New Contributor
Posts: 4
Registered: ‎07-21-2016

Issues converting an IAP205 to a RAP over VPN

We are attempting to convert an IAP205 to a RAP for home office use. 

Input the public facing IP of the firewall and the NAT rules are set up to route to the Master Controller at HQ. Port 4500 is also open.

Have also tried to statically set the IP address that the AP will get from the HQ network but no method has worked. The FW also is not seeing any hits to the table.

 

Have worked with TAC for 5 hours on this so far, but no resolution.


Help anyone? Thank you in advance

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Issues converting an IAP205 to a RAP over VPN

We need more information on your setup.   You say you are trying to convert to a RAP "over VPN".   Do you mean that the location where the RAP is has an existing VPN connection to the corporate location; or do you simply mean "RAP over VPN"?

 

Some things to check:

- Does your firewall see any incoming requests from the IAP's external IP?

- If so, confirm you have UDP 4500 open and not TCP 4500

- On the IAP, have you looked at "show log convert" to see if you have any details in there.  

- If the answer to my first question is that the RAP is at a site with an existing VPN connection back to the controller site; try to see if you can convert using the internal IP of the controller.....some firewalls do not like the traversal from internal to external IPs and then back in.

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
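A way to run the first two checks in the reply above from the remote site, added here as an example and not part of the original thread: send one datagram to UDP 4500 on your own firewall's public IP, then look for the hit in the firewall log. The function names are hypothetical and the payload is a header-only IKEv2 message behind the RFC 3948 non-ESP marker, so no reply is expected; the firewall counter is the result that matters.

```python
import os
import socket
import struct
import sys

NON_ESP_MARKER = b"\x00" * 4  # RFC 3948: prefixes IKE messages on UDP 4500
NAT_KEEPALIVE = b"\xff"       # RFC 3948: one-byte NAT-keepalive payload


def build_ike_probe(spi=None):
    """Return a UDP 4500 payload: non-ESP marker + header-only IKEv2 message."""
    spi = spi or os.urandom(8)
    # Fields: initiator SPI, responder SPI, next payload, version 2.0,
    # exchange type 34 (IKE_SA_INIT), initiator flag, message ID, total length.
    header = struct.pack("!8s8sBBBBII", spi, b"\x00" * 8, 0, 0x20, 34, 0x08, 0, 28)
    return NON_ESP_MARKER + header


def classify(datagram):
    """Label a UDP 4500 payload the way a capture filter would."""
    if datagram == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(datagram) >= 32 and datagram[:4] == NON_ESP_MARKER:
        return "ike"
    if len(datagram) >= 8 and datagram[:4] != NON_ESP_MARKER:
        return "esp"  # non-zero first four bytes are an ESP SPI
    return "unknown"


def send_probe(host, port=4500, timeout=2.0):
    """Send one probe over UDP (not TCP); return reply bytes, or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ike_probe(), (host, port))
        try:
            reply, _ = sock.recvfrom(2048)
            return reply
        except OSError:  # timeout, or ICMP unreachable reported by the OS
            return None


if __name__ == "__main__":
    # Usage: python natt_probe.py <public IP of your own firewall>
    reply = send_probe(sys.argv[1])
    print("reply:", classify(reply) if reply else "none; check the firewall log for a UDP 4500 hit")
```

If the firewall logs nothing for this datagram either, the drop is happening before the firewall (remote router or ISP) or the NAT rule is matching TCP rather than UDP.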

New Contributor
Posts: 4
Registered: ‎07-21-2016

Re: Issues converting an IAP205 to a RAP over VPN

Hey thanks for replying........

So to answer your questions:

- it first was an attempt to RAP over VPN, failure to set up VPN

- we did convert it to a RAP connected directly to the controller, and then brought it to a remote location with DHCP handoff from an ISP router, was not able to reach the controller through VPN again

- not seeing any hits on the FW when we attempt to start the VPN connection

- UDP 4500 is open

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Issues converting an IAP205 to a RAP over VPN

Can you confirm the ISP router is not blocking anything; specifically allowing NAT-T (UDP 4500)?

 

If you can convert it locally; but when remote you do not see any hits on your firewall; it is likely an issue at the remote site or ISP blocking something.

 

Do you have the ability to try another site/location?  Perhaps your home?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

New Contributor
Posts: 4
Registered: ‎07-21-2016

Re: Issues converting an IAP205 to a RAP over VPN

TAC tried to replicate the request from their lab but got no response from the FW, they wiresharked the test and sent the results, no reply from the FW. Checked with the office ISP just in case any ports are being blocked, but no. 

 

I never thought this would be so problematic. I'm still trying to ascertain who needs to take the lead to resolve the issue; my network engineers or TAC. 

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Issues converting an IAP205 to a RAP over VPN

If TAC tried to connect to your controller with their own RAP and you still got no hit on the firewall; then this is something on your end (or the ISP).

If possible position the RAP right outside the firewall interface and try. This would rule out any ISP issue and focus on the firewall.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
