Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AP205 over VPN

  • 1.  AP205 over VPN

    Posted Jul 03, 2015 05:24 AM

    Hi all,

    In my test lab I'm simulating a remote network that I have with a branch where they will buy some AP205s directly.

    So I set up a network: AP205 -- Firewall -- IPSEC Tunnel -- Firewall -- Aruba7030

    I set DHCP Options 43 and 60 to point to my controller via IP.

    The AP starts with factory firmware ArubaOS Version 6.4.1.0; the first time I see it on my controller (default group - see attachment) it automatically starts to upgrade to 6.4.3.2.

     

    During the upgrade the session table is:

    show datapath session table 10.168.2.201
    
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop
           A - Application Firewall Inspect
    
    
    Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
    10.5.0.100      10.168.2.201    6    21    58714  0/0     0    0   2   0/0/0       22   14         976        I
    10.168.2.201    10.5.0.100      6    49483 1053   1/4098  0    0   0   0/0/0       20   894        35780      CU
    10.5.0.100      10.168.2.201    6    1053  49483  0/0     0    0   0   0/0/0       20   1732       2458064
    10.168.2.201    10.5.0.100      6    58714 21     1/4098  0    0   2   0/0/0       22   17         824        CUI

    and the tunnel table is (MTU 1200)

    show datapath tunnel table | include 10.168.2.201
    96      10.5.0.100      10.168.2.201    47   9000  1200  0    0    0    0    0     04:BD:88:C1:CC:B8          0          0          0 TES

    The AP reboots itself to the new firmware and I lose it.

    The session table reports a connection to the AP and I receive the boot log:

    #show datapath session table 10.168.2.201
    
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop
           A - Application Firewall Inspect
    
    
    Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
    10.168.2.201    10.5.0.100      17   60799 514    1/4099  0    0   1   0/0/0       e    1          100        FC
    10.5.0.100      10.168.2.201    17   514   60799  0/0     0    0   1   0/0/0       e    0          0          FY


    Jul 3 12:30:18 :311002:  <WARN> |AP 04:bd:88:c1:cc:b8@10.168.2.201 sapd|  Rebooting: SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
    Jul 3 12:30:19 :303086:  <ERRS> |AP 04:bd:88:c1:cc:b8@10.168.2.201 nanny| Process Manager (nanny) shutting down - AP will reboot!
    Jul 3 12:31:55 :303022:  <WARN> |AP 04:bd:88:c1:cc:b8@10.168.2.201 nanny|  Reboot Reason: AP rebooted Fri Jul 3 12:30:19 CEST 2015; SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)

    I just tried, as I found in some topics, to adjust the MTU to 1200 or 1400 with no luck (the VPN tunnel is set to 1424, but I tried setting it to 1500 or 1200 with no luck).

    Other ideas?

    Thanks

    Riccardo



  • 2.  RE: AP205 over VPN

    Posted Jul 03, 2015 08:26 AM

    After continuous reboots of the AP it reports:

    Getting an IP address...
    [   17.892000] ADDRCONF(NETDEV_UP): bond0: link is not ready
    [   19.896000] bond0: link up (1000FD)
    [   19.898000] ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
    10.168.2.201 255.255.255.0 10.168.2.1
    Running ADP...Done. Master is 10.5.0.100
    [   23.912000] wifi0: AP type AP-205, radio 0, max_bssids 16
    [   23.986000] wifi1: AP type AP-205, radio 1, max_bssids 16
    AP rebooted Wed Dec 31 16:12:01 PST 1969; Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_IKEV2_TIMEOUT
    shutting down watchdog process (nanny will restart it)...
    
            <<<<<       Welcome to the Access Point     >>>>>
    
    ~ #




  • 3.  RE: AP205 over VPN

    EMPLOYEE
    Posted Jul 03, 2015 11:23 AM
    Are you blocking UDP 4500 anywhere? This is required if you have CPSec enabled.

    Run show datapath session table | include 4500 to see if the traffic is getting to the controller.


    Thanks,
    Tim


  • 4.  RE: AP205 over VPN

    Posted Jul 06, 2015 04:43 AM

    I don't block any service or port on the VPN, but I don't see any connection on port 4500 from the Aruba controller.

    If I try to simulate, from a remote PC, a connection via telnet 10.5.0.100 4500, I see the connection:

    (Aruba7030-SIT) #show datapath session table | include 4500
    10.168.2.203    10.5.0.100      6    57982 4500   0/0     0    4   0   0/0/0       2    1          60         FDYC

    The strange thing is that the AP works the first time with factory firmware 6.4.1.0, but it stops working with the latest one, 6.4.3.2.



  • 5.  RE: AP205 over VPN

    Posted Jul 06, 2015 06:39 AM

    Hi

    It looks to me like you have Control Plane Security enabled; if so, try disabling it.

    If the AP should operate in Campus mode, there is no reason for it to try to set up an IPSec tunnel.

    I just set up Campus APs running 6.4.3.2 for a customer with a VPN between 2 locations. The MTU is 1462 on the link; the AP is up no matter what MTU I set on the AP group.

    Roar



  • 6.  RE: AP205 over VPN

    Posted Jul 08, 2015 02:57 AM

    With firewall support we're finding that the problem is related to port 4500/udp, because the AP needs to open a tunnel with source port 4500/udp and destination port 4500/udp, which our firewall doesn't like (the packet goes into the VPN tunnel from the remote firewall but is lost somewhere, because I don't see it in my HQ firewall).

    Now I'm working with them to find a solution, but I'm asking you whether it is possible to change something in the Aruba controller to bypass this issue.

    With Control Plane Security disabled the problem is not resolved.

    Thanks



  • 7.  RE: AP205 over VPN
    Best Answer

    MVP
    Posted Aug 17, 2015 10:09 AM

    A bit late, but if the problem is indeed your firewall intercepting those UDP 4500 packets, then disabling Control Plane Security should resolve that bit.

    Without Control Plane Security the APs use PAPI (UDP 8211) rather than IPSEC (UDP 4500).
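
The thread's diagnostic step (post 3) and its conclusion (post 7) both come down to reading the controller's datapath session table and checking which AP control-plane sessions actually arrive: cleartext PAPI on UDP 8211 when CPSec is off, or IKE on UDP 500 and IPsec NAT-T on UDP 4500 when it is on. The following is an added example, not code from the thread or from HPE Aruba: a small Python parser for `show datapath session table` rows that names each session's role, flags entries carrying the D (deny) flag, and summarises what the AP is getting through. The sample rows are constructed from the output posted above; the port-to-role table is an assumption based on standard ArubaOS defaults, and the verdict strings are this example's own wording.

```python
"""Classify ArubaOS `show datapath session table` rows for an AP.

Added example, not from the thread.  Sample rows below are constructed from
the thread's output; ARUBA_PORT_ROLES is an assumption (standard ArubaOS
AP/controller ports), not something the thread states.
"""

import re
from dataclasses import dataclass

# (ip-protocol, port) -> role.  Assumption: standard ArubaOS defaults.
ARUBA_PORT_ROLES = {
    (17, 8211): "PAPI (cleartext AP management)",
    (17, 500): "IKE (CPSec IPsec negotiation)",
    (17, 4500): "IPsec NAT-T (CPSec, encrypted PAPI)",
    (6, 21): "FTP control (AP image download)",
    (17, 69): "TFTP (AP image download)",
    (17, 514): "syslog (AP boot log)",
}

# One data row: 13 whitespace-separated columns, then optional flag letters.
# Header, separator and flag-legend lines never match the leading 5-tuple.
ROW_RE = re.compile(
    r"^\s*(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<proto>\d+)\s+(?P<sport>\d+)\s+"
    r"(?P<dport>\d+)\s+\S+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+(?P<packets>\d+)\s+"
    r"(?P<bytes>\d+)(?:\s+(?P<flags>[A-Za-z]+))?\s*$"
)


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    bytes: int
    flags: str

    @property
    def denied(self) -> bool:
        return "D" in self.flags

    @property
    def role(self) -> str:
        """Name the role by whichever side of the 5-tuple is a well-known port."""
        for port in (self.dport, self.sport):
            if (self.proto, port) in ARUBA_PORT_ROLES:
                return ARUBA_PORT_ROLES[(self.proto, port)]
        return "other"


def parse_session_table(text: str) -> list[Session]:
    """Return the session rows found in raw `show datapath session table` output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(Session(m["src"], m["dst"], int(m["proto"]), int(m["sport"]),
                                int(m["dport"]), int(m["packets"]), int(m["bytes"]),
                                m["flags"] or ""))
    return rows


def diagnose(sessions: list[Session], ap_ip: str) -> dict:
    """Summarise which control-plane paths the AP at ap_ip has open."""
    mine = [s for s in sessions if ap_ip in (s.src, s.dst)]
    denied = sorted({s.role for s in mine if s.denied})
    natt = any(s.proto == 17 and 4500 in (s.sport, s.dport) for s in mine)
    papi = any(s.proto == 17 and 8211 in (s.sport, s.dport) for s in mine)
    if natt and denied:
        verdict = "udp/4500 reaches the controller but a session is denied; check controller ACLs"
    elif natt:
        verdict = "IPsec NAT-T reaches the controller; the path is not the problem"
    elif papi:
        verdict = "AP is using cleartext PAPI (udp/8211); CPSec is not in use"
    else:
        verdict = ("no udp/4500 or udp/8211 session from the AP in this table; "
                   "check that udp/500 and udp/4500 pass the firewall/VPN both ways")
    return {"natt": natt, "papi": papi, "roles": sorted({s.role for s in mine}),
            "denied": denied, "verdict": verdict}


# Constructed from the thread: the AP after its reboot (only syslog got through)
# plus the tcp/4500 telnet probe from another host, which the controller denied.
SAMPLE_AFTER_REBOOT = """\
Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.168.2.201    10.5.0.100      17   60799 514    1/4099  0    0   1   0/0/0       e    1          100        FC
10.5.0.100      10.168.2.201    17   514   60799  0/0     0    0   1   0/0/0       e    0          0          FY
10.168.2.203    10.5.0.100      6    57982 4500   0/0     0    4   0   0/0/0       2    1          60         FDYC
"""

# Constructed from the thread: the image download during the upgrade.
SAMPLE_DURING_UPGRADE = """\
10.5.0.100      10.168.2.201    6    21    58714  0/0     0    0   2   0/0/0       22   14         976        I
10.168.2.201    10.5.0.100      6    49483 1053   1/4098  0    0   0   0/0/0       20   894        35780      CU
10.5.0.100      10.168.2.201    6    1053  49483  0/0     0    0   0   0/0/0       20   1732       2458064
10.168.2.201    10.5.0.100      6    58714 21     1/4098  0    0   2   0/0/0       22   17         824        CUI
"""

if __name__ == "__main__":
    for name, table in (("after reboot", SAMPLE_AFTER_REBOOT),
                        ("during upgrade", SAMPLE_DURING_UPGRADE)):
        print(name, diagnose(parse_session_table(table), "10.168.2.201"))
```

Note what the telnet probe row shows when classified: it is TCP, not UDP, so it proves only that some packet to port 4500 arrived, not that IKE/NAT-T works; and its D flag means the controller itself dropped it. A positive test for the CPSec path needs a UDP 4500 session from the AP's address without the D flag.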