Aruba Instant & Cloud Wi-Fi

Occasional Contributor II
Posts: 13
Registered: ‎09-20-2011

RAP provision problems - conversion successfully but failed at the next reboot to associate

I have all TCP/UDP ports opened on the firewall for the RAP to connect to the controller. The RAP-3WN could be converted successfully and showed up on the controller with status "down".

If the RAP is placed in the same LAN as the controller, it boots up just fine and is functional. So I figure it is something to do with the firewall, but I don't know what it is.

The controller is a 7210, version 6.3.1.10.

Guru Elite
Posts: 7,864
Registered: ‎09-08-2010

Re: RAP provision problems - conversion successfully but failed at the next reboot to associate

When it's attempting to connect, do you see any traffic when you run:

show datapath session table | include 4500

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 288
Registered: ‎08-27-2012

Re: RAP provision problems - conversion successfully but failed at the next reboot to associate

You'll also need to open IP protocol 50 for IPSec.
ACDX #419 | ACMP |
Occasional Contributor II
Posts: 13
Registered: ‎09-20-2011

Re: RAP provision problems - conversion successfully but failed at the next reboot to associate

Thanks for the help.


It showed up for a few seconds but disappeared from the session table.

205.211.168.200 is the RAP IP. 10.1.100.16 is the master IP and 10.1.100.17 is the local.

 

Aruba-Master-A) #show datapath session table | include 4500
10.1.100.17     10.1.100.16     17   4500  4500   0/0     0 0   0   0/0/0       2b   7         1592       FC
10.1.100.16     10.1.100.17     17   4500  4500   0/0     0 0   1   0/0/0       2b   0         0          F
10.1.100.16     205.211.168.200 17   4500  32768  0/0     0 0   0   local       7    1         108        FDC


The following is the firewall traffic log: 205.211.168.200 is the RAP, 205.211.168.9 is the public IP for the master controller.


85.387941 arp who-has 205.211.168.9 tell 205.211.168.200
85.387950 arp reply 205.211.168.9 is-at 0:9:f:9:0:17
85.388198 205.211.168.200.32768 -> 205.211.168.9.4500: udp 390
85.390405 205.211.168.9.4500 -> 205.211.168.200.32768: udp 60
85.393347 205.211.168.200.32768 -> 205.211.168.9.4500: udp 418
85.396310 205.211.168.9.4500 -> 205.211.168.200.32768: udp 417
90.056041 arp who-has 205.211.168.200 tell 205.211.168.3
90.386191 arp who-has 205.211.168.200 tell 205.211.168.38
90.386826 arp reply 205.211.168.200 is-at 0:9:f:30:16:ba
107.168881 205.211.168.200 -> 205.211.168.9: icmp: 205.211.168.200 udp port 32768 unreachable
107.168910 205.211.168.200 -> 205.211.168.9: icmp: 205.211.168.200 udp port 32768 unreachable
119.189696 205.211.168.200 -> 205.211.168.9: icmp: 205.211.168.200 udp port 32768 unreachable
119.189942 205.211.168.200 -> 205.211.168.9: icmp: 205.211.168.200 udp port 32768 unreachable

 

Yong
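The session-table check and the firewall log above can be reduced to a small triage: count the UDP/4500 packets in each direction between the RAP and the controller's public address, and note whether the RAP later answers with ICMP port-unreachable. The script below is an added example, not code from the thread or from Aruba; the log lines embedded in it are constructed in the same tcpdump-style format as the log quoted above, and the verdict labels are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the tcpdump-style format of the firewall log quoted
# in the thread (illustrative lines, not the full capture).
SAMPLE_LOG = """\
85.388198 205.211.168.200.32768 -> 205.211.168.9.4500: udp 390
85.390405 205.211.168.9.4500 -> 205.211.168.200.32768: udp 60
85.393347 205.211.168.200.32768 -> 205.211.168.9.4500: udp 418
85.396310 205.211.168.9.4500 -> 205.211.168.200.32768: udp 417
107.168881 205.211.168.200 -> 205.211.168.9: icmp: 205.211.168.200 udp port 32768 unreachable
119.189696 205.211.168.200 -> 205.211.168.9: icmp: 205.211.168.200 udp port 32768 unreachable
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
UDP_RE = re.compile(
    rf"^(?P<ts>[\d.]+)\s+(?P<src>{IPV4})\.(?P<sport>\d+)\s+->\s+"
    rf"(?P<dst>{IPV4})\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)$"
)
ICMP_UNREACH_RE = re.compile(
    rf"^(?P<ts>[\d.]+)\s+(?P<src>{IPV4})\s+->\s+(?P<dst>{IPV4}):\s+icmp:\s+"
    rf"(?P<host>{IPV4})\s+udp\s+port\s+(?P<port>\d+)\s+unreachable$"
)

NATT_PORT = 4500  # IPsec NAT-T (IKE + ESP-in-UDP) as used by the RAP


@dataclass
class NattSummary:
    rap_to_ctrl: int = 0           # UDP packets from the RAP to controller port 4500
    ctrl_to_rap: int = 0           # UDP replies from controller port 4500 to the RAP
    unreachable_from_rap: int = 0  # ICMP port-unreachable sent by the RAP about those replies
    verdict: str = ""


def triage_natt(log_text: str, rap_ip: str, ctrl_ip: str) -> NattSummary:
    """Classify a NAT-T exchange seen at the firewall between rap_ip and ctrl_ip."""
    s = NattSummary()
    for line in log_text.splitlines():
        line = line.strip()
        if (m := UDP_RE.match(line)):
            if m["src"] == rap_ip and m["dst"] == ctrl_ip and int(m["dport"]) == NATT_PORT:
                s.rap_to_ctrl += 1
            elif m["src"] == ctrl_ip and m["dst"] == rap_ip and int(m["sport"]) == NATT_PORT:
                s.ctrl_to_rap += 1
        elif (m := ICMP_UNREACH_RE.match(line)):
            if m["src"] == rap_ip and m["dst"] == ctrl_ip:
                s.unreachable_from_rap += 1

    if s.rap_to_ctrl == 0:
        s.verdict = "NO_ATTEMPT"      # nothing from the RAP reached this firewall on UDP/4500
    elif s.ctrl_to_rap == 0:
        s.verdict = "NO_REPLY"        # inbound passes, no reply crosses: inbound rule or return route
    elif s.unreachable_from_rap:
        s.verdict = "RAP_ABANDONED"   # both directions pass, then the RAP closes its IKE port
    else:
        s.verdict = "BIDIRECTIONAL"   # traffic flows both ways with no errors at this point
    return s


if __name__ == "__main__":
    print(triage_natt(SAMPLE_LOG, "205.211.168.200", "205.211.168.9"))
```

A RAP_ABANDONED result says the firewall is passing UDP/4500 in both directions, so the next place to look is what happens to the controller's replies after they leave the firewall (routing and NAT), not the firewall rule set.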

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: RAP provision problems - conversion successfully but failed at the next reboot to associate


The fact that it can connect and function on the LAN indicates either a firewall or routing issue.   You've ruled out the firewall issue by opening all ports as you have indicated (you only really need UDP 4500).  


My guess is it is a routing issue. What is the default route of the controller? Is it the external firewall or something on the inside? If your controller is terminating RAPs from the Internet, its default gateway needs to be the next external hop (your firewall doing the external NAT, usually). Otherwise you'll end up in an asynchronous routing issue where traffic comes in one way but the response goes another.


You can then add static routes as necessary for any internal networks.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
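The routing check described in the post above can be made mechanical: do a longest-prefix-match lookup for the RAP's public address in the controller's route table and compare the resulting next hop with the gateway the RAP's packets arrived through (the firewall's inside interface). If they differ, the reply takes a different path from the request. This is an added example, not the thread's or Aruba's code; the firewall inside address 10.1.100.254, the core router 10.1.100.1 and both route tables are assumed for illustration, and the RAP address is the one quoted in the thread.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# A route is (prefix, next_hop); "connected" marks a directly attached subnet.
Route = Tuple[str, str]


def lookup(routes: Sequence[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over the table, the way a forwarding lookup picks the next hop."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def reply_is_symmetric(routes: Sequence[Route], peer_ip: str, ingress_gateway: str) -> bool:
    """True when the reply to peer_ip leaves via the same gateway its packets arrived through."""
    return lookup(routes, peer_ip) == ingress_gateway


def asymmetric_peers(routes: Sequence[Route], peers: Sequence[str], ingress_gateway: str) -> List[str]:
    """Internet-side peers whose replies would not return through the ingress gateway."""
    return [p for p in peers if not reply_is_symmetric(routes, p, ingress_gateway)]


# Assumed addressing (not stated in the thread).
FIREWALL_INSIDE = "10.1.100.254"   # firewall interface on the controller's VLAN, does the NAT
CORE_ROUTER = "10.1.100.1"         # internal router the default route pointed at originally
RAP_IP = "205.211.168.200"         # RAP public address from the thread

# Failing state: default route points inside, so replies to Internet RAPs bypass the firewall.
BROKEN_TABLE: List[Route] = [
    ("10.1.100.0/24", "connected"),
    ("0.0.0.0/0", CORE_ROUTER),
]

# Corrected state: default route via the firewall, internal networks via a static route.
FIXED_TABLE: List[Route] = [
    ("10.1.100.0/24", "connected"),
    ("10.0.0.0/8", CORE_ROUTER),
    ("0.0.0.0/0", FIREWALL_INSIDE),
]


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_TABLE), ("fixed", FIXED_TABLE)):
        hop = lookup(table, RAP_IP)
        ok = reply_is_symmetric(table, RAP_IP, FIREWALL_INSIDE)
        print(f"{name}: reply to {RAP_IP} via {hop}; symmetric={ok}")
```

Feed it the controller's actual route table and the list of RAP public addresses from the session table, and every RAP it lists is one whose replies leave by a path other than the firewall that NATed the request.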

Occasional Contributor II
Posts: 13
Registered: ‎09-20-2011

Re: RAP provision problems - conversion successfully but failed at the next reboot to associate

Thanks clembo. I think that is the most likely cause right now. The master controller doesn't have Internet connectivity, as it is blocked by an ACL. I will test it.

Question: does the controller initiate any connection to the AP?


Yong

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: RAP provision problems - conversion successfully but failed at the next reboot to associate

All communication from the controller is within the IPsec tunnel; so the only firewall rule you'll need to add is UDP 4500 to the controller from the Internet side.   And then make sure the controller uses this same path as its default route.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 13
Registered: ‎09-20-2011

Re: RAP provision problems - conversion successfully but failed at the next reboot to associate

Thanks again clembo. It was a routing issue. Everything is good now.
