Target : 00:0b:86:82:e8:90

show vpn status

profile name:default
--------------------------------------------------
current using tunnel :primary tunnel
ipsec is preempt status :disable
ipsec is fast failover status :disable
ipsec hold on period :600
ipsec tunnel monitor frequency (seconds/packet) :10
ipsec tunnel monitor timeout by lost packet cnt :2

ipsec primary tunnel crypto type :Cert
ipsec primary tunnel peer address :
ipsec primary tunnel peer tunnel ip :
ipsec primary tunnel ap tunnel ip :
ipsec primary tunnel current sm status :Up
ipsec primary tunnel tunnel status :Up
ipsec primary tunnel tunnel retry times :1
ipsec primary tunnel tunnel uptime :4 seconds

ipsec backup tunnel crypto type :Cert
ipsec backup tunnel peer address :N/A
ipsec backup tunnel peer tunnel ip :N/A
ipsec backup tunnel ap tunnel ip :N/A
ipsec backup tunnel current sm status :Init
ipsec backup tunnel tunnel status :Down
ipsec backup tunnel tunnel retry times :0
ipsec backup tunnel tunnel uptime :0
end of show vpn status
========================================================

show upgrade info

Image Upgrade Progress
----------------------
Mac                IP Adress  AP Class  Status       Image Info  Error Detail
---                ---------  --------  ------       ----------  ------------
00:0b:86:82:e8:90  x.x.x.x    Orion     downloading  image file  Retrieve image fail
end of show upgrade info
========================================================

show log upgrade

----------Download log start----------
Executing '/aruba/bin/download_image_swarm ac-ftp://x.x.x.x/mips32.ari'
fetching ('/usr/sbin/wget -T 120 -t 3 ftp://sap:x@x.x.x.x/mips32.ari')
Error: failed to retrieve image
cleaning up
done
----------Download log end------------
Download status: Retrieve image fail
----------Upgrade log start----------
upgrade log not available
----------Upgrade log end------------
Upgrade status: upgrade status not available
end of show log upgrade
========================================================

