Guru Elite

Re: MM/MD drop connectivity - won't re-establish without MD reboot

Did that fix your specific issue?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor I

Re: MM/MD drop connectivity - won't re-establish without MD reboot

Yes, it did.

Thank you

MVP

Re: MM/MD drop connectivity - won't re-establish without MD reboot

Hi @dmitry.skotnikov - firstly, I am so happy someone else has an insight into this issue; it has been driving me crazy.

It looks like the default of this setting on Cisco ASAs (which is what we use, and we have the same issue) is 0:00:00.

Why does it need to be set to 00:00:30 to fix this? I'm not sure I understand why this would make a difference, and I want to understand.

Occasional Contributor I

Re: MM/MD drop connectivity - won't re-establish without MD reboot

OK, let me try to explain.

What I found on the firewall after the IPsec tunnel had been restored between the MM and MD sites was a connection state for UDP MD:4500 -> MM:4500 via the outside interface of the ASA. It was weird, because I had a more specific route towards the MM subnet via the IPsec VTI tunnel interface, meaning the connection from MD towards MM was supposed to be made via the tunnel interface instead of the egress outside interface.

ASA has an old feature which prevents the box from clearing the connection even after we installed a more specific route into the routing table. In other words, when the IPsec tunnel was restored and routing changed, we still had a connection via the outside interface, which had been established when MD was trying to reconnect to MM at the time of the IPsec outage; since at that time we had only a default route via outside, that state had been programmed by the firewall. And since MM/MD use NAT-T to build the tunnel, the firewall sees a UDP flow which will never expire, since MD is constantly trying to re-establish the tunnel.

The configuration knob timeout floating-conn 0:00:00, which is the default for ASA, pretty much says never clear the connection I've described above.

Changing it to timeout floating-conn 0:00:30 will make sure the connection is cleared after 30s once the IPsec tunnel is restored and we have a better route towards MM.

If the description above is vague, please check this out to get another take on it:


https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113592-udp-traffic-fails-00.html
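As an added illustration of the mechanism described in this post (not code from the thread or from Cisco), the following Python model replays the scenario: a UDP/4500 state is built via the outside interface while only the default route exists, the VTI route then returns, and the floating-conn timeout decides whether the stale state is ever torn down. Addresses, interface names and the hypothetical helper names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str

@dataclass
class Conn:
    dst: str
    interface: str                        # egress interface the state was built on
    rerouted_since: "float | None" = None  # when a better route elsewhere first appeared

def parse_timeout(hms: str) -> int:
    """ASA 'timeout floating-conn h:mm:ss' -> seconds (0 = never clear)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def best_route(routes, dst):
    """Longest-prefix match, as the ASA routing table does."""
    hits = [r for r in routes if ipaddress.IPv4Address(dst) in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

def age_floating_conns(conns, routes, now, timeout):
    """Keep conns whose egress still matches the best route; a conn whose best route
    moved to another interface is cleared once `timeout` seconds pass, unless timeout
    is 0 (ASA default). Idle timeouts are ignored: NAT-T retries keep the flow fresh."""
    kept = []
    for c in conns:
        r = best_route(routes, c.dst)
        if r is None or r.interface == c.interface:
            c.rerouted_since = None
        elif timeout > 0:
            c.rerouted_since = now if c.rerouted_since is None else c.rerouted_since
            if now - c.rerouted_since >= timeout:
                continue                  # floating conn expired: drop it
        kept.append(c)                    # timeout 0: stale conn pinned forever
    return kept

def simulate(floating_conn: str) -> int:
    """Constructed scenario: MD -> MM 10.0.0.10 UDP/4500 state built on 'outside'
    during the outage; the VTI then returns with a /24 via Tunnel1.
    Returns how many stale outside-interface conns survive 31 s later."""
    conns = [Conn("10.0.0.10", "outside")]
    routes = [Route(ipaddress.IPv4Network("0.0.0.0/0"), "outside")]
    timeout = parse_timeout(floating_conn)
    routes.append(Route(ipaddress.IPv4Network("10.0.0.0/24"), "Tunnel1"))
    for t in (1, 31):
        conns = age_floating_conns(conns, routes, t, timeout)
    return len(conns)
```

With the default "0:00:00" the stale state survives indefinitely (and the MD's retries keep it from idling out), while "0:00:30" clears it once the tunnel route has been the better path for 30 seconds.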

MVP

Re: MM/MD drop connectivity - won't re-establish without MD reboot

Yes, I would just like to say to you - thank you very much.

This VTI setup you have is what we have, and this is when the major problems happened.

Also, your advice led me down the correct path, as I was able to run the command on the ASA:

show conn address (ip of mobility master)

This returned two idle UDP connections.

Once I used this command:

clear conn protocol udp address (ip address of the MM)

Straight away the MM to MD connection came back. So I believe that with the timeout command this will fix the problem.

Thank you again.

Occasional Contributor I

Re: MM/MD drop connectivity - won't re-establish without MD reboot

Yes, you are right: clearing the connection manually is the way to restore connectivity immediately. You need to do it for each MC in your cluster if you run more than 1 box.

Awesome, glad it helps!

MVP

Re: MM/MD drop connectivity - won't re-establish without MD reboot

Dmitry, this is a fantastic find - thank you, this has solved my issue on all sites! Thank you again.