy` I get an error `Error: Master IP 192.168.1.148 is configured`, so I just ignore that command and enter the below:

    vrrp 150
    priority 110
    authentication west1234
    ip address 192.168.1.150
    description "Preferred-Standby"
    vlan 1
    tracking master-up-time 30 add 20
    no shutdown 

    Then the ping times out between the controllers and I can't change the master IP on the local controller to the virtual IP.

    In the guide you sent me it's mentioned that we can use VRRP either with a master-master setup or a local-local setup.

    thank you in advance
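
Added example (not part of the original thread, and not Aruba's code): the keys quoted in these posts show up in cleartext in the running config after `encrypt disable` and in the `fpcli` command log, so this Python script redacts them before such text is shared and notes a `localip 0.0.0.0` key or one secret reused for different functions. The function names, the `<redacted>` marker and the sample are constructed here; the sample reuses command forms quoted in posts 10, 13, 14 and 16.

```python
import re
from collections import defaultdict
# (kind, pattern, only_inside_vrrp_block); groups: 1 command, 2 peer, 3 secret.
RULES = [
    ("master-local PSK",
     re.compile(r'\b(localip|masterip)\s+(\S+)\s+ipsec\s+"?([^"\s]+)"?'), False),
    ("master-redundancy PSK",
     re.compile(r'\b(peer-ip-address)\s+(\S+)\s+ipsec\s+"?([^"\s]+)"?'), False),
    ("VRRP authentication",
     re.compile(r'^\s*(authentication)()\s+"?([^"\s]+)"?\s*$'), True),
]

def audit(text):
    """Return (findings, redacted_text) for a config or command-log dump."""
    findings, out, in_vrrp = [], [], False
    for n, line in enumerate(text.splitlines(), 1):
        if re.match(r"\s*vrrp\s+\d+", line):
            in_vrrp = True
        elif line.strip() == "!":          # "!" closes a config block
            in_vrrp = False
        for kind, rx, vrrp_only in RULES:
            m = rx.search(line)
            if not m or (vrrp_only and not in_vrrp) or set(m.group(3)) <= {"*"}:
                continue                   # no secret here, or already masked
            findings.append({"line": n, "kind": kind, "cmd": m.group(1),
                             "peer": m.group(2), "secret": m.group(3)})
            line = line[:m.start(3)] + "<redacted>" + line[m.end(3):]
            break
        out.append(line)
    return findings, "\n".join(out)

def review(findings):
    notes, kinds = [], defaultdict(set)    # notes never echo the secret itself
    for f in findings:
        kinds[f["secret"]].add(f["kind"])
        if f["cmd"] == "localip" and f["peer"] == "0.0.0.0":
            notes.append(f"line {f['line']}: localip 0.0.0.0 key is not tied to one local's IP")
    for used_for in kinds.values():
        if len(used_for) > 1:
            notes.append("one secret reused for: " + ", ".join(sorted(used_for)))
    return notes
# Constructed sample assembled from command forms quoted in this thread.
SAMPLE = '''\
localip 0.0.0.0 ipsec gw1234567
masterip 10.1.1.250 ipsec gw1234567
localip 0.0.0.0 ipsec *******
Jan 14 12:42:31 fpcli: USER:admin@192.168.18.173 COMMAND:<master-redundancy peer-ip-address 192.168.1.148 ipsec "west1234" > -- command execution failed
vrrp 150
authentication west1234
!
'''
if __name__ == "__main__":
    found, redacted = audit(SAMPLE)
    print(redacted, *review(found), sep="\n")
```
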



  • 17.  RE: how can i get the IPsec preshared key of the master controller

    MVP EXPERT
    Posted Jan 15, 2019 09:37 AM

    If you have configured this as Master-Local you cannot configure Master-Master redundancy as well, these are different controller roles. Your best bet is to configure a VRRP for AP Discovery and use HA Groups for AP redundancy. These are detailed in the VRDs.

     

    Do you have an Aruba partner you can work with? 



  • 18.  RE: how can i get the IPsec preshared key of the master controller

    Posted Jan 15, 2019 09:53 AM

    hi Zalion,

    Thank you for your answer. Honestly, I don't know about an Aruba partner because I'm new at the company and need to check that.

    I have a last question, if you don't mind.

    Right now I have the master-local setup working fine and I have all the APs connected to the master controller.

    If I go to the LMS AP and do the following:

    LMS IP = IP address of the master

    Backup LMS IP = IP address of the local

    does that mean that if the master fails, the APs will reboot and switch over to the local controller? Thank you so much.



  • 19.  RE: how can i get the IPsec preshared key of the master controller

    MVP EXPERT
    Posted Jan 15, 2019 09:57 AM
    It will do, however if you look at the HA Fast Failover options the AP will
    build a standby tunnel to the secondary controller and not require a reboot
    during failover.


  • 20.  RE: how can i get the IPsec preshared key of the master controller

    Posted Jan 15, 2019 09:59 AM

    ok ,thank you so much for all the help :) much appreciated 



  • 21.  RE: how can i get the IPsec preshared key of the master controller

    MVP EXPERT
    Posted Jan 15, 2019 10:00 AM

    You're welcome :)



  • 22.  RE: how can i get the IPsec preshared key of the master controller

    Posted Jan 15, 2019 04:28 AM
    I have the same doubt. Can anyone reply..


  • 23.  RE: how can i get the IPsec preshared key of the master controller

    Posted Jan 18, 2019 11:55 AM

    from CLI

    encrypt disable

    show runn

     

     

    masterip is listed.



  • 24.  RE: how can i get the IPsec preshared key of the master controller

    Posted Aug 02, 2021 01:22 PM

    encrypt disable

    show crypto-local isakmp key



    ------------------------------
    Madhura Naik
    ------------------------------