show log rapper

Jan 01, 00:15:55: get_ike_version: Use IKE Version 2
Jan 01, 00:15:55: papi_init papifd:9 ack:10
IKE_EXAMPLE: Starting up IKE server
setup_tunnel
Jan 01, 00:15:55: IKE_init: ethmacstr = 00:0B:86:82:E8:90
Initialized Timers
IKE_init: completed after (0.0)(pid:8678) time:2000-01-01 00:15:55 seconds.
Jan 01, 00:15:55: RAP using default certificates
Jan 01, 00:15:55: Before getting Certs
Jan 01, 00:15:55: TPM enabled
Jan 01, 00:15:55: CA_MGMT_EXAMPLE_computeHostKeys init cert-len 0
Jan 01, 00:15:55: Factory Device Cert is /tmp/deviceCerts/certifiedKeyCert.der
Jan 01, 00:15:55: Reading DER Device Cert file /tmp/deviceCerts/certifiedKeyCert.der
Jan 01, 00:15:55: DER Device Cert file len:1768
Jan 01, 00:15:55: Intermediate Cert index:0 is /tmp/deviceCerts/certifiedKeyCaCert.der
Jan 01, 00:15:55: Reading DER Intermediate Cert file
Jan 01, 00:15:55: DER Intermediate Cert file len:1456
Jan 01, 00:15:55: Intermediate Cert index:1 is /tmp/deviceCerts/caChainCert1.der
Jan 01, 00:15:55: Reading DER Intermediate Cert file
Jan 01, 00:15:55: DER Intermediate Cert file len:1580
Jan 01, 00:15:55: Decode PEM Key length :0
Jan 01, 00:15:55: testHostKeys : status 0
Jan 01, 00:15:55: testHostKeys : free temp Certificate status 0
Jan 01, 00:15:55: CA_MGMT_EXAMPLE_computeHostKeys after testHostKeys cert-len 1768
Jan 01, 00:15:55: CA Cert index:0 is /tmp/deviceCerts/OpensslOldCA_RootCert.der
Jan 01, 00:15:55: Reading DER CA Cert file
Jan 01, 00:15:55: DER CA Cert file len:1416
Jan 01, 00:15:55: CA Cert index:1 is /tmp/deviceCerts/MSCAV1_RootCert.der
Jan 01, 00:15:55: Reading DER CA Cert file
Jan 01, 00:15:55: DER CA Cert file len:1009
Jan 01, 00:15:55: Got 2 Trusted Certs
Jan 01, 00:15:55: After getFieldTrustedCerts ret:-1
Jan 01, 00:15:55: Got 0 Field Trusted Certs
Jan 01, 00:15:55: CSS CA Cert is /tmp/deviceCerts/CSS_CA_RootCert.der
Jan 01, 00:15:55: Reading DER CA Cert file
Jan 01, 00:15:55: Error in reading DER CA Cert:/tmp/deviceCerts/CSS_CA_RootCert.der, Ignore It
Jan 01, 00:15:55: CA Cert status : 0
Before IKE_initServer
Jan 01, 00:15:55: IKE_initServer: Cert length 1768
IKE_initServer: Host Certificate is set (RSA-SIG) {CN=BF0018870::00:0b:86:82:e8:90}
Jan 01, 00:15:55: IKE_EXAMPLE_addServer port:0 natt:0
Jan 01, 00:15:55: srcdev_name = br0 ip a322105
Jan 01, 00:15:55: IKE_EXAMPLE_addUdpSkt: Using SocketIndex:0
IKE_EXAMPLE: Socket created on x.x.x.x[49171]
Jan 01, 00:15:55: IKE_EXAMPLE_addServer:1413 socket descriptor is 0 port number 49171 for server instance 0 at 0th index
Jan 01, 00:15:55: srcdev_name = br0 ip a322105
Jan 01, 00:15:55: IKE_EXAMPLE_addUdpSkt: Using SocketIndex:1
IKE_EXAMPLE: Socket created on x.x.x.x[49172]
Jan 01, 00:15:55: IKE_EXAMPLE_addServer:1460 socket descriptor is 1 port number 49172 for server instance 0 at 1st index
Jan 01, 00:15:55: IKE_EXAMPLE_addDefaultServers status:0
(0.0)(pid:8678) time:2000-01-01 00:15:55 SA_INIT dest=x.x.x.x
Jan 01, 00:15:55: Initialize IKE SA
