Local controller to master over internet
07-14-2016 05:42 AM - edited 07-14-2016 05:44 AM
I´m setting up a lab scenario with a central controller with UDP 4500 only port forwarded to it from the public facing firewall and a branch office controller with internet only access that should connect as a local to the central master. I think I´m missing something simple so please help me take an extra look :)
Configuration on master:
local-factory-cert local-mac "00:0b:86:xx:xx:xx"
controller-ip 192.168.230.3 (this one has UDP 4500 port forwarded to it from 184.108.40.206)
crypto isakmp udpencap-behind-natdevice enable
Configuration on brach local:
masterip 220.127.116.11 ipsec-factory-cert master-mac-1 00:0b:86:yy:yy:yy
interface vlan 4094 (internetfacing accessport)
ip address dhcp-client
ip nat outside
interface vlan 5
ip address 172.22.5.10 255.255.255.0
ip nat inside
controller-ip vlan 5
I can see successful isapmp SA and ipsec SA on both controllers and the routes are successfully implemented in the IPSEC maps.
C 172.22.5.10/32 is an ipsec map default-local-master-ipsecmap-00:0b:86:xx:xx:xx
C 192.168.230.3/32 is an ipsec map default-local-master-ipsecmap
If I ping from the master to 172.22.5.10 I can see this in the datapath session table of the local:
192.168.230.3 172.22.5.10 1 55 2048 0/0 0 0 1 tunnel 10 8 1 120 FSCI
172.22.5.10 18.104.22.168 1 58 0 0/0 0 0 1 tunnel 10 6 1 120 FNI
(Also in the datapath I see the local trying to answer PAPI traffic back to the public IP of 22.214.171.124 instead of the masters controller-ip which I think it should be)
If I ping from the local to the 192.168.230.3 address I see nothing in the datapath of the master.
In the logs of the local I just see that it tries to send things directly to the public IP of the master, shouldn´t it understand that it needs to communicate through the tunnel?
Jul 14 15:33:21 cfgm: <307025> <DBUG> |cfgm| local:Sending heartbeat message to MMS
Jul 14 15:33:21 cfgm: <307103> <INFO> |cfgm| send_tcp_hb_master 196 Connection to the master failed, Will retry socket ID 20 state CONFIG_SOCKET_NOTCONNECTED
Jul 14 15:33:21 cfgm: <307240> <DBUG> |cfgm| Connecting the Local CFGM socket, state 1
Jul 14 15:33:21 cfgm: <307242> <INFO> |cfgm| Failed to connect to the Master (126.96.36.199),Configuration socket will try again: Connection timed out
Jul 14 15:33:21 cfgm: <399814> <DBUG> |cfgm| Checking if the regulatory file is modified
Jul 14 15:33:21 cfgm: <399814> <DBUG> |cfgm| Sending the heartbeat message. Not Responding counter=7
Jul 14 15:33:21 cfgm: <399815> <INFO> |cfgm| Cannot connect to the master 188.8.131.52 error Connection timed out errno 145 socket id 20
I´ve also put up a local using certificate based authentication on the same subnet as the master and it works like a charm. I´d like this to work with only the UDP4500 port forward.
Please help me put some extra eyes on this dear Airheaders :) I´m running ArubaOS 184.108.40.206
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306