Remote Networking

New Contributor
Posts: 4
Registered: ‎09-07-2010

Cable Broadband Issues?

I've got RAP-2wg's setup and working.
Installed using ATT UVerse as provider, they work fine.

Remote, certificate based, RAP2-WG with sufficient ip's in pool.

Using cable, they go "inactive" (RcI in controller).
I believe that they are doing the IKE okay and setting up the L2TP. It seems like the GRE tunnel is getting broken?

I have tried having the cable company set static, public addresses on the cable box.
I have tried using my own router (D-Link and Linksys) and setting the IP of the RAP to "DMZ" and verified that port 4500 is passed.

I am wondering if the cable company blocks any of these ports and/or protocols. (that any of you may have already experienced).

It is kind of crazy that I can use DSL / VDSL / T1, etc. and it works perfectly but cable is a no-go.
Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Re: Cable Broadband Issues?

The RAPs ONLY use UDP 4500 to communicate. You should also NOT have to allow UDP 4500 back in or set up a special DMZ connection for it to work. It should work just fine behind a NAT boundary. When the AP is inactive, does it have any other flags?

When you say "go inactive", do they come up and then go inactive or do they come up as inactive? If you have a router, or cable modem, please attempt to plug it into the cable modem by itself (you probably will have to reboot the cable modem to do this). Some routers can only pass a single VPN connection at a time, so you want to ensure that you are the only person attempting a VPN at a time.

Please type "show log system 50" and "show log security 50" to see if there is anything in the logs that might indicate why that AP is inactive.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 4
Registered: ‎09-07-2010

Re: Cable Broadband Issues?

No other flags. The RAPs come up RcI.
The system log shows nothing about the RAP.
I can see interfering APs at 1 of the "inactive" RAP sites but no other messages about the RAP.
At this end we have a 50MB fiber connection to level 3 going through a firebox but I have 2 RAPS working that have Uverse on the other end. (the same RAPS would NOT work on the test cable connection in the lab).

I've got a hub and think I'll wireshark the outbound connection and see if I can see anything. Any other ideas anyone?
New Contributor
Posts: 4
Registered: ‎09-07-2010

Re: Cable Broadband Issues?

1 more thing. If you try to provision one that is RcI it says that it has older code. Maybe these things are dying during code update process? But why only with cable carriers?
Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Re: Cable Broadband Issues?

Older code means that it is currently upgrading, so you cannot do anything with it. Do "show ap image version" to see if it is upgrading. If it is, that means it is going to take some time to upgrade, so give it some time. The RcI is typical for upgrading. Do a "show ap database" to confirm that, as well.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 4
Registered: ‎09-07-2010

Still stuck...

The RAPs in question have now sat for 3 days with no change. If I remove a RAP that is running on cable (directly attached to cable modem with static public address) and attach it to DSL, VDSL, T1, or other network, all works well. Any other ideas?
Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Re: Cable Broadband Issues?

When you have the RAP on Cable, do a "show datapath session table " to see if traffic is being blocked. Also, do a "show ap debug system-status ip-addr ".

You might also want to open a support case for this one.....


Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 23
Registered: ‎05-01-2009

Good Luck With This...Your Pain is Shared....

I have the same problem. Behind my Comcast broadband, the RAP2WG seems to complete IKEP1 okay. Looking at the rapconsole via a connected laptop it shows the processes completing okay. When it gets to Connecting to Controller I get the green check indicating the connection is in place, but the next step of imaging the RAP never starts....just sits at "Continuing" with the spinning wheel. Eventually the RAP reboots. "rinse-repeat". I can see the RAP on the controller showing up in the "show ap database status up" command output. It doesn't show up in the "show ap active" output. Show datapath session table shows bidirectional 4500 sessions between the controller and RAP's outer IP. Sometimes you might see PAPI populate the session table (8211) but it goes away quick.
I've worked with an Aruba SE and TAC and we narrowed it down to my Comcast connection at home. This scenario works perfectly at the SE's home across town. He has Comcast as well, but my modem is different as it carries VoIP service. I'm thinking some sort of traffic shaping or ToS setting for the VoIP "might be" causing a problem. I'll probably be doing a Wireshark capture myself if I want to ever solve the mystery, but I'm more than willing to let you do it and post your findings AND resolve! Good Luck...
Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Re: Cable Broadband Issues?

Please try another rap if you can.


Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 23
Registered: ‎05-01-2009

I Have a Stack of RAPS Used...




Colin:

I've gone through half a dozen RAP2WG and RAP5WN APs. Same results. This seems to be specific to COMCAST as these units work over CenturyLink DSL without any hitch. I will paste the output, but I've noticed a growing trend of these IKE PHASE 1 failures being posted here. I hope it's not a sign of an oncoming storm. I use zero-touch provisioning (cert-based auth). Any ideas?

Mar 15 09:12:19 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:1041 Ike Phase 1 received SA

Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:897 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 67.233.140.44.
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:926 Found our AP vendor ID from external IP 67.xxx.xxx.44
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2847 Proposal match failed in key length, configured=32, peer using=16
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2818 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2807 Proposal match failed in hash algo, configured=SHA, peer using=MD5
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2847 Proposal match failed in key length, configured=32, peer using=24
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2818 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2807 Proposal match failed in hash algo, configured=SHA, peer using=MD5
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:1041 Ike Phase 1 received SA
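
Added example, not part of any post in this thread and not Aruba code: a small parser that groups the "Proposal match failed" lines of the kind pasted above by negotiation and tallies which attribute differed, so output from a working site and a failing site can be compared side by side. The regular expressions are assumptions inferred from the posted lines, and the sample input is constructed with a documentation IP address.

```python
import re
from collections import Counter

# Constructed sample in the format of the log lines posted in the thread;
# 203.0.113.44 is a documentation address, not a value from the thread.
SAMPLE = """\
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:897 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 203.0.113.44.
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2847 Proposal match failed in key length, configured=32, peer using=16
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2818 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2807 Proposal match failed in hash algo, configured=SHA, peer using=MD5
Mar 15 09:12:23 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:1041 Ike Phase 1 received SA
"""

# Patterns are assumptions inferred from the posted lines, not a vendor log spec.
START = re.compile(r"SA transform negotiation \(1st packet\) from IP (\S+?)\.?$")
MISMATCH = re.compile(
    r"Proposal match failed in (.+?), configured=([^,\s]+), peer using=(\S+)")
RECEIVED = re.compile(r"Ike Phase 1 received SA")

def summarize(log_text):
    """Return one record per negotiation: peer, mismatch tally, 'received SA' seen."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = START.search(line)
        if m:
            cur = {"peer": m.group(1), "mismatches": Counter(), "received_sa": False}
            attempts.append(cur)
            continue
        if cur is None:
            continue  # lines before the first negotiation start are ignored
        m = MISMATCH.search(line)
        if m:
            cur["mismatches"][m.groups()] += 1
        elif RECEIVED.search(line):
            cur["received_sa"] = True
    return attempts

def report(attempts):
    """Render the tally as text lines, most frequent mismatch first."""
    out = []
    for a in attempts:
        out.append(f"peer {a['peer']} received_sa={a['received_sa']}")
        for (attr, ours, theirs), n in a["mismatches"].most_common():
            out.append(f"  {n}x {attr}: configured={ours} peer={theirs}")
    return out

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

The `received_sa` flag only records that the "Ike Phase 1 received SA" line appeared after the mismatches; it makes no claim about whether the tunnel later came up.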