Jan 01, 00:15:55: IKE_CUSTOM_getVersion(peerAddr:a323c63): ikeVersion:2
Timer ID: 1 Initialized
Jan 01, 00:15:55: IKE2_newSa(peerAddr:a323c63): IKE_SA-lifetime:28000
I -->
Jan 01, 00:15:55: OutSa(v2-peerAddr:0 pxSa->dwPeerAddr:a323c63): Entered
Jan 01, 00:15:55: OutTfm_I(v2-peerAddr:a323c63): Entered
ENCR_AES 256-BITS PRF_HMAC_SHA1 AUTH_HMAC_SHA1_96 DH_2
NAT_D (us): bf cc 9d 10 cf ef f9 cd a2 6a 46 67 54 05 66 af 83 ce eb 2a
NAT_D (peer): d3 cb 7a 41 45 45 46 a4 cf 5e 60 3a bf 6c 45 2d 76 e8 f4 f1
spi={08b0571fadf7dc19 0000000000000000} np=SA exchange=IKE_SA_INIT msgid=0 len=376
#SEND 380 bytes to x.x.x.x[4500] (0.0)(pid:8678) time:2000-01-01 00:15:55
Jan 01, 00:15:55: IKE_SAMPLE_ikeXchgSend Successfully setsockopt UDP_ENCAP port 49172
IKE_EXAMPLE: IKE_keyConnect() started, id = 0xJan 01, 00:15:55: IKE_EXAMPLE: IKE_keyConnect() started, id = 0x on device br0 e9588528...
Jan 01, 00:15:55: papi:15200
#RECV 60 bytes from x.x.x.x[4500] (0.0)(pid:8678) time:2000-01-01 00:15:55
spi={08b0571fadf7dc19 0000000000000000} np=N exchange=IKE_SA_INIT msgid=0 len=56
I <-- Notify: COOKIE
spi={08b0571fadf7dc19 0000000000000000} np=N exchange=IKE_SA_INIT msgid=0 len=404
#SEND 408 bytes to x.x.x.x[4500] (0.0)(pid:8678) time:2000-01-01 00:15:55
#RECV 397 bytes from x.x.x.x[4500] (0.0)(pid:8678) time:2000-01-01 00:15:55
spi={08b0571fadf7dc19 df4446847d557cc3} np=SA exchange=IKE_SA_INIT msgid=0 len=393
I <-- Proposal #1: IKE[4] ENCR_AES 256-BITS PRF_HMAC_SHA1 AUTH_HMAC_SHA1_96 DH_2
Notify: NAT_DETECTION_SOURCE_IP
Notify: NAT_DETECTION_DESTINATION_IP
NAT_D (us/NAT): 59 a4 f5 bc 98 a6 4b d1 97 72 93 d5 ec 08 39 a0 21 08 7e 9c
VID: 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
Jan 01, 00:15:55: Fragmentation is enabled
I --> Notify: INITIAL_CONTACT
Jan 01, 00:15:55: OutCert: adding leaf Cert of Len:1768
Jan 01, 00:15:55: RAPPER priority old: -19, set to -20
(0.0)(pid:8678) time:2000-01-01 00:15:55
HASH_i aa 0f 22 64 c5 fe d9 e1 46 e8 7f 11 1c af f3 1b 72 fa 8c 27
(3.0)(pid:8678) time:2000-01-01 00:15:58
Jan 01, 00:15:58: OutAuth TPM sign api passed
(3.0)(pid:8678) time:2000-01-01 00:15:58
CFG_REQUEST IP4_ADDRESS IP4_NETMASK
Jan 01, 00:15:58: OutSa(v2-peerAddr:a323c63 pxSa->dwPeerAddr:a323c63): Entered
Jan 01, 00:15:58: OutTfm2(v2-peerAddr:a323c63): oTfmId:0 wAuthAlgo:0 wEncrKeyLen:0 wAuthKeyLen:0 bNoEnumEncr:0 bNoEnumAuth:0
ENCR_AES 256-BITS ENCR_3DES AUTH_HMAC_SHA1_96 ESN_0
TSi: 0.0.0.0~255.255.255.255
TSr: 0.0.0.0~255.255.255.255
spi={08b0571fadf7dc19 df4446847d557cc3} np=E{IDi} exchange=IKE_AUTH msgid=1 len=2300
#SEND 2304 bytes to x.x.x.x[4500] (3.0)(pid:8678) time:2000-01-01 00:15:58
Jan 01, 00:15:58: Sending fragment, size = 530
Jan 01, 00:15:58: Sending fragment, size = 530
Jan 01, 00:15:58: Sending fragment, size = 530
Jan 01, 00:15:58: Sending fragment, size = 530
Jan 01, 00:15:58: Sending last fragment, size = 352
#RECV 900 bytes from x.x.x.x[4500] (3.0)(pid:8678) time:2000-01-01 00:15:58
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
