Wireless Access

Hi community,

we have a 650er Controller with Aruba OS 6.4.0.3 and some APs (135er + 105er).

We have some rap3 they work fine, we hava iap105 convert to a rap it works also fine.

So now I want to convert a Controller AP to a RAP, under AP installation I mark the ap and deploy it like the other RAPs (whitelist it, giver group and external IP of controller...).

The AP restarts but it don´t come up to the controller, I cannot find anything in the eventlog.

Anyona an idea?

Thanks

HI,

In order to provision an AP as a RAP you should meet the following requirements,

1. VPN settings in the controller ( IKE pool and IKE PSK)

2. RAP whitelist in case if you are provisioning cert based RAP

3. a valid username and password ( Local Db) for PSK based deployment.

3. UDP 4500 traffic should be allowed in the network.

To ensure the above please run the following show commands,

1. Show log security -- to confirm IKE related config and whitelist

2. Show datapsth sessio -- to confirm whether 4500 traffic is flowing or not

If possible please share the output of "show datapath session"

Please feel free for any further help on this.

Hi,

ok, here is the putty log with the informations:

I hope you find something

Attachment(s)

putty.txt   309 KB 1 version

Hi,

I couldn't find any 4500 traffic in the datapath and IKE messages in the log. I suspect the configuration itself. please verify the configuration once again.

Hope the attached document will help you on solving the issue.

Please feel free for any further help on this.

Attachment(s)

RAP Installation-Updated.pdf   1.17 MB 1 version

ok, but why does IAP and RAPs work fine?

Hi,

Please confirm me whether you are trying to deploy it as PSK based or Certbased ? I hope you are trying to deploy it in PSK based, so please ensure the PSK and username ans password are properly configured in both controller and RAP.

Please feel free for any further help on this.

Hi 

I use PSK, it ist the same PSK and username as the RAPs, so I don´t understand it...

Hi,

I'm not seeing any 4500 traffic (NATT) between the AP and Controller. you need to work on this.

please enable IKE logging level (logging level debugging security process  crypto subcat ike) also ensure the IKE pool is not exhausted.

The ike logging leven is on debugging.

How can I check that the ike pool is not exhausted?

I see natt is not enabled, but the raps and iaps work fine without...

You need to configure logging:

config t
logging level debugging security subcat ike
logging level debugging security process aaa
logging level debugging security process authmgr

 After you have done that, try to connect the RAP.  After you try, we need to see the output of "show log security all | include ike" to understand what is happening.

Hi,

here is the logging output:

Attachment(s)

putty.txt   883 B 1 version

The problem is not solved yet.

I found a work arround, but thant´s not the easyest way to get ist work...

It looks like the ap105er do not set the RAP flag correct, when I provissioned it as RAP from the controller.

This is my workarround now:

I set it hardcore:

apboot>  purge

apboot>  setenv master remote.arubanetworks.com (where this is the URL of your RAP controller).

apboot>  setenv remote_ap 1

apboot>  save

apboot>  boot

Than it works fine as rap...

Maybe anyone have a idea for that problem

If it is not working when you provision it from the controller, we need to see the audit-trail of when you are provisioning it to see what is wrong:

"show audit-trail"

ok, thanks.

I check this tomorrow and post the result.