Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP-203RP in boot cycle if LMS is set to local controller

  • 1.  RAP-203RP in boot cycle if LMS is set to local controller

    Posted Oct 31, 2017 10:13 PM

    Hello!

    I've converted a RAP-203RP from Instant to RAP.
    The RAP is already whitelisted, VPN services are configured and the RAP comes up perfectly (IPsec terminating on the master VRRP).
    The inner tunnel IP is set via the IPsec address pool on the master controller.

    Now I also have two local controllers.
    If I set the LMS IP in the AP system profile to one of the local controllers, the RAP goes into a boot cycle.
    The VPN tunnel also gets established, but only for a few seconds before the RAP reboots again.

    If I remove the LMS IP configuration, the RAP boots up normally.

    The only difference between the master and local controller is that the IP address pool is not pushed down from the master to the locals.
    Do I have to set the pool on the locals too?
    Is it right that the RAP establishes the IPsec tunnel to the master and the GRE/PAPI tunnels to the LMS IP?

    Any suggestions how I can troubleshoot this behavior?

    Thank you!



  • 2.  RE: RAP-203RP in boot cycle if LMS is set to local controller
    Best Answer

    EMPLOYEE
    Posted Oct 31, 2017 10:43 PM

    The LMS should only be a public IP address, because it is initiated from the br0 of the AP and not the IPsec tunnel. (The RAP will try looking for that LMS-IP on the local network that the RAP is connected to).

    RAPs should not terminate on a VRRP if there is a NAT firewall between the RAP and the controller.

    The IPsec pools are configured individually on each controller. You can name them the same thing, but the IP address range for each pool needs to be defined individually on each controller.



  • 3.  RE: RAP-203RP in boot cycle if LMS is set to local controller

    Posted Nov 02, 2017 03:37 AM

    Hi Colin!

    If I understand it right, the LMS should be a VRRP reachable over the internet without a need for tunneling.
    So the LMS must match the Master Controller IP Address/DNS name in the provisioning mask under AP Installation?
    If not, you get a boot cycle?

    So the Backup LMS is not needed because of the master redundancy.

    Is there a way to configure it so that the RAP builds its IPsec to the master pair but terminates on a local?

    Thank you for your advice!

     



  • 4.  RE: RAP-203RP in boot cycle if LMS is set to local controller

    EMPLOYEE
    Posted Nov 02, 2017 05:47 AM

    - Don't use VRRP with RAP.  Having a firewall between the RAP and the VRRP somehow does not allow it to work properly.

    - If you want redundancy, make the LMS a public 1:1 nat pointing to the first controller and the backup LMS a public 1:1 nat pointing to the second controller (the local)

    - You can provision a RAP to point to the public ip address of the master, but have the LMS-IP point to the public address of the local.  The AP will find the master, and then switch over to the local.
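    A small design check, written for this thread and not part of the original post or any Aruba tool, that encodes the three points above: the LMS/backup LMS must be addresses the RAP can reach from br0 (not RFC 1918 space only reachable inside the tunnel), must not be the VRRP VIP, and should map 1:1 to a controller's public NAT address, while every controller needs its own IPsec pool because pools are not pushed from master to locals. The controller addresses, pool ranges and VIP are constructed sample values.

```python
import ipaddress

# RFC 1918 space: an LMS address here is only reachable through the tunnel,
# yet the RAP resolves the LMS from its br0 uplink on the remote site LAN.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed deployment (not from the thread): public 1:1 NAT address and
# IPsec pools per controller. BROKEN mirrors the poster's first attempt,
# where only the master carries the pool.
BROKEN = {
    "master": {"public_ip": "203.0.113.10",
               "pools": {"rap-pool": ("10.10.0.1", "10.10.0.254")}},
    "local": {"public_ip": "203.0.113.11", "pools": {}},
}
FIXED = {
    "master": {"public_ip": "203.0.113.10",
               "pools": {"rap-pool": ("10.10.0.1", "10.10.0.254")}},
    "local": {"public_ip": "203.0.113.11",
              "pools": {"rap-pool": ("10.10.1.1", "10.10.1.254")}},
}
VRRP_VIP = {"203.0.113.1"}  # shared VIP the RAPs should not be pointed at


def check_rap_lms_design(controllers, lms_ip, bkup_lms_ip=None,
                         vrrp_vips=(), pool_name="rap-pool"):
    """Return a list of findings; an empty list means the design passes."""
    findings = []
    public_ips = {c["public_ip"] for c in controllers.values()}
    for label, ip in (("lms-ip", lms_ip), ("bkup-lms-ip", bkup_lms_ip)):
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in RFC1918):
            findings.append(f"{label} {ip} is not reachable from the RAP's br0 uplink")
        if ip in vrrp_vips:
            findings.append(f"{label} {ip} is a VRRP VIP; use a 1:1 NAT to one controller")
        elif ip not in public_ips:
            findings.append(f"{label} {ip} maps to no controller public address")
    # Pools are not pushed from the master to locals: each controller needs one.
    for name, c in controllers.items():
        if pool_name not in c["pools"]:
            findings.append(f"controller {name} has no IPsec pool '{pool_name}'")
    return findings
```

Run it against `BROKEN` with a tunnel-internal LMS address and it reports both the unreachable LMS and the missing pool on the local; against `FIXED` with the two public NAT addresses it reports nothing.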



  • 5.  RE: RAP-203RP in boot cycle if LMS is set to local controller

    Posted Nov 02, 2017 07:01 AM

    Thank you for clarifying.

    Now the switchover works; I forgot to define the IP pool on the local.

    In most cases a firewall would be between the ISP and the controller, so I will choose the two 1:1 NATs and LMS/backup LMS like you recommended.


    I have read the RAP VRD, there is the design with VRRP and Firewall described.

    If the firewall would bring problems, does it make sense to work routed, to give both controllers a public IP and a third for VRRP?
    Is it recommended to use a controller as "border firewall"?