Occasional Contributor II

RAP with multi WAN

My RAP is behind a router with two ISPs. Router works fine within second when failover happens. I have to make sure RAP will not reboot after the gateway changes, to speed up the process, so I adjusted "Number of IPSEC retries" to 0. But now, until the original ISP comes back, it does not work; it works only when that setting is non-0. Can RAP work without reboot on the secondary ISP?

Do those settings make a difference here?

Request Retry Interval ?

Maximum Request Retries ?

Bootstrap threshold ?

Heartbeat DSCP ?

Guru Elite

Re: RAP with multi WAN

If you only have a single ip address that the RAP points to, ipsec retries of 0 just means it will never rebootstrap.  You don't want that.  The RAP has to rebootstrap to attempt to connect when disconnected.  Did you try ipsec retries at the default?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor II

Re: RAP with multi WAN

So what I did so far is increase from 3 to 60 ipsec retries and that kind of helped.

I have to understand which knobs I can use to adjust settings timing for RAPs. I am talking from RAP local perspective, right before firewall with 2 ISPs

My firewall kills all states on any ISP failure, so once it happens I have like 4 seconds outage then back online to secondary ISP (tested on wifi), then after 10 or 15 seconds wifi still works and then I lose another 10 pings (1sec interval) before APs readjust (I guess this must be a new IPsec tunnel using the other active ISP, but why it worked 10 to 15sec before that happens?). Also I realized that I had preemption on with 60sec hold timer so after 60 seconds another outage but I got rid of it by increasing hold timer to something like 600.

Do I really need to rebootstrap in case of failure of my RAP gateway? Can my ipsec reconnect seamlessly?

Guru Elite

Re: RAP with multi WAN

RAPs are designed to fail over to a secondary ip address supplied either via LMS-IP or dual DNS A-record.  RAPs have a minimum bootstrap threshold of 30 seconds, which is not configurable below 30 seconds (that is to ensure stability).  Ipsec retries will retry the existing connection (same destination port and same source port) after the bootstrap threshold expires, so you probably want that to be low (ipsec retries).  Preemption and all of those other knobs will not come into play, because you do not have a secondary ip address supplied to preempt to and the RAP cannot tell when its uplink has changed:  It can only tell when traffic is not being returned to it in your scenario.