ike2.c (656): errorCode = ERR_FRAGMENTATION_REQUIRED
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
Insert Timer type 1 Sec 70 uSec 0
#RECV 900 bytes from x.x.x.x[4500] (3.0)(pid:8678) time:2000-01-01 00:15:58
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
ike2.c (656): errorCode = ERR_FRAGMENTATION_REQUIRED
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
#RECV 900 bytes from x.x.x.x[4500] (3.0)(pid:8678) time:2000-01-01 00:15:58
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
ike2.c (656): errorCode = ERR_FRAGMENTATION_REQUIRED
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
#RECV 900 bytes from x.x.x.x[4500] (3.0)(pid:8678) time:2000-01-01 00:15:58
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
ike2.c (656): errorCode = ERR_FRAGMENTATION_REQUIRED
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
#RECV 900 bytes from x.x.x.x[4500] (3.0)(pid:8678) time:2000-01-01 00:15:58
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
ike2.c (656): errorCode = ERR_FRAGMENTATION_REQUIRED
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
#RECV 900 bytes from x.x.x.x[4500] (3.0)(pid:8678) time:2000-01-01 00:15:58
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
ike2.c (656): errorCode = ERR_FRAGMENTATION_REQUIRED
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
#RECV 900 bytes from x.x.x.x[4500] (3.0)(pid:8678) time:2000-01-01 00:15:58
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
ike2.c (656): errorCode = ERR_FRAGMENTATION_REQUIRED
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=896
#RECV 100 bytes from x.x.x.x[4500] (3.0)(pid:8678) time:2000-01-01 00:15:58
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=96
ike2.c (656): errorCode = ERR_FRAGMENTATION_REQUIRED
spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT exchange=IKE_AUTH msgid=1 len=96
Jan 01, 00:15:58: IKE2_fragRecv Rcvd all 8 fragments
Delete Timer Type 1
#RECV 6112 bytes from x.x.x.x[4500] (3.0)(pid:8678) time:2000-01-01 00:15:58
spi={08b0571fadf7dc19 df4446847d557cc3} np=E{IDr} exchange=IKE_AUTH msgid=1 len=6108
I <--
Jan 01, 00:15:58: CERT_ComputeCertificateHash: status :0
Jan 01, 00:15:58: CERT_verifyRSACertSignature: comparison result 0
Jan 01, 00:15:58: CERT_ComputeCertificateHash: status :0
Jan 01, 00:15:58: CERT_verifyRSACertSignature: comparison result 0
Jan 01, 00:15:58: CERT_ComputeCertificateHash: status :0
Jan 01, 00:15:58: CERT_verifyRSACertSignature: comparison result 0
Jan 01, 00:15:58: IKE_certGetKey(peer:a323c63): isCSS:0 Check in ArubaTrustedCaCerts, numCaCerts:2
Jan 01, 00:15:58: IKE_certGetKey(): Cert trying ArubaTrustedCaCerts[0]
Jan 01, 00:15:58: IKE_certGetKey(): verify the validity
Jan 01, 00:15:58: IKE_certGetKey(): Cert trying ArubaTrustedCaCerts[1]
Jan 01, 00:15:58: IKE_certGetKey(): verify the validity
Jan 01, 00:15:58: CERT_ComputeCertificateHash: status :0
Jan 01, 00:15:58: CERT_verifyRSACertSignature: comparison result 0
