Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Accessing Mobility Master over RAP

  • 1.  Accessing Mobility Master over RAP

    Posted Feb 02, 2024 10:03 AM

    When connected on a RAP, I'm unable to connect / https to my mobility master (which manages the controllers that this RAP terminates on). I had this same issue before in my AOS 6 setup, but it wasn't as big of a problem then since our campus and RAP clusters were separate. Now that I'm managing them under one umbrella, it's a bigger problem.

    In AOS6, I believe it was a hair-pinning issue as I could access the mobility controller in the DMZ, but not the master.  So I'm guessing this is something similar.  Is there any way around this?  



  • 2.  RE: Accessing Mobility Master over RAP

    EMPLOYEE
    Posted Feb 02, 2024 10:31 AM

    Remote into a separate machine to access the MCR.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Accessing Mobility Master over RAP

    Posted Feb 05, 2024 03:18 PM

    That's what I'm doing currently, but it would be nice to be able to access it directly with how often I'm in it. Is there a way? This almost doesn't seem like a hairpin issue, since the MCR is located on an entirely different subnet than my DMZ controllers.




  • 4.  RE: Accessing Mobility Master over RAP

    EMPLOYEE
    Posted Feb 05, 2024 05:47 PM

    I've not been interested or determined enough to figure out the reason but I suspect the issue comes down to the IPsec tunnels between the MCR and MC and general routing of traffic.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Accessing Mobility Master over RAP

    EMPLOYEE
    Posted Feb 12, 2024 06:50 AM

    Suggestion:

    I surmise the RAP client workstation has proper role and routing to allow connectivity to the Mobility Master (Conductor) and the Managed Devices.

    Can the workstation reach the Managed Device IP addresses, but not the Mobility Conductor controller-ip?

    • Check the Mobility Conductor "show datapath session" with live traffic from the workstation; you might find the return frames are not sent down the IPSEC tunnel to the workstation.

    If this is true, in some network designs, one can get around this by adding a VRRP address to the Mobility Conductor; the VRRP is reachable from the workstation.

    Example:

    Mobility Conductor 1 controller-ip 10.10.10.2 vlan 10

    Mobility Conductor 2 controller-ip 10.10.10.3 vlan 10

    VRRP for MC clustering 10.10.10.1

    The controller-ip of each Mobility Conductor is unreachable.

    In VLAN 10, add a VRRP address of 10.10.10.254

    Check reach/usability of this VRRP address.

    If this works, apply appropriate filter/routing/ACLs/user-roles to provide the desired access.



    ------------------------------
    Shawn Adams
    ------------------------------



  • 6.  RE: Accessing Mobility Master over RAP

    Posted 15 days ago

    Sorry for the delayed response.

    So you're saying to add another VRRP? As you said, I have an existing VRRP between the two MCRs at the moment, which all of my MDs point to.

    Currently:

    MC1 - 10.4.127.10

    MC2 - 10.4.127.11

    VRRP - 10.4.127.5

    Add another VRRP of 10.4.127.6 and see how that works?  

    You are absolutely correct that I am able to ssh/gui to the IP of my MD rap controller that my RAP is connected to.  




  • 7.  RE: Accessing Mobility Master over RAP

    EMPLOYEE
    Posted 13 days ago

    That is what Shawn is recommending, yes.  Preferably after you test the behavior by looking at show datapath session when attempting to reach the MCR from the remote PC.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------