Remote Networking

Occasional Contributor I

Trouble connecting RAP-2WG to A200 running AOS 5.0.0.0

In my lab I'm trying to set up the RAP with "zero touch provisioning" but I'm running into a lot of problems.

Just a question for understanding purposes: Is it possible to connect a zero-touch RAP to an A200 controller with ArubaOS 5.0.0.0?
At http://airheads.arubanetworks.com/vBulletin/showthread.php?t=1800 Andy Logan wrote that it's only supported on 3000 or M3 controllers. But this thread might be older than ArubaOS 5.0.0.0. :)

While searching this forum, I've found a really great troubleshooting guide called "VBN_VRD.pdf". But there are still some problems while trying to establish IKE phase 1 and still some questions while examining the logs.

The RAP says "RC_ERROR_IKEP1_PKT5" while trying to connect to the controller. I've tried "RAP in same subnet" (learned that's not recommended, because of ARP lookups, and ....), next "RAP in Layer3 separated subnet without NAT" and finally "RAP on the Internet with NAT".

Some info about the environment:

Controller: A200 running ArubaOS 5.0.0.0 Build 23711
RAP-Model: RAP-2WG running ArubaOS 5.0.0.0 Build 23711 (was updated by the controller?!)

Regarding the troubleshooting guide:

1. "show crypto isakmp sa" shows no output (shows only 1 CAP, but not the RAP)
2. "show datapath session table" shows a NAT-T Session while the RAP is trying to connect (between the reboots)
3. "show crypto isakmp policy" shows the default settings as described in the troubleshooting guide.
4. did "configure terminal logging level debugging security process crypto" to enable crypto debugging.
5. By the way: yes I've whitelisted the RAP. "show local-userdb-ap" shows

AP-entry Details
----------------
Name AP-Group AP-Name Full-Name Authen-Username Revoke-Text AP_Authenticated Description Date-Added Enabled Remote-IP
---- -------- ------- --------- --------------- ----------- ---------------- ----------- ---------- ------- ---------
00:0b:86:c3:5d:bf default rap1 rap1 Provisioned Wed Apr 7 13:49:35 2010 Yes 0.0.0.0

AP Entries: 1

6. "show log security all | include ike" shows a lot :-) and some of it makes sense, but not all.

Apr 8 18:50:50 :103063:   |ike|  exchange_setup_p1: ID is IPv4
Apr 8 18:50:50 :103063: |ike| exchange_setup_p1: USING exchange type ID_PROT
Apr 8 18:50:50 :103063: |ike| IKE Fragmentation

What does it mean? Should I keep track of this?

Apr 8 18:50:50 :103060:   |ike|  ike_phase_1.c:ike_phase_1_responder_recv_SA:897 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 178.24.xyz.xyz.
Apr 8 18:50:50 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:926 Found our AP vendor ID from external IP 178.24.xyz.xyz

hey, looks good ... "found our AP vendor ID". Yes, it's an Aruba RAP :-)

Apr 8 18:50:50 :103060:   |ike|  ike_phase_1.c:attribute_unacceptable:2847 Proposal match failed in key length, configured=32, peer using=16
Apr 8 18:50:50 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2818 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Apr 8 18:50:50 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2807 Proposal match failed in hash algo, configured=SHA, peer using=MD5
Apr 8 18:50:50 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2847 Proposal match failed in key length, configured=32, peer using=24
Apr 8 18:50:50 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2818 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Apr 8 18:50:50 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2807 Proposal match failed in hash algo, configured=SHA, peer using=MD5

Might be only informational? The controller is testing the phase 1 proposals and looking for a match? Am I right?


Apr 8 18:50:50 :103060:   |ike|  ike_phase_1.c:ike_phase_1_responder_recv_SA:1041 Ike Phase 1 received SA
Apr 8 18:50:50 :103063: |ike| ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:178.24.xyz.xyz

ok, matched!

Apr 8 18:50:50 :103060:   |ike|  nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 192.168.6.227 Port 500
Apr 8 18:50:50 :103060: |ike| nat_traversal.c:nat_t_exchange_check_nat_d_has_us:556 Did not find our matching NAT-D payload for Port:500 in their packet

According to the troubleshooting guide there should be something similar to "Found our matching NAT-D payload in their packet" here, but there isn't.

Apr 8 18:50:50 :103060:   |ike|  nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 192.168.6.227 Port 4500
Apr 8 18:50:50 :103060: |ike| nat_traversal.c:nat_t_exchange_check_nat_d_has_us:567 Did not find our matching NAT-D payload for Port:4500 in their packet
Apr 8 18:50:50 :103060: |ike| ike_phase_1.c:ike_phase_1_recv_KE_NONCE:1270 Responder, enabling NAT-T.
Apr 8 18:50:50 :103060: |ike| nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 178.24.xyz.xyz Port 4500
Apr 8 18:50:50 :103060: |ike| nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 192.168.6.227 Port 4500
Apr 8 18:50:50 :103060: |ike| nat_traversal.c:nat_t_exchange_add_nat_d:377 NAT-T added hashes for src=192.168.6.227:4500, dst=178.24.xyz.xyz:4500

Hmm... is phase 1 now established or not? I'm not sure. BTW: 192.168.6.227 is the controller's ip address.

Apr 8 18:50:50 :103063:   |ike|  ike_phase_1_send_KE_NONCE 178.24.xyz.xyz
Apr 8 18:50:51 :103063: |ike| ike_phase_1_post_exchange_KE_NONCE done 178.24.xyz.xyz
Apr 8 18:50:52 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:988 fragSize:1024
Apr 8 18:50:52 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:988 fragSize:1024
Apr 8 18:50:52 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:988 fragSize:1024
Apr 8 18:50:52 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:988 fragSize:1024
Apr 8 18:50:52 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:720 fragSize:1024
Apr 8 18:50:52 :103063: |ike| exchange_free_reassemblyList: reset exchange reassembly state
Apr 8 18:50:52 :103063: |ike| message_recv: Reassembly complete

Not sure what it means, but it sounds good.

Apr 8 18:50:52 :103060:   |ike|  ike_phase_1.c:ike_phase_1_recv_ID:2218 received IKE ID Type 9 exchange:178.24.xyz.xyz
Apr 8 18:50:52 :103063: |ike| exchange_find_serverCert: found Device Server-Cert for RAP
Apr 8 18:50:52 :103063: |ike| exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap

"Server cert invalid" sounds definitely not good, but some lines below everything's fine.

BTW: that's the correct serial number and MAC address.

Apr 8 18:50:52 :103063:   |ike|  rsa_sig_validate_cert_id: cert-ID matches with phase-1 ID len 49
Apr 8 18:50:52 :103063: |ike| rsa_sig_validate_cert_id: cert-ID length 103 mismatched with phase-1 ID length 49
Apr 8 18:50:52 :103063: |ike| rsa_sig_validate_cert_id: cert-ID length 149 mismatched with phase-1 ID length 49
Apr 8 18:50:52 :103063: |ike| rsa_sig_decode_hash: numcerts:3 stackedcerts:2
Apr 8 18:50:52 :103063: |ike| rsa_sig_validate_cert: validating CERT againstCa /tmp/tempCertKey/ArubaTrustedCerts.pem
Apr 8 18:50:52 :103063: |ike| x509_stack_validate_with_ca: succeeded validation with CA-cert /tmp/tempCertKey/ArubaTrustedCerts.pem

"succeeded validation" ... ok, the "invalid server cert" seems not to be the problem....

Apr 8 18:50:52 :103063:   |ike|  rsa_sig_validate_cert: Factory Cert
Apr 8 18:50:52 :103063: |ike| rsa_sig_decode_hash: get username from Certificate
Apr 8 18:50:52 :103063: |ike| x509_cert_get_username: subjAltname type: 4
Apr 8 18:50:52 :103063: |ike| x509_cert_get_username after GENERAL_NAMES_free
Apr 8 18:50:52 :103063: |ike| x509_cert_get_username: AP MAC CN 00:0b:86:c3:5d:bf
Apr 8 18:50:52 :103063: |ike| rsa_sig_decode_hash: succeeded
Apr 8 18:50:52 :103015: |ike| IKE Main Mode Phase 1 succeeded for peer 178.24.xyz.xyz

Succeeded? But "#show crypto isakmp sa" does not show any phase 1!!!

Apr 8 18:50:52 :103060: |ike| sa.c:sa_check_peer:358 sa_check_peer: Can not find SA for 178.24.xyz.xyz

as I said. Can not find SA too? :-(

Apr 8 18:50:52 :103063:   |ike|  ipsec_handle_leftover_payload: received INITIAL-CONTACT
Apr 8 18:50:52 :103063: |ike| ike_phase_1_send_ID(cert): find Server Cert
Apr 8 18:50:52 :103063: |ike| exchange_find_serverCert: found Device Server-Cert for RAP
Apr 8 18:50:52 :103063: |ike| exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
Apr 8 18:50:52 :103063: |ike| ike_phase_1_send_ID(cert): Server Cert is invalid
Apr 8 18:50:52 :103060: |ike| ike_main_mode.c:responder_send_ID_AUTH:203 Phase 1 failed in sending ID.
Apr 8 18:50:52 :103063: |ike| exchange_run: doi->responder (0x102e54c4) failed retval:-1

I've been trying to get this running for a couple of days and I think "that can't be so difficult, because zero touch provisioning makes it easy". Am I stupid?

Thanks for reading this post! Any ideas????

Timo
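A small triage helper for this kind of "|ike|" log, added here as an example and not code from the post or from Aruba: it pulls out the events that decide the phase 1 outcome (proposal rejections, the accepted proposal, NAT-T, CA validation, the AP MAC from the factory cert, and the "Server Cert is invalid" / "failed in sending ID" pair) and returns a one-line verdict. The event names and verdict wording are my own; the sample lines are quoted from the log above, and the final verdict reflects what the replies below explain, namely that the controller could not present a device server certificate.

```python
import re

# Log lines quoted from the post above (peer address as the poster masked it).
SAMPLE_LOG = """\
Apr 8 18:50:50 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2818 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Apr 8 18:50:50 :103063: |ike| ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:178.24.xyz.xyz
Apr 8 18:50:50 :103060: |ike| ike_phase_1.c:ike_phase_1_recv_KE_NONCE:1270 Responder, enabling NAT-T.
Apr 8 18:50:52 :103063: |ike| x509_stack_validate_with_ca: succeeded validation with CA-cert /tmp/tempCertKey/ArubaTrustedCerts.pem
Apr 8 18:50:52 :103063: |ike| x509_cert_get_username: AP MAC CN 00:0b:86:c3:5d:bf
Apr 8 18:50:52 :103015: |ike| IKE Main Mode Phase 1 succeeded for peer 178.24.xyz.xyz
Apr 8 18:50:52 :103063: |ike| ike_phase_1_send_ID(cert): Server Cert is invalid
Apr 8 18:50:52 :103060: |ike| ike_main_mode.c:responder_send_ID_AUTH:203 Phase 1 failed in sending ID.
"""

EVENTS = [  # one regex per event that matters for the verdict; other chatter is ignored
    ("rejected", re.compile(r"Proposal match failed in ([a-z ]+), configured=(\S+), peer using=(\S+)")),
    ("accepted", re.compile(r"Accepted (\d+) of the Proposals")),
    ("nat_t", re.compile(r"enabling NAT-T")),
    ("ca_ok", re.compile(r"succeeded validation with CA-cert (\S+)")),
    ("ap_mac", re.compile(r"AP MAC CN ([0-9a-f:]{17})")),
    ("peer_ok", re.compile(r"Main Mode Phase 1 succeeded for peer (\S+)")),
    ("no_server_cert", re.compile(r"Server Cert is invalid|failed in sending ID")),
]

def summarize(log):
    """Walk the |ike| lines once; count rejections, keep the last match for every other event."""
    s = {"rejected": [], "accepted": 0}
    for line in (l for l in log.splitlines() if "|ike|" in l):
        for name, rx in EVENTS:
            if m := rx.search(line):
                if name == "rejected":
                    s["rejected"].append(m.groups())  # (attribute, ours, peer's)
                elif name == "accepted":
                    s["accepted"] = int(m.group(1))
                else:
                    s[name] = m.group(1) if m.groups() else True
                break
    return s

def diagnose(s):
    """Turn the summary into the verdict a reader of this log wants, in the order the checks happen."""
    if not s["accepted"]:
        tried = sorted({attr for attr, _, _ in s["rejected"]})
        return "no phase 1 proposal matched (mismatch on: %s)" % ", ".join(tried)
    if not s.get("ca_ok"):
        return "RAP factory cert did not validate against the trusted CA bundle"
    if s.get("no_server_cert"):
        return ("peer %s (AP %s) authenticated, but the controller had no valid device server cert "
                "to answer with; cert-based RAP auth is not available here" % (s.get("peer_ok"), s.get("ap_mac")))
    return "phase 1 established with %s" % s.get("peer_ok")
```

Rejections that precede an "Accepted ... Proposals" line are the controller walking its policy list and are reported only when nothing matched, which is the informational reading the poster suspected.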
Aruba Employee

Re: Trouble connecting RAP-2WG to A200 running AOS 5.0.0.0

No, you're not stupid and no, it's not that difficult.

The problem is that the zero touch provision is only supported on the M3 and 3x00 series controllers. The A200 controller you have won't let you do it.

You can, however, use the 200 for non-zero touch provisioned Remote APs.
Moderator

Re: Trouble connecting RAP-2WG to A200 running AOS 5.0.0.0

Just to clarify - the 1st generation controllers do not have TPM chips which are required to hold the certificates to do certificate-based auth/crypto (which is what zero-touch uses). You can still terminate RAP-2's and RAP-5's on a 1st gen controller but you will need to provision it like a regular AP by going to the AP installation page in the GUI and assigning a username, password, and IPSec pre-shared key.
--
Christopher Leach - CISSP, ACDX, ACMX
Director, Training and Certification
Occasional Contributor I

Re: Trouble connecting RAP-2WG to A200 running AOS 5.0.0.0

Christopher, thank you for your reply,

just a question: should the RAP2/5 be available at the Provisioning Page (under Configuration -> Wireless -> AP Installation)? I'm asking because there isn't any AP which I could provision with username/password/psk.

I've put the RAP into the same layer 2 broadcast domain as the controller and typed the controller ip into the "where to connect" field at the RAP-GUI.
BTW: Still getting the error "RC_ERROR_IKEP1_PKT5" at the RAP-GUI while trying to connect to the controller.

I guess that this scenario (RAP2 or RAP5 on 1st generation controller) isn't supported by Aruba?

best regards,
Timo
Occasional Contributor I

Re: Trouble connecting RAP-2WG to A200 running AOS 5.0.0.0


No, you're not stupid and no, it's not that difficult.

The problem is that the zero touch provision is only supported on the M3 and 3x00 series controllers. The A200 controller you have won't let you do it.

You can, however, use the 200 for non-zero touch provisioned Remote APs.

Dear Olin,

Thank you too for your reply. I'll do an update to ArubaOS 5.0.0.0 on a customer's controller tomorrow, which is a 3600. After this I can try to configure it as planned, but I hate testing things/features on customers' equipment. That's why I've tried to set it up on my lab 200.

best regards,
Timo
Occasional Contributor II

Re: Trouble connecting RAP-2WG to A200 running AOS 5.0.0.0

How about the newer 600 series controllers? Do they support zero touch provisioning?

Thanks,
Stefan
Aruba Employee

Re: Trouble connecting RAP-2WG to A200 running AOS 5.0.0.0

Yes they do. It's a matter of the controller having a TPM module with a certificate. The M3, 3000 series, and 600 series have these. The original controller line does not have either the module or the certificates, hence the lack of support.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Occasional Contributor II

Re: Trouble connecting RAP-2WG to A200 running AOS 5.0.0.0

Ok.
Thank you very much for your feedback!
Aruba Employee

Re: Trouble connecting RAP-2WG to A200 running AOS 5.0.0.0

Andy - There's no RN 3.1 release for the 600-series controllers, so is it safe to assume ZTP is only available in 5.0.0 with the 600 controllers?
Aruba Employee

Re: Trouble connecting RAP-2WG to A200 running AOS 5.0.0.0

Hi Mike,

Yes, that's correct. 5.0 is the upgrade path from the RN code base, and 600 support is included in that release.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks