Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Master-local connectivity problem

  • 1.  Master-local connectivity problem

    Posted Feb 21, 2013 07:54 AM

    Having a problem with a master-local setup.

    I have read this post, and the problem is very similar:

    http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Master-Local-communication/td-p/6669

    As there is no solution provided with that post, I have to ask the Airheads community before a case is made with Aruba TAC.

    The problem is similar: I have 2x 3400 controllers in VRRP. The controller with problems is a 620, which is to be connected over the internet to the master controllers. This has worked without a problem in the pilot phase of the project, in my lab and at the customer's site.

    Suddenly one Sunday, the local lost contact, and I have not been able to get it to connect again.

    I do have a second 620 in my lab that has no problems connecting.

    I have been through the troubleshooting guide on Airheads, but it does not provide any solution if you can't get the same results as the guide.

    The local controller that is not working does not have an IPSec SA up and running, and I'm unable to find out why.

    The IPSec key is correct; I have checked it several times, and the controller that is working uses the same key.

    As the post talks about, there is a difference in the default-local-master-ipsecmap of the two local controllers.

    Here is the MAP from the controller that is working:

    Crypto Map Template"default-local-master-ipsecmap" 9999
             IKE Version: 1
             lifetime: [300 - 86400] seconds, no volume limit
             PFS (Y/N): N
             Transform sets={ default-ml-transform }
             Peer gateway: 89.248.4.37
             Interface: VLAN 0
             Source network: 195.1.55.125/255.255.255.255
             Destination network: 192.168.205.4/255.255.255.255
             Pre-Connect (Y/N): Y
             Tunnel Trusted (Y/N): Y
             Forced NAT-T (Y/N): N

    The destination network is the network at the customer's site; the peer gateway is a FW. This firewall is NAT'ing to the master, and the master already has 50 RAPs connected through the same gateway/FW, so there is no problem there.

    Here is the controller that has problems connecting:

    Crypto Map Template"default-local-master-ipsecmap" 9999
             IKE Version: 1
             lifetime: [300 - 86400] seconds, no volume limit
             PFS (Y/N): N
             Transform sets={ default-ml-transform }
             Peer gateway: 89.248.4.37
             Interface: VLAN 0
             Source network: 10.10.1.250/255.255.255.255
             Destination network: 89.248.4.37/255.255.255.255
             Pre-Connect (Y/N): Y
             Tunnel Trusted (Y/N): Y
             Forced NAT-T (Y/N): N

     

    Notice the difference in the destination network: here it is the same as the peer gateway, but this might change when the controller successfully connects to the master, I don't know.

    All controllers (2x 3400 and 2x 620) are running the same software version (6.1.3.4).

    On the controller that is not working I get this:

     

    (Riis-Lade_620) #show crypto ipsec sa

    % No active IPSEC SA

    The other 620 gives me this:

     

    (Riis-Hvam_620) #show crypto ipsec sa

    IPSEC SA Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP
    ------------     ------------     -----------         -----------         -----  ---------------   --------
    195.1.55.125     89.248.4.37      195.1.55.125/32     192.168.205.4/32    T      Feb 21 12:18:25     -

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

    Total IPSEC SAs: 1

     

    They are obviously not connected on the same line, but they try to connect to the same peer gateway.

    The controller that is not working is connected to a broadband line that today is running 4-5 RAPs, giving them access. These RAPs are connecting to the same public IP as the controller is trying to reach. Why the controller can't connect, but the RAPs can, beats me.

    I would like to resolve this problem without involving Aruba TAC, as TAC tends to take a lot of time. At the same time TAC tends to ask a lot of questions, questions they usually could find the answer to just by reading what I have written.

    This is the main problem with Aruba TAC in my experience atm.

     

    Roar



  • 2.  RE: Master-local connectivity problem

    Posted Feb 21, 2013 02:00 PM

     

    Have you tried "show datapath session | include <ip address of the site controller>"?

    My working local controller looks like this:

     

     

    (MASTER2) # show datapath session | include 50.79.73.165
    172.18.254.96   50.79.73.165    17   4500  4500   0/0     0 0   1   pc1         fbb3 1      1      F
    172.18.254.96   50.79.73.165    17   8209  8209   0/0     0 0   1   tunnel 71   9    1      1      F
    50.79.73.165    172.18.254.96   6    41729 8211   0/0     0 0   1   tunnel 90   bb39 0      0      C
    50.79.73.165    172.18.254.96   17   8209  8209   0/0     0 0   0   tunnel 71   9    0      0      FC
    172.18.254.96   50.79.73.165    6    8211  41729  0/0     0 0   0   tunnel 90   bb39 1      1
    50.79.73.165    172.18.254.96   17   4500  4500   0/0     0 0   0   pc1         fbb3 0      0      FC
    
    

     



  • 3.  RE: Master-local connectivity problem

    Posted Feb 21, 2013 03:10 PM

    Hi

     

    I just did the command you said, and it confirms what I have found so far. The IPSec is not up, but as far as I can understand there is some kind of connection; the master can actually see it being a local.

     

    (Riis_3400_Master) #show datapath session | include 10.10.1.250
    10.10.1.250     192.168.205.4   47   0     0      0/0     0 0   70  local       c662 0      0      F
    192.168.205.4   10.10.1.250     47   0     0      0/0     0 0   0   local       c663 5c     5c     FC

     

    Roar



  • 4.  RE: Master-local connectivity problem

    Posted Feb 25, 2013 11:29 AM

    I noticed that your controller did not have "Forced NAT-T" enabled. You should turn that on. I believe this will force the IPSEC to UDP-4500.

    I remembered I had the same problem, and it worked when I deleted the tunnel and restarted from fresh.

     

    Found this in the VRD:

    [attachment: TS IPSEC.JPG]



  • 5.  RE: Master-local connectivity problem

    Posted Feb 26, 2013 02:52 AM

    Hi

     

    Thanks for the input.

    This is the control plane IPSec between master and local, which the controller sets up itself when I change the role from master to local.

    To my knowledge I'm unable to edit this crypto map, hence I am not able to turn on Forced NAT-T.

    And as you can see, I pasted two crypto maps, one working and one offline; neither of them has Forced NAT-T enabled.

    If there is any way to turn on Forced NAT-T on this default-local-master-ipsecmap, I would gladly test this.

     

    Roar



  • 6.  RE: Master-local connectivity problem

    Posted Feb 26, 2013 06:00 PM

     

    You are right, the local IPSEC controller does not need to enable Forced NAT-T, and you cannot change it.

    A few things you can try at the local controller:

    1. show controller-ip: to make sure it is the same IP address that the master controller maps to
    2. show ip route: you need a default route to the gateway of the local controller, and you must have an IPsec-map route to the master controller via default-local-master-ipsecmap
    3. Check your firewall log to see if the controller hits your firewall and on what port

    Can you post the crypto map from the master?

     

    TN
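
    The replies above suggest two checks: the "show datapath session | include <peer>" listing (reply 2) and the routing/firewall checklist (reply 6). The script below is an added example, not code from this thread or from HPE Aruba: it parses session rows in the column layout shown in the listings above (assumed to be Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio, ToS, Age, Destination, TAge, Packets, Bytes, Flags) and reports whether IKE (UDP 500), NAT-T (UDP 4500), ESP (protocol 50) or only GRE (protocol 47) sessions exist with the peer, which tells you at which stage the control-plane tunnel stops. The sample rows and their IP addresses are constructed for the example.

```python
"""Summarise what an ArubaOS 'show datapath session | include <peer>' listing
says about the master-local control-plane tunnel.

Added example (not from the thread or from HPE Aruba). Column order is an
assumption based on the listings posted in the thread; the Destination column
may be two tokens (e.g. "tunnel 71") and Flags may be empty.
"""
from collections import namedtuple

Session = namedtuple("Session", "src dst proto sport dport dest flags")

# Protocols and ports that matter for the IPsec control plane
UDP, GRE, ESP = 17, 47, 50
IKE_PORT, NATT_PORT = 500, 4500

# Destination column values that span two tokens (assumption from the listings)
TWO_TOKEN_DEST = {"tunnel"}


def parse_session_line(line):
    """Parse one session row; return None for headers, separators and blanks."""
    tokens = line.split()
    # Shortest valid row: 13 tokens (one-token destination, no flags)
    if len(tokens) < 13 or not tokens[2].isdigit():
        return None
    src, dst = tokens[0], tokens[1]
    proto, sport, dport = int(tokens[2]), int(tokens[3]), int(tokens[4])
    idx = 9  # index of the Destination column
    if tokens[idx] in TWO_TOKEN_DEST:
        dest = tokens[idx] + " " + tokens[idx + 1]
        idx += 2
    else:
        dest = tokens[idx]
        idx += 1
    rest = tokens[idx:]  # TAge, Packets, Bytes, optional Flags
    flags = rest[3] if len(rest) > 3 else ""
    return Session(src, dst, proto, sport, dport, dest, flags)


def diagnose(lines, peer_ip):
    """Return (verdict, evidence dict, sessions) for the sessions with peer_ip."""
    sessions = [s for s in map(parse_session_line, lines)
                if s and peer_ip in (s.src, s.dst)]
    seen = {
        "ike_udp500": any(s.proto == UDP and IKE_PORT in (s.sport, s.dport) for s in sessions),
        "natt_udp4500": any(s.proto == UDP and NATT_PORT in (s.sport, s.dport) for s in sessions),
        "esp": any(s.proto == ESP for s in sessions),
        "gre": any(s.proto == GRE for s in sessions),
    }
    if seen["natt_udp4500"] or seen["esp"]:
        verdict = "ipsec traffic present (check SA state with 'show crypto ipsec sa')"
    elif seen["ike_udp500"]:
        verdict = "ike only: negotiation started, no esp/nat-t yet (check firewall for udp/4500)"
    elif seen["gre"]:
        verdict = "gre only: no ike/ipsec exchange with this peer (check controller-ip and routes)"
    elif sessions:
        verdict = "sessions present but none are ike/ipsec/gre"
    else:
        verdict = "no sessions with peer (check default route and firewall log)"
    return verdict, seen, sessions


# Constructed sample rows in the thread's column layout (documentation-range IPs)
WORKING_LOCAL = [
    "Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets Bytes Flags",
    "198.51.100.10   203.0.113.5     17   4500  4500   0/0     0 0   1   pc1         fbb3 1      1      F",
    "203.0.113.5     198.51.100.10   17   4500  4500   0/0     0 0   0   pc1         fbb3 0      0      FC",
    "198.51.100.10   203.0.113.5     17   8209  8209   0/0     0 0   1   tunnel 71   9    1      1      F",
]
BROKEN_LOCAL = [
    "10.0.0.250      192.0.2.4       47   0     0      0/0     0 0   70  local       c662 0      0      F",
    "192.0.2.4       10.0.0.250      47   0     0      0/0     0 0   0   local       c663 5c     5c     FC",
]

if __name__ == "__main__":
    for label, rows, peer in (("working", WORKING_LOCAL, "203.0.113.5"),
                              ("broken", BROKEN_LOCAL, "10.0.0.250")):
        verdict, seen, sessions = diagnose(rows, peer)
        print(f"{label}: {len(sessions)} sessions with {peer} -> {verdict}")
        print("   evidence:", seen)
```

    Paste the real listing into a file and feed its lines to diagnose() with the peer address; the verdict is only a pointer to which of the checklist items to look at next, since the datapath table shows packets seen, not whether the SA actually negotiated.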



  • 7.  RE: Master-local connectivity problem

    Posted Sep 19, 2017 12:40 AM

    You had a good result; I have this same problem.