Wireless Access


Local/Master Communication Problem

  • 1.  Local/Master Communication Problem

    Posted Nov 14, 2012 03:31 PM

    I've had a local 620 & a master 3200 in place for several months with no problems whatsoever. All of a sudden, I no longer have my IPSEC tunnel between the two. I have confirmed that both sites have full internet connectivity and clients at either end are able to access external resources.

     

    Here is Topology Below:

    620 > VLAN1 DHCP 192.168.0.2 > Modem 192.168.0.1 > Public IP > INTERNET > Router doing NAT > 3200

     

    Local 620 Config:

    masterip ipsec ****** interface vlan 1
    !
    interface vlan 31
      ip address 192.168.31.1 255.255.255.0
      ip nat inside
      operstate up
      description "LAN"
    !
    ip default-gateway 192.168.0.1

     

    Debug:

    Nov 14 21:27:52 :103060: |ike| exchange.c:exchange_negotiation_state_inprog:2708 Ipsec map default-local-master-ipsecmap is marked negotiation-inprogress
    Nov 14 21:27:52 :103060: |ike| exchange.c:exchange_start_pre_connect:3225 IKE negotiation in progress for map default-local-master-ipsecmap
    Nov 14 21:28:12 :103063: |ike| ->Delete AGGRESSIVE Exchange ic de0f30e6fe652351 rc 0000000000000000
    Nov 14 21:28:12 :103063: |ike| modp_free entered
    Nov 14 21:28:12 :103060: |ike| exchange.c:exchange_negotiation_state_done:2724 Ipsec map default-local-master-ipsecmap is marked negotiation-done
    Nov 14 21:28:13 :103060: |ike| if.c:GetIPAddrByVlanId:209 vlan 1 ip 192.168.0.2
    Nov 14 21:28:13 :103060: |ike| ipc.c:controlplaneArpModify:4012 Failed to Delete ARP error No such device or address
    Nov 14 21:28:13 :103063: |ike| New(1) AGGRESSIVE Exchange ic e06241d1b84b40e0 rc 0000000000000000
    Nov 14 21:28:13 :103063: |ike| ike_phase_1_initiator_send_SA policy:10001 enc:5 hmac:2 auth:1 group:2
    Nov 14 21:28:13 :103063: |ike| group_get entered id:2
    Nov 14 21:28:13 :103063: |ike| group_get ike_group:0x10000178
    Nov 14 21:28:13 :103063: |ike| modp_init entered
    Nov 14 21:28:13 :103063: |ike| group_get group:0x101d1c3c
    Nov 14 21:28:13 :103060: |ike| ike_phase_1.c:ike_phase_1_initiator_send_SA:415 peer:
    Nov 14 21:28:13 :103063: |ike| ike_phase_1_send_KE_NONCE caCert:none
    Nov 14 21:28:13 :103063: |ike| ike_phase_1_send_KE_NONCE
    Nov 14 21:28:13 :103060: |ike| if.c:GetIPAddrByVlanId:209 vlan 0 ip 192.168.31.1
    Nov 14 21:28:13 :103060: |ike| ike_phase_1.c:ike_phase_1_send_ID:1744 with SwitchIP 192.168.31.1
    Nov 14 21:28:13 :103063: |ike| ike_phase_1_send_ID
    Nov 14 21:28:13 :103060: |ike| exchange.c:exchange_negotiation_state_inprog:2708 Ipsec map default-local-master-ipsecmap is marked negotiation-inprogress

     

    Local Show Datapath Session 4500:

    (aructrl-la) #show datapath session | include 4500
    68.99.67.221    192.168.0.2     17   4500  10000  0/0     0 0   0   local       400  FNY
    192.168.0.2     68.99.67.221    17   4500  4500   0/0     0 0   1   local       400  FSC

     

    On the Master show datapath session, I only see 4500 for my other functioning local controllers. Thoughts?


    #3200


  • 2.  RE: Local/Master Communication Problem

    Posted Nov 14, 2012 05:47 PM

    In the datapath session table you posted, the destination port from 68.99.67.221 to 192.168.0.2 doesn't look right. I'm sure that should also read 4500. Are you sure the dst port isn't being translated somewhere? If not, my first thought would be to check the datapath at the other end?



  • 3.  RE: Local/Master Communication Problem

    Posted Nov 14, 2012 05:48 PM

    Actually scratch that, you said you don't see it the other end. However, there is a NAT marker against that same session. Are you sure the full config of that controller isn't NAT'ing the destination port by mistake?


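A way to automate the check the two replies above describe, as an added example that is not part of the thread: it parses `show datapath session` rows and reports a local/master UDP 4500 pair whose ports are not 4500 on both sides, that carries the NAT flag, or that is missing in one direction (column order and the meaning of the N flag are assumed from ArubaOS datapath output).

```python
from dataclasses import dataclass

# Constructed from the session table quoted in post 1 (not a live capture).
SAMPLE_OUTPUT = """\
(aructrl-la) #show datapath session | include 4500
68.99.67.221    192.168.0.2     17   4500  10000  0/0     0 0   0   local       400  FNY
192.168.0.2     68.99.67.221    17   4500  4500   0/0     0 0   1   local       400  FSC
"""

@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str

def parse_sessions(text: str) -> list[Session]:
    """Parse session rows. Assumed column order: src dst proto sport dport
    cntr prio tos age dest tage flags; prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or not (f[2].isdigit() and f[3].isdigit() and f[4].isdigit()):
            continue
        rows.append(Session(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), f[11]))
    return rows

def check_natt(sessions: list[Session], local_ip: str, master_ip: str) -> list[str]:
    """Findings for the local<->master NAT-T pair; an empty list means it looks healthy."""
    findings = []
    seen = set()
    for s in sessions:
        if s.proto != 17 or {s.src, s.dst} != {local_ip, master_ip}:
            continue  # not UDP, or not between the two controllers
        if 4500 not in (s.sport, s.dport):
            continue  # not an IKE NAT-T session
        seen.add((s.src, s.dst))
        if (s.sport, s.dport) != (4500, 4500):
            findings.append(f"{s.src}->{s.dst}: ports {s.sport}->{s.dport}, expected 4500->4500 (translated?)")
        if "N" in s.flags:  # assumption: 'N' is the NAT marker the replies refer to
            findings.append(f"{s.src}->{s.dst}: NAT flag present on the IKE session ({s.flags})")
    for a, b in ((local_ip, master_ip), (master_ip, local_ip)):
        if (a, b) not in seen:
            findings.append(f"{a}->{b}: no UDP 4500 session entry at all")
    return findings
```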

  • 4.  RE: Local/Master Communication Problem

    Posted Nov 14, 2012 05:53 PM

    Thanks for the reply. I don't believe it is, but where would I check that? The only place I've defined NAT is on VLAN 31, 32 & 33, using "ip nat inside", and these are my "internal" VLANs. Since VLAN 1 is also a private IP, I've tried enabling "ip nat inside" on it as well, but that didn't work.



  • 5.  RE: Local/Master Communication Problem

    Posted Nov 14, 2012 05:58 PM

    Most likely it would be on the physical ports of VLAN 1 facing toward the router.

     

    So, if that's not it, I'd be thinking along two lines.

     

    If I wanted a quick dirty fix, reboot the 650 controller and check the result?

     

    If I wanted to find the root cause, run a packet capture on both controllers against port 4500. As long as there are no RAPs connected, the packet capture shouldn't be too big on the local. The master might be quite big, so maybe just start with the local and see what it shows?



  • 6.  RE: Local/Master Communication Problem

    Posted Nov 14, 2012 06:02 PM

    There is no router connected to the local (620), just an ISP modem that is handing out DHCP to VLAN 1 on the controller. I'm not onsite where the local is so I can't do a packet capture there. I could do one for the master though.



  • 7.  RE: Local/Master Communication Problem

    Posted Nov 14, 2012 06:13 PM

    Sorry, when I say router, I mean your DSL modem!

     

    Are you able to get at the controller remotely? SSH from a remote desktop or similar? Login to the local controller if so, and at the enable prompt, start with "packet-capture ?". You set it up (hint - "packet-capture udp 4500"), leave it for a bit, then do "tar logs tech-support". Then, copy the logs.tar file to a TFTP or FTP server, and get it to wherever you are. Might save a trip.

     



  • 8.  RE: Local/Master Communication Problem

    Posted Nov 14, 2012 06:01 PM

    Probably worth checking the version of code you're running against release note fixes too!