07-12-2012 08:21 AM
I'm having issues provisioning RAPs. I have set up 4 RAP scenarios and they all worked a gem; but for some reason they don't want to connect to the controller. I keep getting "ethernet rc_error_ikep1" when trying to provision on a separate network. I know this network allows you to provision RAPs because I can provision them to another site that I have. I have also managed to provision them on the same LAN as the controller (using provisioning profiles with the public IP in it) and it came up, but as soon as I put it back on the other network it just wouldn't work (although it did give me an IP of 192.168.11.x and I could surf the web, but couldn't get to anything on the RAP network).
The setup I have is a basic one. It is just a modem going into a firewall, then the firewall goes to the 650 controller. This is just a test setup to copy what one of my customers is having.
The RAP passes all the tests except master connectivity. I can't see any hits on my firewall at all. I have tested the log files by trying to telnet to the controller using port forwarding and by entering the public IP address; this test worked. I have also forwarded port 4500 to the internal IP address of the controller. I tested this by statically setting the IP address of my PC to the same as the controller; I then disconnected the controller and got a laptop to VNC to the public IP address, which gave it connectivity to my PC.
I'm not sure if I'm missing some programming on The controller or if it is an ISP issue or a firewall issue.
Any help will be appreciated.
I have an Aruba 650 controller (v 188.8.131.52) with a Smoothwall firewall.
07-12-2012 10:09 AM
Is it a cert-based RAP or PSK? Do we have the entries (MAC address or PSK) correctly entered on the controller? IKE is failing in phase 1. If you enable "logging level debugging security" on the controller and grep the logs for IKE, you should be able to get more details.
07-13-2012 04:47 AM
Thanks for your reply.
It is a cert-based RAP and I have triple-checked the MAC addresses in the whitelist. Anyway, it is a different error you get when provisioning if the MAC address isn't in the whitelist.
I have enabled debugging security on the controller, and when I view the logs (after trying to provision the RAP again) I get this:
authmgr: <124004> <DBUG> |authmgr| Rx message 14001/5221, length 233 from 127.0.0.1:8235
I'm not sure if that has anything to do with the RAPs or not. In my test situation I couldn't see the RAP hitting the firewall at all. Have you heard of this before?
07-14-2012 11:27 AM
Debugging/logging on the controller is not going to yield fruit until you can see the RAP 'hitting' the firewall.
Can you do a port mirror/insert a hub at the connection of the RAP's E0 port in your test setup and Wireshark what you are seeing there to/from the RAP itself? (Doesn't sound like much.)
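The capture suggested in the post above, written out as an added example (not from either poster or from Aruba). It captures only the IKE and NAT-T ports (UDP 500 and 4500) on the mirror/hub interface, then counts packets leaving the RAP versus packets coming back to it, which is the distinction that matters here: if nothing leaves the RAP the problem is on the RAP or its provisioning, if packets leave but nothing returns the problem is on the firewall, port-forward or ISP path, and only if replies arrive is the controller's "logging level debugging security" output worth reading. The interface name, the RAP's address and the controller's public address are assumptions; the tcpdump lines in the test are constructed, not captured.

```bash
#!/bin/sh
# Added example (not from the thread): check whether IKE phase 1 traffic from a RAP
# ever leaves its E0 port and whether anything comes back, using tcpdump on a
# mirror port or hub. Requires root for the capture; the parsing needs only awk.
#
# Assumptions (hypothetical values, not from the original posts):
#   IFACE       interface plugged into the mirror port / hub, e.g. eth1
#   RAP_IP      address the RAP got on the remote LAN, e.g. 192.168.11.5
#   CTRL_PUBLIC public address forwarded to the controller, e.g. 203.0.113.10

# BPF filter: IKE (UDP 500) and NAT-T / IPsec-over-UDP (UDP 4500) to or from the RAP.
# A RAP behind NAT should end up on 4500 once NAT is detected in phase 1.
ike_filter() {
    printf 'host %s and udp and (port 500 or port 4500)' "$1"
}

# Capture N packets (default 50) with numeric addresses and epoch timestamps so the
# output is stable for parsing: "<ts> IP <src>.<port> > <dst>.<port>: isakmp ..."
capture_rap_ike() {
    iface=$1; rap=$2; count=${3:-50}
    tcpdump -n -tt -c "$count" -i "$iface" "$(ike_filter "$rap")"
}

# Read tcpdump -n -tt lines on stdin and print "sent=<n> received=<m>",
# where sent = packets whose source is the RAP, received = packets whose
# destination is the RAP. Matching on "addr." avoids 192.168.11.5 matching 192.168.11.50.
summarize_capture() {
    awk -v rap="$1" '
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (index(src, rap ".") == 1)      sent++
            else if (index(dst, rap ".") == 1) recv++
        }
        END { printf "sent=%d received=%d\n", sent + 0, recv + 0 }'
}

# Turn the two counts into the next place to look.
diagnose() {
    sent=$1; recv=$2
    if [ "$sent" -eq 0 ]; then
        echo "no-ike-sent: RAP is not sending IKE; check the RAP provisioning (controller IP / FQDN) and its LAN connectivity"
    elif [ "$recv" -eq 0 ]; then
        echo "no-reply: RAP sends IKE but nothing returns; check the firewall port-forward for UDP 500/4500, the public IP it is forwarded on, and the ISP path"
    else
        echo "reply-seen: IKE packets return to the RAP; now read the controller's security debug logs for the phase 1 failure"
    fi
}

# Stand-alone use (needs root and a real interface):
#   capture_rap_ike "$IFACE" "$RAP_IP" > ike.txt
#   counts=$(summarize_capture "$RAP_IP" < ike.txt)
#   diagnose "${counts#sent=}" ... (or parse the two numbers as in the example below)
run_example() {
    iface=$1; rap=$2
    capture_rap_ike "$iface" "$rap" 2>/dev/null | summarize_capture "$rap" | {
        read -r line
        s=${line#sent=}; s=${s%% *}
        r=${line#*received=}
        diagnose "$s" "$r"
    }
}
```

Leave the capture running while you re-provision or power-cycle the RAP; a RAP that never emits a single packet on UDP 500 during that window is not a firewall problem, whatever the controller logs say.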
07-17-2012 02:04 AM
I found out what could be the issue.
The customer has the routing wrong on their site. They have told all traffic to go out on a separate public IP address. This means that the RAP isn't listening on that IP.
We found this out by doing a traceroute from the switch to our IP address. We did this over SSH.
I will double check with the customer but I think that this is the issue.
Thanks for all your help.