Remote Networking

Occasional Contributor I
Posts: 7
Registered: ‎04-12-2010

RAP-2wg tries TFTP to boot when remote

I'm running 5.0.0.1 on a 6000 controller.

There are a number of APs running on the system across campus. I have successfully provisioned two RAP-2WG devices which find the controller, connect and appear to operate properly on the campus network (they are whitelisted, the controller sees them online, and I can do things through them using a laptop).

When I take the RAP-2WGs and place them on a cable modem network they will not connect. I am unable to get to the diagnostic webpage (eth1 is configured to provide wired remote service), but I can watch the activity over Wireshark at the AP. It appears that the RAP is attempting to TFTP back to the controller, looking for file mips.ari. I don't think I see this behavior when the RAP is on the campus network.

Although the boot images appeared to match before, I issued an apflash just in case. No change. I've tried to use the controller IP address or the controller hostname with no apparent change. The hostname is what was configured and continues to work for the campus-connected device. I can see the RAP trying the hostname in Wireshark and it eventually gets it right (it's trying permutations of the name with DNS information from the cable modem). DNS doesn't appear to be the issue, as eventually the TFTP attempts to initiate to a valid controller IP.

So I'm stuck on the TFTP thing - this shouldn't be happening and it's not reasonable to open TFTP through the firewall.

As an aside I have a number of AP-65s configured as remote, working in production - have been for some time.

Have I missed something? I looked quickly for this issue and no one else seems to report it. I don't see it as a known or corrected issue in the 5.x code line.

What am I missing?

Thanks.

-Brad


Here is some commonly requested diagnostic output for a RAP-2WG on the campus network:

(Aruba-Green) #show ap image version ip-addr 192.168.201.78

AP Image Versions On Controller
-------------------------------
5.0.0.1(p4build@cyprus)#24178 Tue May 18 16:25:20 PDT 2010
5.0.0.1(p4build@cyprus)#24178 Tue May 18 16:32:04 PDT 2010
5.0.0.1(p4build@cyprus)#24178 Tue May 18 16:19:19 PDT 2010

Access Points Image Version
---------------------------
AP Running Image Version String Flash (Production) Image Version String Flash (Provisioning/Backup) Image Version String Matches Num Matches Num Mismatches Bad Checksums Bad Provisioning Checksums Image Load Status
-- ---------------------------- --------------------------------------- ------------------------------------------------ ------- ----------- -------------- ------------- -------------------------- -----------------
192.168.201.78 5.0.0.1(p4build@cyprus)#24178 Tue May 18 16:19:19 PDT 2010 5.0.0.1(p4build@cyprus)#24178 Tue May 18 16:19:19 PDT 2010 5.0.0.1(p4build@cyprus)#24178 Tue May 18 16:19:19 PDT 2010 Yes 2 0 0 0 Done

(Aruba-Green) #

(Aruba-Green) #show crypto ipsec sa peer 159.91.vvv.www


Initiator IP: 159.91.vvv.www
Responder IP: 159.91.xxx.yy
Initiator: No
Initiator cookie:a6bdd1df4d67e1f9 Responder cookie:fa4f0fba339b0d5b
SA Creation Date: Tue Feb 8 09:55:44 2011
Life secs: 7200
Initiator Phase2 ID: 192.168.201.78/255.255.255.255
Responder Phase2 ID: 0.0.0.0/0.0.0.0
Phase2 Transform: EncAlg:esp-3des HMAC:esp-sha-hmac
Encapsulation Mode:Tunnel
PFS: No
OUT SPI 50025600, IN SPI 8ba1ca00
Inner IP 192.168.201.78, internal type C
Aruba AP
Reference count: 3

(Aruba-Green) #show datapath session table 159.91.vvv.www

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
I - Deep inspect, U - Locally destined

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
159.91.xxx.yy 159.91.vvv.www 17 4500 4500 0 0 0 1 0/0 91 F
0 0 0 0 local
159.91.vvv.www 159.91.xxx.yy 17 4500 4500 0 0 0 0 0/0 91 FC
0 0 0 0 local

(Aruba-Green) #show datapath session table 192.168.201.78

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
I - Deep inspect, U - Locally destined

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
159.91.xxx.yy 192.168.201.78 17 514 49153 0 0 0 1 tunnel 131 b FY
0 0 0 0 local
192.168.201.78 159.91.xxx.yy 17 49153 514 0 0 0 1 tunnel 131 b FC
0 0 0 0 local
159.91.xxx.yy 192.168.201.78 17 8209 8209 0 0 0 1 tunnel 131 9a F
0 0 0 0 local
192.168.201.78 159.91.xxx.yy 47 0 0 0 0 0 0 local 99 F
0 0 0 0 local
159.91.xxx.yy 192.168.201.78 47 0 0 0 0 0 0 local 99 FC
0 0 0 0 local
192.168.201.78 159.91.xxx.yy 17 8209 8209 0 0 0 1 tunnel 131 9a FC
0 0 0 0 local

(Aruba-Green) #
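An added example, not part of Brad's post and not ArubaOS code: it parses the two `show datapath session table` outputs above and reports which tunnel-related flows the controller actually holds for the RAP, which is the check Colin's UDP 4500 question amounts to. The labels for udp/4500 (IKE NAT-T), udp/500 (IKE), udp/69 (TFTP), udp/514 (syslog) and IP protocol 47 (GRE) are the standard assignments; udp/8209 is labelled only as "Aruba AP control" because the thread shows it inside the tunnel on both AP types without naming it. The embedded rows are copied from the post, xxx/vvv redactions included.

```python
import re
from collections import namedtuple

# Rows of `show datapath session table` as pasted in the post above. The
# "0 0 0 0 local" lines are the controller's own continuation rows and the
# xxx/vvv octets are the poster's redactions; both are kept as written so the
# parser has to cope with them.
OUTER = """
159.91.xxx.yy 159.91.vvv.www 17 4500 4500 0 0 0 1 0/0 91 F
0 0 0 0 local
159.91.vvv.www 159.91.xxx.yy 17 4500 4500 0 0 0 0 0/0 91 FC
0 0 0 0 local
"""
INNER = """
159.91.xxx.yy 192.168.201.78 17 514 49153 0 0 0 1 tunnel 131 b FY
0 0 0 0 local
192.168.201.78 159.91.xxx.yy 17 49153 514 0 0 0 1 tunnel 131 b FC
0 0 0 0 local
159.91.xxx.yy 192.168.201.78 17 8209 8209 0 0 0 1 tunnel 131 9a F
0 0 0 0 local
192.168.201.78 159.91.xxx.yy 47 0 0 0 0 0 0 local 99 F
0 0 0 0 local
159.91.xxx.yy 192.168.201.78 47 0 0 0 0 0 0 local 99 FC
0 0 0 0 local
192.168.201.78 159.91.xxx.yy 17 8209 8209 0 0 0 1 tunnel 131 9a FC
0 0 0 0 local
"""

Session = namedtuple("Session", "src dst proto sport dport age dest tage flags")

# The Destination column is "0/0", "local" or "tunnel <id>" (two tokens), so it
# is matched explicitly instead of as one whitespace-delimited field.
ROW = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\d+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)"
    r"\s+\d+\s+\d+\s+\d+\s+(?P<age>\d+)\s+(?P<dest>0/0|local|tunnel\s+\d+)"
    r"\s+(?P<tage>[0-9a-f]+)\s+(?P<flags>[A-Z]+)\s*$"
)


def parse_sessions(text):
    """Return one Session per data row; headers, the flag legend and the
    '0 0 0 0 local' continuation rows do not match ROW and are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        sessions.append(Session(m["src"], m["dst"], int(m["proto"]), int(m["sport"]),
                                int(m["dport"]), int(m["age"]),
                                re.sub(r"\s+", " ", m["dest"]), m["tage"], m["flags"]))
    return sessions


def classify(s):
    """Name the service a session carries (udp/8209 label assumed, see lead-in)."""
    if s.proto == 47:
        return "gre"
    if s.proto == 17:
        ports = {s.sport, s.dport}
        if 4500 in ports:
            return "ike-nat-t"
        if 500 in ports:
            return "ike"
        if 69 in ports:
            return "tftp"
        if 514 in ports:
            return "syslog"
        if 8209 in ports:
            return "aruba-8209"
    return "other"


def rap_status(outer_table, inner_table, rap_public_ip, rap_inner_ip):
    """Summarise what the controller sees for one RAP: outer table keyed by the
    RAP's public (NAT) address, inner table keyed by its tunnel inner IP."""
    seen = {classify(s) for s in parse_sessions(outer_table) if rap_public_ip in (s.src, s.dst)}
    seen |= {classify(s) for s in parse_sessions(inner_table) if rap_inner_ip in (s.src, s.dst)}
    return {
        "ipsec_nat_t": "ike-nat-t" in seen or "ike" in seen,
        "gre_tunnel": "gre" in seen,
        "control_8209": "aruba-8209" in seen,
        "tftp_seen": "tftp" in seen,
    }


if __name__ == "__main__":
    print(rap_status(OUTER, INNER, "159.91.vvv.www", "192.168.201.78"))
```

Fed the AP-65 tables later in the thread (peer 69.141.vvv.www, inner 192.168.201.66) the function reports the same three flows, which is what a healthy RAP looks like from the controller. For the RAP-2WG on the cable modem the useful result is the negative one: if the session table holds no udp/4500 rows for its public IP at all, IKE never reached the controller, and the firewall or the cable-modem router is where to look next rather than at the TFTP requests.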
Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: RAP-2wg tries TFTP to boot when remote

Is there any way to find out if UDP 4500 traffic is hitting the firewall? Did you try a different RAP2WG?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: RAP-2wg tries TFTP to boot when remote

I have two RAP-2WGs set up (I should have more in a box somewhere that have never been provisioned), and both are non-functional when connected off-campus. I was actually considering resetting one and watching it attempt to provision through the cable modem.

The 2's are each in two different AP groups created specifically for my application (though they can be moved to the same one if necessary). Both groups are still in development, the intended differences being VLANs associated with the wired or wireless.

As for traffic hitting port 4500, it's something I can check if you think that would help. I have the option to check on the firewall as well as to watch via wireshark; I don't recall connections to port 4500 coming by on the 'shark - only attempts to establish TFTP. But I admit I wasn't looking since I expected a systemic port 4500 problem would manifest itself with the other RAPs: I have four or five AP-65s configured as RAPs running at this time that have been in place for almost a year. No problems.

If it's worth anything, here are the previous diagnostic commands' output for one of the running AP-65 RAPs. Does this provide confirmation or other useful information? Or maybe I'm misunderstanding the direction you're thinking of?

Thanks for your assistance.
-Brad


(Aruba-Green) #show datapath session table 69.141.vvv.www

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
I - Deep inspect, U - Locally destined

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
69.141.vvv.www 159.91.xxx.yy 17 4500 4500 0 0 0 0 0/0 35dd FC
0 0 0 0 local
159.91.xxx.yy 69.141.vvv.www 17 4500 4500 0 0 0 1 0/0 35dd F
0 0 0 0 local

(Aruba-Green) #show datapath session table 192.168.201.66

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
I - Deep inspect, U - Locally destined

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
159.91.xxx.yy 192.168.201.66 17 8209 8209 0 0 0 0 tunnel 523 35ea F
0 0 0 0 local
192.168.201.66 159.91.xxx.yy 47 0 0 0 0 0 0 tunnel 523 35e9 FC
0 0 0 0 local
159.91.xxx.yy 192.168.201.66 47 0 0 0 0 0 0 tunnel 523 35e9 F
0 0 0 0 local
192.168.201.66 159.91.xxx.yy 17 8209 8209 0 0 0 0 tunnel 523 35ea FC
0 0 0 0 local

(Aruba-Green) #show crypto ipsec sa peer 69.141.vvv.www


Initiator IP: 69.141.vvv.www
Responder IP: 159.91.xxx.yy
Initiator: No
Initiator cookie:6adf2167bf281591 Responder cookie:aa4e4098ac2e00fc
SA Creation Date: Tue Feb 8 09:03:58 2011
Life secs: 7200
Initiator Phase2 ID: 192.168.201.66/255.255.255.255
Responder Phase2 ID: 0.0.0.0/0.0.0.0
Phase2 Transform: EncAlg:esp-3des HMAC:esp-sha-hmac
Encapsulation Mode:Tunnel
PFS: No
OUT SPI cfa19200, IN SPI 51db4400
Inner IP 192.168.201.66, internal type C
Aruba AP
Reference count: 3

(Aruba-Green) #show ap image version ip-addr 192.168.201.66

AP Image Versions On Controller
-------------------------------
5.0.0.1(p4build@cyprus)#24178 Tue May 18 16:25:20 PDT 2010
5.0.0.1(p4build@cyprus)#24178 Tue May 18 16:32:04 PDT 2010
5.0.0.1(p4build@cyprus)#24178 Tue May 18 16:19:19 PDT 2010

Access Points Image Version
---------------------------
AP Running Image Version String Flash (Production) Image Version String Flash (Provisioning/Backup) Image Version String Matches Num Matches Num Mismatches Bad Checksums Bad Provisioning Checksums Image Load Status
-- ---------------------------- --------------------------------------- ------------------------------------------------ ------- ----------- -------------- ------------- -------------------------- -----------------
192.168.201.66 5.0.0.1(p4build@cyprus)#24178 Tue May 18 16:19:19 PDT 2010 5.0.0.1(p4build@cyprus)#24178 Tue May 18 16:19:19 PDT 2010 Yes 1 0 0 0 Done
Guru Elite

Re: RAP-2wg tries TFTP to boot when remote

Hold on. Do you have any of the AP65s working "outside" the firewall, like you want to deploy those Rap2s? You say 6000s; do you have an M3 controller or a Sup I or Sup II?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: RAP-2wg tries TFTP to boot when remote

The AP65s are working outside the firewall. All of them on various cable modem connections around the area.

I have M3 controllers - M3mk1 shows in the inventory. No Sup's.

-Brad
Guru Elite

Re: RAP-2wg tries TFTP to boot when remote

Turn on crypto logging when the RAP2s try to boot up:

logging level debugging security subcat ike
logging level debugging security process aaa
logging level debugging security process authmgr


show log security 50

Also, you should be using Zero Touch provisioning method (the RAP Whitelist) to enter the RAP mac address for the RAP2.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: RAP-2wg tries TFTP to boot when remote

I believe I'm using zero-touch. At least I know I'm using Whitelisting for the RAP2s.

I'm not seeing anything in the log as the RAP2 connects (successfully) on the campus network. If I change the level for authmgr then I see a tremendous amount of stuff associated with my users logging in and the AMs monitoring the network. If I turn authmgr logging down but leave aaa and ike up (presuming the commands work), I still see nothing but authmgr warnings (less of them though) associated with users and AMs.

So I guess I'm not sure how to focus logging to this RAP. I expect that I would see something for it when it's connecting on campus (which I know works) but I don't.
Occasional Contributor I

Re: RAP-2wg tries TFTP to boot when remote

So I did a Wireshark capture of the RAP2 connected to the cable modem. The attached text file should be the pertinent packets. There wasn't much else to see since the RAP and my laptop are the only devices on the cable modem router.

You'll see it does a DHCP request, then some ARPs and some ADP inquiries. Then it goes into attempting TFTP to the controller for mips.ari. And then it starts over.
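An added example, not from the thread, that decodes the TFTP read requests such a capture shows and classifies the AP-side traffic in the order Brad describes (DHCP, then ADP, then repeated TFTP RRQs for mips.ari with no IKE or NAT-T in between). The capture records are constructed, the addresses are placeholders, ADP is assumed to be on UDP 8200, and the TFTP decoding follows RFC 1350; the attached capture file itself is not reproduced on this page.

```python
import struct

TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}


def parse_tftp(payload):
    """Decode one TFTP packet (RFC 1350) from a UDP payload; None if it is not
    shaped like TFTP. RRQ/WRQ carry filename\\0 mode\\0, DATA/ACK a block number,
    ERROR an error code."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in TFTP_OPCODES:
        return None
    pkt = {"op": TFTP_OPCODES[opcode]}
    if opcode in (1, 2):
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3:  # filename, mode, and the empty tail after the final NUL
            return None
        pkt["filename"] = fields[0].decode("ascii", "replace")
        pkt["mode"] = fields[1].decode("ascii", "replace").lower()
    elif opcode in (3, 4):
        pkt["block"] = struct.unpack("!H", payload[2:4])[0]
    else:
        pkt["error"] = struct.unpack("!H", payload[2:4])[0]
    return pkt


def tftp_rrq(filename, mode="octet"):
    """Build a read request the way the AP's bootloader would send it."""
    return b"\x00\x01" + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Constructed UDP records standing in for the capture described above. ARP is
# not IP and is left out. Addresses are placeholders, not the poster's.
RAP_IP = "10.0.0.5"
CONTROLLER_IP = "198.51.100.10"
CAPTURE = [
    {"src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67, "payload": b"\x01\x01\x06\x00"},
    {"src": RAP_IP, "dst": "255.255.255.255", "sport": 8200, "dport": 8200, "payload": b"ADP?"},
    {"src": RAP_IP, "dst": CONTROLLER_IP, "sport": 2049, "dport": 69, "payload": tftp_rrq("mips.ari")},
    {"src": RAP_IP, "dst": CONTROLLER_IP, "sport": 2050, "dport": 69, "payload": tftp_rrq("mips.ari")},
]


def summarize(capture, controller_ip):
    """Count the phases of the AP's boot attempt as seen on its own LAN."""
    seen = {"dhcp": 0, "adp": 0, "ike": 0, "nat_t": 0, "tftp_rrq": []}
    for p in capture:
        ports = {p["sport"], p["dport"]}
        if ports & {67, 68}:
            seen["dhcp"] += 1
        elif 8200 in ports:
            seen["adp"] += 1
        elif 500 in ports:
            seen["ike"] += 1
        elif 4500 in ports:
            seen["nat_t"] += 1
        elif 69 in ports and p["dst"] == controller_ip:
            t = parse_tftp(p["payload"])
            if t and t["op"] == "RRQ":
                seen["tftp_rrq"].append(t["filename"])
    return seen


def verdict(summary):
    """Separate 'IKE was at least attempted' from 'only TFTP boot requests'."""
    if summary["ike"] or summary["nat_t"]:
        return "ipsec-attempted"
    if summary["tftp_rrq"]:
        return "tftp-boot-request-no-ipsec"
    return "no-controller-contact"


if __name__ == "__main__":
    s = summarize(CAPTURE, CONTROLLER_IP)
    print(s, verdict(s))
```

On the real capture the same split can be made with a display filter before any scripting, for example `tcpdump -ni <iface> 'udp port 69 or udp port 500 or udp port 4500 or udp port 8200'`; if the only controller-bound packets are the udp/69 read requests, the firewall question is already answered from the AP side, since nothing on 4500 ever left the cable modem.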
Occasional Contributor I

Re: RAP-2wg tries TFTP to boot when remote

Just to confirm that there isn't some obvious problem with the cable modem setup in my office, I have another AP-65 configured as a RAP that had been working but was taken offline. It works on the local network and I just confirmed that it works on the same cable modem interface that I've been trying to use with the RAP2.
Occasional Contributor I

Re: RAP-2wg tries TFTP to boot when remote

I see the following entries on the web UI, "Local Events", for the RAP2 connected to the campus network (and working). I don't know where to find this in the system logs however.

2011-02-11 16:44:35 User 192.168.201.99 with MAC address 00:00:00:00:00:00 and name 00:24:6c:c2:0b:69 is authenticated with authentication mechanism 3 and the Role given is sys-ap-role
2011-02-11 16:44:35 User 192.168.201.99 with MAC address 00:00:00:00:00:00 and name 00:24:6c:c2:0b:69 was authenticated with authentication mechanism 3 and the role assigned was sys-ap-role
2011-02-11 16:44:35 User with MAC address 00:00:00:00:00:00 and IP address 192.168.201.99 has changed: Change type is 3
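An added example, not from the thread, for the problem Brad raised earlier about focusing the security log on one RAP: it parses Local Events lines of the shape quoted above into fields and keeps only those whose name field (which for an AP carries its MAC, while the MAC column shows all zeros) or IP matches the RAP. The three AP lines are the ones from the post; the two user lines mixed in are constructed to show the filter discarding them.

```python
import re

# The three lines from the post plus two constructed user-auth lines.
LOG = """
2011-02-11 16:44:12 User 192.168.50.23 with MAC address 00:11:22:33:44:55 and name jdoe is authenticated with authentication mechanism 4 and the Role given is authenticated
2011-02-11 16:44:35 User 192.168.201.99 with MAC address 00:00:00:00:00:00 and name 00:24:6c:c2:0b:69 is authenticated with authentication mechanism 3 and the Role given is sys-ap-role
2011-02-11 16:44:35 User 192.168.201.99 with MAC address 00:00:00:00:00:00 and name 00:24:6c:c2:0b:69 was authenticated with authentication mechanism 3 and the role assigned was sys-ap-role
2011-02-11 16:44:35 User with MAC address 00:00:00:00:00:00 and IP address 192.168.201.99 has changed: Change type is 3
2011-02-11 16:44:40 User with MAC address 00:11:22:33:44:55 and IP address 192.168.50.23 has changed: Change type is 3
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
AUTH = re.compile(
    TS + r" User (?P<ip>\S+) with MAC address (?P<mac>\S+) and name (?P<name>\S+) "
    r"(?:is|was) authenticated with authentication mechanism (?P<mech>\d+) "
    r"and the (?:Role given is|role assigned was) (?P<role>\S+)$"
)
CHANGE = re.compile(
    TS + r" User with MAC address (?P<mac>\S+) and IP address (?P<ip>\S+) "
    r"has changed: Change type is (?P<change>\d+)$"
)


def parse_events(text):
    """Turn each recognised line into a dict; lines of other shapes are dropped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        for kind, pattern in (("auth", AUTH), ("change", CHANGE)):
            m = pattern.match(line)
            if m:
                d = m.groupdict()
                d["kind"] = kind
                events.append(d)
                break
    return events


def events_for_ap(text, ap_mac, ap_ip=None):
    """Keep events whose name field is the AP's MAC or whose IP is the AP's."""
    ap_mac = ap_mac.lower()
    return [e for e in parse_events(text)
            if e.get("name", "").lower() == ap_mac or (ap_ip is not None and e["ip"] == ap_ip)]


def ap_got_role(text, ap_mac, role="sys-ap-role"):
    """True if the controller authenticated the AP into the given role."""
    return any(e["kind"] == "auth" and e["role"] == role
               for e in events_for_ap(text, ap_mac))


if __name__ == "__main__":
    for e in events_for_ap(LOG, "00:24:6c:c2:0b:69", ap_ip="192.168.201.99"):
        print(e["ts"], e["kind"], e.get("role", e.get("change")))
```

The same filter applied to `show log security` output after the debug levels in Colin's post are raised is a cheaper way to find the RAP's lines than lowering authmgr logging, which is what was drowning the output in user and AM traffic.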