Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba LMS IP Question in RAP access Public IP VMC

  • 1.  Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 04:55 AM

    托管环境.jpg

    We have the above network, and the LMS IP we send is 47.104.193.111, as follows:

    (AOS83) [mynode] #show ap system-profile rap

    AP system profile "rap"
    -----------------------
    Parameter Value
    --------- -----
    RF Band g
    Recovery Mode auto
    RF Band for AM mode scanning all
    Native VLAN ID 1
    Tunnel Heartbeat Interval 1
    Session ACL ap-uplink-acl
    Corporate DNS Domain N/A
    SNMP sysContact N/A
    LED operating mode (11n/11ac APs only) normal
    LED override Disabled
    Driver log level warnings
    Console log level emergencies
    SAP MTU N/A
    RAP MTU 1200 bytes
    LMS IP 47.104.193.111
    Backup LMS IP N/A

     

    Why, when we debug the RAP IPsec connection, do we find that our LMS IP 47.104.193.111 has been changed into 52.4.31.172?

     

    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_recv_ipreq peer:111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_recv_statusack peer:111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_recv_userrep peer:111.37.21.182
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_send_iprep peer:111.37.21.182 innerip:172.16.200.20
    Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_send_iprep: Sending Aruba LMS IP 52.4.31.172



  • 2.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 04:57 AM

    We never set the IP 52.4.31.172 anywhere,

    and we don't even know where this IP comes from?



  • 3.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 08:55 PM

    but you have 172.31.4.52 defined and the debug print likely has an endianness issue (e.g. harmless accidental swapping of the byte order of the debug string).

     

    For basic RAP connectivity you don't need to put anything in the lms-ip field; simply reprovisioning the AP with master=your public IP would be enough. Besides, as you can see, the controller ignores this and sends the IP of the controller itself to the RAP, so it can communicate up the IPsec tunnel to the actual switch IP of the controller.

     

     

     



  • 4.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 09:15 PM

    172.31.5.52 is our loopback IP 172.31.5.52/255.255.255.255



  • 5.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 09:16 PM

    172.31.5.52 is our loopback IP 172.31.5.52/255.255.255.255

    our VLAN 1 IP is 172.31.5.51/255.255.240.0



  • 6.  RE: Aruba LMS IP Question in RAP access Public IP VMC



  • 7.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 09:20 PM

    (AOS83) [mynode] #show ip interface bri

    Interface IP Address / IP Netmask Admin Protocol VRRP-IP
    vlan 1 172.31.4.51 / 255.255.240.0 up up
    loopback 172.31.4.52 / 255.255.255.255 up up
    mgmt unassigned / unassigned up up
    (AOS83) [mynode] #show controller-ip

    Switch IP Address: 172.31.4.52

    Switch IP is configured to be loopback interface

    Switch IPv6 address is not configured.

     

    If you think the problem is because of the loopback IP, we can remove the loopback IP; it may be the same problem.



  • 8.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 09:31 PM

    Please take a look at the IP address now! The VMC sends 52.4.31.172, which is not the controller IP!

     

    Controller IP is 172.31.4.52 and 47.104.193.111 ONLY!!!

     

    (AOS83) [mynode] #show ip interface bri

    Interface IP Address / IP Netmask Admin Protocol VRRP-IP
    vlan 1 172.31.4.51 / 255.255.240.0 up up
    loopback unassigned / unassigned up up
    mgmt unassigned / unassigned up up
    (AOS83) [mynode] #show controller-ip

    Switch IP Address: 172.31.4.51

    Switch IP is configured to be Vlan Interface: 1

    Switch IPv6 address is not configured.

    (AOS83) [mynode] #



  • 9.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 09:42 PM

    (AOS83) [mynode] #show ip interface bri

    Interface IP Address / IP Netmask Admin Protocol VRRP-IP
    vlan 1 172.31.4.51 / 255.255.240.0 up up
    loopback 172.31.4.52 / 255.255.255.255 up up
    mgmt unassigned / unassigned up up
    (AOS83) [mynode] #show controller-ip

    Switch IP Address: 172.31.4.52

    Switch IP is configured to be loopback interface

    Switch IPv6 address is not configured.

     

    ap system-profile "rap"
    lms-ip 47.104.193.111
    ap-console-password 70af4f67be883683097e00475e9595cbc5b0f76b629f3b60
    bkup-passwords 64411df59b3d25b256a07de2e464f85004b11f8c1bb8be17
    !
    ap system-profile "rap_apsys_ui"
    session-acl ""
    lms-ip 172.31.4.51
    ap-console-password 617a97df5078ffe812346fc49a1519e08a12f034a3699eeb
    bkup-passwords a9cfa3576fcf7fa0b34191567cb5f20a14101ff563a5fb8c

     

    Snap102.jpg

     



  • 10.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 09:48 PM

    it is a simple byte ordering issue - it's not really sending that IP, it's backwards due to VM vs. appliance byte ordering, it's cosmetic.

     

     



  • 11.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 10:14 PM

    We have done an erase all and reconfigured our VMC, making sure there is no LMS IP config, but we have the same problem.

    Snap102.jpg

    So we built one network in our local network, and want to see if it works well.

    本地环境.jpg

    This picture is our VMC running in our local network; the switch IP is 192.168.9.60, and it also sends LMS IP 192.168.9.60, so everything works well,

    and the VMC also sends the right LMS IP to the RAP; the RAP works well!

     

    We have also done the same test on the local network. It sends the right Controller-IP.

    QQ截图20180703101343.jpg



  • 12.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 10:32 PM

    yes, your observation is expected, it's a byte ordering problem (VM vs. appliance), please google "endianness" or read https://en.wikipedia.org/wiki/Endianness (x86_64 vs. Aruba hardware is using different byte order).

     

    it *should* be the case that this is a purely cosmetic issue in the debug output only, it may not be however. You can log into the RAP and go into the /tmp and check the output in /tmp/rapper.txt and /tmp/sapd_debug.txt and see if the debug is showing the backwards IP address or not, that will be a simple test to see if it's really just cosmetic or wrong "on the wire".

     

    If the debug on the RAP shows the backwards IP, then you have found a bug. If the debug on the RAP shows the correct IP always, then it should just be cosmetic.

     

    Please double check your 1:1 NAT at the 47.x.x.x address is natting udp/4500 and udp/500 to the controller IP. To keep things simple you can get rid of .52 and point the PNAT to .51 - then everything is simple and consistent.
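
Added example, not part of the original thread: a Python check for the byte-order explanation given in the replies above, classifying the address in a "Sending Aruba LMS IP" debug line as configured, a byte-swapped rendering of a configured address, or genuinely unknown. The `KNOWN` list is assumed to be the controller addresses shown in the thread, the sample lines are copied from the first post, and all function names are illustrative.

```python
import ipaddress
import re

# Assumption: addresses the thread shows on the controller (interfaces, lms-ip).
KNOWN = ["172.31.4.51", "172.31.4.52", "47.104.193.111"]

# Sample input: two isakmpd debug lines as posted in the first message.
SAMPLE_LOG = """\
Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_send_iprep peer:111.37.21.182 innerip:172.16.200.20
Jul 2 16:02:50 isakmpd[3839]: <103063> <3839> <DBUG> |ike| 111.37.21.182:25649-> xauth_responder_send_iprep: Sending Aruba LMS IP 52.4.31.172
"""

LMS_RE = re.compile(r"Sending Aruba LMS IP (\d+\.\d+\.\d+\.\d+)")


def byteswap(ip: str) -> str:
    """Return the IPv4 address with its four octets in reverse order."""
    packed = ipaddress.IPv4Address(ip).packed
    return str(ipaddress.IPv4Address(packed[::-1]))


def classify(ip: str, known=KNOWN) -> tuple:
    """Classify a logged address against the configured ones."""
    if ip in known:
        return ("known", ip)
    swapped = byteswap(ip)
    if swapped in known:
        return ("byte-swapped", swapped)
    return ("unknown", None)


def triage(log: str, known=KNOWN) -> list:
    """Return (logged_ip, verdict, matching_configured_ip) per LMS IP line."""
    return [(m.group(1), *classify(m.group(1), known))
            for m in LMS_RE.finditer(log)]


def hex_to_ip(word: str) -> str:
    """Decode an 8-digit hex word such as the 'Subnets of LMS:2f68c100'
    field in sapd_debug_log, most significant byte first."""
    return str(ipaddress.IPv4Address(int(word, 16)))


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print(hex_to_ip("2f68c100"), hex_to_ip("c0a80b00"))
```

A "byte-swapped" verdict only says the logged string is consistent with a display problem; the RAP-side logs suggested in the reply above are still what shows which address was actually received.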



  • 13.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 10:48 PM

    I can log in to the RAP, but we can only run ifconfig and route -n

     

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:172.16.200.22 P-t-P:172.16.200.22 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1300 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:64
    RX bytes:0 (0.0 B) TX bytes:8197 (8.0 KiB)

    ~ # ls
    ls: Permission denied
    ~ # pw
    pw: Permission denied
    ~ #
    ~ #
    ~ #
    ~ # ls
    ls: Permission denied
    ~ # pwd
    pwd: Permission denied
    ~ # cd /tmp
    cd: Permission denied
    ~ #



  • 14.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 10:58 PM

    press "esc+ctrl+k" and you will gain access to the shell, then "cd /tmp" and then "cat rapper.txt" and "cat sapd_debug_log" (please use ls to find the actual names)

     



  • 15.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 11:20 PM

    /tmp # cat rapper.txt
    Dec 31, 16:07:17: The current state is 9

    calling XchangeOut from UpdateSadp2
    Dec 31, 16:07:22: The current state is 19

    Dec 31, 16:07:22: The current state is 8

    calling XchangeOut from UpdateSadp2
    Dec 31, 16:07:27: The current state is 19

    Dec 31, 16:07:27: The current state is 7

    calling XchangeOut from UpdateSadp2
    Dec 31, 16:07:32: The current state is 19

    Dec 31, 16:07:32: The current state is 6

    calling XchangeOut from UpdateSadp2
    Dec 31, 16:07:37: The current state is 19

    Dec 31, 16:07:37: The current state is 5

    calling XchangeOut from UpdateSadp2



  • 16.  RE: Aruba LMS IP Question in RAP access Public IP VMC

    Posted Jul 02, 2018 11:22 PM

    /tmp # cat sapd_debug_log
    [2826]1969-12-31 16:01:16 no offline acls saved
    [2826]1969-12-31 16:01:16 no offline vaps saved
    [2826]1969-12-31 16:01:16 State REDUN_STATE_INIT Event REDUN_EVENT_INIT Next state REDUN_STATE_TUNNEL_MASTER
    [2826]1969-12-31 16:01:16 Setting up fallback ssid
    [2826]1969-12-31 16:01:16 sapd_check_rap_dhcp_pool: Subnets of LMS:0 and RAP-DHCP-Server:c0a80b00
    [2826]1969-12-31 16:01:16 sapd_redun_config_dnsmasq: Rewrite dnsmasq config file
    [2826]1969-12-31 16:01:16 Killing dnsmasq. Config changed.
    [2826]1969-12-31 16:01:16 bringup_ld_bridge_ports: LD: Bringing down ports
    [2826]1969-12-31 16:01:16 bringup_ld_bridge_ports: LD: No ports brought up for LD
    [2826]1969-12-31 16:01:16 get_usb_type: usb_type is 0
    [2826]1969-12-31 16:01:16 redun_init:3566 - Ignoring tunnel down signal
    [2826]1969-12-31 16:01:16 redun_init_tunnel_master: sapd_cur_lms=0 setting up primary tunnel sapd_lms_addrs[0]=0.0.0.0
    [2826]1969-12-31 16:01:16 sapd_setup_uplink: ETHERNET Link state is 1
    [2826]1969-12-31 16:01:16 sapd_setup_uplink: Using uplink ETHERNET
    [2826]1969-12-31 16:01:16 Setting up IP over ethernet
    [2826]1969-12-31 16:01:18 IP over ethernet Successful
    [2826]1969-12-31 16:01:18 Got IP over ethernet: 192.168.100.244
    [2826]1969-12-31 16:01:18 redun_configure_fw: offline.native_vlan=0 vlan=1
    [2826]1969-12-31 16:01:18 redun_configure_fw:2053 gw=192.168.100.222 ifname=br0
    [2826]1969-12-31 16:01:18 sapd_add_lms_by_name: Resolving: 47.104.193.111
    [2826]1969-12-31 16:01:18 sapd_add_lms_by_addr: Resolved-IP: sapd_lms_addrs[0] = 47.104.193.111
    [2826]1969-12-31 16:01:18 sapd_set_lms: newip=47.104.193.111, sapd_lms.ipaddr=47.104.193.111, sapd_lms_switchip[0]=0.0.0.0, sapd_lms_addrs[0]=47.104.193.111
    [2826]1969-12-31 16:01:18 restarting syslog/ntp
    [2826]1969-12-31 16:01:19 setup_dhcp: sapd_am_init succeeded
    [2826]1969-12-31 16:01:19 setup_ipsec: sapd_num_lms=1 sapd_cur_lms=0 ip=47.104.193.111, client=0
    [2826]1969-12-31 16:01:19 setup_ipsec: sapd_local_ip 192.168.100.244 netmask 255.255.255.0
    [2826]1969-12-31 16:01:19 setup_ipsec: adding route ip 47.104.193.111 mask 255.255.255.255 gw 192.168.100.222 interface br0
    [2826]1969-12-31 16:01:19 setup_ipsec: deleting route to ip 47.104.193.111 interface tun0
    [2826]1969-12-31 16:01:19 setup_ipsec: deleting route to ip 47.104.193.111 interface tun1
    [2826]1969-12-31 16:01:19 setup_ipsec: deleting route to ip 47.104.193.111 interface tun2
    [2826]1969-12-31 16:01:19 sapd_bk_init_vap_cfg[384] radio 0
    [2826]1969-12-31 16:01:19 sapd_bk_init_vap_cfg[384] radio 1
    [2826]1969-12-31 16:01:19 sapd_proc_redun_msg: recv restart message from rapper, reset ipsec tunnel
    [2826]1969-12-31 16:01:19 R>> Received RC_OPCODE_PPP_UP lms 47.104.193.111 tunnel 172.16.200.24 srcdev br0
    [2826]1969-12-31 16:01:20 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_TUNNEL_UP Next state REDUN_STATE_TUNNEL_LMS
    [2826]1969-12-31 16:01:20 Tunnel 0 up, tun tun0, papi port 8423, ip 172.16.200.24, srcdev br0
    [2826]1969-12-31 16:01:20 redun_tunnel_up: LMS is not VRRP. unsetting is_lms_ip_vrrp flag

    [2826]1969-12-31 16:01:20 sapd_set_lms: newip=172.31.4.51, sapd_lms.ipaddr=172.31.4.51, sapd_lms_switchip[0]=172.31.4.51, sapd_lms_addrs[0]=47.104.193.111
    [2826]1969-12-31 16:01:20 restarting syslog/ntp
    [2826]1969-12-31 16:01:20 redun_tunnel_up: sapd_local_ip: 192.168.100.244 netmask: 255.255.255.0 switch-ip: 172.31.4.51
    [2826]1969-12-31 16:01:28 SAPD log_to_file_lvl set to emerg(0)
    [2826]1969-12-31 16:05:20 sapd_next_lms: HELLO-TIMEOUT. Bringing tunnel down
    [2826]1969-12-31 16:05:20 State REDUN_STATE_TUNNEL_LMS Event REDUN_EVENT_TUNNEL_DOWN Next state REDUN_STATE_TUNNEL_LMS
    [2826]1969-12-31 16:05:20 redun_tunnel_down: client not found lms:172.31.4.51
    [2826]1969-12-31 16:05:20 State REDUN_STATE_TUNNEL_LMS Event REDUN_EVENT_RETRY Next state REDUN_STATE_TUNNEL_LMS
    [2826]1969-12-31 16:05:20 redun_retry_tunnel: setting up tunnel to 0, retry=2 curr-dhcp-retry:0 total-dhcp-retry:0
    [2826]1969-12-31 16:05:20 sapd_setup_uplink: ETHERNET Link state is 1
    [2826]1969-12-31 16:05:20 sapd_setup_uplink: Using uplink ETHERNET
    [2826]1969-12-31 16:05:20 sapd_check_eth_connectivity: syscmd is ping -c 2 192.168.100.222
    [2826]1969-12-31 16:05:21 sapd_check_rap_dhcp_pool: Subnets of LMS:2f68c100 and RAP-DHCP-Server:c0a80b00
    [2826]1969-12-31 16:05:21 sapd_redun_config_dnsmasq: Rewrite dnsmasq config file
    [2826]1969-12-31 16:05:21 setup_ipsec: sapd_num_lms=1 sapd_cur_lms=0 ip=47.104.193.111, client=0
    [2826]1969-12-31 16:05:21 setup_ipsec: sapd_local_ip 192.168.100.244 netmask 255.255.255.0
    [2826]1969-12-31 16:05:21 setup_ipsec: adding route ip 47.104.193.111 mask 255.255.255.255 gw 192.168.100.222 interface br0
    [2826]1969-12-31 16:05:21 setup_ipsec: deleting route to ip 47.104.193.111 interface tun0
    [2826]1969-12-31 16:05:21 setup_ipsec: deleting route to ip 47.104.193.111 interface tun1
    [2826]1969-12-31 16:05:21 setup_ipsec: deleting route to ip 47.104.193.111 interface tun2
    [2826]1969-12-31 16:05:21 R>> Received RC_OPCODE_PPP_DOWN lms 47.104.193.111 tunnel 172.16.200.24 srcdev br0
    [2826]1969-12-31 16:06:02 R>> Received RC_OPCODE_ERROR lms 47.104.193.111 tunnel 0.0.0.0 srcdev br0RC_ERROR_IKEP1
    [2826]1969-12-31 16:06:21 State REDUN_STATE_TUNNEL_LMS Event REDUN_EVENT_TUNNEL_UP_TIMEOUT Next state REDUN_STATE_TUNNEL_LMS
    [2826]1969-12-31 16:06:21 redun_retry_tunnel: setting up tunnel to 0, retry=3 curr-dhcp-retry:0 total-dhcp-retry:0
    [2826]1969-12-31 16:06:21 sapd_setup_uplink: ETHERNET Link state is 1
    [2826]1969-12-31 16:06:21 sapd_setup_uplink: Using uplink ETHERNET
    [2826]1969-12-31 16:06:21 sapd_check_eth_connectivity: syscmd is ping -c 2 192.168.100.222
    [2826]1969-12-31 16:06:22 sapd_check_rap_dhcp_pool: Subnets of LMS:2f68c100 and RAP-DHCP-Server:c0a80b00
    [2826]1969-12-31 16:06:22 sapd_redun_config_dnsmasq: Rewrite dnsmasq config file
    [2826]1969-12-31 16:06:22 setup_ipsec: sapd_num_lms=1 sapd_cur_lms=0 ip=47.104.193.111, client=0
    [2826]1969-12-31 16:06:22 setup_ipsec: sapd_local_ip 192.168.100.244 netmask 255.255.255.0
    [2826]1969-12-31 16:06:22 setup_ipsec: adding route ip 47.104.193.111 mask 255.255.255.255 gw 192.168.100.222 interface br0
    [2826]1969-12-31 16:06:22 setup_ipsec: deleting route to ip 47.104.193.111 interface tun0
    [2826]1969-12-31 16:06:22 setup_ipsec: deleting route to ip 47.104.193.111 interface tun1
    [2826]1969-12-31 16:06:22 setup_ipsec: deleting route to ip 47.104.193.111 interface tun2
    [2826]1969-12-31 16:06:57 R>> Received RC_OPCODE_PPP_UP lms 47.104.193.111 tunnel 172.16.200.25 srcdev br0
    [2826]1969-12-31 16:06:57 State REDUN_STATE_TUNNEL_LMS Event REDUN_EVENT_TUNNEL_UP Next state REDUN_STATE_UP
    [2826]1969-12-31 16:06:57 Tunnel 0 up, tun tun0, papi port 8423, ip 172.16.200.25, srcdev br0
    [2826]1969-12-31 16:06:57 redun_tunnel_up: LMS is not VRRP. unsetting is_lms_ip_vrrp flag

    [2826]1969-12-31 16:06:58 sapd_set_lms: newip=172.31.4.51, sapd_lms.ipaddr=172.31.4.51, sapd_lms_switchip[0]=172.31.4.51, sapd_lms_addrs[0]=47.104.193.111
    [2826]1969-12-31 16:06:58 restarting syslog/ntp
    [2826]1969-12-31 16:06:58 redun_tunnel_up: sapd_local_ip: 192.168.100.244 netmask: 255.255.255.0 switch-ip: 172.31.4.51
    /tmp #