Wireless Access

Hi Guys,

i have a problem with master-local connectivity. i am deploying multiple controllers on multiple sites.

this problem appear on the third site where i am deploying 2 local controllers (let's call it local A and local B). at the HO i have 1 active master and 1 active local (let's call it local C).

the two controllers at HO master and local C can communicate with no problem with local A (remote site), adopted as master's local controller with IPSec key

the problem at local B (remote site) where i cannot even ping to the master at all. pinging to other devices (including local C) on the same subnet as the master is not a problem so i think it's not routing issue.

 

i tried to write erase all the local controller but same issue still happen.

debugging the network log also doesnt show anything. does anyone ever had same problem?

i'm using 6.4.2.12 ArubaOS.

 

PS: i attached my topology

 

Ricky

Hi

 

Does your local (B) have a valid gateway configured? Are you able to ping local A from B?

 

You might also want to check if the controller IP on local B is the same as for local A.

Another thing to check is the subnet mask, is it correct or is it too narrow by accident or something.

 

If you could post the interface configuration for the controllers, and explain which ones are to be used, it would be helpful.

 

Roar Fossen

 

 

Hello!

Try some troubleshooting tricks from this post:

http://community.arubanetworks.com/t5/Controller-Based-WLANs/Understanding-and-Troubleshooting-IPSec-issues/ta-p/240527

 

When the ipsec tunnel to the master from the local B was created a route was made along with it. When you ping the master it will try to ping through the ipsec-tunnel regardless of it being up or not. Since the tunnel is down - ping will fail.

 

I'm guessing you have some ACL/firewall between the sites so you might want to look there to see if those are specific to the IP of the local A.

Verify that the PSK you used for the local is correct..

#7210

Hi Mosher, thanks for your reply. my problem controller (local b) can ping to anywhere even other devices in the same network as the master. only the master that my local b cannot ping, my master also not able to ping my local b. this should excludes routing problem. all controllers are using native untagged vlan 1 in gi0/0/0. the master and local c are using vrrp and HA. i tried to delete the vrrp interface and HA but still nor working.

Hi jsolb, thanks for your reply.  i havent created the tunnel yet between my local b and master. i just finished the initial config via console, tried to ping, but all RTO. my second local though the local A, already setup the ipsec tunnel and everything works just fine. i will check with the firewall. is there any tool in the controller to debug this kind of thing? Ricky

Did you already added the local to form an IPSec from the master ?

What jsolb is saying is correct , need to make sure that tunnel is properly form before executing the ping

Hi jsolb, victor,

 

you are right. i dont know why but i tried to set up the ipsec tunnel, reboot the controller and when they comes up, the controller adopted nicely and i can ping it.

 

still doesnt make sense to me though. the icmp packets should work outside of the tunnel right? and how come a layer 3 tunnel could be established if a simple layer 3 packets such as icmp could not pass through.

 

Ricky

The ipsec tunnel with the added routing config is added when you first configure the controller as local. Do a "show ip route" and you'll find what I'm referring to. So with that - all ip traffic towards the master ip is routed through the ipsec tunnel interface.

Glad you got it working!