Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor I

7005 MD not reaching Mobility Master over VPN

Hello everyone-

 

I have been struggling with having a 7005 located at a branch reach my MM over the internet via a VPNC (7205 at a datacenter) after initial provisioning.  The IPSec tunnel is successfully created, and I am able to ping the VPNC interface through the tunnel from the 7005; however, traffic will not go further.

 

I was able to find this presentation that spells out what needs to be done (build GRE tunnels between MD and MM through the VPNC), but I am unable to figure out how to define the IPs that will anchor the GRE tunnel, as once the 7005 is provisioned as an MD, it cannot be modified further unless it's through the MM.  The only valid IP on the 7005 is the WAN/internet-facing IP.

 

https://www.slideshare.net/ArubaNetworks/emea-airheads-manage-devices-at-branch-office-boc

 

Thanks in advance for any of your thoughts!

 

 

Occasional Contributor II

Re: 7005 MD not reaching Mobility Master over VPN

Have you configured a controller IP?

Does the MD know the route to the MM and back?

Occasional Contributor II

Re: 7005 MD not reaching Mobility Master over VPN

Did you add the controller IP and PSK on the MM? 

Did you add the controller on the folder structure under Managed Network? 

Occasional Contributor I

Re: 7005 MD not reaching Mobility Master over VPN

Hello, yes, the branch MD has a public WAN IP.

 

Regarding routes, the Branch has a route to the VPNC and the MM via "ipsec map management-vpnc":

 

I [MM IP]/32 [0/256] ipsec map management-vpnc
C [WAN IP]/24 is directly connected, VLAN1
C [VPNC IP]/32 is an ipsec map management-vpnc

 

On the MM, a "show ip route" does not show a route back to the Branch MD:

 

S* 0.0.0.0/0 [0/1] via [DataCenter LAN Gateway]*
C [DataCenter LAN Subnet]/24 is directly connected, VLAN1
C [VPNC-A IP]/32 is an ipsec map default-local-master-ipsecmapA
C [VPNC-B IP]/32 is an ipsec map default-local-master-ipsecmapB
C [MM Backup Peer IP]/32 is an ipsec map default-psk-redundant-master-ipsecmap

 

However there is a route statement (again output from MM config):

ip route [MD-Branch WAN IP] 255.255.255.255 ipsec default-local-master-ipsecmap-[VPNC-A MAC Address] 30
ip route [MD-Branch WAN IP] 255.255.255.255 ipsec default-local-master-ipsecmap-[VPNC-B MAC Address] 20

 

This is one of the roadblocks.

 

Thanks for all the feedback,

 

Occasional Contributor I

Re: 7005 MD not reaching Mobility Master over VPN

Hello -

 

I did not; the MM has the Branch MAC address and factory cert as authentication options selected.

 

While the option to add the IP and PSK is available, the initial provisioning questions do not allow for a PSK when the factory cert is selected to peer with the VPNC (advisement from TAC is to use factory cert, not PSK).

 

Yes, the Branch controller is in the MM folder structure under Managed Network.

 

Thanks for your ideas on this...

Occasional Contributor II

Re: 7005 MD not reaching Mobility Master over VPN

Hi,

 

Within the configuration, did you create a controller IP pool?

 

ip vlan pool controller-ip
distributed range 10.127.0.1 10.127.1.254
!
controller-ip vlan 4000

Occasional Contributor I

Re: 7005 MD not reaching Mobility Master over VPN

No, don't have this configuration.  What does VLAN 4000 represent?

 

Thanks,

MVP Expert

Re: 7005 MD not reaching Mobility Master over VPN


@GroovyGuava wrote:

No, don't have this configuration.  What does VLAN 4000 represent?

 

Thanks,


VLAN 40xx are often "uplink" VLANs.




PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info


PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info


PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)


PowerArubaIAP: Powershell Module to use Aruba Instant AP




ACMP 6.4 / ACMX #107 / ACCP 6.5