04-16-2013 07:32 AM
We're having issues trying to enable an AP-105 in a Checkpoint (CP) VPN configuration. Config:
AP-105 <-> CP vpn appliance remote site <-> CP vpn firewall HeadQuarters <-> Aruba cntrl
The AP comes up (it was originally provisioned at HQ). But when it tries to open an encrypted tunnel to the controller, that's it. We never see it in the controller's list. In the logs we see:
Apr 16 15:06:23sapd: <311020> <ERRS> |AP AP-BE-DI-TEST1@192.168.61.10 sapd| An internal system error has occurred at file sapd_redun.c function sapd_proc_redun_msg line 4314 error Error: Received RC_OPCODE_ERROR lms 192.168.101.251 tunnel 0.0.0.0 RC_ERROR_RETRYIKEV1.
We believe this is because the CP VPN actually forwards the encrypted packet on UDP port 4500, unencrypted. That basically is what is defined in the CP STAR network settings. So basically the packet gets redirected, as it is unencrypted, to the internet, and never reaches the Aruba controller.
Is there some way to change that port? We can't change it on the CP configuration. Any other solution?
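The sapd line quoted above carries the fields a defender needs to triage this class of failure: which AP, which LMS (controller) it is trying to reach, whether a tunnel endpoint was ever recorded, and the retry reason. The following parser is an added example, not code from the thread or from Aruba; it pulls those fields out of sapd syslog lines and groups repeated failures per AP/LMS pair so a NOC can spot an AP that keeps retrying IKEv1 without ever getting a tunnel (tunnel 0.0.0.0). The first sample line is the one posted above; the remaining lines, the message id 399999 and the reason code RC_ERROR_SOMETHING_ELSE are constructed to exercise the parser, and the classification labels are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log. Line 1 is the line posted in the thread (note the
# missing space before "sapd:", which the regex tolerates). Lines 2-4 are
# constructed variants, not real log output.
SAMPLE_LOG = """\
Apr 16 15:06:23sapd: <311020> <ERRS> |AP AP-BE-DI-TEST1@192.168.61.10 sapd| An internal system error has occurred at file sapd_redun.c function sapd_proc_redun_msg line 4314 error Error: Received RC_OPCODE_ERROR lms 192.168.101.251 tunnel 0.0.0.0 RC_ERROR_RETRYIKEV1.
Apr 16 15:07:11 sapd: <311020> <ERRS> |AP AP-BE-DI-TEST1@192.168.61.10 sapd| An internal system error has occurred at file sapd_redun.c function sapd_proc_redun_msg line 4314 error Error: Received RC_OPCODE_ERROR lms 192.168.101.251 tunnel 0.0.0.0 RC_ERROR_RETRYIKEV1.
Apr 16 15:08:02 sapd: <311020> <ERRS> |AP AP-BE-DI-TEST2@192.168.61.11 sapd| An internal system error has occurred at file sapd_redun.c function sapd_proc_redun_msg line 4314 error Error: Received RC_OPCODE_ERROR lms 192.168.101.251 tunnel 10.0.0.5 RC_ERROR_SOMETHING_ELSE.
Apr 16 15:08:30 stm: <399999> <INFO> |AP AP-BE-DI-TEST1@192.168.61.10 stm| unrelated informational message
"""

# Outer syslog envelope: timestamp, process, <msgid> <severity> |AP name@ip proc| message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s*"
    r"(?P<process>\w+):\s+<(?P<msgid>\d+)>\s+<(?P<sev>\w+)>\s+"
    r"\|AP\s+(?P<ap>[^@\s]+)@(?P<ap_ip>\d{1,3}(?:\.\d{1,3}){3})\s+\w+\|\s+"
    r"(?P<msg>.*)$"
)

# Inner tunnel-failure detail as it appears in the posted line.
TUNNEL_RE = re.compile(
    r"Received\s+(?P<opcode>RC_\w+)\s+lms\s+(?P<lms>\S+)\s+"
    r"tunnel\s+(?P<tunnel>\S+)\s+(?P<reason>RC_ERROR_\w+)"
)


@dataclass(frozen=True)
class TunnelFailure:
    ts: str
    ap: str
    ap_ip: str
    lms: str
    tunnel: str
    reason: str


def parse_line(line: str) -> Optional[TunnelFailure]:
    """Return a TunnelFailure for sapd tunnel errors, None for anything else."""
    outer = LINE_RE.match(line.strip())
    if not outer or outer.group("process") != "sapd":
        return None
    inner = TUNNEL_RE.search(outer.group("msg"))
    if not inner:
        return None
    return TunnelFailure(
        ts=outer.group("ts"),
        ap=outer.group("ap"),
        ap_ip=outer.group("ap_ip"),
        lms=inner.group("lms"),
        tunnel=inner.group("tunnel"),
        reason=inner.group("reason"),
    )


def parse_log(text: str) -> List[TunnelFailure]:
    """Parse every line, silently skipping lines that are not tunnel failures."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def classify(ev: TunnelFailure) -> str:
    """Coarse triage label (labels are this example's own, not Aruba's).

    tunnel 0.0.0.0 plus RC_ERROR_RETRYIKEV1 means the AP is still retrying
    IKEv1 and never got a tunnel endpoint: check that UDP 500/4500 between
    the AP and the LMS actually traverses the intermediate VPN.
    """
    if ev.tunnel == "0.0.0.0" and ev.reason == "RC_ERROR_RETRYIKEV1":
        return "ike_phase1_not_established"
    if ev.tunnel == "0.0.0.0":
        return "no_tunnel_endpoint"
    return "tunnel_error"


def summarize(events: List[TunnelFailure]) -> Dict[Tuple[str, str], dict]:
    """Group failures per (AP, LMS) so repeated retries stand out."""
    summary: Dict[Tuple[str, str], dict] = {}
    for ev in events:
        key = (ev.ap, ev.lms)
        entry = summary.setdefault(key, {"count": 0, "reasons": set(), "labels": set()})
        entry["count"] += 1
        entry["reasons"].add(ev.reason)
        entry["labels"].add(classify(ev))
    return summary


if __name__ == "__main__":
    for (ap, lms), info in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{ap} -> LMS {lms}: {info['count']} failure(s), "
              f"{sorted(info['reasons'])}, {sorted(info['labels'])}")
```

Feeding the parser a few hours of AP syslog and alerting when one (AP, LMS) pair accumulates `ike_phase1_not_established` events gives a cheap detector for exactly the symptom in this thread: an AP that is reachable for everything else but whose IPsec negotiation to the controller never completes.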
04-16-2013 07:51 AM
The CP devices are just providing site to site VPN service, right? So the subnet with the AP is pretty much just another routed subnet within your environment?
Aruba Customer Engineering
04-16-2013 11:15 AM
We've had no trouble passing the standard GRE tunnel through our (Cisco) VPN. We did have to specifically include the GRE and UDP 8211 traffic in our ACL of "interesting" traffic.
I would expect using AP to Controller VPN inside your Checkpoint to Checkpoint VPN to work badly.
Is the remote site not a trusted site?
(Or am I totally confused?)
if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
04-17-2013 05:44 AM
Yes, the 'remote' subnet is a different VLAN. But I have no problem accessing anything else in that subnet. It has been working perfectly for years, so it's not a routing issue. Interestingly, we also tried a commbox, and that one does not exhibit the issue.