Remote Networking

Occasional Contributor I
Posts: 5
Registered: ‎06-24-2011

problems connecting RAP2's to Controller remotely

Hi,

I have a problem with the RAP2s. If I provision and test them locally on the wired network they work like a dream, but the moment a provisioned unit leaves our offices, it doesn't work ...

The RAPs bring up the error "RC_ERROR_IKE_SA_ERROR".

I am testing with 3 RAPs:

Name               AP-Group   AP-Name   Full-Name  Authen-Username  Revoke-Text  AP_Authenticated  Description  Date-Added                Enabled  Remote-IP
---- -------- ------- --------- --------------- ----------- ---------------- ----------- ---------- ------- ---------
00:24:6c:c2:4f:a0 remote-ap ra_ap3 rap1 Provisioned Fri Jun 24 16:44:44 2011 Yes 0.0.0.0
00:24:6c:c2:4f:df remote-ap ra_ap2 rap1 Provisioned Fri Jun 24 16:45:22 2011 Yes 0.0.0.0
00:24:6c:c2:4f:ef remote-ap ra_ap1 rap1 Provisioned Sat Jun 25 02:45:37 2011 Yes 0.0.0.0


in different scenarios:

- directly connected (works well)
- via an external firewall with NAT (and two different ISPs by now)
- via an old PPTP tunnel these units are supposed to replace (no firewalled ports or protocols, routed remote subnet), to make sure it wasn't a NAT, provider or firewall issue

I can see that the controller and the RAPs talk to each other on UDP/4500.
Wireshark sporadically gives warnings for this connection on UDP/4500 (ISAKMP).


This is one attempt seen in the security logs (via the tunnel; the Internet attempt gave the same error):

Jun 25 13:25:34 :103063: |ike| exchange_free_reassemblyList: reset exchange reassembly state
Jun 25 13:25:47 :103063: |ike| exchange_setup_p1: ID is IPv4
Jun 25 13:25:47 :103063: |ike| exchange_setup_p1: USING exchange type ID_PROT
Jun 25 13:25:47 :103063: |ike| Aruba RAP detected
Jun 25 13:25:47 :103063: |ike| IKE Fragmentation
Jun 25 13:25:47 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:897 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 192.168.1.22.
Jun 25 13:25:47 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:926 Found our AP vendor ID from external IP 192.168.1.22
Jun 25 13:25:47 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2847 Proposal match failed in key length, configured=32, peer using=16
Jun 25 13:25:47 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2818 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Jun 25 13:25:47 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2807 Proposal match failed in hash algo, configured=SHA, peer using=MD5
Jun 25 13:25:47 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2847 Proposal match failed in key length, configured=32, peer using=24
Jun 25 13:25:47 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2818 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Jun 25 13:25:47 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2807 Proposal match failed in hash algo, configured=SHA, peer using=MD5
Jun 25 13:25:47 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:1041 Ike Phase 1 received SA
Jun 25 13:25:47 :103063: |ike| ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:192.168.1.22
Jun 25 13:25:47 :103060: |ike| nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 192.168.1.5 Port 500
Jun 25 13:25:47 :103060: |ike| nat_traversal.c:nat_t_exchange_check_nat_d_has_us:556 Did not find our matching NAT-D payload for Port:500 in their packet
Jun 25 13:25:47 :103060: |ike| nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 192.168.1.5 Port 4500
Jun 25 13:25:47 :103060: |ike| nat_traversal.c:nat_t_exchange_check_nat_d_has_us:564 This peer initiated IKE to dst-port 4500
Jun 25 13:25:47 :103060: |ike| nat_traversal.c:nat_t_exchange_check_nat_d_has_us:567 Found our matching NAT-D payload for Port:4500 in their packet
Jun 25 13:25:47 :103060: |ike| xlr_lib.c:xlr_send_dh_request:777 DH1 request: exch name:192.168.1.22 step:3 flags:158 dhflags:1 sos_pending:10145254
Jun 25 13:25:47 :103063: |ike| exchange_run: initiator:1 step 3 done:1 DH-request sent to SOS
Jun 25 13:25:47 :103063: |ike| process_xlr_dh1_response exch:192.168.1.22
Jun 25 13:25:47 :103060: |ike| xlr_lib.c:xlr_send_dh_request:780 DH2 request: exch name:192.168.1.22 step:3 flags:158 dhflags:7 sos_pending:10145254
Jun 25 13:25:47 :103060: |ike| nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 192.168.1.22 Port 1029
Jun 25 13:25:47 :103060: |ike| nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 192.168.1.5 Port 4500
Jun 25 13:25:47 :103060: |ike| nat_traversal.c:nat_t_exchange_add_nat_d:377 NAT-T added hashes for src=192.168.1.5:4500, dst=192.168.1.22:4500
Jun 25 13:25:47 :103063: |ike| ike_phase_1_send_KE_NONCE 192.168.1.22
Jun 25 13:25:47 :103063: |ike| ike_phase_1_post_exchange_KE_NONCE: ignoring since g_xy is null
Jun 25 13:25:47 :103063: |ike| process_xlr_dh2_response exch:192.168.1.22
Jun 25 13:25:47 :103063: |ike| ike_phase_1_post_exchange_KE_NONCE done 192.168.1.22
Jun 25 13:25:49 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:988 fragSize:1024
Jun 25 13:25:49 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:988 fragSize:1024
Jun 25 13:25:54 :103063: |ike| message_fragment_reassemble Dropping duplicate Fragment Num 1 ID 1
Jun 25 13:25:54 :103063: |ike| message_recv: Fragment storage error
Jun 25 13:25:54 :103063: |ike| message_fragment_reassemble Dropping duplicate Fragment Num 2 ID 1
Jun 25 13:25:54 :103063: |ike| message_recv: Fragment storage error
Jun 25 13:25:54 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:988 fragSize:1024
Jun 25 13:26:07 :103063: |ike| exchange_free_reassemblyList: reset exchange reassembly state

192.168.1.22 is the router handling the PPTP connections. Something I don't like is that the IP of the RAP doesn't show up here, although it is routed and there is no NATting in between. The remote subnet is set as a static route on the controller, just to be on the safe side.

This is from the RAP log:

Main Initiator 4 <--
ike_state.c (7475): errorCode = -8909
IKE_checkExpSa notfinished timeout 20 sec
IKE_SA (id=0x20860553) flags 0x125 status -8909 failed
send_sapd_error: error:64 debug_error:-8909


This is on a 3000-series controller with AOS 5.0.2.0, without a PEF license.

I have been trying for a couple of days now and I am sure it must be something stupidly simple, but I haven't found it yet :) ...

Does anybody have an idea what is going on here?

cheers,

Raik
Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: problems connecting RAP2's to Controller remotely

Need a network diagram as to how everything is connected.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 5
Registered: ‎06-24-2011

Re: problems connecting RAP2's to Controller remotely

This is pretty straightforward:

Office #1 (192.168.1.0/24)
- hosting the controller
- default route pointing to Internet Router
- VPN Router (DD-WRT) configured as client

Office #2 (192.168.121.0/24)
- RAPs sit here
- default route pointing to Internet Router
- VPN Server is the Internet Router

We also tried with a third router terminating on a 3G network, with the same results.

Can this be an issue relating to Internet connectivity? We only have one provider on the controller's site in Office #1. I am in Africa, and the Internet is anything but optimal ... we have < 256 kb/s connectivity outbound from Office #1 and up to 10% packet loss on that line ... The PPTP tunnel handles it pretty well though, as do all applications we run over it, like IP phones ...

I checked ports and protocols between the sites via the Internet and the tunnel; UDP/4500, UDP/500 and protocol 50 are open and working ...

If I use the Internet directly to connect the RAPs, the external IP of Office #2 shows up in the datapath list, which should be correct, but the errors are the same ...
Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: problems connecting RAP2's to Controller remotely

Of the three scenarios, the only one that might not work is the pptp tunnel because of the MTU of that tunnel.

Let us focus on the external firewall with NAT. Do you have the messages from that failure?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 5
Registered: ‎06-24-2011

Re: problems connecting RAP2's to Controller remotely

Yes, of course:

Jun 26 15:40:15 :103063: |ike| exchange_setup_p1: ID is IPv4
Jun 26 15:40:15 :103063: |ike| exchange_setup_p1: USING exchange type ID_PROT
Jun 26 15:40:15 :103063: |ike| Aruba RAP detected
Jun 26 15:40:15 :103063: |ike| IKE Fragmentation
Jun 26 15:40:15 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:897 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 41.198.3X.XX6.
Jun 26 15:40:15 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:926 Found our AP vendor ID from external IP 41.198.3X.XX6
Jun 26 15:40:15 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2847 Proposal match failed in key length, configured=32, peer using=16
Jun 26 15:40:15 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2818 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Jun 26 15:40:15 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2807 Proposal match failed in hash algo, configured=SHA, peer using=MD5
Jun 26 15:40:15 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2847 Proposal match failed in key length, configured=32, peer using=24
Jun 26 15:40:15 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2818 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Jun 26 15:40:15 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2807 Proposal match failed in hash algo, configured=SHA, peer using=MD5
Jun 26 15:40:15 :103060: |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:1041 Ike Phase 1 received SA
Jun 26 15:40:15 :103063: |ike| ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:41.198.3X.XX6
Jun 26 15:40:15 :103060: |ike| nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 192.168.1.5 Port 500
Jun 26 15:40:15 :103060: |ike| nat_traversal.c:nat_t_exchange_check_nat_d_has_us:556 Did not find our matching NAT-D payload for Port:500 in their packet
Jun 26 15:40:15 :103060: |ike| nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 192.168.1.5 Port 4500
Jun 26 15:40:15 :103060: |ike| nat_traversal.c:nat_t_exchange_check_nat_d_has_us:567 Did not find our matching NAT-D payload for Port:4500 in their packet
Jun 26 15:40:15 :103060: |ike| ike_phase_1.c:ike_phase_1_recv_KE_NONCE:1270 Responder, enabling NAT-T.
Jun 26 15:40:15 :103060: |ike| xlr_lib.c:xlr_send_dh_request:777 DH1 request: exch name:41.198.3X.XX6 step:3 flags:58 dhflags:1 sos_pending:1015ea94
Jun 26 15:40:15 :103063: |ike| exchange_run: initiator:1 step 3 done:1 DH-request sent to SOS
Jun 26 15:40:15 :103063: |ike| process_xlr_dh1_response exch:41.198.3X.XX6
Jun 26 15:40:15 :103060: |ike| xlr_lib.c:xlr_send_dh_request:780 DH2 request: exch name:41.198.3X.XX6 step:3 flags:58 dhflags:7 sos_pending:1015ea94
Jun 26 15:40:15 :103060: |ike| nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 41.198.3X.XX6 Port 4500
Jun 26 15:40:15 :103060: |ike| nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 192.168.1.5 Port 4500
Jun 26 15:40:15 :103060: |ike| nat_traversal.c:nat_t_exchange_add_nat_d:377 NAT-T added hashes for src=192.168.1.5:4500, dst=41.198.3X.XX6:4500
Jun 26 15:40:15 :103063: |ike| ike_phase_1_send_KE_NONCE 41.198.3X.XX6
Jun 26 15:40:15 :103063: |ike| ike_phase_1_post_exchange_KE_NONCE: ignoring since g_xy is null
Jun 26 15:40:15 :103063: |ike| process_xlr_dh2_response exch:41.198.3X.XX6
Jun 26 15:40:15 :103063: |ike| ike_phase_1_post_exchange_KE_NONCE done 41.198.3X.XX6
Jun 26 15:40:16 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:988 fragSize:1024
Jun 26 15:40:17 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:988 fragSize:1024
Jun 26 15:40:17 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:988 fragSize:1024
Jun 26 15:40:21 :103063: |ike| message_fragment_reassemble Dropping duplicate Fragment Num 1 ID 1
Jun 26 15:40:21 :103063: |ike| message_recv: Fragment storage error
Jun 26 15:40:21 :103063: |ike| message_fragment_reassemble Dropping duplicate Fragment Num 2 ID 1
Jun 26 15:40:21 :103063: |ike| message_recv: Fragment storage error
Jun 26 15:40:21 :103063: |ike| message_fragment_reassemble Dropping duplicate Fragment Num 3 ID 1
Jun 26 15:40:21 :103063: |ike| message_recv: Fragment storage error
Jun 26 15:40:26 :103063: |ike| message_fragment_reassemble Dropping duplicate Fragment Num 1 ID 1
Jun 26 15:40:26 :103063: |ike| message_recv: Fragment storage error
Jun 26 15:40:26 :103063: |ike| message_fragment_reassemble Dropping duplicate Fragment Num 2 ID 1
Jun 26 15:40:26 :103063: |ike| message_recv: Fragment storage error
Jun 26 15:40:26 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:720 fragSize:1024
Jun 26 15:40:30 :103063: |ike| message_fragment_reassemble Dropping duplicate Fragment Num 1 ID 1
Jun 26 15:40:30 :103063: |ike| message_recv: Fragment storage error
Jun 26 15:40:30 :103063: |ike| message_fragment_reassemble Dropping duplicate Fragment Num 2 ID 1
Jun 26 15:40:30 :103063: |ike| message_recv: Fragment storage error
Jun 26 15:40:30 :103063: |ike| message_fragment_reassemble Dropping duplicate Fragment Num 3 ID 1
Jun 26 15:40:30 :103063: |ike| message_recv: Fragment storage error
Jun 26 15:40:35 :103063: |ike| exchange_free_reassemblyList: reset exchange reassembly state
Jun 26 15:40:36 :103063: |ike| message_recv: invalid cookie(s) a1269bf3759550c3 4b18bce048bfdc70
Jun 26 15:40:36 :103060: |ike| message.c:message_drop:2681 Message drop from 41.198.3X.XX6port 4500 due to notification type INVALID_COOKIE
Jun 26 15:40:36 :103063: |ike| message_recv: invalid cookie(s) a1269bf3759550c3 4b18bce048bfdc70
Jun 26 15:40:36 :103060: |ike| message.c:message_drop:2681 Message drop from 41.198.3X.XX6port 4500 due to notification type INVALID_COOKIE
Jun 26 15:40:36 :103063: |ike| message_recv: invalid cookie(s) a1269bf3759550c3 4b18bce048bfdc70
Jun 26 15:40:36 :103060: |ike| message.c:message_drop:2681 Message drop from 41.198.3X.XX6port 4500 due to notification type INVALID_COOKIE


and the RAP:

#RECV 232 bytes from 41.198.3X.XX2:4500 (9.0)
(pid:1855) time:1999-12-31 16:02:48

cookies={c22c54e7e4c87faf 5e3ab24c8c4e692a} np=KE
exchange=Main len=228
IKE_fragCheckFragment: next payload is 4
Main Initiator 4 <--
ike_state.c (7475): errorCode = -8909


The MTU is 1492 / MRU is 1480 for both Internet connections ...


Thank you for looking into that!

Raik
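Both controller logs in this thread, the PPTP-tunnel attempt in the first post and the NAT/Internet attempt above, stall in the same place: full-size fragments of the IKE-fragmented phase 1 message arrive, the peer's retransmitted copies are dropped as duplicates ("Fragment storage error"), and exchange_free_reassemblyList resets the exchange before the message is complete. The "Proposal match failed" lines are not the failure; in both logs they are followed by "Accepted 1 of the Proposals". As an added example, not code from the thread or from Aruba, here is a small Python parser that walks such |ike| lines and reports, per fragmented message, which fragment numbers were never received. The sample lines are constructed to match the log format shown in the posts (with an RFC 5737 address in place of the real one); the assumption that the shorter-than-full fragment is the tail of the message, and hence gives the total count, is mine and is not something the thread confirms.

```python
"""Parse ArubaOS ':103063: |ike|' security-log lines and report why IKE phase 1
fragment reassembly never completes. The sample log is constructed to match the
format in the thread; it is not a verbatim copy of the controller output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: fragment 4 of message ID 1 never arrives across several
# retransmission rounds, the exchange is reset, and the peer's next packets are
# dropped as INVALID_COOKIE because the controller no longer knows the exchange.
SAMPLE_LOG = """\
Jun 26 15:40:15 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2847 Proposal match failed in key length, configured=32, peer using=16
Jun 26 15:40:15 :103060: |ike| ike_phase_1.c:attribute_unacceptable:2818 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
Jun 26 15:40:15 :103063: |ike| ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:203.0.113.6
Jun 26 15:40:16 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:988 fragSize:1024
Jun 26 15:40:17 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:988 fragSize:1024
Jun 26 15:40:17 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:988 fragSize:1024
Jun 26 15:40:21 :103063: |ike| message_fragment_reassemble Dropping duplicate Fragment Num 1 ID 1
Jun 26 15:40:21 :103063: |ike| message_recv: Fragment storage error
Jun 26 15:40:21 :103063: |ike| message_fragment_reassemble Dropping duplicate Fragment Num2 ID 1
Jun 26 15:40:26 :103063: |ike| message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:720 fragSize:1024
Jun 26 15:40:35 :103063: |ike| exchange_free_reassemblyList: reset exchange reassembly state
Jun 26 15:40:36 :103060: |ike| message.c:message_drop:2681 Message drop from 203.0.113.6port 4500 due to notification type INVALID_COOKIE
"""

TS = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d")
FRAG_INSERT = re.compile(r"insert fragment ID:(\d+) Num:(\d+) DataLen:(\d+) fragSize:(\d+)")
FRAG_DUP = re.compile(r"Dropping duplicate Fragment Num\s*(\d+) ID (\d+)")  # "Num 1" and "Num1" both occur
PROPOSAL_FAIL = re.compile(r"Proposal match failed in ([\w ]+?), configured=(\S+), peer using=(\S+)")


@dataclass
class Reassembly:
    """One fragmented IKE message, as seen by the responder."""
    msg_id: int
    first_seen: str
    received: Dict[int, int] = field(default_factory=dict)  # fragment number -> DataLen
    duplicates: int = 0
    reset_at: Optional[str] = None

    @property
    def last_fragment(self) -> Optional[int]:
        # Assumption: the tail fragment carries less than a full payload, so the
        # highest short fragment gives the total count. Until it arrives the
        # total is unknown.
        full = max(self.received.values(), default=0)
        short = [n for n, size in self.received.items() if size < full]
        return max(short) if short else None

    def missing(self) -> List[int]:
        upper = self.last_fragment or max(self.received, default=0)
        return [n for n in range(1, upper + 1) if n not in self.received]

    def verdict(self) -> str:
        if self.last_fragment is not None and not self.missing():
            return "complete"
        tail = "" if self.last_fragment else " (tail fragment never seen, total unknown)"
        return f"incomplete: missing {self.missing() or 'unknown'}{tail}"


@dataclass
class Report:
    reassemblies: List[Reassembly] = field(default_factory=list)
    proposal_mismatches: List[Tuple[str, str, str]] = field(default_factory=list)
    proposals_accepted: int = 0
    invalid_cookie_drops: int = 0


def analyze(log_text: str) -> Report:
    report = Report()
    open_by_id: Dict[int, Reassembly] = {}
    for line in log_text.splitlines():
        m_ts = TS.match(line)
        ts = m_ts.group(0) if m_ts else ""
        if m := FRAG_INSERT.search(line):
            msg_id, num, data_len = int(m[1]), int(m[2]), int(m[3])
            open_by_id.setdefault(msg_id, Reassembly(msg_id, ts)).received[num] = data_len
        elif m := FRAG_DUP.search(line):
            num, msg_id = int(m[1]), int(m[2])
            open_by_id.setdefault(msg_id, Reassembly(msg_id, ts)).duplicates += 1
        elif "exchange_free_reassemblyList" in line:
            # The reset is logged per exchange, not per message ID, so it closes
            # every reassembly that is still open.
            for r in open_by_id.values():
                r.reset_at = ts
                report.reassemblies.append(r)
            open_by_id.clear()
        elif m := PROPOSAL_FAIL.search(line):
            report.proposal_mismatches.append((m[1], m[2], m[3]))
        elif "Accepted 1 of the Proposals" in line:
            report.proposals_accepted += 1
        elif "INVALID_COOKIE" in line:
            report.invalid_cookie_drops += 1
    report.reassemblies.extend(open_by_id.values())  # still open at end of log
    return report


def summarize(report: Report) -> List[str]:
    lines = []
    for r in report.reassemblies:
        when = f"{r.first_seen} .. reset {r.reset_at}" if r.reset_at else f"{r.first_seen} .. still open"
        lines.append(f"msg ID {r.msg_id} [{when}]: got {sorted(r.received)}, "
                     f"{r.duplicates} duplicate(s) dropped, {r.verdict()}")
    if report.proposal_mismatches:
        note = "informational, a proposal was accepted" if report.proposals_accepted else "no proposal accepted"
        lines.append(f"{len(report.proposal_mismatches)} proposal attribute mismatch line(s) ({note})")
    if report.invalid_cookie_drops:
        lines.append(f"{report.invalid_cookie_drops} packet(s) dropped as INVALID_COOKIE after the exchange was torn down")
    return lines


if __name__ == "__main__":
    for line in summarize(analyze(SAMPLE_LOG)):
        print(line)
```

Run it against the real sec log of a failing RAP (the `|ike|` lines for the peer's address): a result like "got [1, 2, 3, 5], missing [4]" across several retransmission rounds points at UDP loss on the path, which matches the packet dumps mentioned later in the thread, whereas "tail fragment never seen" with only the low-numbered fragments arriving is the pattern to expect when the larger fragments exceed an MTU somewhere in between.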
Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: problems connecting RAP2's to Controller remotely

The logs are inconclusive. Please open a case with TAC, as there is much more information that can be looked at to get to the bottom of this.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 5
Registered: ‎06-24-2011

Re: problems connecting RAP2's to Controller remotely

OK, let me do that.

In the meantime:

I upgraded the controller to 6.0.1.2 (just in case) last night, reprovisioned the RAPs, and had a partial success. It now works with one of the two ISPs. With the other ISP it still gives the error as above.

I also tried using the RAP to initiate the PPPoE session on one end, with the same effect. A simultaneous packet dump on both ends actually showed that my ISP is dropping quite a few UDP packets ...

Though, given the overall connectivity, PPTP seems to be much more patient with this (although retransmissions and packet loss are quite high).

Cheers!

Raik