
Occasional Contributor II

Master-Local IPSec connection not happening

Before I talk to India I thought I'd throw this out here.


I have a site with Master/Master backup and 5 local controllers running 3.4.4FIPS.


Recently had to replace a local sup card; the new one was configured with basic IP settings to enable me to access it. I have full HTTPS/SSL connectivity, was able to upgrade to current code and transfer licenses, but cannot get the Master to connect to the local. I have deleted the Local Controller IPSec config and re-added it on the Master to no avail. I can ping the local from any other local (or other devices), but not from either of the masters. The other locals are in other buildings and subnets; this is a layer 2 network. From the new local I can ping whatever I want: masters, locals, gateways...


Any thoughts?

Aruba Employee

Re: Master-Local IPSec connection not happening

Ping from the masters is probably not working because IPSEC is trying to get established. If you were to remove the master-local configuration from both controllers, the ping should recover.


You can enable "logging level debugging security" on the master and local controller, and check "show log security 50" to understand why the IPSEC is not getting established.


A few more commands to check to determine whether phase1 or phase2 is failing are:

show crypto isakmp sa

show crypto ipsec sa



Aruba Employee

Re: Master-Local IPSec connection not happening

I ran into something very similar, and what I found was that my pre-shared key was wrong on the local. You've probably already checked that, but if you want to take a closer look, do an "encrypt disable" on the local and check that key.

Aruba Employee

Re: Master-Local IPSec connection not happening

It would be a good idea to check whether the IPSec link to the master is established using the interface IP or the loopback IP of the local.


On the Master check "show running-config | include localip" and on the local check the switch ip.


I have seen issues when both of them are not the same.

Occasional Contributor II

Re: Master-Local IPSec connection not happening

Problem solved


What happened was the sup card was sent out to the site (we don't have the capability of preconfiguring an RMAed card, go figure) and the local contact mistakenly set this sup card as a master. Once we realized this and set it to local, everything else fell into place.


Tried deleting all IPSec settings and still couldn't ping the "local" from the master till after we changed the role to local.


Thanks for the suggestions.

Contributor I

Re: Master-Local IPSec connection not happening

I just worked through a similar issue and it turned out I had the wrong switch role on my local controller. On top of that I had a typo with the loopback IP address on my local, so it didn't match the "localip x.x.x.x ipsec xxx" config from the master. I found the advice on this thread to be very helpful in troubleshooting my issues.
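The three causes reported in this thread so far (wrong controller role, a master `localip` entry that does not match the local's switch IP, and a mismatched pre-shared key) can be checked together. The following is an added Python example, not code from any poster or from Aruba; it assumes the operator has copied the master's `localip` lines and the local's role, switch IP and key (read after "encrypt disable") by hand, and every address and key in it is a constructed sample.

```python
import hmac
import ipaddress
import re

# "localip <ip> ipsec <key>" is the master-side line quoted in the thread.
LOCALIP_RE = re.compile(r"^\s*localip\s+(\S+)\s+ipsec\s+(\S+)\s*$", re.M)
# Assumption: a 0.0.0.0 entry on the master applies to any local controller.
WILDCARD = ipaddress.ip_address("0.0.0.0")

# Constructed sample of master config lines (documentation addresses).
MASTER_CFG = """
localip 192.0.2.21 ipsec ConstructedKey1
localip 192.0.2.31 ipsec ConstructedKey2
"""

def parse_localips(master_config):
    """Return {ip_address: key} for every localip line in the master config."""
    return {ipaddress.ip_address(ip): key
            for ip, key in LOCALIP_RE.findall(master_config)}

def check_local(master_config, local_role, local_switch_ip, local_key):
    """Return a list of findings; an empty list means all three checks pass.

    The key check is only meaningful when both configs were captured with
    key display enabled ("encrypt disable"), otherwise keys are masked.
    Findings never contain the key material itself.
    """
    findings = []
    if local_role.strip().lower() != "local":
        findings.append("role: controller is set to %r, expected 'local'"
                        % local_role)
    entries = parse_localips(master_config)
    switch_ip = ipaddress.ip_address(local_switch_ip)
    key = entries.get(switch_ip, entries.get(WILDCARD))
    if key is None:
        findings.append("localip: master has no localip entry for %s"
                        % switch_ip)
    elif not hmac.compare_digest(key.encode(), local_key.encode()):
        findings.append("psk: key for %s differs between master and local"
                        % switch_ip)
    return findings

if __name__ == "__main__":
    # Replaced card left in the master role, with a typo in its switch IP.
    for line in check_local(MASTER_CFG, "master", "192.0.2.12", "ConstructedKey1"):
        print(line)
```
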

New Contributor

Re: Master-Local IPSec connection not happening

I resolved the issue with the information in this thread. Thanks everyone. Below are my findings to share:


For my case: there is a firewall in between the local and Master devices. Nothing is blocked; debugging on the controllers shows IPSec phase1 messages were going back and forth but no ISAKMP SA established.


Using "Encrypt disable" confirmed the key matches.

By clearing the session on the firewall in between, the local and master automatically completed the IPSec negotiation successfully.


In conclusion: for my case the issue appears to have the same symptoms, but the root cause has nothing to do with the Local or Master configurations, but with the traffic in between. Thus, it's worthwhile to check all devices in between if possible.


Contributor I

Re: Master-Local IPSec connection not happening

I had a similar issue, turned out the port on my controller was not marked as 'trusted'.

Occasional Contributor II

Re: Master-Local IPSec connection not happening

Hi all,

Just on the same issue: I'm new to Aruba's world. We have a master controller that's running fine and I need to set up a local controller and configure redundancy. The problem is that I don't know the IPSec preshared key that is configured on the master controller. I tried to use encrypt disable but I didn't know where to look in the running config:

I have the below config on the master:

Crypto Map "default-psk-redundant-master-ipsecmap" 9999 ipsec-isakmp
Crypto Map Template"default-psk-redundant-master-ipsecmap" 9999
                 IKE Version: 1
                 IKEv1 Policy: All
                 Security association lifetime seconds : [300 -86400]
                 Security association lifetime kilobytes: N/A
                 PFS (Y/N): N
                 Transform sets={ default-ml-transform }
                 Peer gateway:
                 Interface: VLAN 0
                 Source network:
                 Destination network:
                 Pre-Connect (Y/N): Y
                 Tunnel Trusted (Y/N): Y
                 Forced NAT-T (Y/N): N
                 Uplink Failover (Y/N): N
                 Force-Tunnel-Mode (Y/N): N
                 IP Compression (Y/N): N


How can I get the preshared key from the master? If I need to use "encrypt enable", which part of the config do I need to look at? Thank you in advance.
