ArubaOS and Controllers

Occasional Contributor II

Failed to convert RAP-3WN to RAP

Hi,

I'm trying to convert a RAP-3WN to RAP, but when I push the convert button the process fails in VPN setup.

The RAP-3WN is connected in a VLAN and can reach the controller IP address. I put the MAC of the AP in the whitelist and I set up a VPN pool, but something is wrong because the AP does not finish the convert process.

The AP has an IP address in the VLAN, 10.21.16.75, because it is the only way that I can manage the AP remotely.

The output of "show log security" on the controller is:

Rx message 0/67108864, length 255 from 127.0.0.1:8345
Oct 10 09:53:27 :124220: <DBUG> |authmgr| stm_message_handler : msg_type 3007
Oct 10 09:53:27 :124004: <DBUG> |authmgr| RX (sock) message of type 19, len 28
Oct 10 09:53:27 :124459: <DBUG> |authmgr| IP DN int: 10.21.16.75, ext:10.21.16.75
Oct 10 09:53:27 :124234: <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 17, msglen = 200 action = 5
Oct 10 09:53:27 :124004: <DBUG> |authmgr| sta_del_l3: mac 00:00:00:00:00:00 ip 10.21.16.75
Oct 10 09:53:27 :124153: <DBUG> |authmgr| Free ipuser 0x0x2e63ab2c (10.21.16.75) for user 0x0x2e9d2fc4.
Oct 10 09:53:27 :124154: <DBUG> |authmgr| Free user 0x0x2e9d2fc4.
Oct 10 09:53:27 :124004: <DBUG> |authmgr| RX (sock) message of type 66, len 760
Oct 10 09:53:27 :124454: <DBUG> |authmgr| auth_user_query_raw: recvd request user:00:0b:86:8e:de:cd ip:10.21.16.75 cookie:-753431465
Oct 10 09:53:27 :124150: <DBUG> |authmgr| Create ipuser and user 00:00:00:00:00:00.
Oct 10 09:53:27 :124156: <DBUG> |authmgr| Called ip_user_new() for ip 10.21.16.75.
Oct 10 09:53:27 :124004: <DBUG> |authmgr| sta_add_l3: mac 00:00:00:00:00:00 ip 10.21.16.75
Oct 10 09:53:27 :124100: <DBUG> |authmgr| Setting auth subtype 'EAP-LEAP' for user 10.21.16.75, client VPN.
Oct 10 09:53:27 :124099: <DBUG> |authmgr| Setting auth type 'VPN' for user 10.21.16.75, client VPN.
Oct 10 09:53:27 :124098: <DBUG> |authmgr| Setting authstate 'started' for user 10.21.16.75, client VPN.
Oct 10 09:53:27 :124546: <DBUG> |authmgr| aal_authenticate user:00:0b:86:8e:de:cd vpnflags:4.
Oct 10 09:53:27 :124004: <DBUG> |authmgr| ncfg_auth_server_group_authtype ip=10.21.16.75, method=VPN vpnflags:4
Oct 10 09:53:27 :124004: <DBUG> |authmgr| ncfg_auth_server_group_authtype vpnflags:4 vpn-profile:default-iap
Oct 10 09:53:27 :124004: <DBUG> |authmgr| ip=10.21.16.75, sg=internal
Oct 10 09:53:27 :124547: <DBUG> |authmgr| aal_authenticate server_group:internal.
Oct 10 09:53:27 :124004: <DBUG> |authmgr| ncfg_auth_server_group_authtype ip=10.21.16.75, method=VPN vpnflags:4
Oct 10 09:53:27 :124004: <DBUG> |authmgr| ncfg_auth_server_group_authtype vpnflags:4 vpn-profile:default-iap
Oct 10 09:53:27 :124004: <DBUG> |authmgr| ip=10.21.16.75, sg=internal
Oct 10 09:53:27 :124004: <DBUG> |authmgr| Select server for method=VPN, user=00:0b:86:8e:de:cd, essid=<>, server-group=internal, last_srv <>
Oct 10 09:53:27 :124004: <DBUG> |authmgr| server=Internal, ena=1, ins=1 (1)
Oct 10 09:53:27 :124038: <INFO> |authmgr| Selected server Internal for method=VPN; user=00:0b:86:8e:de:cd, essid=<>, domain=<>, server-group=internal
Oct 10 09:53:27 :124230: <DBUG> |authmgr| Rx message 62/63, length 2995 from 127.0.0.1:8344
Oct 10 09:53:27 :124003: <INFO> |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=10.21.16.75
Oct 10 09:53:27 :124004: <DBUG> |authmgr| Auth server 'Internal' response=0
Oct 10 09:53:27 :124097: <DBUG> |authmgr| Setting authserver 'Internal' for user 10.21.16.75, client VPN.
Oct 10 09:53:27 :124453: <DBUG> |authmgr| auth_user_query_resp: response user:00:0b:86:8e:de:cd ip:10.21.16.75 cookie:-753431465
Oct 10 09:53:27 :124184: <DBUG> |authmgr| {L3} Authenticating Server is Internal.
Oct 10 09:53:27 :124004: <DBUG> |authmgr| Matching `internal' rules to derive role ...
Oct 10 09:53:27 :124004: <DBUG> |authmgr| Role 'value-of'
Oct 10 09:53:27 :124004: <DBUG> |authmgr| rule: set role condition Role value-of
Oct 10 09:53:27 :124004: <DBUG> |authmgr| match_rule Value Pair to match User-Name : 00:0b:86:8e:de:cd
Oct 10 09:53:27 :124004: <DBUG> |authmgr| match_rule Value Pair to match E-Mail :
Oct 10 09:53:27 :124004: <DBUG> |authmgr| match_rule Value Pair to match Role :
Oct 10 09:53:27 :124441: <DBUG> |authmgr| auth_user_query_resp: vpnflags:4
Oct 10 09:53:27 :124467: <DBUG> |authmgr| Framed IP: found 0x0x0 (mask 0x0xffffffff)
Oct 10 09:53:27 :103046: <ERRS> |ike| IKE XAuth client UP failed 10.21.16.75 (External 10.21.16.75)

 

For some reason, the process fails and I don't know what I'm missing.

The RAP-3WN log:

#RECV 80 bytes from 10.21.8.16[4500] (2.0)
(pid:14338)  time:2000-01-02 21:46:44

 spi={95ffeee0b90c4e2d d33aac6d1bd90855} np=E{N}
 exchange=IKE_AUTH msgid=1 len=76
  I <--
   Notify: AUTHENTICATION_FAILED (ESP spi=6660d100)
InNotify AP authentication failed
ike2_state.c (7737): errorCode = ERR_IKE_NOTIFY_PAYLOAD
IKE SA failed reason = ERR_IKE_XAUTH_FAILED, errorcode = -8952
send_sapd_error: error:45 debug_error:0

 

 

I'm trying to convert the AP to RAP while it is connected in a VLAN that has direct access to the controller, because this is my first time working with RAP. Once the AP has been converted to RAP and reaches the controller, I will try to set up the RAP via the Internet by configuring a public IP address on the controller or doing NAT in a router.

I hope you can help me!

Kind regards!

Re: Failed to convert RAP-3WN to RAP

Do you have a master-local setup?

Please run the following commands:

- show datapath session table <ipaddress> | include 4500
- show crypto ipsec sa
- show user-table verbose

Make sure UDP/4500 is allowed.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Failed to convert RAP-3WN to RAP

Hi, thanks for the reply!

These are the command outputs:

show datapath session table 10.21.16.75 | include 4500
10.21.16.75 10.155.154.41 17 40994 4500 0/0 0 0 1 local 3 0 0 FY
10.21.16.75 10.155.154.41 17 40996 4500 0/0 0 0 0 0/0/0 2 2 844 FC
10.155.154.41 10.21.16.75 17 4500 40994 0/0 0 0 1 local 3 1 108 FC
10.155.154.41 10.21.16.75 17 4500 40996 0/0 0 0 1 0/0/0 2 2 513 F

 

#show crypto ipsec sa

% No active IPSEC SA

 

show user-table verbose | include 10.21.16.75


10.21.16.75 00:00:00:00:00:00 logon 00:00:00 VPN N/A tunnel 1

 

Thanks!

 

Re: Failed to convert RAP-3WN to RAP

Do you have a master-local setup?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Failed to convert RAP-3WN to RAP

The controller is Master.

But I don't know if I have to set some parameters in IPsec:

master_controller.JPG

Thank you very much!

Re: Failed to convert RAP-3WN to RAP

Are you using AOS 6.2?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Failed to convert RAP-3WN to RAP

Yes.

show version

Version 6.2.0.0

Guru Elite

Re: Failed to convert RAP-3WN to RAP

JuanCarlos,

Did you set up a VPN pool for your IAP?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Failed to convert RAP-3WN to RAP

Yes, I've set up a VPN pool for only one RAP.

Start IP address 10.21.16.75, end IP address 10.21.16.75.

But the RAP-3WN already has this IP address, because it is connected in a VLAN in this range and that is the only way to manage the AP. Should I configure a different pool?

As I said, I want to try to convert the AP to RAP first; after the RAP works, I will use another VPN pool and configure NAT in the router with a public address pointing to the controller in order to use RAP across the Internet.

But at this moment I'm not able to convert the AP to RAP and register the AP in the controller due to the VPN setup failure.

I don't know if I have to configure IPsec parameters on the controller, or if it is possible to do what I want with the AP directly connected to the VLAN. I think RAP can be used across the Internet, but that isn't mandatory.

Regards!

Guru Elite

Re: Failed to convert RAP-3WN to RAP

For the VPN pool, you should use a non-routable address like 8.8.8.1 to 8.8.8.8. Include more than one IP address for troubleshooting.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
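
An added example, not part of the thread and not Aruba tooling: a short Python triage of the controller's security log that pairs each `IKE XAuth client UP failed` line with the earlier authmgr result for the same client and checks whether the AP's outer address falls inside the configured VPN pool. The function names are hypothetical; the two log lines and both pool ranges are copied from the posts above.

```python
import ipaddress
import re

# Message formats as they appear in the thread's "show log security" output.
AUTH_RE = re.compile(
    r"\|authmgr\| Authentication result=(.+?)\(\d+\), method=VPN, .*user=(\S+)")
IKE_RE = re.compile(r"\|ike\| IKE XAuth client UP failed (\S+) \(External (\S+)\)")

# Two lines copied from the controller log posted in the thread.
THREAD_LOG = [
    "Oct 10 09:53:27 :124003: <INFO> |authmgr| Authentication result="
    "Authentication Successful(0), method=VPN, server=Internal, user=10.21.16.75",
    "Oct 10 09:53:27 :103046: <ERRS> |ike| IKE XAuth client UP failed "
    "10.21.16.75 (External 10.21.16.75)",
]

def in_pool(addr, start, end):
    """True if addr lies inside the inclusive start..end VPN pool range."""
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(start) <= a <= ipaddress.ip_address(end)

def triage(lines, pool_start, pool_end):
    """Return one finding per IKE XAuth failure seen in the log lines."""
    auth_ok, findings = set(), []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            if m.group(1) == "Authentication Successful":
                auth_ok.add(m.group(2))
            continue
        m = IKE_RE.search(line)
        if not m:
            continue
        client, external = m.groups()
        findings.append({
            "client": external,
            # Credentials were accepted, so the failure is later in tunnel setup.
            "auth_succeeded": client in auth_ok,
            # The AP's own (outer) address is also the address the pool hands out.
            "outer_ip_in_pool": in_pool(external, pool_start, pool_end),
        })
    return findings

if __name__ == "__main__":
    # Pool from the original post, then the separate range suggested in the reply.
    for start, end in (("10.21.16.75", "10.21.16.75"), ("8.8.8.1", "8.8.8.8")):
        print(start, end, triage(THREAD_LOG, start, end))
```

A finding with `auth_succeeded` true and `outer_ip_in_pool` true matches the situation in this thread: the whitelist lookup passes, but the pool overlaps the address the AP already uses on its VLAN.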
