Controllerless Networks

Reply
Occasional Contributor II

RAP not provisioning

Hi,

first, im quite  a beginner, so ill try to explain my problem as best as i can.

i am using a cluter  active/passive of 7205 controller, with CAP  (325 and 275).

i want to use some AP as RAP (bridge).

i enabled VPN services, i provisionned my AP as a remote AP with controller Public IP.

But it doesnt work.

i checked log on the controller, AP conencts, get an IP from VPN pool, but then after a minute it disconnects.

 

i can see in the logs that this repeats few time (7) before disconnecting

 

Feb 20 13:26:28 :124405:  <4822> <DBUG> |authmgr|  AUTH GSM: ADD bss b4:5d:50:11:b2:c1: event=0
Feb 20 13:26:28 :124202:  <4822> <DBUG> |authmgr|  add_bss_object(): Detected AP (f/l 0) with ip 172.28.40.3 slotport 8448 status 1 txkey 0
Feb 20 13:26:28 :124004:  <4822> <DBUG> |authmgr|  user_add_af_ap: ap_ip 172.28.40.3 ap->ref_count 5
Feb 20 13:26:28 :124004:  <4822> <DBUG> |authmgr|   logging role event for 0x1ee3a94: 0x148d4dc,0x1160014, index 6
Feb 20 13:26:28 :124004:  <4822> <DBUG> |authmgr|  user_download: User 172.28.40.3  Router Acl(0)
Feb 20 13:26:28 :124004:  <4822> <DBUG> |authmgr|  get_traffic_prio_from_role: |TC-PROF GET|: Profile Name (Default) Role name (sys-ap-role) val(15)
Feb 20 13:26:28 :124004:  <4822> <DBUG> |authmgr|  user_download: |TC-PROF|: Role (sys-ap-role)  Traffic Prio(15)
Feb 20 13:26:28 :124163:  <4822> <DBUG> |authmgr|  download-L3: ip=172.28.40.3 acl=11/0 role=sys-ap-role, Ubwm=0, Dbwm=0 tunl=0x0x0, PA=0, HA=1, RO=0, VPN=0, MAC=00:00:00:00:00:00.
Feb 20 13:26:28 :124234:  <4822> <DBUG> |authmgr|  Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 556 2 user messages bundled, actions = 18, 20
Feb 20 13:26:28 :124004:  <4822> <DBUG> |authmgr|  add_bss_object: ap (172.28.40.3) bss->bssid.addr b4:5d:50:11:b2:c1 first_or_last is 0

and then after 50 seconds after last attempt IPSEC tunnel is down.

 

 

Can you help me find out whats wrong with my configuration?

im sure there is important information missing in what i said, then dont hesitate to ask me and ill try to be more precise.

 

 

Thanks

 

Guru Elite

Re: RAP not provisioning

In the AP group for that AP, make sure that under AP> System Profile, you do not have an LMS-IP address.  If you do, the AP will attempt to connect to that private address over the internet and fail.







********************************************

Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Moderator

Re: RAP not provisioning

you might have better luck trying to post through the IAP section: http://community.arubanetworks.com/t5/Controllerless-Networks/bd-p/IAP

 

moving the conversation there to see if that audience can help.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
Occasional Contributor II

Re: RAP not provisioning

than for your answers.

under APgroup >AP > AP System there is no IP under LMS IP

i do not think the problem is this because the AP connects fine, ipsec tunnel is established, AP gets IP from VPN pool (in the log below 172.28.40.7). and Role "sys-ap-role"

 

is there something needed after ipsec connection, for the AP to stay connected to the controller?

 

though i dont know much about all of this, i suspect the problem might come from the sys-ap-role affected to my AP. it seem to be the default role for RAP when CPsec is enabled. and as it is a system Role i cannot edit it or i cannot choose an other role for the AP.

 

 

|authmgr|  get_traffic_prio_from_role: |TC-PROF GET|: Profile Name (Default) Role name (sys-ap-role) val(15)
|authmgr|  user_download: |TC-PROF|: Role (sys-ap-role)  Traffic Prio(15)
|authmgr|  download-L3: ip=172.28.40.7 acl=11/0 role=sys-ap-role, Ubwm=0, Dbwm=0 tunl=0x0x0, PA=0, HA=1, RO=0, VPN=0, MAC=00:00:00:00:00:00.
|authmgr|  Tx message to Sibyte, blocking with ack, Opcode = 164, msglen = 556 2 user messages bundled, actions = 18, 20
|authmgr|  add_bss_object: ap (172.28.40.7) bss->bssid.addr b4:5d:50:11:b2:c2 first_or_last is 0
|authmgr|  do_bss_response(): Detected AP (f/l 0) with ip 172.28.40.7 slotport 8448 status 1 txkey 0
|authmgr|  Auth GSM: Num dev_id_cache entries aged = 0
|ike|   ipc.c:ipc_rcvcb:2650 Auth ip down message.  ip=172.28.40.7
|ike|   IPSEC_deleteSaByInnerIPExtIP delete IPSEC SA X.X.X.X:(inner:172.28.40.7)
|ike|  IPSEC SA deleted for peer X.X.X.X

Re: RAP not provisioning

Are you using AOS 8 Clustering ?


Pardon typos sent from Mobile
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: RAP not provisioning

our controllers OS version is 6.5.0.3

Guru Elite

Re: RAP not provisioning

Is there an lms-ip in the ap system profile?

Honestly, cpsec is not used for RAP, so it would not affect it.







********************************************

Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Occasional Contributor II

Re: RAP not provisioning

you were right to ask the question a second time.

 

i double checked and indeed this RAP is part of a group which has a LMS IP.

 

i will try to remove it.

thanks.

Guru Elite

Re: RAP not provisioning

The system role is what APs use to connect.  There should be no problem.

 

Your logs do not have timestamps on them, so it is hard to understand the timeframe.  If you need immediate assistance with this, I would contact TAC.  It is hard to reverse-engineer what is wrong with partial logs.







********************************************

Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Occasional Contributor II

Re: RAP not provisioning

Have you added the MAC addressof the RAP to the 

Wireless > AP Installation > Whitelist > Remote AP's?

 

You should just be able to add the MAC address and the AP group you want to assign the RAP to.

 

Thanks

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: