Controller Based WLANs

Is there a quick and easy way to remotely test the NATT and associated port forwarding is working before we try to bring up an Aruba RAP?

Environment Information:

Any Aruba Controller
Any Access Point
Any Aruba OS
Symptoms: When an Aruba RAP is connected to the Internet and has connectivity to the Controller, but UDP 4500 traffic from the RAP is still not seen arriving at the Controller, we need to verify that UDP 4500 is allowed on the corporate firewall.

Cause: NAT-T (UDP 4500) may not be allowed through the firewall in both directions.

 

Resolution:

To remotely test that NAT-T and the associated port forwarding are working without a RAP, you can use ike-scan on any Windows laptop.

For example, if the Aruba Controller hostname (publicly resolvable) is "Aruba.no-ip.org", use the command:

C:\tools\ike-scan-win32-1.9>ike-scan.exe --nat-t --sport=4501 Aruba.no-ip.org
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
16.10.7.107    Main Mode Handshake returned HDR=(CKY-R=37ae550278574b89) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp10
Ending ike-scan 1.9: 1 hosts scanned in 0.040 seconds (25.00 hosts/sec).  1 returned handshake; 0 returned notify
C:\tools\ike-scan-win32-1.9>
 
If you get a response from the Controller (16.10.7.107 in my case), then NAT-T is working end to end. Note that I specified --sport=4501 here because the VPN client on my laptop is already consuming UDP/4500; you can optionally remove it.
 
You can view the incoming connection on the controller using the "show datapath session table" command:
 
(tac-620) #show datapath session table | include 4500
192.168.1.2     16.10.7.107    17   4501  4500   0/0     0 96  1   tunnel 19   2    15     333    FC
16.10.7.107    192.168.1.2     17   4500  4501   0/0     0 96  0   tunnel 19   2    0      0      F
(tac-620) #
 
The ike-scan tool is available from http://www.nta-monitor.com/tools-resources/security-tools/ike-scan
Version history
Revision #: 1 of 1
Last update: 07-10-2014 05:59 PM