@BigFowlboski wrote:
Hey fellas, I see a few issues with people trying to convert these RAP-3's to be managed by a mobility controller. I also am currently trying to do the same. My controller's version code is 6.2.0.3 and just for kicks I have upgraded my RAP-3's firmware to 6.2.0.0-3.
It is successfully connecting back to the controller over 4500. The hang-up seems to be when it's trying to retrieve an image from the controller. I have attached the failed doc to this post. I also have opened a ticket with Aruba and they are trying to recreate my issue in their lab. I have been told that the RAP is using tftp (port 69) back to the controller to get this image, but I also have that port opened on the firewall to allow this traffic as well. Furthermore I see nothing in the logs to support that this tftp traffic is even taking place (allowed or denied) unless it's encapsulated within the IPSEC tunnel.
I'm just hoping someone else may have run into this issue.
Thanks!
Ryan
Ryan,
Do you have any other RAPs (remote APs) besides that RAP3 connecting successfully? Make sure the ap-role has an ACL allowing FTP in it. The ap-role determines what an access point is allowed to do when it connects via IPsec. Everything should occur within the IPsec tunnel, so you should not have to allow TFTP inbound on your firewall.
Type "show crypto ipsec sa" to see what ipsec tunnels are created and what the "inner" ip address of your access point is. If you see the SA or security association that corresponds to the public ip address of your access point, that means your whitelist is set and it is making the necessary connection. If you do NOT see an SA, you need to make sure you are allowing UDP 4500 and your RAP3 is in the whitelist.
If you see the security association, see what traffic that AP is passing by typing "show datapath session table <inner ip address of the rap3>". You should see port 21 or FTP traffic, which means that it is upgrading.
The "fragmentation" message is cosmetic and can be ignored.
By the way, from your logs, it looks like you have a successful connection, so you should check the AP-role.
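The reply's checks, put in the order you would run them on the controller, as an added ArubaOS 6.x CLI walkthrough that is not from either poster. The inner IP 10.0.0.50 is a placeholder, and `show whitelist-db rap`, `show ap database`, `show rights ap-role` and `show ip access-list ap-acl` are assumed to be available on this 6.2 controller.

```text
! 1. Confirm the RAP's IPsec SA exists (the reply's first check).
!    Look for the AP's public IP in the output; the inner (tunnel) IP
!    shown for that SA is the address used in step 3.
(controller) #show crypto ipsec sa

! If no SA appears, the RAP never completed IKE: verify the RAP is in
! the whitelist and that UDP 4500 reaches the controller.
(controller) #show whitelist-db rap
(controller) #show ap database

! 2. Confirm the ap-role still permits FTP inside the tunnel. The
!    default ap-role references the session ACL ap-acl; check that a
!    permit for svc-ftp (TCP 21) is present and not shadowed by a
!    deny above it. TFTP only needs to be permitted here, never on the
!    external firewall, because it rides inside the IPsec tunnel.
(controller) #show rights ap-role
(controller) #show ip access-list ap-acl

! 3. With the inner IP from step 1 (placeholder 10.0.0.50), watch the
!    RAP's live sessions. A session to the controller on port 21 means
!    the image download is under way. An SA present but no port-21
!    session points back at the ACL in step 2.
(controller) #show datapath session table 10.0.0.50
```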