How do I troubleshoot RAP in ArubaOS?


Product and Software: This article applies to all Aruba platforms running ArubaOS 3.3.1.x and later.



Assumptions
· The configuration was done as described in the User Guide and in the KB article "How do I configure RAP in ArubaOS 3.3.1?". The IP addresses in your deployment will of course differ from the ones shown here.
· The RAP was provisioned directly from the controller with a username, password, and IKE PSK.
· IP connectivity exists between the RAP and the controller's public address.

Normal RAP Sequence of Events
1) The RAP boots the image it downloaded from the controller when it was provisioned locally.
2) The RAP checks its environment variables and enters the RAP procedure because IPsec/L2TP parameters are present.
3) The RAP tries to build an IPsec tunnel to the master IP address. It can obtain the master IP statically from its environment variables or from DNS. Set it statically while troubleshooting so that name resolution is ruled out.
4) The controller authenticates the RAP using the IKE PSK, and the two negotiate the ISAKMP parameters.
5) After IKE Quick Mode succeeds, the RAP builds an L2TP tunnel to the controller inside the established IPsec tunnel.
6) The controller authenticates the RAP using the username and password. The server group configured for VPN authentication and its role-derivation rules are used.
7) After VPN authentication succeeds, the RAP receives its role and an inner IP address from the L2TP local pool configured for VPN.
8) The RAP uses its inner address to build a GRE tunnel to the controller and from here on follows the same procedure as a campus AP. Troubleshooting past this point is normal AP troubleshooting.

Debugging RAP Issues
1) Debugging IKE and ISAKMP:
(Aruba) (config)# logging level debugging security process crypto
(Aruba) (config)# logging level debugging security subcat ike

2) Debugging L2TP and local-db authentication:
(Aruba) (config)# logging level debugging security process l2tp
(Aruba) (config)# logging level debugging security process localdb

3) Debugging authentication and role derivation:
(Aruba) (config)# logging level debugging security process authmgr

Network Diagram (image not reproduced in this text)

Expected syslog Messages in Normal Operation

To display all log messages related to RAP IPsec and authentication, issue this command:

(Aruba) # show log security all

These are the main messages to verify, in the order the RAP sequence produces them:

1) Make sure the controller receives NAT-T traffic from the RAP's external address.

May 27 12:34:01 :103063: <DBUG> |ike| exchange_setup_p1: ID is IPv4
May 27 12:34:01 :103063: <DBUG> |ike| exchange_setup_p1: USING exchange type ID_PROT
May 27 12:34:01 :103063: <DBUG> |ike| exchange_setup_p1: passed checks
May 27 12:34:01 :103060: <DBUG> |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:817 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 66.6.1.1.
May 27 12:34:01 :103060: <DBUG> |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:846 Found our AP vendor ID from external IP 66.6.1.1

If these messages never appear, check for:

· IP routing between the RAP external IP and the controller public IP.
· A firewall or other security device blocking NAT-T (UDP port 4500) between the RAP and the controller.
· A NAT device not configured to forward traffic received on <public IP>:<UDP 4500> to <controller IP>:<UDP 4500>.

2) Make sure the IKE and ISAKMP negotiation succeeds.

May 27 12:34:03 :103022: <INFO> |ike| IKE Quick Mode succeeded for peer 66.6.1.1
May 27 12:34:03 :103034: <INFO> |ike| IKE Quick Mode succeeded from client external 66.6.1.1
May 27 12:34:03 :103060: <DBUG> |ike| ike_quick_mode.c:ike_quick_mode_send_notify:3391 ike_quick_mode_send_notify: Added ike quick mode notify payload.
May 27 12:34:03 :103063: <DBUG> |ike| ipsec_sa 0x10269ddc, proto 0x1026bd44
May 27 12:34:03 :103063: <DBUG> |ike| ipc_setup_ipsec_dp_sa add=1, out=1, sa=0x10267d4c, proto=0x1026bd44
May 27 12:34:03 :103063: <DBUG> |ike| ipc_setup_ipsec_dp_sa sa src=0xc0a800fe, dst=0x42060101
May 27 12:34:03 :103060: <DBUG> |ike| ipc.c:ipc_print_dp_packet:1313 DP: :TRANSPORT::SA_ADD::L2TP: OFF::outgoing::ESP::3DES or DES::Auth = SHA1:, SPI 94318200, esrc C0A800FE, edst_ip 42060101, dst_ip 0, l2tp_tunid 0, l2tp_sessid 0, l2tp_hello 0
May 27 12:34:03 :103060: <DBUG> |ike| ipc.c:ipc_modify_sb_data:848 IPSEC dst_ip=0.0.0.0, dst_mask 0.0.0.0 inner_ip 0.0.0.0 client:yes trusted:no, Master-Local:no
May 27 12:34:03 :103063: <DBUG> |ike| Setup the outgoing IPSEC SA --- DONE !!
May 27 12:34:03 :103063: <DBUG> |ike| ipc_setup_ipsec_dp_sa add=1, out=0, sa=0x10267d4c, proto=0x1026bd44
May 27 12:34:03 :103063: <DBUG> |ike| ipc_setup_ipsec_dp_sa sa src=0xc0a800fe, dst=0x42060101
May 27 12:34:03 :103060: <DBUG> |ike| ipc.c:ipc_print_dp_packet:1313 DP: :TRANSPORT::SA_ADD::L2TP: OFF::incoming::ESP::3DES or DES::Auth = SHA1:, SPI D4306D00, esrc 42060101, edst_ip C0A800FE, dst_ip 0, l2tp_tunid 0, l2tp_sessid 0, l2tp_hello 0
May 27 12:34:03 :103063: <DBUG> |ike| Setup the incoming IPSEC SA --- DONE !!
May 27 12:34:03 :103063: <DBUG> |ike| ***** Adding to the DB Transport ESP 3DES SHA ******

If Phase 1 is received but Quick Mode never succeeds, the IKE PSK on the RAP most likely does not match the one on the controller (see "Wrong IKE PSK" under Common Issues).

3) Make sure L2TP authentication succeeds and the RAP receives an inner IP address.

For Localdb authentication:
May 27 12:34:06 :133004: <INFO> |localdb| Received Authentication Request for User rapuser1
May 27 12:34:06 :133005: <INFO> |localdb| User rapuser1 rap_role Succesfully Authenticated
For L2TP and inner IP:
May 27 12:34:06 :142003: <DBUG> |l2tp| IP UP from PPPD: TID 4, CID 16142, Inner ip 192.168.1.13
May 27 12:34:06 :142000: <INFO> |l2tp| Creating L2TP Tunnel from 66.6.1.1(innerip=192.168.1.13)

Otherwise, check:
· The username and password.
· The role derivation rules, if the RAP did not get the expected role.
· Whether the local pool is full (no free inner addresses).



Other Verification Commands

(Aruba)# show datapath tunnel table
Datapath Tunnel Table Entries
---------------------------------
Flags: E - Ether encap, I - Wi-Fi encap, F - IP fragment OK
W - WEP, K - TKIP, A - AESCCM, M - no mcast src filtering
S - Single encrypt, U - Untagged, X - MUX
T - Trusted, L - No looping, d - Drop Bcast/Mcast

# Source Destination Prt Type MTU VLAN BSSID Decaps Encaps Heartbeats Flags
--- -------------- -------------- --- ---- ---- ---- ----------------- ---------- ---------- ---------- -----
13 SPID4306D00 in 192.168.0.254 50 IPSE 1500 0 routeDest 5115 381 0
12 SPI94318200out 66.6.1.1 50 IPSE 1500 0 routeDest 0000 0 672
9 192.168.0.253 192.168.1.13 47 8210 1200 2 00:0B:86:2D:39:F1 124 0 124 IM
8 192.168.0.253 192.168.1.13 47 8200 1200 2 00:0B:86:2D:39:F0 126 0 124 IKM


(Aruba)# show ap active
Active AP Table
-----------------
Name Group IP Address 11g Clients 11g Ch/Pwr 11a Clients 11a Ch/Pwr AP Type Flags Uptime
---- ----- ---------- ----------- ---------- ----------- ---------- ------- ----- ------
RAP default 192.168.1.13 0 AP:1/6 0 61 R 3m:48s
Flags: R = Remote AP; P = PPPOE; E = Wired AP enabled; A = Enet1 in active/standby mode;
L = Active Load Balancing Enabled; D = Disconn. Extra Calls On; B = Battery Boost On
X = Maintenance Mode; d = Drop Mcast/Bcast On
Num APs:1


(Aruba)# show ap bss-table
Aruba AP BSS Table
----------------------
bss ess s/p ip phy type ch/pwr cur-cl ap name in-t(s) tot-t mtu acl-state
--- --- --- -- --- ---- ------ ------ ------- ------- ----- --- ---------
00:0b:86:2d:39:f0 Oxygen ?/? 192.168.1.13 g ap 1/6 0 RAP 0 3m:10s 1200 -
00:0b:86:2d:39:f1 Oxygen-Guest ?/? 192.168.1.13 g ap 1/6 0 RAP 0 3m:10s 1200 -
Num APs:1
Num Associations:0



Common Issues
· Wrong IKE PSK
May 27 14:59:05 :103063: <DBUG> |ike| exchange_setup_p1: ID is IPv4
May 27 14:59:05 :103063: <DBUG> |ike| exchange_setup_p1: USING exchange type ID_PROT
May 27 14:59:05 :103063: <DBUG> |ike| exchange_setup_p1: passed checks
May 27 14:59:05 :103060: <DBUG> |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:817 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 66.6.1.1.
May 27 14:59:05 :103060: <DBUG> |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:846 Found our AP vendor ID from external IP 66.6.1.1
May 27 14:59:05 :103060: <DBUG> |ike| ike_phase_1.c:attribute_unacceptable:2402 Proposal match failed in key length, configured=0, peer using=32
May 27 14:59:05 :103060: <DBUG> |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:955 Ike Phase 1 received SA
May 27 14:59:06 :103063: <DBUG> |ike| GetFirstMatchIsakmpPSK: entering
May 27 14:59:06 :103063: <DBUG> |ike| mask FFFFFFFF, ip 42060101, key_ip 50E36A2A
May 27 14:59:06 :103063: <DBUG> |ike| mask 0, ip 42060101, key_ip 0
May 27 14:59:06 :103060: <DBUG> |ike| ike_auth.c:ike_auth_get_key:405 Found isakmp policy for peer 0.0.0.0 client:no
May 27 14:59:07 :103063: <DBUG> |ike| message_parse_payloads: reserved field non-zero: f9
May 27 14:59:07 :103060: <DBUG> |ike| message.c:message_drop:2061 Message drop from 66.6.1.1 port 12050 due to notification type PAYLOAD_MALFORMED
May 27 14:59:07 :103053: <INFO> |ike| Dropping IKE message from 66.6.1.1 possibly due to invalid IKE pre-shared key or RSA client certificate configured on client


· Wrong Username and Password
May 27 15:12:57 :124038: <INFO> |authmgr| Selected server Internal for method=VPN; user=rapuser1, essid=<>, domain=<>, server-group=default
May 27 15:12:57 :133004: <INFO> |localdb| Received Authentication Request for User rapuser1
May 27 15:12:57 :133006: <ERRS> |localdb| User rapuser1 Failed Authentication
May 27 15:12:57 :124004: <DBUG> |authmgr| Rx message 21/23, length 318 from 192.168.0.253:8344
May 27 15:12:57 :124003: <INFO> |authmgr| Authentication result=Authentication failed(1), method=VPN, server=Internal, user=00:0b:86:51:8d:90
May 27 15:12:57 :124004: <DBUG> |authmgr| Auth server 'Internal' response=1
May 27 15:12:57 :124004: <DBUG> |authmgr| Setting authserver 'Internal' for user 66.6.1.1, client VPN
May 27 15:12:57 :105003: <ERRS> |l2tp| PPP/VPN Authentication failed rapuser1 66.6.1.1 PAP.
Please check authentication server radius/ldap/tacacs logs.

· Local Pool is Full
The L2TP debug below shows PPP negotiation traffic going back and forth, but no "IP UP from PPPD ... Inner ip" message ever follows. Confirm with the pool command that follows the log excerpt.
May 27 16:09:49 :142003: <DBUG> |l2tp| write_packet: writing fd:18 bytes:47 retval:47 buf:1003b700 after sync async convertion
May 27 16:09:49 :142003: <DBUG> |l2tp| handle_packet: after write_packet result:0
May 27 16:09:51 :142003: <DBUG> |l2tp| network_thread: recv packet from 192.168.0.234, size = 57, tunnel = 24, call = 49113
May 27 16:09:51 :142003: <DBUG> |l2tp| handle_packet: rcvd Data packet len:57 !
May 27 16:09:51 :142003: <DBUG> |l2tp| write_packet: writing packet to tty
May 27 16:09:51 :142003: <DBUG> |l2tp| write_packet: writing fd:18 bytes:76 retval:76 buf:1003b700 after sync async convertion
May 27 16:09:51 :142003: <DBUG> |l2tp| handle_packet: after write_packet result:0
May 27 16:09:51 :142003: <DBUG> |l2tp| network_thread: recv packet from 192.168.0.234, size = 51, tunnel = 24, call = 49113
May 27 16:09:51 :142003: <DBUG> |l2tp| handle_packet: rcvd Data packet len:51 !
May 27 16:09:51 :142003: <DBUG> |l2tp| write_packet: writing packet to tty
May 27 16:09:51 :142003: <DBUG> |l2tp| write_packet: writing fd:18 bytes:66 retval:66 buf:1003b700 after sync async convertion
May 27 16:09:51 :142003: <DBUG> |l2tp| handle_packet: after write_packet result:0
May 27 16:09:51 :142003: <DBUG> |l2tp| network_thread: recv packet from 192.168.0.234, size = 32, tunnel = 24, call = 49113
May 27 16:09:51 :142003: <DBUG> |l2tp| handle_packet: rcvd Data packet len:32 !
May 27 16:09:51 :142003: <DBUG> |l2tp| write_packet: writing packet to tty
May 27 16:09:51 :142003: <DBUG> |l2tp| write_packet: writing fd:18 bytes:34 retval:34 buf:1003b700 after sync async convertion
May 27 16:09:51 :142003: <DBUG> |l2tp| handle_packet: after write_packet result:0
May 27 16:09:51 :124004: <DBUG> |authmgr| RX (sock) message of type 1, len 608
May 27 16:09:51 :124004: <DBUG> |authmgr| Setting auth subtype 'PAP' for user x.x.x.x, client VPN
May 27 16:09:51 :124004: <DBUG> |authmgr| Setting auth type 'VPN' for user x.x.x.x, client VPN


(Aruba)# show vpdn l2tp local pool
IP addresses used in pool rap
192.168.1.10

1 IPs used - 0 IPs free - 1 IPs configured

· No License or Not Enough Licenses
(Aruba)# show log system 1
May 27 16:22:25 :305014: <WARN> |stm| No available license for remote AP RAP
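
A small triage script for the log output shown above, added here as an illustration and not part of the original article or of ArubaOS: it reads a "show log security all" excerpt, reports the furthest step of the normal RAP sequence it can confirm, matches the Common Issues signatures, and parses the summary line of "show vpdn l2tp local pool". The regular expressions target the exact message text reproduced on this page. The sample logs embedded in the script are constructed from those excerpts (the timestamps of the IKE lines in the bad-credentials sample are assumed), and the script assumes each excerpt covers a single RAP.

```python
"""Triage of ArubaOS RAP tunnel logs: how far the RAP got and why it stopped.

Added example for this KB article; it is not Aruba code.  Patterns are taken
from the 'show log security all' excerpts reproduced in the article.  The sample
input is constructed from those excerpts and covers one RAP; a real log
interleaves several peers, so filter by external IP before applying this to it.
"""
import re

IPV4 = r"(\d+(?:\.\d+){3})"

# Milestones of the normal RAP sequence, in order.  Each regex captures the
# identifying value (peer IP, user, inner IP) for the report.
STAGES = [
    ("nat_t_received", re.compile(r"Recvd VPN IKE Phase 1 SA transform negotiation .* from IP " + IPV4)),
    ("ike_quick_mode", re.compile(r"IKE Quick Mode succeeded for peer " + IPV4)),
    ("vpn_auth", re.compile(r"\|localdb\| User (\S+) \S+ Succes+fully Authenticated")),
    ("inner_ip", re.compile(r"IP UP from PPPD: .*Inner ip " + IPV4)),
]

# What to check when the sequence stalls before a given stage, following the
# 'Otherwise ... check' lists in the article.
NEXT_CHECK = {
    "nat_t_received": "routing to the controller public IP, firewall on UDP 4500, NAT forwarding of UDP 4500",
    "ike_quick_mode": "IKE PSK on the RAP versus the controller",
    "vpn_auth": "RAP username/password and the VPN server group",
    "inner_ip": "role derivation and L2TP local pool (show vpdn l2tp local pool)",
}

# Explicit failure signatures from the 'Common Issues' section.
FAILURES = [
    ("wrong_psk", re.compile(r"Dropping IKE message from " + IPV4 + r" possibly due to invalid IKE pre-shared key")),
    ("bad_credentials", re.compile(r"\|localdb\| User (\S+) Failed Authentication")),
    ("no_license", re.compile(r"No available license for remote AP (\S+)")),
]

POOL_SUMMARY = re.compile(r"(\d+) IPs used - (\d+) IPs free - (\d+) IPs configured")


def triage(log_text):
    """Return the last stage reached, captured details, failures seen and the next check."""
    reached, failures = {}, []
    for line in log_text.splitlines():
        for name, pat in STAGES:
            m = pat.search(line)
            if m and name not in reached:
                reached[name] = m.group(1)
        for name, pat in FAILURES:
            m = pat.search(line)
            if m:
                failures.append((name, m.group(1)))
    order = [name for name, _ in STAGES]
    done = [name for name in order if name in reached]
    missing = [name for name in order if name not in reached]
    return {
        "stage": done[-1] if done else None,
        "details": reached,
        "failures": failures,
        "next_check": NEXT_CHECK[missing[0]] if missing
        else "tunnel complete; continue with normal AP troubleshooting",
    }


def pool_status(pool_text):
    """Parse the summary line of 'show vpdn l2tp local pool'; free == 0 means exhausted."""
    m = POOL_SUMMARY.search(pool_text)
    if not m:
        raise ValueError("pool summary line not found")
    used, free, configured = (int(x) for x in m.groups())
    return {"used": used, "free": free, "configured": configured, "exhausted": free == 0}


# Constructed samples, assembled from the article's log excerpts.
GOOD_LOG = """\
May 27 12:34:01 :103060: <DBUG> |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:817 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 66.6.1.1.
May 27 12:34:03 :103022: <INFO> |ike| IKE Quick Mode succeeded for peer 66.6.1.1
May 27 12:34:06 :133005: <INFO> |localdb| User rapuser1 rap_role Succesfully Authenticated
May 27 12:34:06 :142003: <DBUG> |l2tp| IP UP from PPPD: TID 4, CID 16142, Inner ip 192.168.1.13
"""
WRONG_PSK_LOG = """\
May 27 14:59:05 :103060: <DBUG> |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:817 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 66.6.1.1.
May 27 14:59:07 :103053: <INFO> |ike| Dropping IKE message from 66.6.1.1 possibly due to invalid IKE pre-shared key or RSA client certificate configured on client
"""
BAD_CRED_LOG = """\
May 27 15:12:55 :103060: <DBUG> |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:817 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 66.6.1.1.
May 27 15:12:56 :103022: <INFO> |ike| IKE Quick Mode succeeded for peer 66.6.1.1
May 27 15:12:57 :133006: <ERRS> |localdb| User rapuser1 Failed Authentication
May 27 15:12:57 :105003: <ERRS> |l2tp| PPP/VPN Authentication failed rapuser1 66.6.1.1 PAP.
"""
POOL_OUTPUT = "IP addresses used in pool rap\n192.168.1.10\n\n1 IPs used - 0 IPs free - 1 IPs configured\n"

if __name__ == "__main__":
    for label, log in (("good", GOOD_LOG), ("wrong psk", WRONG_PSK_LOG), ("bad creds", BAD_CRED_LOG)):
        print(label, triage(log))
    print("pool", pool_status(POOL_OUTPUT))
```

The "stage" field tells you which of the three verification steps above to start at; "next_check" repeats the article's own checklist for the first milestone that is missing. Run it against a log filtered to one RAP's external IP (grep for the address before feeding it in), otherwise a healthy RAP in the same log will mask a failing one.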


Also refer to the KB article "How do I configure RAP in ArubaOS 3.3.1?", available on the Aruba support website as Answer ID 343:

http://support.arubanetworks.com/Default.aspx?tabid=111&loc=https://kb.arubanetworks.com/app/answers/detail/a_id/343/kw/343v

Version history
Revision #: 1 of 1
Last update: 07-02-2014 01:15 PM