Wireless Access

We have an existing AOS 6.5 production setup and we have a whole new set of hardware configured for AOS 8.3. So far, the new setup is ready for testing and I am trying to move an AP from the current AOS6 setup to AOS8 by changing the LMS IP of an AP. I pointed the LMS IP to the VRRP IP of the MM. Here's what's on the AP console:

 

AP rebooted Tue Jun 18 14:27:24 PDT 2019; Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_IKEV2_TIMEOUT
shutting down watchdog process (nanny will restart it)...

The MM doesn’t support APs , you need to change LMS IP so that the APs build the tunnel with the Mobility Controller (Manage Nodes)





Thank you

Victor Fabian

Pardon typos sent from Mobile

I see.

 

So which of the MCs. I have 2 MCs for now that is clustered. I'm still waiting for the other 2 so a total of 4 when complete. I know there's a Leader concept on the MCs but I don't know which one. Should I point it to the leader or any of the MCs will do fine?

How are you planning to migrate all your APs ? All at one or in phases

I recommend you have the same AP-Group names , makes things a bit easier (you can create new ones and move the APs to the new ones , once the APs are already communicating with the AOS8 controllers)

Configure VRRIP VIP between the two MCs
You have a couple of options :
- You can update the LMS-IP using VRRIP VIP on the AP-Group from the existing AOS6
- You can point the APs to aruba-master that resolves to a VRRIP VIP (don’t do this if you are planning to move your APs in phases and Aruba-master is currently in-use)
- Configure DHCP option 43 using the VRRIP VIP

Once the APs are fully provisioned on the AOS8 Cluster, all the APs will have a cluster node list with the MCs IPs


Thank you

Victor Fabian

Pardon typos sent from Mobile

I just changed the LMS IP and now pointing to one of the MC and the other MC as backup LMS IP.  The problem is stil the same where the AP can't form IPsec tunnel to the MC.    

 

My Plan of migrating all those 2000 APs is by one AP Group at a time by changing their LMS IPs. The AOS8 setup have the same AP groups just like the current AOS6 has.  

    

Right now, I only have 2 MCs but I am expecting 2 more (being shipped right now). I can create a VIP between the 2 MCs now but what happens if I add the other 2?

- You need to make a VIP beween the two MDs and then add the two other two MDs to the VRRP.

- Your discovery method, DNS, dhcp option 43 should point to that VIP.

- When APs discover a cluster, the list of nodes are pushed to the APs flash and upon reboot the APs no longer, discover using DNS, or DHCP or multicast:  they attempt to connect to the list of nodes in their flash. 

- There is no need to put an LMS-IP into the ap-group, because the AP is assigned a controller by the cluster leader when it connects to one of the nodes in the nodelist.

- LMS-ip is only necessary if you have more than one cluster and there is a chance that your APs will initially discover the wrong cluster and will need to be redirected to the correct one, OR you need to enter a backup-lms for redundancy to a second cluster (overkill).

 

If you have 2000 APs to migrate, I suggest you contract a VAR or work with your Aruba SE to get information on how to proceed, because there are many ways to configure things suboptimally.

On the new environment make sure you have the MC controllers LMS IPs define as well.

Also click save configuration on the master so the config is pushed


Thank you

Victor Fabian

Pardon typos sent from Mobile

It turned out that the problem was ALE qos issue. I was able to terminate 2 APs now to AOS8 by changing the APs LMS IP on the AOS6 pointing to one of the MCs.

 

However, I think I did the design all wrong. All of the boxes (2 MM + 2 MCs) are all in one VLAN. The 2 MM got a VIP within that VLAN. I thought  APs needs to find this VIP for the discovery but it turns out that APs have to find the MC's instead. Now it seems that AOS8 doesn't allow me to make VRRP for the 4 MCs  within that same VLAN.    

        

What's a good practice here? Should the 2 MM stay in there own subnet and the 4 MCs on their own?

 

Thanks

I always try to keep those separate from segment/VLAN perspective , I think you will see much better performance

And you will not see much benefit for having the MM and MD on the same VLANs

Sent from Mail for Windows 10

As Victor mentions, usually they are separated, but you can certainly put all the MMs and MCs in the same VLAN, you just have to make sure you're tracking all the VRRP IP, as the cluster configuration will use the higher numbered VRRP IPs and IDs. I keep my MM VIPs low to avoid that. But in the vast majority of deployments, the MMs end up on different vlans from the MCs.

Maybe a related question:

 

Should it work to point option 43 to one VRRP IP that is there because of clustering.

So, not creating a dedicated VRRP but use an existing one?

 

We tried this but the AP could not build an IPSec tunnel to the Cluster VRRP IP.

 

The cluster VIP (I believe) is ONLY for cluster and contorllers will not respond to external connections to cluster VIPs. you would want to point discovery at either a created VRRP across the cluster, or to a controller IP within the cluster (though if you do that, and that contorller is down, will result in the AP not coming up).

 

I usually create a single VIP across the entire cluster for AP discover so that no matter what at least one controller will always respond.

You should use a VRRP VIP (under Configuration > Services > Redundancy > Virtual Router Table )that is not included in the cluster profile config



Thank you

Victor Fabian

Pardon typos sent from Mobile

For simple troubleshooting, you can try to point directly to one of your MC.  It will still work but the best practice is to point to the VIP of all the MC in that cluster.