Jan 01, 00:15:58: IKE_certGetKey(): iset the key value 0x4f082c
HASH_r 76 4f 8f 9e 73 2f a2 3f 90 4e 33 ba eb 5e af 84 da 6f 9c cf
CFG_REPLY IP4_ADDRESS(x.x.x.x) PASSCODE(****) MESSAGE("RAP3-COR") CHALLENGE(52 41 50 33 2d 43 4f 52 40 50 68 69 6c 2e 53 77 69 64 65 72 73 6b 69)
IP4_ADDRESS(x.x.x.x)
Jan 01, 00:15:58: RespCfg IKE_CFG_ATTR_T:1 Internal IPv4 Address:afe0167
PASSCODE(****)
Jan 01, 00:15:58: RespCfg IKE_CFG_ATTR_T:16 Internal IPv4 LMS Address:a323c64
MESSAGE("RAP3-COR")
Jan 01, 00:15:58: RespCfg IKE_CFG_ATTR_T:17 Internal AP Group :RAP3-COR, len=8
CHALLENGE(52 41 50 33 2d 43 4f 52 40 50 68 69 6c 2e 53 77 69 64 65 72 73 6b 69)
Jan 01, 00:15:58: RespCfg IKE_CFG_ATTR_T:18 Internal AP Name :RAP3-COR@user.name, len=23
x.x.x.xIKE_startIPSEC: starting IPSEC SA
Jan 01, 00:15:58: IKE_confSet InnerIP:afe0167, mTransportMode=0
Jan 01, 00:15:58: IPSEC_confAdd(): Entered
Jan 01, 00:15:58: IPSec_newSp returned 0
Jan 01, 00:15:58: IPSEC_confAdd(): Entered
Jan 01, 00:15:58: IPSec_newSp returned 0
x.x.x.x Proposal #1: ESP[3] spi=e16c6d00 ENCR_AES 256-BITS AUTH_HMAC_SHA1_96 ESN_0
Jan 01, 00:15:58: IKE_SAMPLE_ikeStatHdlr(SA): dwPeerAddr:a323c63 index:0 mPeerType:0
Jan 01, 00:15:58: IKE_SA [v2 I] (id=0xe9588528) (flags:0x4100001d) (state:5) mode:Tunnel created.
(3.0)(pid:8678) time:2000-01-01 00:15:58
(3.0)(pid:8678) time:2000-01-01 00:15:58
Timer ID: 1 Deleted
IKE_addIPsecKey(ike=e9588528)
Jan 01, 00:15:58: Add new key to the driver for ipsec
Jan 01, 00:15:58: arubaIPSecSetKeys(): src: x.x.x.x:49172 dst: x.x.x.x:4500 IPSEC-lifetime 7200 Rekey-interval 5472
ESP spi=e16c6d00 x.x.x.x << x.x.x.x spd=0[0] exp=7200 secs auth=sha1 encr=aes
Jan 01, 00:15:58: Add new key to the driver for ipsec
Jan 01, 00:15:58: arubaIPSecSetKeys(): src: x.x.x.x:49172 dst: x.x.x.x:4500 IPSEC-lifetime 7200 Rekey-interval 5472
ESP spi=f0464800 x.x.x.x << x.x.x.x spd=0[0] exp=7200 secs auth=sha1 encr=aes
Jan 01, 00:15:58: IKE_SAMPLE_ikeStatHdlr(CHILD_SA): dwPeerAddr:a323c63 index:0 mPeerType:0
Jan 01, 00:15:58: CHILD_SA [v2 I] created.
x.x.x.xJan 01, 00:15:58: config_tunnel ret:0 ifconfig tun0 x.x.x.x pointopoint x.x.x.x netmask 255.255.255.255 mtu 1300 up
Jan 01, 00:15:58: config_tunnel-setaddr ret:0 tun0 afe0167
Jan 01, 00:15:58: check_tun_device returned addr from ioctl : afe0167
Jan 01, 00:15:58: check_tun_device IF is UP from ioctl
Jan 01, 00:15:58: send_sapd_tunup(to x.x.x.x): TUNNEL to MASTER established, tun_name tun0
Jan 01, 00:15:58: send_sapd_tunup(to x.x.x.x): PAPI_Send RC_OPCODE_PPP_UP ip:afe0167 apgroup:RAP3-COR apname:RAP3-COR@user.name
(3.0)(pid:8678) time:2000-01-01 00:15:58
Jan 01, 00:15:58: ipsectokernel() done
(3.0)(pid:8678) time:2000-01-01 00:15:58
Jan 01, 00:15:58: IKE_SAMPLE_ikeStatHdlr: enabling Single-Encryption for Non-CSS tunnel by default
Jan 01, 00:15:58: enablesinglecrypt(): val:1 ret:0 err:0
(3.0)(pid:8678) time:2000-01-01 00:15:58
rapperSendStatusCB
end of show log rapper
========================================================