Contributor II
Posts: 66
Registered: 01-25-2013

AP-105 behind Checkpoint vpn appliance

Hi,

We're having issues trying to enable an AP-105 in a Checkpoint (CP) VPN configuration. Config:

AP-105 <-> CP VPN appliance remote site <-> CP VPN firewall HeadQuarters <-> Aruba cntrl

The AP comes up (it was originally provisioned at HQ). But when it tries to open an encrypted tunnel to the controller, that's it. We never see it in the controller's list. In the logs we see:

Apr 16 15:06:23 sapd[579]: <311020> <ERRS> |AP AP-BE-DI-TEST1@192.168.61.10 sapd| An internal system error has occurred at file sapd_redun.c function sapd_proc_redun_msg line 4314 error Error: Received RC_OPCODE_ERROR lms 192.168.101.251 tunnel 0.0.0.0 RC_ERROR_RETRYIKEV1.

We believe this is because the CP VPN actually forwards the encrypted packet on UDP port 4500, unencrypted. That is basically what is defined in the CP STAR network settings. So basically the packet gets redirected, as it is unencrypted, to the internet, and never reaches the Aruba controller.

Is there some way to change that port? We can't change it on the CP configuration. Any other solution?

Guru Elite
Posts: 21,029
Registered: 03-29-2007

Re: AP-105 behind Checkpoint vpn appliance

Hold on.

The CP devices are just providing site-to-site VPN service, right? So the subnet with the AP is pretty much just another routed subnet within your environment?

Colin Joseph
Aruba Customer Engineering


MVP
Posts: 707
Registered: 12-01-2010

Re: AP-105 behind Checkpoint vpn appliance

We've had no trouble passing the standard GRE tunnel through our (Cisco) VPN. We did have to specifically include the GRE and UDP 8211 traffic in our ACL of "interesting" traffic.

I would expect using AP-to-controller VPN inside your Checkpoint-to-Checkpoint VPN to work badly.

Is the remote site not a trusted site? (Or am I totally confused?)

--Matthew

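The two posts above describe the same failure from two sides: the original poster sees the AP's UDP 4500 traffic leave the Checkpoint VPN in the clear, and Matthew had to add GRE and UDP 8211 to the Cisco crypto ACL before his APs would tunnel to the controller. The check below is an added example, not code from either poster or from Aruba: it models a site-to-site VPN's encryption domain as a list of (source net, destination net, protocol, port) entries and reports which AP-to-controller flows fall outside it. The AP and controller addresses are the ones in the log line; the /24 boundaries, the DNS/HTTPS entries of the "narrow" domain and the flow list (PAPI on UDP 8211, GRE, IKE on UDP 500, NAT-T on UDP 4500) are assumptions made for the example.

```python
"""Which AP-to-controller flows fall outside a site-to-site VPN's
encryption domain ("interesting traffic")?  Added example, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47

# Addresses from the thread's log line; the /24 boundaries are an assumption.
AP_IP = "192.168.61.10"
CONTROLLER_IP = "192.168.101.251"
REMOTE_SITE = "192.168.61.0/24"
HQ_SITE = "192.168.101.0/24"


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # None for protocols without ports (GRE)


@dataclass(frozen=True)
class DomainEntry:
    """One line of the VPN's encryption domain / crypto ACL."""
    src_net: str
    dst_net: str
    proto: Optional[int] = None  # None = any IP protocol
    dport: Optional[int] = None  # None = any destination port

    def matches(self, flow: Flow) -> bool:
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        return True


# Constructed flow list (assumption): what a campus AP sends to its controller.
# PAPI control on UDP 8211 and GRE for tunnelled user traffic; IKE on UDP 500
# and NAT-T on UDP 4500 only when the AP builds its own IPsec tunnel.
AP_TO_CONTROLLER = [
    Flow("PAPI control (UDP 8211)", AP_IP, CONTROLLER_IP, PROTO_UDP, 8211),
    Flow("GRE user traffic", AP_IP, CONTROLLER_IP, PROTO_GRE),
    Flow("IKE (UDP 500)", AP_IP, CONTROLLER_IP, PROTO_UDP, 500),
    Flow("IPsec NAT-T (UDP 4500)", AP_IP, CONTROLLER_IP, PROTO_UDP, 4500),
]


def flows_outside_domain(flows: List[Flow], domain: List[DomainEntry]) -> List[str]:
    """Names of the flows no domain entry covers.  Traffic outside the domain is
    routed by the VPN appliance as ordinary (unencrypted) traffic, or dropped,
    which matches an AP that reaches the network but never appears on the controller."""
    return [f.name for f in flows if not any(e.matches(f) for e in domain)]


# A port-specific domain that only lists ordinary application traffic (constructed).
NARROW_DOMAIN = [
    DomainEntry(REMOTE_SITE, HQ_SITE, PROTO_UDP, 53),
    DomainEntry(REMOTE_SITE, HQ_SITE, PROTO_TCP, 443),
]

# The same domain after adding the entries Matthew mentions (GRE and UDP 8211)
# plus the IKE/NAT-T ports the AP needs if it tunnels to the controller itself.
FIXED_DOMAIN = NARROW_DOMAIN + [
    DomainEntry(REMOTE_SITE, HQ_SITE, PROTO_GRE),
    DomainEntry(REMOTE_SITE, HQ_SITE, PROTO_UDP, 8211),
    DomainEntry(REMOTE_SITE, HQ_SITE, PROTO_UDP, 500),
    DomainEntry(REMOTE_SITE, HQ_SITE, PROTO_UDP, 4500),
]

# A subnet-to-subnet domain with no protocol restriction covers everything at once.
WIDE_DOMAIN = [DomainEntry(REMOTE_SITE, HQ_SITE)]

if __name__ == "__main__":
    print("narrow domain misses:", flows_outside_domain(AP_TO_CONTROLLER, NARROW_DOMAIN))
    print("fixed domain misses: ", flows_outside_domain(AP_TO_CONTROLLER, FIXED_DOMAIN))
    print("wide domain misses:  ", flows_outside_domain(AP_TO_CONTROLLER, WIDE_DOMAIN))
```

The design point is the one Colin's question gets at: if the encryption domain is simply remote subnet to HQ subnet (the WIDE_DOMAIN case), the AP is just another host on a routed subnet and every flow is covered. Trouble starts when the domain is written per service, because GRE has no port and PAPI's UDP 8211 is not a port anyone thinks to list; the NAT-T entry matters only if the AP is additionally building its own IPsec tunnel inside the site-to-site one.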
Contributor II
Posts: 66
Registered: 01-25-2013

Re: AP-105 behind Checkpoint vpn appliance

Yes, the 'remote' subnet is a different VLAN. But I have no problem accessing anything else in that subnet. It has been working perfectly for years. So it's not a routing issue. Interestingly, we also tried a commbox, and this one does not exhibit the issue.
