Contributor I

RAP2 trouble

Hi all

We're having some trouble getting our RAP2 to work.
It establishes the IPSec tunnel to the controller just fine, then it's told to upgrade the image and after the upgrade and AP reboot, the AP comes up and just blinks green in the status light.

It looks like there's activity on the E0 port, but the controller says the AP is down in IPSec.

The setup is a Remote AP with Controller behind firewall:

RAP -> Firewall -> Internet -> Firewall -> Controller

NAT-T is allowed through firewall.

The AP is whitelisted and as far as I can see the #show crypto isakmp sa and #show crypto ipsec sa look fine.

After this I'm stuck and can't figure out how it can get a new image and boot, but not work after?

Hope you can give a hint in the right direction

/Kevin
Guru Elite

Re: RAP2 trouble

Can you see the access point in "show ap database"? Did you create a local IPsec pool for that RAP? Did you type "show log security 60" to see if you might be seeing anything?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: RAP2 trouble

Is the RAP being put into a group in the whitelist or is it default?

I am just thinking perhaps in the whitelist you have specified a group and something to do with the E0/AP System profile is taking out connectivity?
Contributor I

Re: RAP2 trouble

Hi again guys, sorry for the late reply.

@cjoseph
The AP shows in the "show ap database" but status is down and the flags are "Rc".
Nothing shows from that AP in the "show log security 60".
Yes, the local IPSec pool is created and with 50 addresses to give out.

@Adam@CCS
Yes, the AP gets into our defined RAP group.

Since we're using the RAP as a Zero Touch, it might be a certificate issue, but how can I troubleshoot that? Shouldn't it show up in the "show log security"?
Also, the E0 interface is set to "default" in our RAP AP group.

/kevin
Guru Elite

Re: RAP2 trouble

Does the RAP group have an AP system profile? (they all do). In that AP system profile, is there an LMS-IP? If that's the case, you need to remove it. If not, we need more information:

Do you have regular APs terminating on this controller with no problems?


Colin Joseph
Aruba Customer Engineering


Contributor I

Re: RAP2 trouble

Yes, we have 150+ campus APs terminating on the controller.
We do have the LMS IP set... should I just remove it or does it have to be set to something else?
Guru Elite

Re: RAP2 trouble

That is your problem. Create a new AP system profile for your RAP group (edit the RAP group, expand AP, expand system profile and remove the LMS-IP). Click on Save-As to save the new AP system profile as RAP, so that the other group that is sharing the old AP system profile can retain it.

If you have an LMS-IP in your RAP group, it needs to be a public address of a controller or blank, because the tunnel is initiated from the private IP space of the RAP. If it is a private address, your RAP will try to find that private address from behind the router or cable modem, or his ISP will drop it. So your RAP is contacting the controller and getting redirected to la-la land. Make the change with the "save as" so that you do not disturb the AP system profile of that other group.


Colin Joseph
Aruba Customer Engineering
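
An added example (not part of the original thread and not Aruba tooling): a small Python check for the misconfiguration diagnosed above, a RAP group whose AP system profile carries a private LMS-IP. The configuration text is a constructed sample in an assumed ArubaOS-style layout, and the group and profile names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config (assumed ArubaOS-style syntax, hypothetical names).
SAMPLE_CONFIG = '''\
ap system-profile "default"
   lms-ip 10.20.0.5
!
ap system-profile "RAP"
   lms-ip 203.0.113.10
!
ap-group "campus"
   ap-system-profile "default"
!
ap-group "rap-group"
   ap-system-profile "default"
!
ap-group "rap-fixed"
   ap-system-profile "RAP"
!
'''

# RFC 1918 ranges: unreachable for a RAP sitting behind a home router or ISP.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(config):
    """Return ({profile: lms_ip or None}, {group: profile or None})."""
    profiles, groups, ctx = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r'ap system-profile "(.+)"$', line):
            ctx = ("profile", m.group(1)); profiles[m.group(1)] = None
        elif m := re.match(r'ap-group "(.+)"$', line):
            ctx = ("group", m.group(1)); groups[m.group(1)] = None
        elif line.strip() == "!":
            ctx = None  # end of the current stanza
        elif ctx and ctx[0] == "profile" and (m := re.match(r'\s+lms-ip (\S+)', line)):
            profiles[ctx[1]] = m.group(1)
        elif ctx and ctx[0] == "group" and (m := re.match(r'\s+ap-system-profile "(.+)"', line)):
            groups[ctx[1]] = m.group(1)
    return profiles, groups

def audit_rap_groups(config, rap_groups):
    """Return {group: finding} for RAP groups whose LMS-IP is an RFC 1918 address."""
    profiles, groups = parse(config)
    findings = {}
    for g in rap_groups:
        lms = profiles.get(groups.get(g))
        if lms and any(ipaddress.ip_address(lms) in n for n in RFC1918):
            findings[g] = f'profile "{groups[g]}" has private lms-ip {lms}'
    return findings

if __name__ == "__main__":
    print(audit_rap_groups(SAMPLE_CONFIG, ["rap-group", "rap-fixed"]))
```
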


Contributor I

Re: RAP2 trouble

No worries, we already created a separate RAP group / profile so we won't disturb the already running configuration.

Testing it now.
Contributor I

Re: RAP2 trouble

You're the man Colin, looks like it was the LMS IP, had to set it to the external IP tho, blank didn't work.

Thanks a lot guys for your help :)

/Kevin

Btw, can I give you credit for the solution in any way?
Guru Elite

Re: RAP2 trouble

Yes, tell 3 friends :)


Colin Joseph
Aruba Customer Engineering
