ArubaOS and Controllers

Occasional Contributor II
Posts: 39
Registered: ‎07-10-2010

RAP Unable to Tunnel with Controller

Dear ALL,
One of my recent deployments is RAP-2 with a controller having static private IP with 1 to 1 Natting with public IP.

All the ports are allowed on the firewall and I can ping, https, ssh the controller.

However the RAP can never reach the controller always giving rc_error_ikep1 (controller unreachable). I have changed ISPs on RAP side as well and the traffic is properly forwarded.

My question is: is there any tool that will allow me to see whether my controller is accepting connections on UDP port 4500 or not? As per the logs from the firewall, I also cannot see any traffic hitting the controller interface on port 4500.

Regards..
Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: RAP Unable to Tunnel with Controller

If you use "show datapath session table | include 4500" on the command line on the controller, you will see that.

When you are provisioning the RAP2 on the diagnostics screen, what are you seeing?
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor II
Posts: 39
Registered: ‎07-10-2010

Re: RAP Unable to Tunnel with Controller

On RAP2 I get the message:

Connecting to Master: Trying (4/4) RC_ERROR_IKEP1

Then a prompt message:
AP has encountered an error and is going to restart
Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: RAP Unable to Tunnel with Controller

That does mean that there is no connectivity between the RAP and the controller. What kind of broadband connection do you have on the RAP side?
Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 39
Registered: ‎07-10-2010

Re: RAP Unable to Tunnel with Controller

I have tried several broadband connections. With the same broadband connection I am able to associate the RAP with another controller installed in a different location. Anyway, I have already tried on:
Wimax
DSL
3G network
Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: RAP Unable to Tunnel with Controller

Do you have a different rap to try? What is your firewall in front of the controller?
Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 39
Registered: ‎07-10-2010

Re: RAP Unable to Tunnel with Controller

I have already tried with 2 X RAP2WG and 1 X RAP5.

The firewall in front of the controller is a Juniper SSG140. According to the client there is no hit at port 4500 on the controller.
Also, on the controller I have enabled debug logging for security and till now I haven't found any issue.
Guru Elite
Posts: 19,964
Registered: ‎03-29-2007

Re: RAP Unable to Tunnel with Controller

The traffic has to hit the firewall before it hits the controller. I am not familiar with the SSG, can you show all the traffic that is hitting that public IP address? You should at least see UDP 4500. If you can, open it up to http and do a "show datapath session table" on the controller and see if you see the http traffic from the public source address when you initiate it, after opening it up on the firewall.
Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 39
Registered: ‎07-10-2010

Re: RAP Unable to Tunnel with Controller

Hmm, ok, that's good, let me gather the log from the client & paste it here afterwards.

Thanks for your help!
Occasional Contributor I
Posts: 7
Registered: ‎03-11-2010

Re: RAP Unable to Tunnel with Controller

Does the firewall by any chance have active VPN services? In that case the firewall might decide to respond to the ISAKMP request from the RAP instead of passing it through to the controller.

I've had issues with our SonicWall NSA2400, which has active site-to-site VPN tunnels. Capturing the conversation between a RAP-2WG and my controller showed that the NSA2400 responded with a "No proposal chosen" message, which gave the same error message in the RAP GUI that you get.

Don't know if it helps, but you never know;-)
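
The check described in the last reply can be run over a packet capture: the sketch below is an added example, not code from any poster or from Aruba, and it parses the UDP payload of one cleartext IKEv1 reply to list its notify types, so a NO-PROPOSAL-CHOSEN answer coming from a device in the path can be recognised. The function names and the sample bytes are constructed for illustration; the field layout follows RFC 2408 and the UDP 4500 non-ESP marker follows RFC 3948.

```python
import struct

NO_PROPOSAL_CHOSEN = 14      # RFC 2408 notify message type
PAYLOAD_NOTIFICATION = 11    # RFC 2408 payload type
EXCHANGES = {2: "main-mode", 4: "aggressive", 5: "informational"}

def parse_ike_notifies(udp_payload, udp_port=4500):
    """Return (exchange name, [notify types]) for one cleartext IKEv1 message."""
    data = udp_payload
    if udp_port == 4500:
        # RFC 3948: IKE on UDP 4500 starts with a 4-byte all-zero non-ESP marker.
        if data[:4] != b"\x00" * 4:
            raise ValueError("no non-ESP marker: ESP-in-UDP, not IKE")
        data = data[4:]
    if len(data) < 28:
        raise ValueError("shorter than an ISAKMP header")
    _ic, _rc, next_payload, version, exchange, flags, _mid, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    if version >> 4 != 1:
        raise ValueError("not IKEv1")
    if flags & 0x01:
        raise ValueError("payloads are encrypted")
    if length > len(data):
        raise ValueError("truncated capture")
    notifies, offset = [], 28
    while next_payload != 0:
        if offset + 4 > length:
            raise ValueError("payload chain runs past message length")
        current = next_payload
        next_payload, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > length:
            raise ValueError("bad payload length")
        if current == PAYLOAD_NOTIFICATION:
            if plen < 12:
                raise ValueError("notification payload too short")
            # DOI(4) protocol-id(1) spi-size(1) notify-type(2)
            notifies.append(struct.unpack("!IBBH", data[offset + 4:offset + 12])[3])
        offset += plen
    return EXCHANGES.get(exchange, str(exchange)), notifies

def build_sample_reply():
    """Constructed sample: informational reply carrying NO-PROPOSAL-CHOSEN."""
    notify = struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, NO_PROPOSAL_CHOSEN)
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                         PAYLOAD_NOTIFICATION, 0x10, 5, 0, 0, 28 + len(notify))
    return b"\x00" * 4 + header + notify

if __name__ == "__main__":
    exchange, notifies = parse_ike_notifies(build_sample_reply())
    print(exchange, notifies, NO_PROPOSAL_CHOSEN in notifies)
```

A reply of this kind whose source is the public IP, while the controller's own session table shows nothing on 4500, points at the device in front of the controller answering the IKE request itself.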