Community Home > Discuss > Technology > Wired Intelligent Edge (Campus Switching and Routi... > Re: 7005 MD not reaching Mobility Master over VPN

Wired Intelligent Edge (Campus Switching and Routing)

Reply
GroovyGuava
Occasional Contributor I
GroovyGuava

7005 MD not reaching Mobility Master over VPN

‎09-05-2019 10:09 AM

Hello everyone-

 

I have been struggling with having a 7005 located at a banch, reach my MM over the internet via a VPNC (7205 at a datacenter) after initial provisioning.  The IPSec tunnel is successfully created, and am able to ping the VPNC interface through the tunnel from the 7005, however traffic will not go further.

 

I was able to find this presentation that spells out what needs to be done (build GRE tunnels between MD and MM though the VPNC), but unable to figure out how to define the IP's that will anchor the GRE tunnel as once the 7005 is provisioned as a MD, it cannot be modified further unless it's through the MM.  Only valid IP on the 7005 is the WAN/internet facing IP.

 

https://www.slideshare.net/ArubaNetworks/emea-airheads-manage-devices-at-branch-office-boc

 

Thanks in advance for any of your thoughts!

 

 

Alert a Moderator
Message 1 of 8
577 Views
Reply
0 Kudos
RoydeJager
Occasional Contributor II
RoydeJager

Re: 7005 MD not reaching Mobility Master over VPN

‎09-09-2019 02:30 AM

Do you have configured an controller ip?

Does the md know the route to the mm and back?

Alert a Moderator
Message 2 of 8
529 Views
Reply
0 Kudos
Heltonb
Occasional Contributor II
Heltonb

Re: 7005 MD not reaching Mobility Master over VPN

‎09-09-2019 07:54 AM

Did you add the controller IP and PSK on the MM? 

Did you add the controller on the folder structure under Managed Network? 

Alert a Moderator
Message 3 of 8
516 Views
Reply
0 Kudos
GroovyGuava
Occasional Contributor I
GroovyGuava

Re: 7005 MD not reaching Mobility Master over VPN

‎09-09-2019 09:31 AM

Hello, yes, the branch MD has a public WAN IP.

 

Regarding routes, the Branch has a route to the VPNC and the MM via "ipsec map amanagement-vpnc"

 

I [MM IP]/32 [0/256] ipsec map management-vpnc
C [WAN IP]/24 is directly connected, VLAN1
C [VPNC IP]/32 is an ipsec map management-vpnc

 

The MM, a  "show ip route" does not show a route back to the Branch MD

 

S* 0.0.0.0/0 [0/1] via [DataCenter LAN Gateway]*
C [DataCenter LAN Subnet]/24 is directly connected, VLAN1
C [VPNC-A IP]/32 is an ipsec map default-local-master-ipsecmapA
C [VPNC-B IP]/32 is an ipsec map default-local-master-ipsecmapB
C [MM Backup Peer IP]/32 is an ipsec map default-psk-redundant-master-ipsecmap

 

However there is a route statement (again output from MM config):

ip route [MD-Branch WAN IP] 255.255.255.255 ipsec default-local-master-ipsecmap-[VPNC-A MAC Address] 30
ip route [MD-Branch WAN IP] 255.255.255.255 ipsec default-local-master-ipsecmap-[VPNC-B MAC Address] 20

 

This is one of the roadblocks;

 

Thanks for all the feedback,

 

Alert a Moderator
Message 4 of 8
505 Views
Reply
0 Kudos
GroovyGuava
Occasional Contributor I
GroovyGuava

Re: 7005 MD not reaching Mobility Master over VPN

‎09-09-2019 09:36 AM

Hello -

 

I did not, the MM has the Branch MAC address and factory cert as authentcion options selected.

 

While the option to add the IP and PSK is available, the initial provisioning questions do not allow for a PSK when the factory cert is selected to peer with the VPNC (advisement from TAC is to use factory cert, not PSK).

 

Yes, the Branch controller is on the MM foldstructure under Managed Network.

 

Thanks for your ideas on this...

Alert a Moderator
Message 5 of 8
504 Views
Reply
0 Kudos
Highlighted
RoydeJager
Occasional Contributor II
RoydeJager

Re: 7005 MD not reaching Mobility Master over VPN

‎09-09-2019 11:01 PM

Hi,

 

Within the configuration did you created a controller ip pool?

 

ip vlan pool controller-ip
distributed range 10.127.0.1 10.127.1.254
!
controller-ip vlan 4000

Alert a Moderator
Message 6 of 8
471 Views
Reply
0 Kudos
GroovyGuava
Occasional Contributor I
GroovyGuava

Re: 7005 MD not reaching Mobility Master over VPN

‎09-11-2019 11:38 AM

No, don't have this configuration.  What does VLAN 4000 represent?

 

Thanks,

Alert a Moderator
Message 7 of 8
437 Views
Reply
0 Kudos
MVP Expert
MVP Expert
alagoutte

Re: 7005 MD not reaching Mobility Master over VPN

‎09-12-2019 01:27 AM

@GroovyGuava wrote:

No, don't have this configuration.  What does VLAN 4000 represent?

 

Thanks,

VLAN 40xx are often "uplink" vlan



PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
Alert a Moderator
Message 8 of 8
396 Views
Reply
0 Kudos
Search Airheads
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2019 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium