Wireless Access

Reply
Highlighted
MVP

VIA constant disconnect in a cluster

Hi, we have a setup (lab environment) with 2 MCs, MC1 & MC2 in a cluster, where VIA VPN is being done to one of the MCs through an AP in the cluster. Here's a description of the problem:

 

1. VPN client connects successfully. I can see ipsec SA built successfully in the logs
2. VPN client disconnects itself constantly & rebuilds constantly, every few seconds. 
Notes:
- Controllers clustered
- Client connected to AP2, A-AAC is MC2
- Client's A-UAC is MC2
- Client VPN opens successfully to MC1, but keeps getting torn down.
 
During testing, we created 2 VIA connection profiles, one for MC1 and one for MC2. We noticed that when:
- VIA VPN to MC2, Client's A-UAC is MC2, connection is stable. No disconnects.
- VIA VPN to MC1, client's A-UAC is MC2, constant disconnects. 
 
So when the client's VIA VPN controller is different from its A-UAC, the disconnect issue is seen.
 
In the errorlog, we see the following log repeatedly:

datapath-userrem(ipv4/L2) failed: mac=00:00:00:00:00:00 IP=172.16.10.50, action=0x8001

 

Thoughts?
Highlighted

Re: VIA constant disconnect in a cluster

Take a look at this: https://support.hpe.com/hpesc/public/docDisplay?docId=a00098430en_us

 

VIA itself does not support controller/MD clustering in AOS8, as it does not have the notion of active anchor and standby anchor for the VPN session. VIA controllers are typically standalone or VRRP active/standby. 

 


Charlie Clemmer
Aruba Customer Engineering
Highlighted
Guru Elite

Re: VIA constant disconnect in a cluster

I asked someone internally for comment, and this is what they responded:

 

"We have not tested this type of scenario before. But the big problem in this test is that the VIA client also functions as a wireless client which connects to a CAP.

 

A typical VIA client should come from a remote site and it has no way to connect to a CAP which terminates at the same VIA controller, and its MAC address a all “0”, it wont have a UAC as campus wireless client. In a word, this test is not a valid test for our VIA solution. I will recommend testing with a client which does not connect to campus AP which terminates to the same VIA controller."


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Highlighted
MVP

Re: VIA constant disconnect in a cluster

Ok good to know, thank you both!! 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: