Remote Networking

Reply
Contributor I
Posts: 49
Registered: ‎01-20-2010

RAPs not re-connecting after upgrade 3.4.2.2 -> 5.0.1.0

About two hours ago, I upgraded an Aruba 2400 from firmware 3.4.2.2 to version 5.0.1.0. Most of this went well.

However, my RAPs are not connecting anymore to the controller. Fortunately, one of them is at our site for testing purposes. So I can say that the RAPs firmware has been successfully upgraded to 5.0.1.0.

The RAPs are trying to connect to the controller. I can tell this because I can see them with their remote (public) IPs at Monitoring | Controller | Clients. The MAC addresses are all zeros and the user roles are logon.

What do I need to change in order to get them connected?

Regards
Dirk
Contributor I
Posts: 49
Registered: ‎01-20-2010

Re: RAPs not re-connecting after upgrade 3.4.2.2 -> 5.0.1.0

I also get the error messages "|authmgr| No server available for AAA client type VPN" and "|ike| IKE XAuth failed for RemoteAP".
Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

What kind of RAP

What model of remote AP do you have?

The first message indicates that your Layer3 Authentication VPN Settings does not have a server group to authenticate usernames and passwords for those remote APs: Make sure there is something in there:


The second message indicates that you do not have the RAPs mac address in the RAP whitelist (if it is a RAP2 or RAP5).

There could also be other issues, as well.
What model controller is this?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 49
Registered: ‎01-20-2010

Re: RAPs not re-connecting after upgrade 3.4.2.2 -> 5.0.1.0

The RAPs are RAP-65. The controller is a 2400.

The server group is still defined and pointing to our RADIUS servers. Since we use that connection for authentication on our captive portals, I am pretty sure it is working.
Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

To be clear


The RAPs are RAP-65. The controller is a 2400.

The server group is still defined and pointing to our RADIUS servers. Since we use that connection for authentication on our captive portals, I am pretty sure it is working.




To be clear, a RAP65 requires an IKE Preshared key, a username and a password to connect to a 2400. Your first Xauth error says that the IKE preshared key is incorrect on the incoming device. The second message says that the username and password configured on that device could not be authenticated, because a server group is not configured. Maybe you want to post more lines of the show log security so that we can get more context.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 49
Registered: ‎01-20-2010

Re: RAPs not re-connecting after upgrade 3.4.2.2 -> 5.0.1.0

This was working for years before I upgraded the firmware today :-(

Jun 23 10:58:11 :124056:   |authmgr|  No server available for AAA client type VPN
Jun 23 10:58:11 :103048: |ike| IKE XAuth failed for RemoteAP3
Jun 23 10:58:13 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP4)
Jun 23 10:58:13 :124056: |authmgr| No server available for AAA client type VPN
Jun 23 10:58:13 :103048: |ike| IKE XAuth failed for RemoteAP4
Jun 23 10:58:19 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP2)
Jun 23 10:58:19 :124056: |authmgr| No server available for AAA client type VPN
Jun 23 10:58:19 :103048: |ike| IKE XAuth failed for RemoteAP2
Jun 23 10:58:24 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP1)
Jun 23 10:58:24 :124056: |authmgr| No server available for AAA client type VPN
Jun 23 10:58:24 :103048: |ike| IKE XAuth failed for RemoteAP1
Jun 23 10:58:25 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP3)
Jun 23 10:58:25 :124056: |authmgr| No server available for AAA client type VPN
Jun 23 10:58:25 :103048: |ike| IKE XAuth failed for RemoteAP3
Jun 23 10:58:27 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP4)
Jun 23 10:58:27 :124056: |authmgr| No server available for AAA client type VPN
Jun 23 10:58:27 :103048: |ike| IKE XAuth failed for RemoteAP4
Jun 23 10:58:33 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP2)

Actually, the server group isn't called "MPIDR" as in the log but "MPIDR RADIUS server group". I created a new one called "MPIDR_RADIUS_server_group" to get rid of the spaces and applied this one. Unfortunately, it did not help.

