New Contributor

AP-105/125 as RAP through ASA5520

Hey all, I was hoping someone could help me with this issue.

I have an AP-105 and 125 configured as Remote APs through VPN, but the problem I am experiencing is it will connect through the datapath session to the 3600 Controller for about 30-45 seconds and then drop the tunnel.

I have a 3600 Controller running I have a NAT setup from my Public IP Address to an Interface on the 3600. My NAT device is a Cisco ASA 5520. I am allowing 4500 traffic through the ASA to this Public IP Address that is NAT'd back to my 3600 controller.

The AP connects just fine on my Internal network and the tunnel builds fine and stays connected, but this is from the internal network not going through the ASA.

When I take the AP home to test and I bypass my ASA at home and just allow the AP to get a Public Internet IP Address, I can see the connection on the ASA established on 4500 and I can see the connection successfully NAT to the 3600. I can go into the datapath session on the 3600 and see the connection as well from my Public IP Address of the ASA back to the 3600, but after about 30 seconds of refreshing I see the datapath session drop and never reestablish until I reboot the AP, in which case it connects for about 30-45 seconds to the 3600 via port 4500, then drops.

I tried this at another site I had which is a Site-To-Site VPN back to the controller and I can hit the Interface of the controller from this site so I configured the AP for VPN RAP with a connection to the Internal Interface of the Controller, but got the same reaction of the datapath session dropping the connection after about 30 seconds.

I see no errors at all in the error logs on the 3600.

Please help!!!

Aruba Employee

Re: AP-105/125 as RAP through ASA5520

Mark - What version of ASA code are you running? Would you be able to post a sanitized copy of the ASA configuration on here? At least the pertinent pieces?

Aruba Employee

Re: AP-105/125 as RAP through ASA5520

Hmmm, nothing jumps out at me in that config. Would you mind posting your inspect class-map info?

New Contributor

Got it working!!

The problem was that the ap system-profile for the AP Group this remote AP was in was set to "default" which had a LMS of our Private IP scheme. This being a remote AP going over VPN it would not be able to come up with an Internal IP in the LMS.

Configured a new ap system-profile named "Remote" with no LMS address and applied it to the AP Group this Remote AP was in and the Remote AP came right up and started working like a champ.

Thanks all.
