Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Problem with RAP3 retrieving image from controller

  • 1.  Problem with RAP3 retrieving image from controller

    Posted Mar 29, 2013 07:04 PM

    Hey fellas, I see a few issues with people trying to convert these RAP-3's to be managed by a mobility controller.  I also am currently trying to do the same.  My controller's version code is 6.2.0.3 and just for kicks I have upgraded my RAP-3's firmware to 6.2.0.0-3.

     

    It is successfully connecting back to the controller over 4500.  The hang up seems to be when it's trying to retrieve an image from the controller.  I have attached the failed doc to this post.  I also have opened a ticket with Aruba and they are trying to recreate my issue in their lab.  I have been told that the RAP is using tftp (port 69) back to the controller to get this image but I also have that port opened on the firewall to allow this traffic as well.  Furthermore I see nothing in the logs to support that this tftp traffic is even taking place (allowed or denied) unless it's encapsulated within the IPSEC tunnel.

     

    I'm just hoping someone else may have run into this issue.

     

    Thanks!

     

    Ryan

    Attachment(s)

    txt
    rap3conversionfail.txt   14 KB 1 version


  • 2.  RE: Problem with RAP3 retrieving image from controller

    Posted Mar 29, 2013 07:30 PM

    Do you have the AP on the whitelist? The MAC address.



  • 3.  RE: Problem with RAP3 retrieving image from controller

    Posted Mar 29, 2013 07:34 PM

    Does this happen just with one RAP3?

    Because it should work... I actually got the same firmware, and a RAP3 at home, and I didn't have any issue when I was upgrading it to that version...

     

    From which version were you upgrading?

     

    If it's just one RAP3, try doing it factory default with the reset button...  let's say the image got corrupted or something bad happened when you upgraded it to the latest Instant firmware...



  • 4.  RE: Problem with RAP3 retrieving image from controller

    MVP EXPERT
    Posted Apr 01, 2013 07:55 AM

    Is the RAP behind a NAT device? Have you enabled NAT-T? Only reason why is I see this in your log:

     

    #RECV 900 bytes from x.x.x.x[4500] (3.0)(pid:8678)  time:2000-01-01 00:15:58
    
     spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT
     exchange=IKE_AUTH msgid=1 len=896
    ike2.c (656): errorCode = ERR_FRAGMENTATION_REQUIRED
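
Added example, not part of any post in this thread: a small Python parser for the IKE debug record quoted above, pulling out the fields relevant to the NAT-T question (UDP port, exchange type, size, error code). The function names are illustrative, the record layout is assumed from this one excerpt, and reading a 4-byte gap between the received size and `len` as the non-ESP marker that prefixes IKE on UDP 4500 (RFC 3948) is an interpretation, not something the log states.

```python
import re

# Log excerpt as quoted in the post (peer address was already redacted as x.x.x.x).
SAMPLE = """\
#RECV 900 bytes from x.x.x.x[4500] (3.0)(pid:8678)  time:2000-01-01 00:15:58
 spi={08b0571fadf7dc19 df4446847d557cc3} np=FGMT
 exchange=IKE_AUTH msgid=1 len=896
ike2.c (656): errorCode = ERR_FRAGMENTATION_REQUIRED
"""

# Layout assumed from the single record above: a '#<DIR> <n> bytes ...' header,
# key=value continuation lines, then optional '<file> (<line>): errorCode = X'.
HEADER = re.compile(r"^#(\w+) (\d+) bytes \w+ (\S+?)\[(\d+)\].*?time:(.+)$")
KEYVAL = re.compile(r"(\w+)=(\{[^}]*\}|\S+)")
ERROR = re.compile(r"^\S+ \(\d+\): errorCode = (\w+)")


def parse_ike_debug(text):
    """Group debug lines into one dict per IKE message."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = {"dir": m.group(1), "bytes": int(m.group(2)),
                   "peer": m.group(3), "port": int(m.group(4)),
                   "time": m.group(5).strip(), "errors": []}
            records.append(cur)
        elif cur is not None and ERROR.match(line):
            cur["errors"].append(ERROR.match(line).group(1))
        elif cur is not None:
            cur.update(KEYVAL.findall(line))   # spi, np, exchange, msgid, len
    return records


def summarize(rec):
    """Reduce one record to the facts that matter when checking NAT traversal."""
    overhead = rec["bytes"] - int(rec.get("len", rec["bytes"]))
    return {"exchange": rec.get("exchange"),
            "udp_4500": rec["port"] == 4500,       # NAT-T encapsulation port
            "non_esp_marker": overhead == 4,       # assumption: RFC 3948 marker
            "errors": rec["errors"]}


if __name__ == "__main__":
    for record in parse_ike_debug(SAMPLE):
        print(summarize(record))
```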


  • 5.  RE: Problem with RAP3 retrieving image from controller

    Posted Apr 01, 2013 10:13 AM

    Thanks for the fast reply and sorry for the late response.  I have multiple RAP-3's all doing the same thing.  Yes they are on the whitelist.  I currently have RAP-2's and 5's all working great and provisionable.



  • 6.  RE: Problem with RAP3 retrieving image from controller

    EMPLOYEE
    Posted Apr 01, 2013 09:16 AM

    @BigFowlboski wrote:

    Hey fellas, I see a few issues with people trying to convert these RAP-3's to be managed by a mobility controller.  I also am currently trying to do the same.  My controller's version code is 6.2.0.3 and just for kicks I have upgraded my RAP-3's firmware to 6.2.0.0-3.

     

    It is successfully connecting back to the controller over 4500.  The hang up seems to be when it's trying to retrieve an image from the controller.  I have attached the failed doc to this post.  I also have opened a ticket with Aruba and they are trying to recreate my issue in their lab.  I have been told that the RAP is using tftp (port 69) back to the controller to get this image but I also have that port opened on the firewall to allow this traffic as well.  Furthermore I see nothing in the logs to support that this tftp traffic is even taking place (allowed or denied) unless it's encapsulated within the IPSEC tunnel.

     

    I'm just hoping someone else may have run into this issue.

     

    Thanks!

     

    Ryan


    Ryan,

     

    Do you have any other RAPs (remote APs) besides that RAP3 connecting successfully?  Make sure the ap-role has an acl allowing FTP in it.  The ap-role determines what an access point is allowed to do when it connects via ipsec.  Everything should occur within the ipsec tunnel, so you should not have to allow TFTP inbound to your firewall.

     

    Type "show crypto ipsec sa" to see what ipsec tunnels are created and what the "inner" ip address of your access point is.  If you see the SA or security association that corresponds to the public ip address of your access point, that means your whitelist is set and it is making the necessary connection.  If you do NOT see an SA, you need to make sure you are allowing UDP 4500 and your RAP3 is in the whitelist.

     

    If you see the security association, see what traffic that AP is passing by typing "show datapath session table <inner ip address of the rap3>" to see what traffic it is passing.  You should see port 21 or FTP traffic, which means that it is upgrading.....

     

    The "fragmentation" message is cosmetic and can be ignored.

     

    By the way, from your logs, it looks like you have a successful connection, so you should check the AP-role.

     

     



  • 7.  RE: Problem with RAP3 retrieving image from controller

    Posted Apr 01, 2013 10:19 AM

    @cjoseph wrote:


    Ryan,

     

    Do you have any other RAPs (remote APs) besides that RAP3 connecting successfully?  Make sure the ap-role has an acl allowing FTP in it.  The ap-role determines what an access point is allowed to do when it connects via ipsec.  Everything should occur within the ipsec tunnel, so you should not have to allow TFTP inbound to your firewall.

     

    Type "show crypto ipsec sa" to see what ipsec tunnels are created and what the "inner" ip address of your access point is.  If you see the SA or security association that corresponds to the public ip address of your access point, that means your whitelist is set and it is making the necessary connection.  If you do NOT see an SA, you need to make sure you are allowing UDP 4500 and your RAP3 is in the whitelist.

     

    If you see the security association, see what traffic that AP is passing by typing "show datapath session table <inner ip address of the rap3>" to see what traffic it is passing.  You should see port 21 or FTP traffic, which means that it is upgrading.....

     

    The "fragmentation" message is cosmetic and can be ignored.

     

    By the way, from your logs, it looks like you have a successful connection, so you should check the AP-role.

     

     


     

     

    That's a great place to start.  Let me check that AP-role and get back to you.

     



  • 8.  RE: Problem with RAP3 retrieving image from controller

    Posted Apr 01, 2013 03:08 PM

    So after trying multiple RAP-3's with an acl that does allow tftp within the tunnel, still no dice.  It's still failing to retrieve the image from the controller.  Still working with Aruba engineers to figure out this issue.



  • 9.  RE: Problem with RAP3 retrieving image from controller

    Posted Apr 17, 2013 05:33 AM
    Did you get any solution for that?