Wireless Access

Frequent Contributor I

ArubaGRE between IAP and Controller

I have an IAP-315 that is managed through Central, and I'm trying to create an L2 GRE tunnel to an Aruba 7005 controller to tunnel a Guest network to the remote AP.

 

I want to continue using Central to manage the APs and only use the controller to terminate GRE tunnels from remote IAP clusters.

 

Currently in my lab I only have this single IAP and a controller:

IAP IP: 192.168.100.111/23

IAP VC IP: 192.168.101.250/23

Controller IP: 192.168.52.251

 

Routing between the AP and the Controller is through a Palo Alto firewall that is allowing GRE and UDP/4500 bidirectionally, and I don't see anything blocked.

 

I've successfully managed to configure a Manual GRE tunnel to achieve what I want, but I'm now trying to get ArubaGRE/Automatic GRE working and am not being very successful.

 

On the controller I've configured:

 

 

interface gigabitethernet 0/0/1
   description "GuestWiFi"
   trusted
   trusted vlan 1-4094
   switchport access vlan 114

whitelist-db rap add mac-address 34:fc:b9:c6:6a:22 ap-group default
iap trusted-branch-db allow-all
ip local pool "rapng" 172.16.1.100 172.16.1.200

 

Licenses:

Access Points: 1

Next Generation Policy Enforcement Firewall Module: 1

 

Controller Version:  6.4.3.8

IAP Version: 6.5.1.0-4.3.1.1

 

(ArubaCTL) #show user

Users
-----
    IP                MAC            Name              Role              Age(d:h:m)  Auth  VPN link         AP name  Roaming  Essid/Bssid/Phy  Profile      Forward mode  Type  Host Name
----------       ------------       ------             ----              ----------  ----  --------         -------  -------  ---------------  -------      ------------  ----  ---------
192.168.100.111  00:00:00:00:00:00                     logon             00:01:49    VPN                    N/A                                             tunnel              
172.16.1.107     00:00:00:00:00:00  34:fc:b9:c6:6a:22  default-vpn-role  00:00:00    VPN   192.168.100.111  N/A                                default-iap  tunnel              

User Entries: 2/2
 Curr/Cum Alloc:2/211 Free:0/209 Dyn:2 AllocErr:0 FreeErr:0

(ArubaCTL) #show iap table

Trusted Branch Validation: Disabled
IAP Branch Table
----------------
Name  VC MAC Address  Status  Inner IP  Assigned Subnet  Assigned Vlan
----  --------------  ------  --------  ---------------  -------------

Total No of UP Branches   : 0
Total No of DOWN Branches : 0
Total No of Branches      : 0

(ArubaCTL) #show packet-capture controlpath-pcap 

14:14:30.685389 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: parent_sa ikev2_init[I]
14:14:30.685670 IP 192.168.52.251.4500 > 192.168.100.111.64604: NONESP-encap: isakmp: parent_sa ikev2_init[R]
14:14:30.687886 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: parent_sa ikev2_init[I]
14:14:30.689738 IP 192.168.52.251.4500 > 192.168.100.111.64604: NONESP-encap: isakmp: parent_sa ikev2_init[R]
14:14:31.155025 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:14:31.155122 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:14:31.155175 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:14:31.155227 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:14:31.155281 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]

(ArubaCTL) #show log security  50 | include INFO
Apr 3 15:47:35 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=34:fc:b9:c6:6a:22 
Apr 3 06:47:35 :103082:  <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.1.108 (External 192.168.100.111) for default-vpn-role
Apr 3 06:47:35 :103077:  <INFO> |ike|  IKEv2 IKE_SA succeeded for peer 192.168.100.111:53201
Apr 3 06:47:35 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53201
Apr 3 06:47:35 :103078:  <INFO> |ike|  IKEv2 CHILD_SA successful for peer 192.168.100.111:53201
Apr 3 06:48:06 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:48:06 :103102:  <INFO> |ike|  IKE SA deleted for peer 192.168.100.111
Apr 3 15:48:06 :124038:  <INFO> |authmgr|  Reused server Internal for method=VPN; user=34:fc:b9:c6:6a:22,  essid=<>, domain=<>, server-group=default
Apr 3 06:48:06 :133005:  <INFO> |localdb|  User 34:fc:b9:c6:6a:22  Successfully Authenticated
Apr 3 15:48:06 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=34:fc:b9:c6:6a:22 
Apr 3 06:48:06 :103082:  <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.1.109 (External 192.168.100.111) for default-vpn-role
Apr 3 06:48:06 :103077:  <INFO> |ike|  IKEv2 IKE_SA succeeded for peer 192.168.100.111:53203
Apr 3 06:48:06 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53203
Apr 3 06:48:06 :103078:  <INFO> |ike|  IKEv2 CHILD_SA successful for peer 192.168.100.111:53203
Apr 3 06:48:36 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:48:36 :103102:  <INFO> |ike|  IKE SA deleted for peer 192.168.100.111
Apr 3 15:48:36 :124038:  <INFO> |authmgr|  Reused server Internal for method=VPN; user=34:fc:b9:c6:6a:22,  essid=<>, domain=<>, server-group=default
Apr 3 06:48:36 :133005:  <INFO> |localdb|  User 34:fc:b9:c6:6a:22  Successfully Authenticated
Apr 3 15:48:36 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=34:fc:b9:c6:6a:22 
Apr 3 06:48:36 :103082:  <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.1.110 (External 192.168.100.111) for default-vpn-role
Apr 3 06:48:36 :103077:  <INFO> |ike|  IKEv2 IKE_SA succeeded for peer 192.168.100.111:53205
Apr 3 06:48:36 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53205
Apr 3 06:48:36 :103078:  <INFO> |ike|  IKEv2 CHILD_SA successful for peer 192.168.100.111:53205
Apr 3 06:49:06 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:49:06 :103102:  <INFO> |ike|  IKE SA deleted for peer 192.168.100.111

From the IAP I never see the VPN getting established though:

34:fc:b9:c6:6a:22# show vpn status


profile name:default
--------------------------------------------------
current using tunnel                            :unselected tunnel
current tunnel using time                       :0
ipsec is preempt status                         :disable
ipsec is fast failover status                   :disable
ipsec hold on period                            :600s
ipsec tunnel monitor frequency (seconds/packet) :5
ipsec tunnel monitor timeout by lost packet cnt :6

ipsec     primary tunnel crypto type            :Cert
ipsec     primary tunnel peer address           :192.168.52.251
ipsec     primary tunnel peer tunnel ip         :0.0.0.0
ipsec     primary tunnel ap tunnel ip           :0.0.0.0
ipsec     primary tunnel using interface        :
ipsec     primary tunnel using MTU              :0
ipsec     primary tunnel current sm status      :Retrying
ipsec     primary tunnel tunnel status          :Down
ipsec     primary tunnel tunnel retry times     :101
ipsec     primary tunnel tunnel uptime          :0

ipsec      backup tunnel crypto type            :Cert
ipsec      backup tunnel peer address           :N/A
ipsec      backup tunnel peer tunnel ip         :N/A
ipsec      backup tunnel ap tunnel ip           :N/A
ipsec      backup tunnel using interface        :N/A
ipsec      backup tunnel using MTU              :N/A
ipsec      backup tunnel current sm status      :Init
ipsec      backup tunnel tunnel status          :Down
ipsec      backup tunnel tunnel retry times     :0
ipsec      backup tunnel tunnel uptime          :0

34:fc:b9:c6:6a:22# show log vpn-tunnel 30

2017-04-03 16:00:13 [primary tunnel] tunnel_start_up_timer(786): tunnel primary tunnel start up timer
2017-04-03 16:00:13 [primary tunnel] tunnel_stop_up_timer(651): stop up timer.
2017-04-03 16:00:14 [primary tunnel] cli_proc_rapper_msg(864): Receive rapper msg from 59168 port.
2017-04-03 16:00:14 [primary tunnel] Error!!!: Received RC_OPCODE_ERROR lms 192.168.52.251 tunnel 0.0.0.0 RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
2017-04-03 16:00:14 tunnel_err_msg_recv 1624: Cause tunnel down by ipsec error, index primary tunnel
2017-04-03 16:00:43 [primary tunnel] tunnel_up_timeout(723): tunnel primary tunnel up timeout.
2017-04-03 16:00:43 [primary tunnel] tunnel_up_timeout(769): primary tunnel tunnel is not up by retry 105 times, the max retry times on one tunnel is 2.  try itself
2017-04-03 16:00:43 [primary tunnel] State TUNNEL_STATE_RETRY Event TUNNEL_EVENT_TUNNEL_RETRY Next state TUNNEL_STATE_RETRY
2017-04-03 16:00:43 [primary tunnel] tunnel_retry(201): tunnel primary tunnel, type ipsec tunnel, peer public address 192.168.52.251
2017-04-03 16:00:43 [primary tunnel] tunnel_retry(222): setting up tunnel to primary tunnel, retry=106
2017-04-03 16:00:43 [primary tunnel] ipsec_tunnel_connect(1384): connect to primary tunnel, peer address 192.168.52.251. 
2017-04-03 16:00:43 [primary tunnel] ipsec_tunnel_connect(1390): stop primary tunnel first before connect to it
2017-04-03 16:00:43 [primary tunnel] stop_rapper: client->pid=29638, tunnel public ip 0.0.0.0, peer tunnel ip 0.0.0.0, tunnel ip 0.0.0.0, port 8423
2017-04-03 16:00:43 [primary tunnel] stop_rapper(1324): Kill client->pid=29638.
2017-04-03 16:00:43 [primary tunnel] stop_rapper(1345): Waiting until the client 29638 is killed 
2017-04-03 16:00:43 [primary tunnel] stop_rapper(1357): result of wait4 29638 for pid (client->pid) 29638
2017-04-03 16:00:43 [primary tunnel] ipsec_tunnel_connect(1410): primary tunnel, cli_local_ip 192.168.100.111 netmask 255.255.254.0
2017-04-03 16:00:43 addroute(490):Dst fb34a8c0 mask 0 gw fe64a8c0
2017-04-03 16:00:43 set_route_af: ioctl (SIOCADDRT) failed error no(17)
2017-04-03 16:00:43 [primary tunnel] ipsec_tunnel_connect(1431): add route table destination 192.168.52.251, gw 192.168.100.254, interface br0.
2017-04-03 16:00:43 [primary tunnel] Starting rapper with lifetime p1 = 28000 p2 = 7200
2017-04-03 16:00:43 [primary tunnel] Starting IAP rapper 0 to 192.168.52.251:8423 attmpt 0
2017-04-03 16:00:43 [primary tunnel] lauch rapper command: rapper -c 192.168.52.251 -b 1 -i br0 -x -G 0 -r 8423 -l 28000 -L 7200 -w 1 -o /tmp/rapper.txt
2017-04-03 16:00:43 [primary tunnel] Eth - Populate the PID 29936 in file /tmp/rapper_pid_1
2017-04-03 16:00:43 [primary tunnel] tunnel_retry(277): setting up tunnel to primary tunnel, success.
2017-04-03 16:00:43 [primary tunnel] tunnel_start_up_timer(786): tunnel primary tunnel start up timer
2017-04-03 16:00:43 [primary tunnel] tunnel_stop_up_timer(651): stop up timer.
2017-04-03 16:00:44 [primary tunnel] cli_proc_rapper_msg(864): Receive rapper msg from 59168 port.
2017-04-03 16:00:44 [primary tunnel] Error!!!: Received RC_OPCODE_ERROR lms 192.168.52.251 tunnel 0.0.0.0 RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
2017-04-03 16:00:44 tunnel_err_msg_recv 1624: Cause tunnel down by ipsec error, index primary tunnel


34:fc:b9:c6:6a:22# show log rapper

Insert Timer  type 1 Sec 70 uSec 0 
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created

#RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14

 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
 exchange=IKE_AUTH msgid=1 len=896
ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-90023
 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
 exchange=IKE_AUTH msgid=1 len=896
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created

#RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14

 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
 exchange=IKE_AUTH msgid=1 len=896
ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-90023
 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
 exchange=IKE_AUTH msgid=1 len=896
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created

#RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14

 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
 exchange=IKE_AUTH msgid=1 len=896
ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-90023
 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
 exchange=IKE_AUTH msgid=1 len=896
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created

#RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14

 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
 exchange=IKE_AUTH msgid=1 len=896
ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-90023
 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
 exchange=IKE_AUTH msgid=1 len=896
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created

#RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14

 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
 exchange=IKE_AUTH msgid=1 len=896
ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-90023
 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
 exchange=IKE_AUTH msgid=1 len=896
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created

#RECV 816 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14

 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
 exchange=IKE_AUTH msgid=1 len=812
ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-90023
 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
 exchange=IKE_AUTH msgid=1 len=812
Apr 03, 16:00:14: IKE2_fragRecv Rcvd all 7 fragments

Delete Timer Type 1 
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created

#RECV 5968 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14

 spi={d80a77acff556c34 3b0bcd03eaf5d009} np=E{IDr}
 exchange=IKE_AUTH msgid=1 len=5964
  I <--
Apr 03, 16:00:14: InId: cert_DN in ID Payload:CN=CP0016110::00:0b:86:bf:77:70 wIdLen=54
Apr 03, 16:00:14: InId:6974 ERROR: failed to read /tmp/is_cert_rap
Apr 03, 16:00:14: |ocsp| check_rap = 0
Apr 03, 16:00:14: |ocsp| check_rap = 0
Apr 03, 16:00:14: |ocsp| check_rap = 0
Apr 03, 16:00:14: |ocsp| check_rap = 0
Apr 03, 16:00:14: sort_certificate_chain: Size of certificate chain to be sorted: 4
Apr 03, 16:00:14: sort_certificate_chain: Current cert index being considered: 0
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 1 is an issuer cert for cert at  index 0
Apr 03, 16:00:14: sort_certificate_chain: Current cert index being considered: 1
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 0 is not an issuer cert for cert at  index 1
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 2 is an issuer cert for cert at  index 1
Apr 03, 16:00:14: sort_certificate_chain: Current cert index being considered: 2
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 0 is not an issuer cert for cert at  index 2
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 1 is not an issuer cert for cert at  index 2
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 3 is an issuer cert for cert at  index 2
Apr 03, 16:00:14: sort_certificate_chain: Current cert index being considered: 3
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 0 is not an issuer cert for cert at  index 3
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 1 is not an issuer cert for cert at  index 3
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 2 is not an issuer cert for cert at  index 3
Apr 03, 16:00:14: sort_certificate_chain: Last cert has n parent in chain
Apr 03, 16:00:14: CERT_ComputeCertificateHash: status :0
Apr 03, 16:00:14: CERT_verifyRSACertSignature: comparison result 0
Apr 03, 16:00:14: CERT_ComputeCertificateHash: status :0
Apr 03, 16:00:14: CERT_verifyRSACertSignature: comparison result 0
Apr 03, 16:00:14: CERT_ComputeCertificateHash: status :0
Apr 03, 16:00:14: CERT_verifyRSACertSignature: comparison result 0
Apr 03, 16:00:14: IKE_certGetKey(peer:c0a834fb): isCSS:0 Check in ArubaTrustedCaCerts, numCaCerts:2
Apr 03, 16:00:14: IKE_certGetKey(): Cert trying ArubaTrustedCaCerts[0]
Apr 03, 16:00:14: IKE_certGetKey(): verify the validity
Apr 03, 16:00:14: IKE_certGetKey(): Cert trying ArubaTrustedCaCerts[1]
Apr 03, 16:00:14: IKE_certGetKey(): verify the validity
Apr 03, 16:00:14: CERT_ComputeCertificateHash: status :0
Apr 03, 16:00:14: CERT_verifyRSACertSignature: comparison result 0
Apr 03, 16:00:14: IKE_certGetKey(): iset the key value 0x1fdf6a4
ike2_state.c (5861): errorCode = ERR_RSA_DECRYPTION
Apr 03, 16:00:14: IKE_SAMPLE_ikeStatHdlr(CHILD_SA): dwPeerAddr:c0a834fb index:0 mPeerType:0
Apr 03, 16:00:14: IKE SA failed reason = ERR_RSA_DECRYPTION, errorcode = -7702 ikeVer 2
Apr 03, 16:00:14: send_sapd_error: InnerIP:0  error:50 debug_error:0

Apr 03, 16:00:14: send_sapd_error: error:50 debug_error:0

Apr 03, 16:00:14: rapper_log_error: buf = d8 0a 77 ac ff 55 6c 34 32


Apr 03, 16:00:14: |ocsp| IKE2_delSa: 1008
Apr 03, 16:00:14: IKE_SAMPLE_ikeStatHdlr(SA): dwPeerAddr:c0a834fb index:0 mPeerType:0
Apr 03, 16:00:14: IKE_SA [v2 I] (id=0x9bd8093a) flags 0x41000015 failed reason = ERR_RSA_DECRYPTION, errorcode = -7702
Apr 03, 16:00:14: IKE_SAMPLE_ikeStatHdlr(IST_FAIL): g_ikeversion:2
Apr 03, 16:00:14: |ocsp| IKE2_delSa: 1090
Apr 03, 16:00:14: |ocsp| ap_remove_certmgr_packet: start
Timer ID: 1 Deleted 
Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-7702
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: |ocsp| cleanup_context_data:1984
Apr 03, 16:00:14: IKE2_msgRecv:1561 status=-7702
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: |ocsp| cleanup_context_data:1984
rapperSendStatusCB

Any suggestions on how to further troubleshoot the issue?

 

Frequent Contributor I

Re: ArubaGRE between IAP and Controller

I should add that I had to perform a factory reset of the controller. After that it complains on every login:

Ancillary files are not present
*********************************************************************
* WARNING:  An additional image upgrade is required to complete the *
* installation of the AP and WebUI files. Please upgrade the boot   *
* partition again and reload the controller.                        *
*********************************************************************

Could this be the root cause of my problems? I'm currently struggling with getting the product registered properly so I can download the firmware, as Google says to replay the firmware twice to resolve that issue :)

Aruba Employee

Re: ArubaGRE between IAP and Controller

Hi,

 

This could very well be related to the error that you are seeing about missing files.

 

Can you please check the output for :

"show tpm cert-info"

 

It could be related to tpm cert corruption on the controller side.

Frequent Contributor I

Re: ArubaGRE between IAP and Controller

I've now upgraded the controller to 6.5.1.4 and no longer have the error message about missing files. Same status on the VPN though.

 

(ArubaCTL) #show tpm cert-info
=====================================
TPM manufacturing factory certificate
=====================================
subject= /CN=CP0016110::00:0b:86:bf:77:70
issuer= /DC=com/DC=arubanetworks/DC=dc-device-ca5/CN=device-ca5
serial=2C1C909700000083A306
notBefore=Aug  8 16:28:05 2016 GMT
notAfter=Sep 14 03:21:14 2032 GMT
=====================================
Generated Factory certificate
=====================================
subject= /CN=CP0016110::00:0b:86:bf:77:70/L=SW
issuer= /CN=CP0016110::00:0b:86:bf:77:70
serial=2C1C909700000083A306
notBefore=Aug  8 16:28:05 2016 GMT
notAfter=Sep 14 03:21:14 2032 GMT

But I think you're on the right track with the certificates, as the IAP complains about RSA DECRYPTION:

2017-04-03 21:39:01 [primary tunnel] Error!!!: Received RC_OPCODE_ERROR lms 192.168.52.251 tunnel 0.0.0.0 RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED

Do I have to enable Auto Cert Provisioning on the Controller?

 

(ArubaCTL) #show control-plane-security

Control Plane Security Profile
------------------------------
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Disabled
Auto Cert Allow All          Enabled
Auto Cert Allowed Addresses  N/A

I tried to disable CPsec in the hope that certificates would not be needed at all, but the IAP logs show the same errors anyway.

Frequent Contributor I

Re: ArubaGRE between IAP and Controller

From the controller side everything looks good as far as I can see. Both IPsec P1 and P2 seem to establish successfully, but the IAP never seems to be happy and keeps restarting the tunnel, requesting a new "Inner IP" each time:

 

 

(ArubaCTL) #show crypto ipsec sa

IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
192.168.20.103   192.168.52.251   4a9d4800/edda1c00  UT2   Apr  3 22:18:18   172.16.1.172

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 1

(ArubaCTL) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
192.168.20.103   192.168.52.251 r-v2-c-I  Apr  3 22:18:18   172.16.1.172


(ArubaCTL) #show crypto ipsec sa


IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
192.168.20.103   192.168.52.251   e29cbf00/a924db00  UT2   Apr  3 22:18:48   172.16.1.173

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 1

(ArubaCTL) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
192.168.20.103   192.168.52.251 r-v2-c-I  Apr  3 22:18:48   172.16.1.173
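The pattern in this post and in the first post's "show log security" output (every attempt logged as a success on the controller, then torn down about 30 seconds later with a fresh inner IP from the pool) is easy to miss when reading the log top to bottom. The script below is an added example, not code from the thread or from Aruba: it pairs each "IKEv2 IPSEC Tunnel created" line with the following "IPSEC SA deleted" line for the same external peer and reports peers whose tunnels keep dying within a short window, together with the inner IPs consumed along the way. The log format is taken from the lines quoted in the thread; the log year (2017) is assumed because syslog timestamps carry none, and the sample input is the thread's own |ike| lines.

```python
"""Triage an ArubaOS 'show log security' excerpt for IKEv2 tunnels that come up
and are torn down again seconds later (added example, not the thread's code)."""
import re
from collections import defaultdict
from datetime import datetime

# ArubaOS security-log line: "Apr 3 06:47:35 :103082:  <INFO> |ike|  message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) :(?P<msgid>\d+):\s+"
    r"<(?P<level>\w+)> \|(?P<proc>\w+)\|\s+(?P<msg>.*)$")
AUTH_RE = re.compile(
    r"IKEv2 Client-Authentication succeeded for (?P<inner>[\d.]+) \(External (?P<peer>[\d.]+)\)")
CREATED_RE = re.compile(r"IKEv2 IPSEC Tunnel created for peer (?P<peer>[\d.]+):(?P<port>\d+)")
DELETED_RE = re.compile(r"IPSEC SA deleted for peer (?P<peer>[\d.]+)")


def parse_ts(ts, year=2017):
    """Syslog timestamps have no year; 2017 is assumed to match the thread."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def ike_sessions(lines, year=2017):
    """Return {external_peer: [session, ...]}; each session records the inner IP,
    NAT-T source port, start/end timestamps and lifetime in seconds.
    A session without a matching delete keeps end=None and lifetime=None."""
    pending_inner = {}      # peer -> inner IP from the last Client-Authentication line
    open_session = {}       # peer -> session waiting for its 'SA deleted' line
    sessions = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m.group("proc") != "ike":
            continue        # skip authmgr/localdb lines and anything malformed
        ts, msg = parse_ts(m.group("ts"), year), m.group("msg")
        if (a := AUTH_RE.search(msg)):
            pending_inner[a.group("peer")] = a.group("inner")
        elif (c := CREATED_RE.search(msg)):
            peer = c.group("peer")
            s = {"peer": peer, "port": int(c.group("port")),
                 "inner": pending_inner.pop(peer, None),
                 "start": ts, "end": None, "lifetime": None}
            open_session[peer] = s
            sessions[peer].append(s)
        elif (d := DELETED_RE.search(msg)):
            s = open_session.pop(d.group("peer"), None)
            if s is not None:
                s["end"] = ts
                s["lifetime"] = int((ts - s["start"]).total_seconds())
    return dict(sessions)


def flapping_peers(sessions, max_lifetime=60, min_count=2):
    """Peers with at least min_count tunnels that died within max_lifetime seconds.
    Returns {peer: {"count": n, "inner_ips": [...], "max_lifetime": secs}}."""
    report = {}
    for peer, sess in sessions.items():
        short = [s for s in sess if s["lifetime"] is not None and s["lifetime"] <= max_lifetime]
        if len(short) >= min_count:
            report[peer] = {"count": len(short),
                            "inner_ips": [s["inner"] for s in short],
                            "max_lifetime": max(s["lifetime"] for s in short)}
    return report


# Sample input: the |ike| lines quoted in the thread's 'show log security' output.
SAMPLE_LOG = """\
Apr 3 06:47:35 :103082:  <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.1.108 (External 192.168.100.111) for default-vpn-role
Apr 3 06:47:35 :103077:  <INFO> |ike|  IKEv2 IKE_SA succeeded for peer 192.168.100.111:53201
Apr 3 06:47:35 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53201
Apr 3 06:47:35 :103078:  <INFO> |ike|  IKEv2 CHILD_SA successful for peer 192.168.100.111:53201
Apr 3 06:48:06 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:48:06 :103102:  <INFO> |ike|  IKE SA deleted for peer 192.168.100.111
Apr 3 06:48:06 :103082:  <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.1.109 (External 192.168.100.111) for default-vpn-role
Apr 3 06:48:06 :103077:  <INFO> |ike|  IKEv2 IKE_SA succeeded for peer 192.168.100.111:53203
Apr 3 06:48:06 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53203
Apr 3 06:48:06 :103078:  <INFO> |ike|  IKEv2 CHILD_SA successful for peer 192.168.100.111:53203
Apr 3 06:48:36 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:48:36 :103102:  <INFO> |ike|  IKE SA deleted for peer 192.168.100.111
Apr 3 06:48:36 :103082:  <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.1.110 (External 192.168.100.111) for default-vpn-role
Apr 3 06:48:36 :103077:  <INFO> |ike|  IKEv2 IKE_SA succeeded for peer 192.168.100.111:53205
Apr 3 06:48:36 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53205
Apr 3 06:48:36 :103078:  <INFO> |ike|  IKEv2 CHILD_SA successful for peer 192.168.100.111:53205
Apr 3 06:49:06 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:49:06 :103102:  <INFO> |ike|  IKE SA deleted for peer 192.168.100.111
"""

if __name__ == "__main__":
    for peer, info in flapping_peers(ike_sessions(SAMPLE_LOG.splitlines())).items():
        print(f"{peer}: {info['count']} tunnels, each up for <= {info['max_lifetime']}s; "
              f"inner IPs consumed: {', '.join(info['inner_ips'])}")
```

On the thread's lines this reports one peer, 192.168.100.111, with three tunnels that each lived 30 to 31 seconds and walked through 172.16.1.108, .109 and .110 from the "rapng" pool. The point of pairing create and delete events rather than grepping for "succeeded" is that the controller side never logs a failure here; the only controller-side evidence of the IAP's RSA decryption error is the short lifetime and the steady consumption of inner addresses, which is also why the "show crypto ipsec sa" output above shows a different Inner IP each time it is run.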

 

Aruba Employee

Re: ArubaGRE between IAP and Controller

If possible (given it is a lab setup), please try converting the IAP into a RAP and see if it comes up.

 

As you have said, manual GRE works fine. The issue is only seen with AutoGRE.

 

The main difference between manual and Auto-GRE is the use of IPSEC traffic in Auto-GRE.

 

RAP also makes use of IPSEC.

 

 

Frequent Contributor I

Re: ArubaGRE between IAP and Controller

Thanks, I'll try to find some time today to test that. First I'll test putting the IAP on the same subnet as the controller to bypass the firewall, just to make sure it's not messing with the traffic, as I do see references to packets being fragmented, but afaics this option is not enabled in their firewall:

 

https://live.paloaltonetworks.com/t5/Management-Articles/VPN-session-does-not-come-up-when-passing-through-a-Palo-Alto/ta-p/66025

 

Another question: most guides say I need to create a new user-role and apply it to default-iap, so I've created:

 

ip access-list session iaprole
   any any any permit
user-role iaprole
    session-acl iaprole

However when I try to apply this to aaa authentication vpn default-iap, there is no knob called default-role:

 

(ArubaCTL) (config) #aaa authentication vpn default-iap
(ArubaCTL) (VPN Authentication Profile "default-iap") #server-group default
(ArubaCTL) (VPN Authentication Profile "default-iap") #default-role iaprole
                                                                    ^
% Invalid input detected at '^' marker.


(ArubaCTL) (VPN Authentication Profile "default-iap") #?
cert-cn-lookup          Check certificate common name against AAA server.
                        Default is enabled.
clone                   Copy data from another VPN Authentication Profile
export-route            Whether to export server-returned VPN ip address as
                        a route to external world.  Default is enabled.
max-authentication-fa.. Maximum auth failures before user is blacklisted.
                        Range: 1-10. Default: 0.
no                      Delete Command
pan-integration         Require IP mapping at Palo Alto Networks firewalls
radius-accounting       Configure server group for radius accounting
server-group            Name of server group
user-idle-timeout       User idle timeout value. Valid range is 30-15300
                        seconds in multiples of 30 seconds

Is this step no longer needed, or do you know why I don't have this knob?

Frequent Contributor I

Re: ArubaGRE between IAP and Controller

I've now tested deploying a new IAP-315 on the same IP subnet as the controller, so the firewall is not involved, but it shows the exact same symptoms.

Frequent Contributor I

Re: ArubaGRE between IAP and Controller

I've tried to convert one IAP-315 to RAP with:

convert-aos-ap RAP 192.168.52.251

But it fails to create the VPN tunnel to the controller:

Apr  4 11:35:22  cli[24405]: <341101> <WARN> |AP 34:fc:b9:c6:6a:22@192.168.100.111 cli|  Execute command-convert-aos-ap RAP 192.168.52.251.
Apr  4 11:35:22  cli[3407]: <341098> <WARN> |AP 34:fc:b9:c6:6a:22@192.168.100.111 cli|  recv_convert_ap: Convert AP url-, mode-1, master-192.168.52.251.
Apr  4 11:35:22  cli[3407]: <341182> <WARN> |AP 34:fc:b9:c6:6a:22@192.168.100.111 cli|  Setup vpn for rap conversion - 192.168.52.251.
Apr  4 11:36:24  cli[3407]: <341184> <WARN> |AP 34:fc:b9:c6:6a:22@192.168.100.111 cli|  Downloading rap image via vpn timeout - count 21.

Frequent Contributor I

Re: ArubaGRE between IAP and Controller

I've spent 3h on the phone with the Aruba TAC today, but they couldn't find the issue either, so they will now try to reproduce the problem in their lab.

 

Is there anyone here on the forum successfully using ArubaGRE? Mind sharing your config/setup?
