Wireless Access

Occasional Contributor I

AP205 over VPN

Hi all,

In my test lab I'm simulating a remote network that I have with a branch, where they will buy some AP205s directly.

 

So I set up a network: AP205 -- Firewall -- IPSEC Tunnel -- Firewall -- Aruba7030

I set DHCP Options 43 and 60 to point to my controller by IP.

 

The AP starts with factory firmware ArubaOS version 6.4.1.0; the first time I see it on my controller (default group - see attachment) it automatically starts to upgrade to 6.4.3.2.

 

During the upgrade the session table is:

show datapath session table 10.168.2.201


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop
       A - Application Firewall Inspect


Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.5.0.100      10.168.2.201    6    21    58714  0/0     0    0   2   0/0/0       22   14         976        I
10.168.2.201    10.5.0.100      6    49483 1053   1/4098  0    0   0   0/0/0       20   894        35780      CU
10.5.0.100      10.168.2.201    6    1053  49483  0/0     0    0   0   0/0/0       20   1732       2458064
10.168.2.201    10.5.0.100      6    58714 21     1/4098  0    0   2   0/0/0       22   17         824        CUI

and the tunnel table is (MTU 1200)

show datapath tunnel table | include 10.168.2.201
96      10.5.0.100      10.168.2.201    47   9000  1200  0    0    0    0    0     04:BD:88:C1:CC:B8          0          0          0 TES

The AP reboots itself into the new firmware and I lose it.

The session table reports a connection to the AP and I receive the boot log:

#show datapath session table 10.168.2.201


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop
       A - Application Firewall Inspect


Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.168.2.201    10.5.0.100      17   60799 514    1/4099  0    0   1   0/0/0       e    1          100        FC
10.5.0.100      10.168.2.201    17   514   60799  0/0     0    0   1   0/0/0       e    0          0          FY

 

Jul 3 12:30:18 :311002:  <WARN> |AP 04:bd:88:c1:cc:b8@10.168.2.201 sapd|  Rebooting: SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
Jul 3 12:30:19 :303086:  <ERRS> |AP 04:bd:88:c1:cc:b8@10.168.2.201 nanny| Process Manager (nanny) shutting down - AP will reboot!
Jul 3 12:31:55 :303022:  <WARN> |AP 04:bd:88:c1:cc:b8@10.168.2.201 nanny|  Reboot Reason: AP rebooted Fri Jul 3 12:30:19 CEST 2015; SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)

I just tried, as I found in some topics, adjusting the MTU to 1200 or 1400 with no luck (the VPN tunnel is set to 1424, but I tried setting it to 1500 or 1200 with no luck).

 

Other ideas?

 

Thanks

Riccardo

 

Occasional Contributor I

Re: AP205 over VPN

After continuous reboots of the AP it reports:

 

Getting an IP address...
[   17.892000] ADDRCONF(NETDEV_UP): bond0: link is not ready
[   19.896000] bond0: link up (1000FD)
[   19.898000] ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
10.168.2.201 255.255.255.0 10.168.2.1
Running ADP...Done. Master is 10.5.0.100
[   23.912000] wifi0: AP type AP-205, radio 0, max_bssids 16
[   23.986000] wifi1: AP type AP-205, radio 1, max_bssids 16
AP rebooted Wed Dec 31 16:12:01 PST 1969; Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_IKEV2_TIMEOUT
shutting down watchdog process (nanny will restart it)...

        <<<<<       Welcome to the Access Point     >>>>>

~ #

 

Guru Elite

Re: AP205 over VPN

Are you blocking UDP 4500 anywhere? This is required if you have CPSec enabled.

Run show datapath session table | include 4500 to see if the traffic is getting to the controller.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: AP205 over VPN

I don't block any service or port on the VPN, but I don't see any connection on port 4500 from the Aruba controller.

 

If I try to simulate a connection from a remote PC via telnet 10.5.0.100 4500, I see the connection:

 

(Aruba7030-SIT) #show datapath session table | include 4500
10.168.2.203    10.5.0.100      6    57982 4500   0/0     0    4   0   0/0/0       2    1          60         FDYC

The strange thing is that the AP works the first time with factory firmware 6.4.1.0, but it stops working with the latest one, 6.4.3.2.

Frequent Contributor II

Re: AP205 over VPN

Hi

 

It looks to me like you have Control Plane Security enabled; if so, try disabling it.

If the AP should operate in Campus mode, there is no reason for it to try to set up an IPSec tunnel.

 

I just set up Campus APs running 6.4.3.2 for a customer with a VPN between 2 locations. The MTU is 1462 on the link; the AP is up no matter what MTU I set on the AP group.

 

Roar

 

Occasional Contributor I

Re: AP205 over VPN

With firewall support we're finding that the problem is related to port 4500/udp, because the AP needs to open a tunnel with source port 4500/udp and destination port 4500/udp, which our firewall doesn't like (the packets go into the VPN tunnel from the remote firewall but get lost somewhere, because I don't see them on my HQ firewall).

 

Now I'm working with them to find a solution, but I'm asking you whether it is possible to change something in the Aruba controller to bypass this issue.

 

With Control Plane Security disabled the problem is not resolved.

 

Thanks

MVP

Re: AP205 over VPN

A bit late, but if the problem is indeed your firewall intercepting those UDP 4500 packets, then disabling Control Plane Security should resolve that bit.

Without Control Plane Security the APs use PAPI (UDP 8211) rather than IPSEC (UDP 4500).

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
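A defender-side check that follows Tim's "include 4500" suggestion and Koen's PAPI-vs-IPsec point, as an added example that is not part of this thread or Aruba's software: it parses "show datapath session table" rows in the format shown above and reports, per transport (UDP 4500 NAT-T when CPSec is on, UDP 8211 PAPI when it is off), how many packets the controller saw in each direction. The sample rows are constructed from the thread's output; the one-way UDP 4500 pair and the host roles are assumptions.

```python
"""Classify AP/controller control-plane sessions from ArubaOS 'show datapath
session table' output. Added example for this thread, not Aruba code."""
import ipaddress
UDP, TCP = 17, 6
NATT_PORT = 4500   # IPsec NAT-T (IKE and ESP in UDP), used when CPSec is enabled
PAPI_PORT = 8211   # PAPI, used by campus APs when CPSec is off
FIELDS = ("src", "dst", "prot", "sport", "dport", "cntr", "prio", "tos",
          "age", "dest", "tage", "packets", "bytes", "flags")

# Constructed sample: two rows copied from the thread (udp/514 syslog, the
# TCP telnet test from a PC) plus an assumed UDP 4500 pair with no reply packets.
SAMPLE = """\
Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
10.168.2.201    10.5.0.100      17   60799 514    1/4099  0    0   1   0/0/0       e    1          100        FC
10.168.2.203    10.5.0.100      6    57982 4500   0/0     0    4   0   0/0/0       2    1          60         FDYC
10.168.2.201    10.5.0.100      17   4500  4500   0/0     0    0   0   0/0/0       3    12         2400       C
10.5.0.100      10.168.2.201    17   4500  4500   0/0     0    0   0   0/0/0       3    0          0          FY
"""

def parse_session_table(text):
    """One dict per session row; header and legend lines are skipped because
    their first two tokens are not IP addresses. A missing Flags column -> ''."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        try:
            ipaddress.ip_address(t[0]), ipaddress.ip_address(t[1])
        except (IndexError, ValueError):
            continue
        row = dict(zip(FIELDS, t + [""] * (len(FIELDS) - len(t))))
        for k in ("prot", "sport", "dport", "packets"):
            row[k] = int(row[k])
        rows.append(row)
    return rows

def control_plane_status(rows, ap_ip, controller_ip):
    """Packets per transport and direction between the two hosts. AP->controller
    packets with zero controller->AP packets means the flow is dropped somewhere."""
    def pkts(proto, port, src, dst):
        return sum(r["packets"] for r in rows if r["prot"] == proto
                   and port in (r["sport"], r["dport"])
                   and (r["src"], r["dst"]) == (src, dst))
    status = {}
    # TCP to 4500 (e.g. a telnet test) is not IKE NAT-T, so it is kept separate
    for name, proto, port in (("ipsec_natt", UDP, NATT_PORT),
                              ("papi", UDP, PAPI_PORT), ("tcp_4500", TCP, NATT_PORT)):
        status[name] = {"ap_to_controller": pkts(proto, port, ap_ip, controller_ip),
                        "controller_to_ap": pkts(proto, port, controller_ip, ap_ip)}
    return status
```

Feed it the real `show datapath session table <ap-ip>` output instead of SAMPLE; a non-zero ipsec_natt count one way and zero the other is the pattern described in this thread.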