MVP

MM/MD drop connectivity - won't re-establish without MD reboot

Hi,

I have a strange issue between two sites. The current setup I have works across multiple sites but one is causing an issue.

Mobility Master is at head office

Managed device on another site

VPN configured to allow connection between both

Added relevant firewall rules

Managed devices added as normal to Mobility Master

Everything comes up and syncs the config

The connection between the two sites drops intermittently for a few seconds every day; this is currently being investigated. However, once this happens the MM loses connection to the MD (they show as down on the MM) and they never re-establish unless I do a full reboot of both the primary and secondary controllers on the remote site. I have no idea why this would work until a drop in connectivity, and why the connection doesn't re-establish between MM and MD like it has done on other sites when a drop between sites happens.

Thanks

MVP

Re: MM/MD drop connectivity - won't re-establish without MD reboot

This is showing in the security logs:

Mar 25 15:41:16 :103103:  <3440> <WARN> |ike|   IKE SA Deletion: IKE2_delSa peer:172.20.xx.xx:4500 id:2375889169 errcode:ERR_IKESA_EXPIRED saflags:0x41000005 arflags:0x20
Mar 25 15:41:58 :103103:  <3440> <WARN> |ike|   IKE SA Deletion: IKE2_delSa peer:172.20.xx.xx:4500 id:2375889170 errcode:ERR_IKESA_EXPIRED saflags:0x41000005 arflags:0x20

 

Also showing this when searching logs for cfgm:

Mar 25 14:24:28  cfgm[3375]: <399816> <3375> <ERRS> |cfgm|  handle_read: State(READY:UPDATE SUCCESSFUL:CFGID-869:PEND-0:INITCFGID:0) FD=33:Failure receiving heartbeat response header information Result=-1 Err=Connection timed out
Mar 25 14:24:37  cfgm[3375]: <399838> <3375> <WARN> |cfgm|  LmsHeartBeatResultAction: State(CONNECTINPROGRESS:UPDATE SUCCESSFUL:CFGID-869:PEND-0:INITCFGID:0) FD=33:Cannot heartbeat with the master.
Mar 25 14:24:58  cfgm[3375]: <399838> <3375> <WARN> |cfgm|  LmsHeartBeatResultAction: State(READY:UPDATE SUCCESSFUL:CFGID-869:PEND-0:INITCFGID:0) FD=33:Cannot heartbeat with the master.
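
The two excerpts above use different syslog prefixes, which makes them awkward to read side by side. As an added example (not part of the original thread, and not Aruba code), this Python script parses both formats into one timeline and measures how long after the first heartbeat failure the IKE SA was reported expired; the function names and the placeholder year are assumptions.

```python
import re
from datetime import datetime

# The five log lines quoted in the post above, verbatim (peer address masked there).
SAMPLE = """\
Mar 25 15:41:16 :103103:  <3440> <WARN> |ike|   IKE SA Deletion: IKE2_delSa peer:172.20.xx.xx:4500 id:2375889169 errcode:ERR_IKESA_EXPIRED saflags:0x41000005 arflags:0x20
Mar 25 15:41:58 :103103:  <3440> <WARN> |ike|   IKE SA Deletion: IKE2_delSa peer:172.20.xx.xx:4500 id:2375889170 errcode:ERR_IKESA_EXPIRED saflags:0x41000005 arflags:0x20
Mar 25 14:24:28  cfgm[3375]: <399816> <3375> <ERRS> |cfgm|  handle_read: State(READY:UPDATE SUCCESSFUL:CFGID-869:PEND-0:INITCFGID:0) FD=33:Failure receiving heartbeat response header information Result=-1 Err=Connection timed out
Mar 25 14:24:37  cfgm[3375]: <399838> <3375> <WARN> |cfgm|  LmsHeartBeatResultAction: State(CONNECTINPROGRESS:UPDATE SUCCESSFUL:CFGID-869:PEND-0:INITCFGID:0) FD=33:Cannot heartbeat with the master.
Mar 25 14:24:58  cfgm[3375]: <399838> <3375> <WARN> |cfgm|  LmsHeartBeatResultAction: State(READY:UPDATE SUCCESSFUL:CFGID-869:PEND-0:INITCFGID:0) FD=33:Cannot heartbeat with the master.
""".splitlines()

# The prefixes differ, but every line carries "<LEVEL> |module| message".
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s.*?<(?P<level>[A-Z]+)>\s+\|(?P<mod>\w+)\|\s+(?P<msg>.*)$")
IKE = re.compile(r"peer:(?P<peer>\S+)\s+id:(?P<id>\d+)\s+errcode:(?P<err>\w+)")
STATE = re.compile(r"State\((?P<state>[A-Z]+):")


def parse(line, year=2000):
    """Parse one line into an event dict; None if it does not match.
    The logs carry no year, so `year` is an arbitrary placeholder."""
    m = LINE.match(line)
    if not m:
        return None
    ev = {"time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
          "level": m["level"], "module": m["mod"], "msg": m["msg"]}
    if ike := IKE.search(ev["msg"]):
        ev.update(peer=ike["peer"], sa_id=int(ike["id"]), errcode=ike["err"])
    if st := STATE.search(ev["msg"]):
        ev["cfgm_state"] = st["state"]
    return ev


def summarize(lines):
    """Merge both sources into one timeline and relate heartbeat loss to SA expiry."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["time"])
    hb = [e for e in events if e["module"] == "cfgm" and "heartbeat" in e["msg"].lower()]
    expired = [e for e in events if e.get("errcode") == "ERR_IKESA_EXPIRED"]
    gap = (expired[0]["time"] - hb[0]["time"]).total_seconds() if hb and expired else None
    return {
        "timeline": [(e["time"].strftime("%H:%M:%S"), e["module"]) for e in events],
        "cfgm_states": [e["cfgm_state"] for e in hb if "cfgm_state" in e],
        "expired_sa_ids": [e["sa_id"] for e in expired],
        "peers": sorted({e["peer"] for e in expired}),
        "secs_heartbeat_loss_to_sa_expiry": gap,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the quoted lines, the three cfgm heartbeat failures at 14:24 come first and the two `ERR_IKESA_EXPIRED` deletions follow at 15:41, 4608 seconds after the first failure.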

 


Re: MM/MD drop connectivity - won't re-establish without MD reboot

What firmware version are you running? Also, does the VPN connection between the two sites NAT address space between the sites?


Charlie Clemmer
Aruba Customer Engineering
MVP

Re: MM/MD drop connectivity - won't re-establish without MD reboot

Thanks for your reply.

Firmware version is 8.4.0.3

No, there are no NATs involved.


Re: MM/MD drop connectivity - won't re-establish without MD reboot

Has this ever worked before? It sounds like an MTU issue with the MM/MD IPSec tunnel being routed down your local site-to-site VPN tunnel.


Charlie Clemmer
Aruba Customer Engineering
MVP

Re: MM/MD drop connectivity - won't re-establish without MD reboot

Yes, most definitely. In fact, it works every time I reboot the two managed devices; they come back online. Then when the ISP drops out at the remote site temporarily, the MM sees the two MDs as down and they never come back up. Yet I can get to them through the browser window and they are still up on site; they just lose connection to the MM, and the only way to resolve it is to reboot them both - not ideal.

MVP

Re: MM/MD drop connectivity - won't re-establish without MD reboot

I have opened the firewall on both sides to allow traffic for testing purposes from the IP of the MMs and the IP of the MDs.

However, when even trying to ping the MDs from the MMs, the firewall doesn't see it. I guess it looks like it is trying to go down the tunnel that was created between the MM and MD but doesn't get a response, so it fails?

Guru Elite

Re: MM/MD drop connectivity - won't re-establish without MD reboot

Right. If that tunnel doesn't exist, pings do not work because there is a route set up to reach the MD that goes through the tunnel via the ipsec map.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
MVP

Re: MM/MD drop connectivity - won't re-establish without MD reboot

Correct - that is what I was saying in the above post. I understand why it does not work; however, what I do not understand is why, like other sites, the connection between the MM and the MD does not re-establish when the VPN between the two sites is back?

Guru Elite

Re: MM/MD drop connectivity - won't re-establish without MD reboot

Do the other sites have a firewall? Is there NAT involved? (I think this was asked before.)

I would debug the ipsec connection on the MM side using the instructions here: EDIT https://community.arubanetworks.com/t5/Aruba-Solution-Exchange/Troubleshooting-IPsec/ta-p/282677

https://community.arubanetworks.com/t5/Controller-Based-WLANs/Understanding-and-Troubleshooting-IPSec-issues/ta-p/240527 (the debug syntax is slightly different in 8.x). That would show you the attempt the MDs are making to connect. I would also do "show datapath session table <ip address of md>" repeatedly on the MM side to see what traffic is being sent to the MM from the MD.

