Controllerless Networks

Hi,

first, im quite  a beginner, so ill try to explain my problem as best as i can.

i am using a cluter  active/passive of 7205 controller, with CAP  (325 and 275).

i want to use some AP as RAP (bridge).

i enabled VPN services, i provisionned my AP as a remote AP with controller Public IP.

But it doesnt work.

i checked log on the controller, AP conencts, get an IP from VPN pool, but then after a minute it disconnects.

i can see in the logs that this repeats few time (7) before disconnecting

Feb 20 13:26:28 :124405:  <4822> <DBUG> |authmgr|  AUTH GSM: ADD bss b4:5d:50:11:b2:c1: event=0
Feb 20 13:26:28 :124202:  <4822> <DBUG> |authmgr|  add_bss_object(): Detected AP (f/l 0) with ip 172.28.40.3 slotport 8448 status 1 txkey 0
Feb 20 13:26:28 :124004:  <4822> <DBUG> |authmgr|  user_add_af_ap: ap_ip 172.28.40.3 ap->ref_count 5
Feb 20 13:26:28 :124004:  <4822> <DBUG> |authmgr|   logging role event for 0x1ee3a94: 0x148d4dc,0x1160014, index 6
Feb 20 13:26:28 :124004:  <4822> <DBUG> |authmgr|  user_download: User 172.28.40.3  Router Acl(0)
Feb 20 13:26:28 :124004:  <4822> <DBUG> |authmgr|  get_traffic_prio_from_role: |TC-PROF GET|: Profile Name (Default) Role name (sys-ap-role) val(15)
Feb 20 13:26:28 :124004:  <4822> <DBUG> |authmgr|  user_download: |TC-PROF|: Role (sys-ap-role)  Traffic Prio(15)
Feb 20 13:26:28 :124163:  <4822> <DBUG> |authmgr|  download-L3: ip=172.28.40.3 acl=11/0 role=sys-ap-role, Ubwm=0, Dbwm=0 tunl=0x0x0, PA=0, HA=1, RO=0, VPN=0, MAC=00:00:00:00:00:00.
Feb 20 13:26:28 :124234:  <4822> <DBUG> |authmgr|  Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 556 2 user messages bundled, actions = 18, 20
Feb 20 13:26:28 :124004:  <4822> <DBUG> |authmgr|  add_bss_object: ap (172.28.40.3) bss->bssid.addr b4:5d:50:11:b2:c1 first_or_last is 0

and then after 50 seconds after last attempt IPSEC tunnel is down.

Can you help me find out whats wrong with my configuration?

im sure there is important information missing in what i said, then dont hesitate to ask me and ill try to be more precise.

Thanks

In the AP group for that AP, make sure that under AP> System Profile, you do not have an LMS-IP address.  If you do, the AP will attempt to connect to that private address over the internet and fail.

you might have better luck trying to post through the IAP section: http://community.arubanetworks.com/t5/Controllerless-Networks/bd-p/IAP

moving the conversation there to see if that audience can help.

than for your answers.

under APgroup >AP > AP System there is no IP under LMS IP

i do not think the problem is this because the AP connects fine, ipsec tunnel is established, AP gets IP from VPN pool (in the log below 172.28.40.7). and Role "sys-ap-role"

is there something needed after ipsec connection, for the AP to stay connected to the controller?

though i dont know much about all of this, i suspect the problem might come from the sys-ap-role affected to my AP. it seem to be the default role for RAP when CPsec is enabled. and as it is a system Role i cannot edit it or i cannot choose an other role for the AP.

|authmgr|  get_traffic_prio_from_role: |TC-PROF GET|: Profile Name (Default) Role name (sys-ap-role) val(15)
|authmgr|  user_download: |TC-PROF|: Role (sys-ap-role)  Traffic Prio(15)
|authmgr|  download-L3: ip=172.28.40.7 acl=11/0 role=sys-ap-role, Ubwm=0, Dbwm=0 tunl=0x0x0, PA=0, HA=1, RO=0, VPN=0, MAC=00:00:00:00:00:00.
|authmgr|  Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 556 2 user messages bundled, actions = 18, 20
|authmgr|  add_bss_object: ap (172.28.40.7) bss->bssid.addr b4:5d:50:11:b2:c2 first_or_last is 0
|authmgr|  do_bss_response(): Detected AP (f/l 0) with ip 172.28.40.7 slotport 8448 status 1 txkey 0
|authmgr|  Auth GSM: Num dev_id_cache entries aged = 0
|ike|   ipc.c:ipc_rcvcb:2650 Auth ip down message.  ip=172.28.40.7
|ike|   IPSEC_deleteSaByInnerIPExtIP delete IPSEC SA X.X.X.X:(inner:172.28.40.7)
|ike|  IPSEC SA deleted for peer X.X.X.X

our controllers OS version is 6.5.0.3

Is there an lms-ip in the ap system profile?

Honestly, cpsec is not used for RAP, so it would not affect it.

you were right to ask the question a second time.

i double checked and indeed this RAP is part of a group which has a LMS IP.

i will try to remove it.

thanks.

The system role is what APs use to connect.  There should be no problem.

Your logs do not have timestamps on them, so it is hard to understand the timeframe.  If you need immediate assistance with this, I would contact TAC.  It is hard to reverse-engineer what is wrong with partial logs.

Have you added the MAC addressof the RAP to the 

Wireless > AP Installation > Whitelist > Remote AP's?

You should just be able to add the MAC address and the AP group you want to assign the RAP to.

Thanks

so the first answer to this post was the solution.

RAP was in wrong AP group with LMS IP .....

Thanks, and sorry about that :)