Aruba Instant & Cloud Wi-Fi

Occasional Contributor II
Posts: 12
Registered: ‎08-15-2011

Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL


I am not able to convert a RAP-155 to a remote AP on a 3200 controller.

They are both on the most current release of firmware. Attached is the convert error log from the RAP-155.

Thanks!

 

 

MVP
Posts: 4,011
Registered: ‎07-20-2011

Re: Cannot convert rap-155 IKE SA failed reason = ERR_TPM_SIGN_FAIL

- Did you add the MAC address to the whitelist?
- Did you create a VPN pool?
- Are you allowing port 4500/UDP on your firewall?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 12
Registered: ‎08-15-2011

Re: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

Target : 00:0b:86:9e:11:7d


show vpn status


profile name:default
--------------------------------------------------
current using tunnel                            :unselected tunnel
ipsec is preempt status                         :disable
ipsec is fast failover status                   :disable
ipsec hold on period                            :600
ipsec tunnel monitor frequency (seconds/packet) :5
ipsec tunnel monitor timeout by lost packet cnt :2

ipsec     primary tunnel crypto type            :Cert
ipsec     primary tunnel peer address           :192.168.22.15
ipsec     primary tunnel peer tunnel ip         :0.0.0.0
ipsec     primary tunnel ap tunnel ip           :0.0.0.0
ipsec     primary tunnel current sm status      :Retrying
ipsec     primary tunnel tunnel status          :Down
ipsec     primary tunnel tunnel retry times     :110
ipsec     primary tunnel tunnel uptime          :0

ipsec      backup tunnel crypto type            :Cert
ipsec      backup tunnel peer address           :N/A
ipsec      backup tunnel peer tunnel ip         :N/A
ipsec      backup tunnel ap tunnel ip           :N/A
ipsec      backup tunnel current sm status      :Init
ipsec      backup tunnel tunnel status          :Down
ipsec      backup tunnel tunnel retry times     :0
ipsec      backup tunnel tunnel uptime          :0
end of show vpn status
========================================================

show upgrade info

Image Upgrade Progress
----------------------
Mac                IP Address      AP Class  Status    Image Info  Error Detail
---                ----------      --------  ------    ----------  ------------
00:0b:86:9e:11:7d  192.168.12.145  Aries     image-ok  image file  none
Auto reboot           :enable
Use external URL      :enable
end of show upgrade info
========================================================

show log upgrade
----------Download log start----------
download log not available
----------Download log end------------
Download status: incomplete
----------Upgrade log start----------
upgrade log not available
----------Upgrade log end------------
Upgrade status: upgrade status not available
end of show log upgrade
========================================================

show log rapper
Nov 17, 15:01:00: IKE_CUSTOM_getVersion(peerAddr:c0a8160f): ikeVersion:2
Timer ID: 1 Initialized 
Nov 17, 15:01:00: IKE2_newSa(peerAddr:c0a8160f): IKE_SA-lifetime:28000
  I -->
Nov 17, 15:01:00: OutSa(v2-peerAddr:0 pxSa->dwPeerAddr:c0a8160f): Entered
     ENCR_AES 256-BITS
     PRF_HMAC_SHA1
     AUTH_HMAC_SHA1_96
     DH_2
   NAT_D (us): fd aa 7d c0 f4 e5 c6 73 bd a6 53 29 e6 73 86 e6 
ae c5 65 f5 
   NAT_D (peer): e7 b7 05 50 bf ad b6 ee 7a bb 60 be 6a 91 27 8f 
51 1f 90 7a 
Nov 17, 15:01:00: RAPPER_ERROR_FILE exists 

Nov 17, 15:01:00: AP err cookie retval 9 cookie:4618a4f63cdb4536 err 2b

Nov 17, 15:01:00: RAPPER_ERROR_FILE exists 

Nov 17, 15:01:00: AP err cookie retval 9 cookie:4618a4f63cdb4536 err 2b

Nov 17, 15:01:00: RAPPER_ERROR_FILE exists 

Nov 17, 15:01:00: AP err cookie retval 9 cookie:4618a4f63cdb4536 err 2b

Nov 17, 15:01:00: RAPPER_ERROR_FILE exists 

Nov 17, 15:01:00: AP err cookie retval 9 cookie:4618a4f63cdb4536 err 2b

Nov 17, 15:01:00: RAPPER_ERROR_FILE exists 

Nov 17, 15:01:00: AP err cookie retval 9 cookie:4618a4f63cdb4536 err 2b

 spi={6defde9680a2b8fa 0000000000000000} np=SA
 exchange=IKE_SA_INIT msgid=0 len=380
#SEND 384 bytes to 192.168.22.15[4500] (0.0)(pid:14882)  time:2014-11-17 15:01:00

