Occasional Contributor II

RAP from branch site can't establish IPSEC(down)

Greetings,

I'm trying to set up a RAP with split-tunnel behind a DSL router (branch), but it seems it can't establish IPsec with my controller at HO, though it gets an IP from my VPN pool. Here are the details from Local Events.

--

2017-03-11 11:45:03 User 192.168.29.198 with MAC address 00:00:00:00:00:00 and name a8:bd:27:c8:ba:b4 was authenticated with authentication mechanism 3 and the role assigned was sys-ap-role


2017-03-11 11:48:29 User 192.168.29.199 with MAC address 00:00:00:00:00:00 and name a8:bd:27:c8:ba:b4 was authenticated with authentication mechanism 3 and the role assigned was sys-ap-role


2017-03-11 11:52:26 User 192.168.29.200 with MAC address 00:00:00:00:00:00 and name a8:bd:27:c8:ba:b4 was authenticated with authentication mechanism 3 and the role assigned was sys-ap-role

 

So here's the setup:

 

HO

1. FW - SonicWall

UDP 4500, 500, 65 - OPEN

2. Controller - Aruba 650, 6.4.2.2

- 222.x.x.x as public IP; port forwarded by FW.

 

From the controller, I configured a VPN pool of 192.168.29.x.

The AP was enrolled first as a CAP within HO, then converted to RAP through certificate only. CPsec was on and it automatically whitelisted the AP. 222.x.x.x was the master IP and TFTP.

 

The setup once worked without a FW in a simulated environment, but I'm having issues in production.

 

On Local Events, the RAP sometimes goes up but goes down afterwards.

 

Any recommendation will be greatly appreciated :)
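Added here as a defender-side illustration, not part of the thread: a small Python parser over the Local Events format quoted above that flags an AP re-authenticating repeatedly with a fresh VPN-pool address in a short window, which is the up/down pattern the post describes (the sample lines are constructed from the quoted events plus one extra AP; the thresholds and the second AP name are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the three "Local Events" lines quoted in the post above
# (same AP name, a new VPN-pool address each time, a few minutes apart) plus one healthy AP.
SAMPLE_EVENTS = """\
2017-03-11 11:45:03 User 192.168.29.198 with MAC address 00:00:00:00:00:00 and name a8:bd:27:c8:ba:b4 was authenticated with authentication mechanism 3 and the role assigned was sys-ap-role
2017-03-11 11:48:29 User 192.168.29.199 with MAC address 00:00:00:00:00:00 and name a8:bd:27:c8:ba:b4 was authenticated with authentication mechanism 3 and the role assigned was sys-ap-role
2017-03-11 11:52:26 User 192.168.29.200 with MAC address 00:00:00:00:00:00 and name a8:bd:27:c8:ba:b4 was authenticated with authentication mechanism 3 and the role assigned was sys-ap-role
2017-03-11 12:10:00 User 192.168.29.201 with MAC address 00:00:00:00:00:00 and name 11:22:33:44:55:66 was authenticated with authentication mechanism 3 and the role assigned was sys-ap-role
"""

# Field layout of one Local Events authentication line (timestamp, pool IP, AP name, role).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) User (?P<ip>\S+) with MAC address \S+ "
    r"and name (?P<name>\S+) was authenticated .* role assigned was (?P<role>\S+)$"
)


def parse_events(text):
    """Return (timestamp, ip, name, role) tuples for every line matching the event format."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["ip"], m["name"], m["role"]))
    return events


def find_flapping_aps(events, min_auths=3, window_minutes=15):
    """Map AP name -> list of pool IPs for APs that authenticated min_auths or more times
    inside window_minutes, each time with a different address (assumed thresholds).
    Repeated sys-ap-role authentications like this mean the tunnel is being rebuilt, not held."""
    by_name = defaultdict(list)
    for ts, ip, name, role in events:
        if role == "sys-ap-role":
            by_name[name].append((ts, ip))
    flapping = {}
    for name, auths in by_name.items():
        auths.sort()
        for i in range(len(auths) - min_auths + 1):
            chunk = auths[i:i + min_auths]
            span_min = (chunk[-1][0] - chunk[0][0]).total_seconds() / 60
            if span_min <= window_minutes and len({ip for _, ip in chunk}) == len(chunk):
                flapping[name] = [ip for _, ip in chunk]
                break
    return flapping


if __name__ == "__main__":
    for name, ips in find_flapping_aps(parse_events(SAMPLE_EVENTS)).items():
        print(f"AP {name} re-authenticated {len(ips)} times with pool addresses {ips}: tunnel is flapping")
```

Each flagged AP is a candidate for the LMS-IP / uplink checks discussed later in the thread rather than for a firewall change.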


Guru Elite

Re: RAP from branch site can't establish IPSEC(down)

Make sure that in the ap-group, in the AP > System Profile, there is no LMS-IP. If there is an IP there, the AP will be redirected immediately to that IP address on its local network. If an AP seems to connect to the controller and then goes away, that is the #1 reason. If a RAP is connecting to a controller, the LMS-IP should either be blank or the public IP address of a controller that the RAP can terminate on.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: RAP from branch site can't establish IPSEC(down)

Thank you very much for your response.

 

As per checking under AP Configuration > RAPGroup (AP group name) > AP > AP System (default),

the LMS IP is blank by default and the RAP IPsec is still down.

 

I will try to create a new AP System Profile and enter 222.x.x.x as the LMS IP.

 

Also, I noticed that the Session ACL is "ap-uplink-acl" by default.

 

If I create an ACL policy for RAP for split tunnel, do I also need to change it?

 

How about the Remote-AP DHCP server VLAN, Server ID and Default Router? Should I just leave them at default or put the same values as what I configured on the VPN pool, the 192.168.29.x?

 

RAP is new to me. Thank you very much for your response :)

Guru Elite

Re: RAP from branch site can't establish IPSEC(down)

You should leave the LMS-IP blank.

 

The RAP should work with ap-uplink-acl as the default, and it is not enforced unless it makes a successful connection anyway.

 

The Remote AP DHCP server, VLAN and default router have nothing to do with what you are experiencing now.

 

I would type:

 

config t

logging level debugging security subcat ike
logging level debugging security process aaa
logging level debugging security process authmgr
logging level debugging security process l2tp
logging level debugging security subcat vpn

 

Try to connect the RAP, and then type "show log security 50" to see if there is anything amiss.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: RAP from branch site can't establish IPSEC(down)

Hi cjoseph,

 

Thank you for the procedure. I've been doing a lot of trial and error on this RAP config discovery. After checking AP System, I entered 222.x.x.x as the LMS IP and applied. RAP and IPsec went up after a few hours, but I removed the LMS IP after I read your response.

 

I can only access the controller through the given public address as of now, that's why I can't do CLI testing yet. I will try those once I get on site.

 

I'll also plan to test the split tunnel ACLs.

 

RAP and IPsec are still up at the moment.

 

Thank you very much for this info. Will definitely test more on RAP IPsec in our lab. :D