Regards
Dirk
Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Server Group


This was working for years before I upgraded the firmware today :-(

Jun 23 10:58:11 :124056:   |authmgr|  No server available for AAA client type VPN
Jun 23 10:58:11 :103048: |ike| IKE XAuth failed for RemoteAP3
Jun 23 10:58:13 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP4)
Jun 23 10:58:13 :124056: |authmgr| No server available for AAA client type VPN
Jun 23 10:58:13 :103048: |ike| IKE XAuth failed for RemoteAP4
Jun 23 10:58:19 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP2)
Jun 23 10:58:19 :124056: |authmgr| No server available for AAA client type VPN
Jun 23 10:58:19 :103048: |ike| IKE XAuth failed for RemoteAP2
Jun 23 10:58:24 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP1)
Jun 23 10:58:24 :124056: |authmgr| No server available for AAA client type VPN
Jun 23 10:58:24 :103048: |ike| IKE XAuth failed for RemoteAP1
Jun 23 10:58:25 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP3)
Jun 23 10:58:25 :124056: |authmgr| No server available for AAA client type VPN
Jun 23 10:58:25 :103048: |ike| IKE XAuth failed for RemoteAP3
Jun 23 10:58:27 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP4)
Jun 23 10:58:27 :124056: |authmgr| No server available for AAA client type VPN
Jun 23 10:58:27 :103048: |ike| IKE XAuth failed for RemoteAP4
Jun 23 10:58:33 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP2)

Actually, the server group isn't called "MPIDR" as in the log but "MPIDR RADIUS server group". I created a new one called "MPIDR_RADIUS_server_group" to get rid of the spaces and applied this one. Unfortunately, it did not help.

Regards
Dirk




Okay, on what server is the user "RemoteAP2"? Is it in the internal database or an external radius server? That server must be in the server group MPIDR, is what the messages are saying. Open the server group MPIDR and see what is in it.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 49
Registered: ‎01-20-2010

Re: RAPs not re-connecting after upgrade 3.4.2.2 -> 5.0.1.0

The user RemoteAP2 is defined on our RADIUS server. The server is part of the server group. I just double checked.

I also created a new server group called temp_RADIUS and assigned our RADIUS servers to this group.





The messages in the security log still show MPIDR :-(

Jun 23 11:21:06 :124056:   |authmgr|  No server available for AAA client type VPN
Jun 23 11:21:06 :103048: |ike| IKE XAuth failed for RemoteAP1
Jun 23 11:21:08 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP2)
Jun 23 11:21:08 :124056: |authmgr| No server available for AAA client type VPN
Jun 23 11:21:08 :103048: |ike| IKE XAuth failed for RemoteAP2
Jun 23 11:21:15 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP3)

Dirk
Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

There is more to this


The user RemoteAP2 is defined on our RADIUS server. The server is part of the server group. I just double checked.

I also created a new server group called temp_RADIUS and assigned our RADIUS servers to this group.





The messages in the security log still show MPIDR :-(

Jun 23 11:21:06 :124056:   |authmgr|  No server available for AAA client type VPN
Jun 23 11:21:06 :103048: |ike| IKE XAuth failed for RemoteAP1
Jun 23 11:21:08 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP2)
Jun 23 11:21:08 :124056: |authmgr| No server available for AAA client type VPN
Jun 23 11:21:08 :103048: |ike| IKE XAuth failed for RemoteAP2
Jun 23 11:21:15 :199802: |authmgr| server_group.c, ncfg_server_getnext:185: Unknown or empty server group ""MPIDR" (method=VPN, user=RemoteAP3)

Dirk




There are quite a few more questions that need to be asked, logs to be collected, etc. If this is mission critical, you should open a support case. I could keep asking you questions, but it will take awhile....


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 49
Registered: ‎01-20-2010

Re: RAPs not re-connecting after upgrade 3.4.2.2 -> 5.0.1.0

Meanwhile I created a user RemoteAP2 in the internal database and assigned that database to the VPN profile - no success.

I also typed in the IKE shared secret once again to be sure - no success either.

Thanks for your help. I will create a support case.

Regards
Dirk
Search Airheads
Showing results for 
Search instead for 
Did you mean: