In cluster operation, the controllers not only perform AP load balancing, but also client load balancing. This means that approximately half of the clients terminate at the VRRP master and the other half at the VRRP BACKUP controller. Presumably the clients from the VRRP backup also have routing problems. If you switch off one controller, the other will take over all client sessions and everything will work.
You have to make sure that the client traffic between both controllers works in the corresponding VLANs. As Herman wrote, the interfaces and VLAN must be configured as trusted. Otherwise the controller will perform port authentication for incoming packets.
To check on which controller the problem client terminates, use the command show user ip <client-ip> in the CLI of both controllers. This allows you to verify whether only the clients of the VRRP backup controller are really affected.
To check what the controllers do with the client traffic, use the command show datapath session table <client-ip> and take a look at the flags.
Are several routers involved in the data flow? If yes, which return route does the next-hop router use? It must also point to the VRRP IP address.
In cluster operation, Aruba recommends handling all L3 services such as DHCP, DNS and routing on the upstream devices. The WLAN controllers should work like a switch and only establish an L2 connection between the clients and the gateway.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or marking it as the solution
------------------------------
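To make the reasoning in Waldemar's and Herman's replies concrete, here is an added, constructed model of the two paths a client's packets take in a two-controller cluster when the controllers' VRRP IP is the default gateway. It is not ArubaOS code and not from the thread; it only encodes the three conditions the replies name (the user VLAN L2-connected between the controllers, the VLANs trusted on both members, the upstream return route pointing at the VRRP IP) and shows which clients lose connectivity when one of them is missing, and why switching one controller off makes everything work. Controller names, VLAN numbers and the next-hop notation are assumptions.

```python
# Constructed model of user-traffic paths in a two-controller cluster where
# the controllers' VRRP IP is the clients' default gateway.  Added illustration,
# not ArubaOS code: it encodes only the conditions named in the thread.
from dataclasses import dataclass

@dataclass
class Cluster:
    vrrp_master: str = "C1"                       # controller owning the user-VLAN VRRP
    up: frozenset = frozenset({"C1", "C2"})       # controllers that are powered on
    bridged_vlans: frozenset = frozenset()        # VLANs L2-connected between C1 and C2
    trusted: frozenset = frozenset()              # (controller, vlan) pairs marked trusted
    return_next_hop: str = "vrrp"                 # "vrrp" or a member's own interface

    def active_master(self) -> str:
        # VRRP fails over to the surviving controller when the master is off
        return self.vrrp_master if self.vrrp_master in self.up else min(self.up)

    def l2_hop(self, src: str, dst: str, vlan: int):
        """A frame on `vlan` handed from controller src to controller dst.
        Returns None when it gets through, otherwise the reason it does not."""
        if src == dst:
            return None                           # stays inside one datapath
        if vlan not in self.bridged_vlans:
            return f"VLAN {vlan} is not connected between {src} and {dst}"
        if (dst, vlan) not in self.trusted:
            return f"VLAN {vlan} is untrusted on {dst}, so {dst} port-authenticates and drops the frame"
        return None

    def check_client(self, anchor: str, user_vlan: int, uplink_vlan: int):
        """Follow one client's forward and return path.  `anchor` is the
        controller where the client session terminates (roughly half of the
        clients land on each member).  Returns (ok, reason)."""
        if anchor not in self.up:
            anchor = self.active_master()         # sessions move to the survivor
        gw = self.active_master()
        # forward: client -> anchor -> VRRP master (gateway) -> upstream router
        err = self.l2_hop(anchor, gw, user_vlan)
        if err:
            return False, "forward path: " + err
        # return: router -> next hop -> user VLAN -> controller holding the session
        entry = gw if self.return_next_hop == "vrrp" else self.return_next_hop
        if entry not in self.up:
            return False, f"return path: next hop {entry} is down and is not the VRRP IP"
        if (entry, uplink_vlan) not in self.trusted:
            return False, f"return path: uplink VLAN {uplink_vlan} is untrusted on {entry}"
        err = self.l2_hop(entry, anchor, user_vlan)
        if err:
            return False, "return path: " + err
        return True, "ok"


USER_VLAN, UPLINK_VLAN = 100, 200   # constructed VLAN numbers, not from the thread

def survey(cluster: Cluster) -> dict:
    """Result for a client anchored on each controller."""
    return {a: cluster.check_client(a, USER_VLAN, UPLINK_VLAN) for a in ("C1", "C2")}

ALL_TRUSTED = frozenset({("C1", USER_VLAN), ("C1", UPLINK_VLAN),
                         ("C2", USER_VLAN), ("C2", UPLINK_VLAN)})

def scenarios() -> dict:
    both = frozenset({"C1", "C2"})
    return {
        # user VLAN not carried between the controllers: backup-side clients break
        "vlan_not_connected": survey(Cluster(up=both, trusted=ALL_TRUSTED)),
        # VLAN connected but untrusted on the backup: the reply frame is dropped there
        "untrusted_on_backup": survey(Cluster(up=both,
                                               bridged_vlans=frozenset({USER_VLAN}),
                                               trusted=ALL_TRUSTED - {("C2", USER_VLAN)})),
        # router returns traffic to C2's own address instead of the VRRP IP,
        # and C2 is switched off: the route does not follow the VRRP failover
        "return_route_to_member": survey(Cluster(up=frozenset({"C1"}),
                                                  bridged_vlans=frozenset({USER_VLAN}),
                                                  trusted=ALL_TRUSTED,
                                                  return_next_hop="C2")),
        # everything in place
        "correct": survey(Cluster(up=both, bridged_vlans=frozenset({USER_VLAN}),
                                  trusted=ALL_TRUSTED)),
        # one controller switched off: every path is local, so it "just works"
        "one_controller_off": survey(Cluster(up=frozenset({"C1"}), trusted=ALL_TRUSTED)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name)
        for anchor, (ok, why) in result.items():
            print(f"  client on {anchor}: {'OK' if ok else 'FAIL'} ({why})")
```

Running it prints one line per controller and scenario. The point to take from the output is the pattern in the original question: with both members up, only the clients anchored on the non-master controller fail, and the failure reason is always the inter-controller hop on the user VLAN or the upstream return route; with one controller off, every path collapses onto the survivor and all clients pass.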
Original Message:
Sent: Jan 02, 2025 04:08 AM
From: Herman Robers
Subject: Issue with Controllers in active/active cluster terminating users traffic
Do you have the user VLAN (L2) (and the uplink VLAN towards the network/internet) connected between the controllers? Are those VLANs and ports trusted on all controllers?
Note that in your setup with routing on the gateway with VRRP, all active VRRPs should be on the same controller, and also all user traffic will run through that single controller. That's part of why it's deprecated to route user traffic on the controller, and using an external L3 (like a firewall) is the preferred option.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Dec 27, 2024 11:25 AM
From: jkmendess
Subject: Issue with Controllers in active/active cluster terminating users traffic
Hello Shpat,
Thank you for your reply.
Actually, the controllers are not doing any NAT. We are looking for a solution without using the firewall as the default gateway for user traffic, as because of hardware limitations we cannot do it. Our firewalls cannot handle the traffic of around 2000 users a day.
Regards
Original Message:
Sent: Dec 27, 2024 01:46 AM
From: shpat
Subject: Issue with Controllers in active/active cluster terminating users traffic
Is there any reason why the default gateway of the users is pointing to the wireless controllers' VRRP? Are the controllers doing NAT?
If not, I would recommend putting the default gateway on the firewall; then you can easily check if it's a controller problem or a network misconfiguration.
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP |
-Just an Aruba enthusiast and contributor by cases
Original Message:
Sent: Dec 25, 2024 06:27 PM
From: jkmendess
Subject: Issue with Controllers in active/active cluster terminating users traffic
We have two controllers initialized in MD mode and clustered.
There are 3 SSIDs broadcast, and for all of them, the gateway for user traffic is the VRRP IP of the controllers in the associated VLAN.
The cluster is going well; both controllers are handling APs (around 90 per controller, more or less).
The issue is that when both controllers are up, some users cannot access the internet, even though they can ping the gateway. But if we turn off one controller, everything goes well. We know the controllers are working in an active/active way for controlling access points, but for the user traffic they are working in master/backup in each VRRP instance. Is there an issue in that architecture, with controllers acting as the gateway for user traffic? We are thinking about asymmetric traffic...
How can we solve that issue, if we cannot put the gateway for user traffic on the firewall?