Nov 17, 15:01:00: IKE_SAMPLE_ikeXchgSend Successfully setsockopt UDP_ENCAP port 65059

IKE_EXAMPLE: IKE_keyConnect() started, id = 0xNov 17, 15:01:00: IKE_EXAMPLE: IKE_keyConnect() started, id = 0x on device br0
e9afcb16...
Nov 17, 15:01:00: papi:15200

#RECV 60 bytes from 192.168.22.15[4500] (0.0)(pid:14882)  time:2014-11-17 15:01:00

 spi={6defde9680a2b8fa 0000000000000000} np=N
 exchange=IKE_SA_INIT msgid=0 len=56
  I <--
   Notify: COOKIE
 spi={6defde9680a2b8fa 0000000000000000} np=N
 exchange=IKE_SA_INIT msgid=0 len=408
#SEND 412 bytes to 192.168.22.15[4500] (0.0)(pid:14882)  time:2014-11-17 15:01:00


#RECV 417 bytes from 192.168.22.15[4500] (0.0)(pid:14882)  time:2014-11-17 15:01:00

 spi={6defde9680a2b8fa 910d03d3eef556f5} np=SA
 exchange=IKE_SA_INIT msgid=0 len=413
  I <--
    Proposal #1: IKE[4]
     ENCR_AES 256-BITS
     PRF_HMAC_SHA1
     AUTH_HMAC_SHA1_96
     DH_2
   Notify: NAT_DETECTION_SOURCE_IP
   Notify: NAT_DETECTION_DESTINATION_IP
   NAT_D (us/NAT): f5 c4 97 91 6f 34 cf d1 69 04 e3 60 0c 4a 72 c0 
8f 91 fc b3 
   VID: 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 
Nov 17, 15:01:00: Fragmentation is enabled
  I -->
   Notify: INITIAL_CONTACT
Nov 17, 15:01:00: OutCert: adding leaf Cert of Len:1574
Nov 17, 15:01:00: RAPPER priority old: -19, set to -20

 (0.0)(pid:14882)  time:2014-11-17 15:01:00

   HASH_i bc 1f fa 74 0b 6b 37 f9 d5 fc 00 16 98 da 2f dd 
bd da 3f f0 
Nov 17, 15:01:00: OutAuth TPM sign api failed with return-code:-1
 (0.0)(pid:14882)  time:2014-11-17 15:01:00

Nov 17, 15:01:00: IKE_SAMPLE_ikeStatHdlr(CHILD_SA): dwPeerAddr:c0a8160f index:0 mPeerType:0
Nov 17, 15:01:00: IKE SA failed reason = ERR_TPM_SIGN_FAIL, errorcode = -90001 ikeVer 2
Nov 17, 15:01:00: send_sapd_error: InnerIP:0  error:43 debug_error:-90001

Guru Elite
Posts: 7,837
Registered: ‎09-08-2010

Re: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

Factory reset the AP.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 12
Registered: ‎08-15-2011

Re: Cannot convert rap-155 IKE SA failed reason = ERR_TPM_SIGN_FAIL

Yes, to all of the above questions

Occasional Contributor II
Posts: 12
Registered: ‎08-15-2011

Re: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

I have factory reset the AP twice manually. I will try doing it from the web interface now.

Occasional Contributor II
Posts: 12
Registered: ‎08-15-2011

Re: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

I have tried factory resetting the device. It still won't convert, same error. Any other assistance would be greatly appreciated! Thanks!

MVP
Posts: 4,011
Registered: ‎07-20-2011

Re: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

Is your controller on AOS 6.3?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 12
Registered: ‎08-15-2011

Re: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL


victorfabian wrote:
Is your controller on AOS 6.3?

Yes

Occasional Contributor II
Posts: 12
Registered: ‎08-15-2011

Re: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

Is there any other information I can provide for you guys?
