Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
RAP with multi WAN

  • 1.  RAP with multi WAN

    Posted Mar 15, 2019 02:15 PM

    My RAP is behind a router with two ISPs. The router works fine, within a second, when failover happens. I have to make sure the RAP will not reboot after the gateway changes, to speed up the process, so I adjusted "Number of IPSEC retries" to 0. But now, until the original ISP comes back, it does not work; it works only when that setting is non-0. Can the RAP work without a reboot on the secondary ISP?

    Do those settings make a difference here?

    Request Retry Interval?

    Maximum Request Retries?

    Bootstrap threshold?

    Heartbeat DSCP?


  • 2.  RE: RAP with multi WAN

    EMPLOYEE
    Posted Mar 15, 2019 07:04 PM

    If you only have a single ip address that the RAP points to, ipsec retries of 0 just means it will never rebootstrap.  You don't want that.  The RAP has to rebootstrap to attempt to connect when disconnected.  Did you try ipsec retries at the default?



  • 3.  RE: RAP with multi WAN

    Posted Mar 15, 2019 10:24 PM

    So what I did so far is increase from 3 to 60 ipsec retries, and that kind of helped.

    I have to understand which knobs I can use to adjust the timing settings for RAPs. I am talking from the RAP's local perspective, right before a firewall with 2 ISPs.

    My firewall kills all states on any ISP failure, so once it happens I have like a 4-second outage, then back online on the secondary ISP (tested on wifi), then after 10 or 15 seconds wifi still works and then I lose another 10 pings (1 sec interval) before the APs readjust (I guess this must be a new IPsec tunnel using the other active ISP, but why did it work for 10 to 15 sec before that happens?). Also I realized that I had preemption on with a 60 sec hold timer, so after 60 seconds there was another outage, but I got rid of it by increasing the hold timer to something like 600.

    Do I really need to rebootstrap in case of failure of my RAP gateway? Can my ipsec reconnect seamlessly?



  • 4.  RE: RAP with multi WAN

    EMPLOYEE
    Posted Mar 18, 2019 06:56 AM

    RAPs are designed to fail over to a secondary IP address supplied either via LMS-IP or dual DNS A-record. RAPs have a minimum bootstrap threshold of 30 seconds, which is not configurable below 30 seconds (that is to ensure stability). Ipsec retries will retry the existing connection (same destination port and same source port) after the bootstrap threshold expires, so you probably want that to be low (ipsec retries). Preemption and all of those other knobs will not come into play, because you do not have a secondary IP address supplied to preempt to and the RAP cannot tell when its uplink has changed: it can only tell when traffic is not being returned to it in your scenario.