Super Contributor I
Posts: 290
Registered: ‎11-05-2012

RAP VPN

Good evening, everyone:

I have ArubaOS 6.4.2.4 and a RAP-155. On the firewall I have UDP port 4500 enabled, and the necessary communications for the controller, such as: VLAN pool in VPN Services, whitelist, AP profile. However, the VPN is not established and I get the following error:

The RAP is connected over an Internet link.

Any suggestions?

 spi={922f68041c88e9e2 3fd80cb029602e58} np=E{N}
 exchange=IKE_AUTH msgid=1 len=76
  I <--
   Notify: AUTHENTICATION_FAILED (ESP spi=72242b00)
Mar 08, 02:48:59: InNotify AP authentication failed
ike2_state.c (7922): errorCode = ERR_IKE_NOTIFY_PAYLOAD
Mar 08, 02:48:59: IKE_SAMPLE_ikeStatHdlr(CHILD_SA): dwPeerAddr:bedf3fcd index:0 mPeerType:0
Mar 08, 02:48:59: IKE SA failed reason = ERR_IKE_XAUTH_FAILED, errorcode = -8952 ikeVer 2
Mar 08, 02:48:59: send_sapd_error: InnerIP:0  error:45 debug_error:0

Mar 08, 02:48:59: send_sapd_error: error:45 debug_error:0

Mar 08, 02:48:59: rapper_log_error: buf = 92 2f 68 04 1c 88 e9 e2 2d


Mar 08, 02:48:59: IKE_SAMPLE_ikeStatHdlr(SA): dwPeerAddr:bedf3fcd index:0 mPeerType:0
Mar 08, 02:48:59: IKE_SA [v2 I] (id=0xfc9e8067) flags 0x41000015 failed reason = ERR_IKE_XAUTH_FAILED, errorcode = -8952
Mar 08, 02:48:59: IKE_SAMPLE_ikeStatHdlr(IST_FAIL): g_ikeversion:2
Timer ID: 1 Deleted 
rapperSendStatusCB

end of show log rapper
========================================================



MVP
Posts: 1,389
Registered: ‎05-28-2008

Re: RAP VPN

A. Did you configure the VPN IP pool?
B. Did you change something in your logon role? Can you please verify that you got the ap-role as needed? (ra-guard/, control/, ap-acl/, v6-control/, v6-ap-acl/)
C. Did you enter the AP under the RAP whitelist (not the CAP one)? (Don't forget to apply and save the config)
*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
MVP
Posts: 1,389
Registered: ‎05-28-2008

Re: RAP VPN

Most important:
default-vpn-role
Make sure you have this under Security > Access Control > User Roles, and that it contains allowall
Guru Elite
Posts: 20,416
Registered: ‎03-29-2007

Re: RAP VPN

eduardo.paredes.burga wrote:

Good evening, everyone:

I have ArubaOS 6.4.2.4 and a RAP-155. On the firewall I have UDP port 4500 enabled, and the necessary communications for the controller, such as: VLAN pool in VPN Services, whitelist, AP profile. However, the VPN is not established and I get the following error:

The RAP is connected over an Internet link.

Any suggestions?

 spi={922f68041c88e9e2 3fd80cb029602e58} np=E{N}
 exchange=IKE_AUTH msgid=1 len=76
  I <--
   Notify: AUTHENTICATION_FAILED (ESP spi=72242b00)
Mar 08, 02:48:59: InNotify AP authentication failed
ike2_state.c (7922): errorCode = ERR_IKE_NOTIFY_PAYLOAD
Mar 08, 02:48:59: IKE_SAMPLE_ikeStatHdlr(CHILD_SA): dwPeerAddr:bedf3fcd index:0 mPeerType:0
Mar 08, 02:48:59: IKE SA failed reason = ERR_IKE_XAUTH_FAILED, errorcode = -8952 ikeVer 2
Mar 08, 02:48:59: send_sapd_error: InnerIP:0  error:45 debug_error:0

Mar 08, 02:48:59: send_sapd_error: error:45 debug_error:0

Mar 08, 02:48:59: rapper_log_error: buf = 92 2f 68 04 1c 88 e9 e2 2d


Mar 08, 02:48:59: IKE_SAMPLE_ikeStatHdlr(SA): dwPeerAddr:bedf3fcd index:0 mPeerType:0
Mar 08, 02:48:59: IKE_SA [v2 I] (id=0xfc9e8067) flags 0x41000015 failed reason = ERR_IKE_XAUTH_FAILED, errorcode = -8952
Mar 08, 02:48:59: IKE_SAMPLE_ikeStatHdlr(IST_FAIL): g_ikeversion:2
Timer ID: 1 Deleted 
rapperSendStatusCB

end of show log rapper
========================================================




Navigate to Configuration > Security > Authentication > L3 Authentication > VPN Authentication > Default-RAP. Make sure the "Server Group" parameter is assigned to the default server group, and when you click on the server group it has the "Internal Database" listed. In ArubaOS 6.3, you are allowed to point to an external RADIUS server to authorize RAP devices via MAC address. If this server group was accidentally changed to something besides default, or the default server group did not have the "Internal" server assigned, it would not point to your RAP whitelist and create the issue you are seeing.



Colin Joseph
Aruba Customer Engineering
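
A triage pass over the rapper log excerpt from the question, as an added example that is not part of any post in this thread and not Aruba code. The function name triage, the reading of "<--" and "InNotify" as "received by the RAP", and the check list (collected from the replies above) are assumptions of this sketch.

```python
import re

# Constructed sample: a few lines copied from the log excerpt in the question.
SAMPLE_LOG = """\
 exchange=IKE_AUTH msgid=1 len=76
  I <--
   Notify: AUTHENTICATION_FAILED (ESP spi=72242b00)
Mar 08, 02:48:59: InNotify AP authentication failed
Mar 08, 02:48:59: IKE SA failed reason = ERR_IKE_XAUTH_FAILED, errorcode = -8952 ikeVer 2
"""

# Checks named in the replies of this thread (not an official vendor list).
AUTH_CHECKS = [
    "VPN IP pool is configured",
    "AP is in the RAP whitelist (not the CAP one); config applied and saved",
    "Default-RAP VPN authentication uses the default server group with Internal",
    "default-vpn-role exists and the logon role / ap-role is unchanged",
]

def triage(log_text):
    """Summarise where an IKEv2 RAP bring-up failed, from rapper log text."""
    r = {"exchange": None, "notify": None, "inbound": False, "reason": None,
         "ike_version": None, "verdict": "no_failure_seen", "checks": []}
    for line in log_text.splitlines():
        if m := re.search(r"exchange=(\w+)", line):
            r["exchange"] = m.group(1)
        if m := re.search(r"Notify:\s*(\w+)", line):
            r["notify"] = m.group(1)
        # Assumption: "<--" and "InNotify" mark a message received by the RAP.
        if "<--" in line or "InNotify" in line:
            r["inbound"] = True
        if m := re.search(r"failed reason = (\w+), errorcode = (-?\d+)(?: ikeVer (\d+))?", line):
            r["reason"] = m.group(1)
            if m.group(3):
                r["ike_version"] = int(m.group(3))
    if r["exchange"] == "IKE_AUTH" and r["notify"] == "AUTHENTICATION_FAILED" and r["inbound"]:
        # The peer answered, so the path to it works; it refused the RAP's identity.
        r["verdict"] = "peer_rejected_auth"
        r["checks"] = AUTH_CHECKS
    elif r["reason"]:
        r["verdict"] = "ike_failed_other"
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A verdict of peer_rejected_auth means the controller replied during IKE_AUTH, so the firewall path is not the blocker and the checks to run are on the controller's authorization side.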
