GRE tunnel issues on AP230

  • Updated 1 year ago
We have a wireless network of 815 x AP230 access points connected to on-premise HiveManager version 6.8r7. Currently all AP230s are at version 7.1r1; however, we have had this issue with versions 6.5r5 and 6.8r1 also.

We have one main SSID and use RADIUS filter-id to set the user profile. Trusted clients are left on VLAN 1 and therefore dropped off at the local AP; the tunneling policy for this is Dynamic. These work absolutely fine with no issues.

Untrusted clients have a static identity-based tunnel in the user profile with a VLAN ID set. This tunnel terminates on a virtual Aerohive VPN gateway (Layer 2 mode).

Clients are experiencing issues whereby either the tunnel does not form when joining or roaming to an AP, or the client has been connected for a period of time and the tunnel drops and does not reform. This leaves the client connected to the wireless network but without any further connectivity (to the Internet etc.). This is not consistent and happens randomly across a number of different, random APs.

Disconnecting the client from the wireless network and then re-connecting usually fixes the issue and the tunnel forms as expected. When the tunnel is up and running there are no problems and performance is as expected. I've checked CPU/memory levels on both the AP and the VPN gateway and these are within normal values.

This is causing us a lot of problems with our users constantly complaining of connection issues. I've got this logged with Aerohive support but am currently waiting for a response.

This used to work fine ages ago on firmware 6.1; however, I've been having no end of issues with firmware versions since I tried to go to the first so-called "golden" release.

Has anyone seen anything similar or know of any potential fix?

Many thanks
Steve Wood

Posted 1 year ago

Crowdie, Champ

Rather than using identity-based tunnels, have you considered using the VPN service? I have found this much easier to support as the VPNs stay permanently up so you can see if the VPNs are constantly dropping.