Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ArubaOS8 and Aruba Activate

  • 1.  ArubaOS8 and Aruba Activate

    Posted Mar 11, 2020 06:09 AM

    Hi!

     

    I'm trying to implement a migration strategy from AOS6 to AOS8. I'm trying to use Aruba Activate for migration of local controllers at branches.

     

    I've added a provisioning rule in Activate and added the MM with whitelist sync.

     

    The device connects to Activate and it triggers the provisioning rule. Then it contacts the MM; I can see IPsec in the firewall.

     

    But the controller never shows up when doing "show switches" in the MM CLI.

     

    Also, the system logs show that the IPsec keeps going down - up over and over again.

     

    I've added the controller manually under the MM node and also added the controller in the correct folder in the MD node. I've assigned IPsec settings at the MD level also. (I assume both of these steps are still required?)

     

    Is there a document showing all required steps? I feel that maybe I'm missing something.



  • 2.  RE: ArubaOS8 and Aruba Activate

    MVP GURU
    Posted Mar 11, 2020 03:54 PM

    Have you checked your licensing on the MM? Also, can you confirm that IPsec is getting to the MMs by doing a "show datapath session table <IP of MD>" when the MD is booting/connecting?

     

    As long as you have the proper firewall/ACL entries in between the devices, and you are provisioning the MDs to communicate to the MM with the proper pre-shared key, they should show up. Also check that you have the controllers added at the MD level in a folder with the proper controller MAC address and model number.



  • 3.  RE: ArubaOS8 and Aruba Activate

    Posted Mar 12, 2020 05:09 AM

    I've added the MD with the correct model and MAC address that shows up in Activate. EDIT: Labeled eth0 in Activate.

     

    I've used the factory cert as IPsec security; it seems I cannot add a PSK into Activate?

     

    show datapath:

    Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets   Bytes     Flags           CPU ID
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- --------------- -------
    branch-ip       mm-ip           17   4500  4500  0/0      0    0   1   0/0/0       479  1791      1426432   FC              7
    mm-ip           branch-ip       17   4500  4500  0/0      0    0   0   0/0/0       479  738       209831    F               7

     

    #show crypto ipsec sa


    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP Responder IP SPI(IN/OUT)      Flags Start Time      Inner IP
    ------------ ------------ ---------------- ----- --------------- --------
    branch-ip    mm-ip        4e65ea00/5f836600 UT2   Mar 12 10:05:40 -

     

     

    Here are some log entries from when connecting the branch controller:

     

    Mar 12 09:59:26 fpapps[5120]: <399815> <5123> <INFO> |fpapps| Added ipsec map default-local-master-ipsecmap-xx:xx:xx:xx:xx:xx
    Mar 12 09:59:26 fpapps[5120]: <399815> <5123> <INFO> |fpapps| Deleting ipsec map default-local-master-ipsecmap-xx:xx:xx:xx:xx:xx
    Mar 12 09:59:26 fpapps[5120]: <399815> <5123> <INFO> |fpapps| Duplicate MAP_ADD from IKE for default-local-master-ipsecmap-xx:xx:xx:xx:xx:xx (gw x.x.x.x) mapid 17570 vlanid 0 flags 0x0 addr x.x.x.x mask 255.255.255.255 prio 0
    Mar 12 09:59:26 fpapps[5120]: <399838> <5123> <WARN> |fpapps| Received TUN_DOWN from IKE for default-local-master-ipsecmap-xx:xx:xx:xx:xx:xx
    Mar 12 09:59:26 fpapps[5120]: <399838> <5123> <WARN> |fpapps| Received TUN_UP from IKE for default-local-master-ipsecmap-xx:xx:xx:xx:xx:xx mapid 0x44a2, vlanid 0, flags = 0x0 uplink_priority 0
    Mar 12 09:59:26 isakmpd[5139]: <103076> <5139> <INFO> |ike| IKEv2 IPSEC Tunnel created for peer x.x.x.x:4500
    Mar 12 09:59:26 isakmpd[5139]: <103077> <5139> <INFO> |ike| IKEv2 IKE_SA succeeded for peer x.x.x.x:4500
    Mar 12 09:59:26 isakmpd[5139]: <103078> <5139> <INFO> |ike| IKEv2 CHILD_SA successful for peer x.x.x.x:4500
    Mar 12 09:59:26 isakmpd[5139]: <103101> <5139> <INFO> |ike| IPSEC SA deleted for peer x.x.x.x
    Mar 12 09:59:26 isakmpd[5139]: <103102> <5139> <INFO> |ike| IKE SA deleted for peer x.x.x.x
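
One way to quantify the up/down cycling visible in the log excerpt above, as an added example that is not part of the original post or of ArubaOS: it pairs each "IKE_SA succeeded" line with the next "IKE SA deleted" line for the same peer and reports SAs that lived only a few seconds. The sample lines, peer addresses, the 5-second threshold, the `year` parameter and the function name are constructed assumptions; only the two message formats come from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the isakmpd lines quoted in the thread.
# 192.0.2.x are documentation addresses standing in for the redacted peers.
SAMPLE_LOG = """\
Mar 12 09:59:26 isakmpd[5139]: <103076> <5139> <INFO> |ike| IKEv2 IPSEC Tunnel created for peer 192.0.2.10:4500
Mar 12 09:59:26 isakmpd[5139]: <103077> <5139> <INFO> |ike| IKEv2 IKE_SA succeeded for peer 192.0.2.10:4500
Mar 12 09:59:26 isakmpd[5139]: <103078> <5139> <INFO> |ike| IKEv2 CHILD_SA successful for peer 192.0.2.10:4500
Mar 12 09:59:26 isakmpd[5139]: <103101> <5139> <INFO> |ike| IPSEC SA deleted for peer 192.0.2.10
Mar 12 09:59:26 isakmpd[5139]: <103102> <5139> <INFO> |ike| IKE SA deleted for peer 192.0.2.10
Mar 12 09:59:41 isakmpd[5139]: <103077> <5139> <INFO> |ike| IKEv2 IKE_SA succeeded for peer 192.0.2.10:4500
Mar 12 09:59:42 isakmpd[5139]: <103102> <5139> <INFO> |ike| IKE SA deleted for peer 192.0.2.10
Mar 12 10:05:40 isakmpd[5139]: <103077> <5139> <INFO> |ike| IKEv2 IKE_SA succeeded for peer 192.0.2.20:4500
Mar 12 11:05:40 isakmpd[5139]: <103102> <5139> <INFO> |ike| IKE SA deleted for peer 192.0.2.20
"""

# Only the IKE SA up/down messages are matched; CHILD_SA and IPSEC SA lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+isakmpd\[\d+\]:.*\|ike\|\s+"
    r"(?P<event>IKEv2 IKE_SA succeeded|IKE SA deleted) for peer (?P<peer>[0-9.]+)"
)


def find_flaps(log_text, max_lifetime_s=5, year=2020):
    """Return {peer: [lifetime_seconds, ...]} for IKE SAs torn down
    within max_lifetime_s of being established."""
    up_since = {}              # peer -> time the current IKE SA came up
    flaps = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        peer = m["peer"]
        if m["event"].endswith("succeeded"):
            up_since[peer] = ts
        elif peer in up_since:
            lifetime = (ts - up_since.pop(peer)).total_seconds()
            if lifetime <= max_lifetime_s:
                flaps[peer].append(lifetime)
    return dict(flaps)


if __name__ == "__main__":
    for peer, lifetimes in find_flaps(SAMPLE_LOG).items():
        print(f"{peer}: {len(lifetimes)} short-lived IKE SAs, lifetimes {lifetimes}")
```

A peer whose SAs repeatedly last zero or one second is renegotiating successfully and then being torn down right away, which is the pattern the posted log shows.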



  • 4.  RE: ArubaOS8 and Aruba Activate

    Posted Mar 12, 2020 05:13 AM

    Also, I've added an eval MM license. The MD is hardware, so I don't need any MC licenses, correct?



  • 5.  RE: ArubaOS8 and Aruba Activate



  • 6.  RE: ArubaOS8 and Aruba Activate

    Posted Mar 12, 2020 09:47 AM
    Are these branch devices communicating with the MM via a VPNC? The Activate rule is meant to be used that way.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 7.  RE: ArubaOS8 and Aruba Activate

    Posted Mar 13, 2020 03:18 AM

    Hi!

    Thanks for the guide, that one makes the steps much clearer!

    Now the device automatically gets added when syncing with Activate. However, still the same issue, as the IPsec will not connect... I see nothing blocked in the firewall between the devices.

     

    Victor, not sure that's true; the link above says nothing about VPNC.

    Also, the ArubaOS8 fundamentals guide says VPNCs are optional. (see attached image)