Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Local controller to master over internet


    Posted Jul 14, 2016 08:43 AM

    Hi!

     

    I'm setting up a lab scenario with a central controller that has only UDP 4500 port forwarded to it from the public-facing firewall, and a branch office controller with internet-only access that should connect as a local to the central master. I think I'm missing something simple, so please help me take an extra look :)

     

    Configuration on master:

    local-factory-cert local-mac "00:0b:86:xx:xx:xx"

    controller-ip 192.168.230.3 (this one has UDP 4500 port forwarded to it from 1.1.1.1)

    crypto isakmp udpencap-behind-natdevice enable

     

    Configuration on branch local:

    masterip 1.1.1.1 ipsec-factory-cert master-mac-1 00:0b:86:yy:yy:yy

    !

    interface vlan 4094 (internet-facing access port)
    ip address dhcp-client
    ip nat outside
    !

    interface vlan 5
    ip address 172.22.5.10 255.255.255.0
    ip nat inside
    !

    controller-ip vlan 5

     

    I can see a successful ISAKMP SA and IPsec SA on both controllers, and the routes are successfully installed in the IPsec maps.

     

    On Master:

    C    172.22.5.10/32 is an ipsec map default-local-master-ipsecmap-00:0b:86:xx:xx:xx

     

    On Local:

    C    192.168.230.3/32 is an ipsec map default-local-master-ipsecmap

     

    If I ping from the master to 172.22.5.10 I can see this in the datapath session table of the local:

    192.168.230.3 172.22.5.10 1 55 2048 0/0 0 0 1 tunnel 10 8 1 120 FSCI
    172.22.5.10 1.1.1.1 1 58 0 0/0 0 0 1 tunnel 10 6 1 120 FNI

    (Also in the datapath I see the local trying to answer PAPI traffic back to the public IP 1.1.1.1 instead of the master's controller-ip, which I think it should be.)

     

    If I ping from the local to the 192.168.230.3 address I see nothing in the datapath of the master.

     

    In the logs of the local I just see that it tries to send things directly to the public IP of the master; shouldn't it understand that it needs to communicate through the tunnel?

     

    Jul 14 15:33:21 cfgm[3468]: <307025> <DBUG> |cfgm| local:Sending heartbeat message to MMS
    Jul 14 15:33:21 cfgm[3468]: <307103> <INFO> |cfgm| send_tcp_hb_master 196 Connection to the master failed, Will retry socket ID 20 state CONFIG_SOCKET_NOTCONNECTED
    Jul 14 15:33:21 cfgm[3468]: <307240> <DBUG> |cfgm| Connecting the Local CFGM socket, state 1
    Jul 14 15:33:21 cfgm[3468]: <307242> <INFO> |cfgm| Failed to connect to the Master (1.1.1.1),Configuration socket will try again: Connection timed out
    Jul 14 15:33:21 cfgm[3468]: <399814> <DBUG> |cfgm| Checking if the regulatory file is modified
    Jul 14 15:33:21 cfgm[3468]: <399814> <DBUG> |cfgm| Sending the heartbeat message. Not Responding counter=7
    Jul 14 15:33:21 cfgm[3468]: <399815> <INFO> |cfgm| Cannot connect to the master 1.1.1.1 error Connection timed out errno 145 socket id 20

     

    I've also put up a local using certificate-based authentication on the same subnet as the master, and it works like a charm. I'd like this to work with only the UDP 4500 port forward.

     

    Please help me put some extra eyes on this, dear Airheads :) I'm running ArubaOS 6.4.4.8.

     

    Cheers,
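A small check for the symptom described in the post, as an added example that is not part of the post or of HPE Aruba Networking's software: it parses the quoted "is an ipsec map" route line and the datapath session rows, then lists sessions addressed to a master address that no IPsec-map route covers (here, the public 1.1.1.1 rather than the controller-ip 192.168.230.3). The column layout, the sample rows and the set of master addresses are assumptions modelled on the output quoted above.

```python
import ipaddress
import re

# Constructed sample input, modelled on the post's "show ip route" and
# "show datapath session table" output on the branch local.
IPSEC_ROUTES = """\
C    192.168.230.3/32 is an ipsec map default-local-master-ipsecmap
"""
SESSIONS = """\
192.168.230.3 172.22.5.10 1 55 2048 0/0 0 0 1 tunnel 10 8 1 120 FSCI
172.22.5.10 1.1.1.1 1 58 0 0/0 0 0 1 tunnel 10 6 1 120 FNI
"""
# Assumed: the master's public (NAT) address and its controller-ip.
MASTER_ADDRESSES = {ipaddress.ip_address("1.1.1.1"),
                    ipaddress.ip_address("192.168.230.3")}

def parse_ipsec_routes(text):
    """Return the prefixes that the route table maps to an IPsec map."""
    nets = set()
    for line in text.splitlines():
        m = re.match(r"\S+\s+(\S+/\d+)\s+is an ipsec map", line)
        if m:
            nets.add(ipaddress.ip_network(m.group(1)))
    return nets

def parse_sessions(text):
    """Parse session rows assuming the layout SIP DIP Prot SPort DPort Cntr
    Prio ToS Age Destination TAge Packets Bytes Flags; the Destination
    column may span two tokens (e.g. 'tunnel 10'), Flags is always last."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        rows.append({"sip": f[0], "dip": f[1], "prot": int(f[2]),
                     "dest": " ".join(f[9:-4]), "flags": f[-1]})
    return rows

def off_map_sessions(sessions, nets, peers):
    """Sessions whose destination is a master address not covered by any
    IPsec-map route, i.e. control traffic addressed past the tunnel."""
    flagged = []
    for s in sessions:
        dip = ipaddress.ip_address(s["dip"])
        if dip in peers and not any(dip in n for n in nets):
            flagged.append(s)
    return flagged

def report():
    """Run the check over the constructed sample and return flagged rows."""
    return off_map_sessions(parse_sessions(SESSIONS),
                            parse_ipsec_routes(IPSEC_ROUTES), MASTER_ADDRESSES)
```

On the sample data the second row is flagged: the local answers to 1.1.1.1, which is not behind the ipsec-map route, whereas 192.168.230.3/32 is.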