Wired Intelligent Edge

Hello everyone-

I have been struggling with having a 7005 located at a banch, reach my MM over the internet via a VPNC (7205 at a datacenter) after initial provisioning.  The IPSec tunnel is successfully created, and am able to ping the VPNC interface through the tunnel from the 7005, however traffic will not go further.

I was able to find this presentation that spells out what needs to be done (build GRE tunnels between MD and MM though the VPNC), but unable to figure out how to define the IP's that will anchor the GRE tunnel as once the 7005 is provisioned as a MD, it cannot be modified further unless it's through the MM.  Only valid IP on the 7005 is the WAN/internet facing IP.

https://www.slideshare.net/ArubaNetworks/emea-airheads-manage-devices-at-branch-office-boc

Thanks in advance for any of your thoughts!

Do you have configured an controller ip?

Does the md know the route to the mm and back?

Hello, yes, the branch MD has a public WAN IP.

Regarding routes, the Branch has a route to the VPNC and the MM via "ipsec map amanagement-vpnc"

I [MM IP]/32 [0/256] ipsec map management-vpnc
C [WAN IP]/24 is directly connected, VLAN1
C [VPNC IP]/32 is an ipsec map management-vpnc

The MM, a  "show ip route" does not show a route back to the Branch MD

S* 0.0.0.0/0 [0/1] via [DataCenter LAN Gateway]*
C [DataCenter LAN Subnet]/24 is directly connected, VLAN1
C [VPNC-A IP]/32 is an ipsec map default-local-master-ipsecmapA
C [VPNC-B IP]/32 is an ipsec map default-local-master-ipsecmapB
C [MM Backup Peer IP]/32 is an ipsec map default-psk-redundant-master-ipsecmap

However there is a route statement (again output from MM config):

ip route [MD-Branch WAN IP] 255.255.255.255 ipsec default-local-master-ipsecmap-[VPNC-A MAC Address] 30
ip route [MD-Branch WAN IP] 255.255.255.255 ipsec default-local-master-ipsecmap-[VPNC-B MAC Address] 20

This is one of the roadblocks;

Thanks for all the feedback,

Did you add the controller IP and PSK on the MM? 

Did you add the controller on the folder structure under Managed Network? 

Hello -

I did not, the MM has the Branch MAC address and factory cert as authentcion options selected.

While the option to add the IP and PSK is available, the initial provisioning questions do not allow for a PSK when the factory cert is selected to peer with the VPNC (advisement from TAC is to use factory cert, not PSK).

Yes, the Branch controller is on the MM foldstructure under Managed Network.

Thanks for your ideas on this...

Hi,

Within the configuration did you created a controller ip pool?

ip vlan pool controller-ip
distributed range 10.127.0.1 10.127.1.254
!
controller-ip vlan 4000

No, don't have this configuration.  What does VLAN 4000 represent?

Thanks,

---

@GroovyGuava wrote:

No, don't have this configuration.  What does VLAN 4000 represent?

 

Thanks,

---

VLAN 40xx are often "uplink" vlan