Contributor I

CPSec issue

On a controller I have the following issue. An AP is in a rebooting loop with the certificate in the Hold state. Modifying the cert to approved switch-cert or factory-cert during provisioning gives no result.

In show log system I get these messages constantly, in a loop:

Feb 17 19:08:47 :311020:  <ERRS> |AP 9c:1c:12@10.10.10.6 sapd|  An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4555 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. Ipsec not successful after reboot.
Feb 17 19:09:56 :311002:  <WARN> |AP 9c:1c:12@10.10.10.6 sapd|  Rebooting: SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
Feb 17 19:09:56 :303086:  <ERRS> |AP 9c:1c:12@10.10.10.6 nanny| Process Manager (nanny) shutting down - AP will reboot!
Feb 17 19:11:12 :303022:  <WARN> |AP 9c:1c:12@10.10.10.6 nanny|  Reboot Reason: AP rebooted Fri Feb 17 19:09:56 CET 2017; SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
Feb 17 19:12:30 :311020:  <ERRS> |AP 9c:1c:12@10.10.10.6 sapd|  An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4550 error redun_retry_tunnel: Ipsec not successful to saved lms. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. rebooting.
Feb 17 19:12:31 :311002:  <WARN> |AP 9c:1c:12@10.10.10.6 sapd|  Rebooting: Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
Feb 17 19:12:31 :303086:  <ERRS> |AP 9c:1c:12@10.10.10.6 nanny| Process Manager (nanny) shutting down - AP will reboot!
Feb 17 19:13:47 :303022:  <WARN> |AP 9c:1c:12@10.10.10.6 nanny|  Reboot Reason: AP rebooted Fri Dec 31 16:02:06 PST 1999; Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED

This IAP103 (converted, controller managed) used to work fine with this controller (6.5.0.3). After resetting the controller to factory defaults, this issue came up.

Is it possible that the controller cert is somehow damaged? How can I verify this? Is there a way to fix this cert by a software upgrade?
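
As an added example (not part of the original post, and not an Aruba tool), a short Python checker that parses show log system lines of the shape quoted above, groups the sapd/nanny messages per AP, and flags an AP as stuck in a CPSec reboot loop when it keeps rebooting for IPsec/cert_cap reasons while logging an RC_ERROR_ISAKMP_* error. The line layout and the message IDs 311002 and 303022 are taken from the quoted log; the loop threshold (two completed reboots) and the "clock not synced" heuristic (a Reboot Reason dated 1999, as in the last line above) are my assumptions, as is the sample input, which is the quoted log embedded as a constructed string.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input: the eight `show log system` lines quoted in the post above.
SAMPLE_LOG = """\
Feb 17 19:08:47 :311020:  <ERRS> |AP 9c:1c:12@10.10.10.6 sapd|  An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4555 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. Ipsec not successful after reboot.
Feb 17 19:09:56 :311002:  <WARN> |AP 9c:1c:12@10.10.10.6 sapd|  Rebooting: SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
Feb 17 19:09:56 :303086:  <ERRS> |AP 9c:1c:12@10.10.10.6 nanny| Process Manager (nanny) shutting down - AP will reboot!
Feb 17 19:11:12 :303022:  <WARN> |AP 9c:1c:12@10.10.10.6 nanny|  Reboot Reason: AP rebooted Fri Feb 17 19:09:56 CET 2017; SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
Feb 17 19:12:30 :311020:  <ERRS> |AP 9c:1c:12@10.10.10.6 sapd|  An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4550 error redun_retry_tunnel: Ipsec not successful to saved lms. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. rebooting.
Feb 17 19:12:31 :311002:  <WARN> |AP 9c:1c:12@10.10.10.6 sapd|  Rebooting: Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
Feb 17 19:12:31 :303086:  <ERRS> |AP 9c:1c:12@10.10.10.6 nanny| Process Manager (nanny) shutting down - AP will reboot!
Feb 17 19:13:47 :303022:  <WARN> |AP 9c:1c:12@10.10.10.6 nanny|  Reboot Reason: AP rebooted Fri Dec 31 16:02:06 PST 1999; Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
"""

# One log line: "<ts> :<msgid>: <sev> |AP <mac>@<ip> <process>| <message>" (layout as quoted above)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) :(?P<msgid>\d+): +<(?P<sev>[A-Z]+)> "
    r"\|AP (?P<ap>\S+@[\d.]+) (?P<proc>\w+)\| +(?P<msg>.*)$"
)
# Error codes look like "Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED"
ERROR_RE = re.compile(r"Error:(RC_[A-Z0-9_]+)")
# "AP rebooted Fri Feb 17 19:09:56 CET 2017" -> the year the AP believed it was at reboot time
REBOOT_YEAR_RE = re.compile(r"AP rebooted \w{3} \w{3} +\d{1,2} [\d:]+ \w+ (\d{4})")
CPSEC_REASON_RE = re.compile(r"cert_cap|IPSEC|IPSec")

MSG_REBOOT_REASON = "303022"  # nanny "Reboot Reason: ..." -- one per completed reboot
MSG_SAPD_REBOOT = "311002"    # sapd "Rebooting: ..." -- the process that decided to reboot


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not an AP log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, min_reboots=2):
    """Group sapd/nanny messages per AP and flag APs that look stuck in a CPSec reboot loop.

    Heuristic (assumption, not an Aruba definition): the AP has rebooted at least
    `min_reboots` times, sapd asked for the reboot for a cert_cap/IPsec reason, and an
    RC_ERROR_ISAKMP_* error (IKE phase 1) was logged for the same AP.
    """
    per_ap = defaultdict(lambda: {"reboots": 0, "errors": set(), "cpsec_reboot": False,
                                  "clock_unsynced": False, "cpsec_loop": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ap = per_ap[rec["ap"]]
        ap["errors"].update(ERROR_RE.findall(rec["msg"]))
        if rec["msgid"] == MSG_REBOOT_REASON:
            ap["reboots"] += 1
            year = REBOOT_YEAR_RE.search(rec["msg"])
            # A 1999 reboot timestamp means the AP had no valid clock yet; any certificate
            # validity check it performed before syncing time is suspect (assumption).
            if year and int(year.group(1)) < 2000:
                ap["clock_unsynced"] = True
        if rec["msgid"] == MSG_SAPD_REBOOT and CPSEC_REASON_RE.search(rec["msg"]):
            ap["cpsec_reboot"] = True
    for ap in per_ap.values():
        isakmp = any(e.startswith("RC_ERROR_ISAKMP") for e in ap["errors"])
        ap["cpsec_loop"] = ap["cpsec_reboot"] and isakmp and ap["reboots"] >= min_reboots
    return dict(per_ap)


def report(result):
    """Render the analysis as one line per AP."""
    lines = []
    for name, ap in sorted(result.items()):
        status = "CPSEC REBOOT LOOP" if ap["cpsec_loop"] else "ok"
        lines.append(f"{name}: {status}; reboots={ap['reboots']}; "
                     f"errors={sorted(ap['errors'])}; clock_unsynced={ap['clock_unsynced']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python cpsec_loop_check.py [saved-show-log-system.txt]; with no file, the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(analyze(text)))
```

On the sample above the checker reports the single AP 9c:1c:12@10.10.10.6 as being in a CPSec reboot loop with two completed reboots, one distinct error code, and the unsynced-clock flag set. The point of keying on the error code rather than on the word "Rebooting" is that an RC_ERROR_ISAKMP_* failure distinguishes a trust/IKE problem (the controller or AP certificate) from an ordinary reachability problem, which is the first fork in the troubleshooting tree for CPSec.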

 

Contributor I

Re: CPSec issue

Based on the logs, you have an IKE phase 1 issue.

I would re-check the setup in case something got changed in the upgrade.

 

 

Check the IAP MAC is still in the whitelist.

Check the VPN pool; make sure it is a non-routable IP range.

Check default-vpn-role

show references user-role default-vpn-role

References to User Role "default-vpn-role"
------------------------------------------
aaa authentication vpn "default" default-role
aaa authentication vpn "default-iap" default-role
aaa authentication vpn "default-rap" default-role

 

 

Run the following commands if you still have the issue:

- show datapath session table <ipaddress> | include 4500

- show crypto ipsec sa

- show user-table verbose

 

Make sure UDP/4500 is allowed.


Aruba Employee

Re: CPSec issue

- Are all APs affected?
- This could be due to cert
- Is this a master controller?

Collect the output of the commands below:

show tpm cert-info
show tpm error
