Wireless Access

Could someone explain how the features:

crypto-local ipsec-map uplink failover

crypto-local ipsec-map load-balance

crypto-local ipsec-map monitor

should work?

Consider we have a controller with 2 ISPs and we established two tunnels (one for each ISP to a remote VPN gateway)

will those load-balance or uplink failover feature work and how in this scenario?

What you are looking for might be here:  https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/branchoffice/upli-moni-load-bala.htm?Highlight=uplink%20manager

Frankly speaking the link you provided relates to 

uplink load-balance while I'm asking about 

crypto-local ipsec-map uplink failover

crypto-local ipsec-map load-balance

crypto-local ipsec-map monitor

As it isn't described anywhere I'm really not sure if those crypto commands are related to uplink load-balance and what are prerequesties for those crypto commands to work neither what is the purpose of those crypto commands.

It can be also worth to mention that I'm using current recommended by support sw version 8.3.0.10.

The User Guide for this sw

https://www.arubanetworks.com/techdocs/ArubaOS_83x_Web_Help/Content/ArubaFrameStyles/Dashboard_Monitoring/WAN.htm

also states that the WAN uplik status should be available while there is not such dashboard in this sw.

Although Health Check & uplink & uplink load-balance is configured:

From CLI:

uplink enable # inherited from [/mm]
uplink health-check # inherited from [/mm]
uplink health-check ip 1.1.1.1 # inherited from [/mm]
uplink load-balance media-mode # inherited from [/mm]

When I was trying to setup crypto-local ipsec-map uplink-failover

crypto-local ipsec-map azure 1000 # inherited from [/mm]
uplink-failover

causes Configuration Failure
---------------------
Command: uplink-failover
Process: IKE
Message: Uplink failover not supported with ikev1
Total Failures: 1

I apologize that I did not understand you and I forwarded an unrelated link before asking you more specific questions.

Your original post said that you have two ISPs and two tunnels.

Questions:

- Are the tunnels terminated on the controllers or are the controllers plugged into two physical circuits or both?  I cannot tell from your diagram.

- Is this planned or this is already configured and how?

The commands you listed may or may not be the way to go.

There is one controller (7030).

Int gig 0/0/2 is ISP1

Int gig 0/0/3 is ISP2

tunnels are established from this controller to azure VPN gateway

The relevant configuration is:

!

ip access-list route uplink-lb-cfg-racl
any network 192.168.210.0 255.255.255.0 any route next-hop-list azure_vpn
any network 192.168.211.8 255.255.255.248 any route next-hop-list azure_vpn
any network 192.168.211.0 255.255.255.248 any route next-hop-list azure_vpn
!
ip access-list route azure_vpn
any network 192.168.210.0 255.255.255.0 any route next-hop-list azure_vpn
any network 192.168.211.0 255.255.255.248 any route next-hop-list azure_vpn
any network 192.168.211.8 255.255.255.248 any route next-hop-list azure_vpn

! 

interface gigabitethernet 0/0/2
description "ISP1"
trusted
trusted vlan 1-4094
no poe
switchport access vlan 600
!

interface gigabitethernet 0/0/3
description "ISP2"
trusted
trusted vlan 1-4094
no poe
switchport access vlan 601

!

interface gigabitethernet 0/0/4
description "Test"
trusted
trusted vlan 1-4094
no poe
switchport access vlan 322

!

interface vlan 600
ip address <public ISP1> 255.255.255.240
ip nat outside
description "ISP1"
!

interface vlan 601
ip address <public ISP2> 255.255.255.240
ip nat outside
description "ISP2"

!

interface vlan 322
ip address 10.100.1.4 255.255.255.0

!

interface tunnel 5
description "Tunnel azure ISP1"
tunnel mode gre ip
tunnel source vlan 600
tunnel destination <public AzureVPNGateway>
tunnel keepalive
tunnel keepalive 1 3
trusted
!
interface tunnel 6
description "Tunnel azure ISP2"
tunnel mode gre ip
tunnel source vlan 601
tunnel destination <public AzureVPNGateway>
tunnel keepalive
tunnel keepalive 1 3
trusted

!

uplink wired vlan 601 uplink-id link2
priority 100
!
uplink wired vlan 600 uplink-id link1

!

no uplink wired vlan 1
uplink enable
uplink health-check ip 1.1.1.1
uplink health-check
uplink load-balance
uplink load-balance media-mode

!

ip default-gateway <ISP1_gateway> 20
ip default-gateway <ISP2_gateway> 20
no ip default-gateway import dhcp
no ip default-gateway import cell
no ip default-gateway import pppoe
ip route 192.168.210.0 255.255.255.0 ipsec azure
ip route 192.168.211.0 255.255.255.248 ipsec azure 10
ip route 192.168.211.8 255.255.255.248 ipsec azure 10

!

ip nexthop-list azure_vpn
ipsec-map azure priority 20

ipsec-map azure2 priority 10

!

crypto isakmp policy 20
encryption aes256

!

crypto-local isakmp key "******" address <public AzureVPNGateway> netmask 255.255.255.255

crypto ipsec transform-set azure esp-aes128 esp-sha-hmac

!

crypto-local ipsec-map azure 20
set ikev1-policy 20
peer-ip <public AzureVPNGateway>
vlan 600
src-net vlan 322
dst-net 192.168.211.0 255.255.255.248
set transform-set "azure"
pre-connect
trusted
!

crypto-local ipsec-map azure2 20
set ikev1-policy 20
peer-ip <public AzureVPNGateway>
vlan 601
src-net vlan 322
dst-net 192.168.211.8 255.255.255.248
set transform-set "azure"
pre-connect
trusted
!

At Azure I have a Vnet with 3 address ranges:

192.168.210.0 255.255.255.0
192.168.211.0 255.255.255.248
192.168.211.8 255.255.255.248

and there is a test host 192.168.210.132

This configuration doesn't work.

What I'm going to achieve is to have a redundancy between ISPs.

When routing through ISP1 will be broken the traffic should go through tunnel established with ISP2. The preemption if possible would be also nice.

The purpose why I created 

192.168.211.0 255.255.255.248
192.168.211.8 255.255.255.248

was that to create separate (redundant) crypto-local ipsec-maps I have to provide different dst-net.

Without matching selectors tunnels doesn't come up.

Azure support told me that they have any to any however controller if it is not initiator will get eg.

isakmpd[3480]: <103060> <3480> <DBUG> |ike| <public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:3999 initRange:192.168.210.1 -192.168.210.255 policyRange:192.168.210.0-192.168.210.255 for map azure
isakmpd[3480]: <103060> <3480> <DBUG> |ike| <public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:4027 respRange:10.100.1.1 -10.100.1.255 policyRange:10.100.1.0-10.100.1.255 for map azure

isakmpd[3470]: <103060> <3470> <DBUG> <public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:3999 initRange:192.168.210.1 -192.168.210.255 policyRange:192.168.211.8-192.168.211.15 for map azure
isakmpd[3470]: <103035> <3470> <INFO> <name 192.168.222.38> Initiator IKE Phase 2 Identity doesn't match for ipsec-map azure

When Aruba controller is Initiator this would look like eg.:

Jan 17 12:35:27 isakmpd[3470]: <103060> <3470> <DBUG> |ike|<public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:3999 initRange:10.100.1.1 -10.100.1.255 policyRange:10.100.1.0-10.100.1.255 for map azure
Jan 17 12:35:27 isakmpd[3470]: <103060> <3470> <DBUG> |ike|<public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:4027 respRange:192.168.211.1 -192.168.211.7 policyRange:192.168.211.0-192.168.211.7 for map azure