Wired Intelligent Edge

Hi All, trying to set up tunneled node between an S1500 MAS and a 7030 controller over the internet. The tunnel shows complete on the 7030, but in progress on the switch. My first thought was firewall problems, so I opened up the firewall between those IPs, with no change. Any suggestions on what to try next? Config and status follow:

Switch:

(ArubaS1500-24P) #show tunneled-node state                             

Tunneled Node State
-------------------
IP            MAC                Port     state        vlan  tunnel  inactive-time
--            ---                ----     -----        ----  ------  -------------
12.345.6.789  00:0b:86:90:a4:f7  GE0/0/1  in-progress  0100  4094    0000


(ArubaS1500-24P) #show tunneled-node config 

Tunneled Node Client: Enabled
Tunneled Node Server: 12.345.6.789
Tunneled Node Loop Prevention: Disabled

(ArubaS1500-24P) #show interface-profile tunneled-node-profile TNP

Tunneled Node Server profile "TNP"
---------------------------------------
Parameter                     Value
---------                     -----
Controller IP Address         12.345.6.789
Backup Controller IP Address  N/A
Keepalive timeout in seconds  10
MTU on path to controller     1400

(ArubaS1500-24P) #show interface-profile switching-profile VLAN100

switching profile "VLAN100"
---------------------------
Parameter                                             Value
---------                                             -----
Switchport mode                                       access
Access mode VLAN                                      100
Trunk mode native VLAN                                1
Enable broadcast traffic rate limiting                Enabled
Enable multicast traffic rate limiting                Disabled
Enable unknown unicast traffic rate limiting          Enabled
Max allowed rate limit traffic on port in percentage  50
Trunk mode allowed VLANs                              1-4094

(ArubaS1500-24P) #show interface-group-config gigabitethernet "TNP_VLAN100"

gigabitethernet "TNP_VLAN100"
----------------------------------
Parameter                                        Value
---------                                        -----
Interface group members                          0/0/1-0/0/2
...
Interface Tunneled Node profile                  TNP
...
Interface switching profile                      VLAN100

Controller:

(Aruba7030) (config) #show tunneled-node state  

Tunneled Node State
-------------------
IP              MAC                port                  state     vlan  tunnel  inactive-time
--              ---                ----                  -----     ----  ------  -------------
123.45.678.901  00:0b:86:90:a4:f7  gigabitethernet0/0/1  complete  100   51      1

(Aruba7030) #show tunneled-node config 

Tunneled node Server:Enabled
Tunnel Loop Prevention:Disabled

Make sure you have enough licenses on the controller.

Tunneled node takes up 1 AP license per Switch / Stack of switches

Also your tunneled node config on the controller should be set to "tunneled-node-address 0.0.0.0"

Hi,

Do you see PAPI (UDP 8211), GRE and ICMP passing between the two IP addresses on the firewall?

This may occur when the Mobility Access Switch is sourcing the GRE tunnel from the wrong IP interface and there is asymmetrical routing in the network. Make sure to use the 'controller-ip' command under 'ip-profile' to specifically chose the interface the Mobility Access Switch should be using to source it's traffic.

Thanks,
Rajaguru Vincent