That is what Shawn is recommending, yes. Preferably after you test the behavior by looking at show datapath session when attempting to reach the MCR from the remote PC.
Original Message:
Sent: Apr 30, 2024 09:20 AM
From: dkauffman
Subject: Accessing Mobility Master over RAP
Sorry for the delayed response.
So you're saying to add another VRRP? As you said, I have an existing VRRP between the two MCRs at the moment, which all of my MDs point to.
Currently:
MC1 - 10.4.127.10
MC2 - 10.4.127.11
VRRP - 10.4.127.5
Add another VRRP of 10.4.127.6 and see how that works?
You are absolutely correct that I am able to SSH/GUI to the IP of my MD RAP controller that my RAP is connected to.
Original Message:
Sent: Feb 12, 2024 06:49 AM
From: sadams
Subject: Accessing Mobility Master over RAP
Suggestion:
I surmise the RAP client workstation has proper role and routing to allow connectivity to the Mobility Master (Conductor) and the Managed Devices.
Can the workstation reach the Managed Device IP addresses, but not the Mobility Conductor controller-ip?
- Check the Mobility Conductor "show datapath session" with live traffic from the workstation; you might find the return frames are not sent down the IPSEC tunnel to the workstation.
If this is true, in some network designs, one can get around this by adding a VRRP address to the Mobility Conductor; the VRRP is reachable from the workstation.
Example:
Mobility Conductor 1 controller-ip 10.10.10.2 vlan 10
Mobility Conductor 2 controller-ip 10.10.10.3 vlan 10
VRRP for MC clustering 10.10.10.1
The controller-ip of each Mobility Conductor is unreachable.
In VLAN 10, add a VRRP address of 10.10.10.254
Check reach/usability of this VRRP address.
If this works, apply appropriate filter/routing/ACLs/user-roles to provide the desired access.
------------------------------
Shawn Adams
Original Message:
Sent: Feb 05, 2024 03:17 PM
From: dkauffman
Subject: Accessing Mobility Master over RAP
That's what I'm doing currently, but it would be nice to be able to access it directly with how often I'm in it. Is there a way? This almost doesn't seem like a hairpin issue, since the MCR is located on an entirely different subnet than my DMZ controllers.
Original Message:
Sent: Feb 02, 2024 10:30 AM
From: chulcher
Subject: Accessing Mobility Master over RAP
Remote into a separate machine to access the MCR.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Feb 01, 2024 11:36 AM
From: dkauffman
Subject: Accessing Mobility Master over RAP
When connected on a RAP, I'm unable to connect / https to my mobility master (which manages the controllers that this RAP terminates on). I had this same issue before in my AOS 6 setup, but it wasn't as big of a problem then since our campus and RAP clusters were separate. Now that I'm managing them under one umbrella, it's a bigger problem.
In AOS6, I believe it was a hair-pinning issue as I could access the mobility controller in the DMZ, but not the master. So I'm guessing this is something similar. Is there any way around this?