Wireless Access

Running into a weird issue with Master/Local controller configuration. Customer has (2) Aruba 7210 controllers. The actual master controller is configured with VLAN1 (public IP connected to DMZ) and VLAN2 (private IP internal mgmt). The local controller is configured the same, but VLAN2 does not currently exist in that network closet. Customer wants to connect controllers via VLAN1 addresses. I can ping both controllers from each other. When I configure an IPSEC key and the local controller's IP on the master, I lose connectivity (cannot ping anymore), but as soon as I delete it I can ping again. 

I just rebooted both controllers, but still happens. There is a firewall between the controllers, but UDP4500 is allowed both ways. 

Not sure what is causing the IPSEC tunnel not to build between the controllers, anybody see this before? If so, what could be the issue.

Thanks!

Code version is 6.4.2.2

mharing,

You need more than UDP 4500.  Please see the article here: https://arubapedia.arubanetworks.com/arubapedia/index.php/Ports_needed_if_a_firewalls_within_wired_infrastructure#Between_any_two_Mobility_Controllers:

CJoseph can you send me the ports or post them here? I don't have access to that link.

Between any two Mobility Controllers:

IPSec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controller is encapsulated in IPSec.
IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.
GRE (protocol 47) if tunneling guest traffic over GRE to DMZ controller.
IKE (UDP 500).
ESP (protocol 50).
IPSEC/NAT-T (UDP 4500).

On the master have you tried configuring the IPsec key against the IP address of 0.0.0.0 - I have seen this issue when using the local controllers correct IP address, but when using 0.0.0.0 it seems to work properly.

That was it. Not sure why it was happening, but that seemed to fix it. Thanks all for the help!

If you want them to function as master/local, it should be between two private management addresses not blocked by a firewall to start...

If you cannot ping a controller from the other, it is because it is using the route established by the local/master statement, but the tunnel is not up.  You can verify this by seeing if each controller can be pinged by other devices when this happens.

I agree that it should be between two private addresses, and at some point I can configure it that way, but temporarily it needs to be configured against the public addresses. This network is very unique and a bit challenging. 

I have the controller-ip assigned as the private IP (VLAN2). Could that have anything to do with the issue, or doesn't it matter for IPSec?

I can ping before I configure the IPSec key, but after it breaks.