Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Help With ISA Server Firewall and RAP5wn Connection

  • 1.  Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 09:59 AM

    I'm trying to get my ISA firewall to allow the traffic from an external RAP to my controller in the DMZ.  I have opened port 4500 both ways.  I see traffic hitting the controller, but the layer 2 MAC address is the outside firewall address, not the address of the RAP.  I rebuilt the whole firewall over the weekend, but to no avail; it still does the same thing.  Has anyone worked with this before and have an idea what I am missing?  Thanks




  • 2.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 10:20 AM

    The MAC address you see will always be from the device on the same VLAN.  When a packet traverses a layer-3 link, the MAC address is changed to the device that forwards the packet into the VLAN (the firewall in this case).  The MAC address of the RAP is in the packet, but not in the header.

     

    What issue are you trying to fix?  Is the FW dropping the packets?  Do you see the packets hitting the controller?  "show datapath session | include x.x.x.x" (where x.x.x.x is the IP address of your RAP) will tell you if the traffic is making it to the controller.



  • 3.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 10:25 AM

    On the controller I use the GUI: Monitoring, Clients.  I see the IP address listed, get a status, and see port 4500.  I also see the logon name is "logon", which is wrong, and the MAC address is the outside of my firewall.  The RAP whitelist has the MAC address of the RAP itself.

     



  • 4.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 10:34 AM

    Do you have an outer IP listed in the GUI?  Also, is IPSec enabled or disabled? 

     

    I usually use the CLI to troubleshoot issues.  Can you login to the CLI and do a "show ap database" and send the output for this specific RAP?  That will tell us a lot.

     

    Also, have you looked through chapter 7 of the user guide? It is a step-by-step procedure for how to get a RAP up and running.



  • 5.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 10:39 AM

    I've read chapter 7 so many times I could recite it.  Followed every section perfectly; I guess it's not getting through correctly.  That's where I am stuck.  I haven't gotten the RAP to talk to the controller correctly.  I checked the CLI.  "show ap database" shows no RAP.

     

    I've opened 4500 and 514 both ways on the ISA server.  I see the traffic hitting ISA and the connection initiated, but it's not getting through.  I called Aruba; they said it's because the MAC address of the firewall is hitting the controller and not the MAC of the RAP.




  • 6.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 10:46 AM

    Is the ISA server doing NAT for you or do you have a public IP on the controller (or is some other device doing NAT)? 

     

    Do you have a default route on the controller pointing back to the ISA server?

     

    Do a "show log security all" and "show log system all" and look for the IP and MAC of the RAP.  See if you see any messages that would help debug this.

     

    Are you sure you have the format of the RAP MAC address right in the DB?  Do a "show local-userdb-ap" and make sure the MAC is correct (I think you have already done this though..).  It should be all lower case and have ":"s between every 2 characters.

     

    Sorry if you have already done some of this, but we have to start at the start to get to the bottom of it.



  • 7.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 10:52 AM

    Name               AP-Group        AP-Name       Full-Name  Authen-Username  Revoke-Text  AP_Authenticated  Description  Date-Added                Enabled  Remote-IP
    ----               --------        -------       ---------  ---------------  -----------  ----------------  -----------  ----------                -------  ---------
    00:08:b6:66:d3:e5  RemoteRAPGroup  PreaknessRAP  RemoteAP                                Provisioned                    Mon Nov 21 01:43:41 2011  Yes      108.58.108.98

    AP Entries: 1

     

    sh local dbase

     



  • 8.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 10:54 AM

    Nov 18 00:47:07 :103048:  <ERRS> |ike|  IKE XAuth failed for 00:0b:86:66:de:e5
    Nov 18 00:47:22 :133019:  <ERRS> |localdb|  User 00:0b:86:66:de:e5 was not found in the database

     

    This is interesting.  But it is correct and in the whitelist.

     



  • 9.  RE: Help With ISA Server Firewall and RAP5wn Connection

    EMPLOYEE
    Posted Nov 21, 2011 11:04 AM

    It looks like you missed the user account setup for the RAP. Go back through the steps in the user guide.

     

    Zach



  • 10.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 11:06 AM

    OK, will go through it again.  Thanks for the help.  Will post in a few.




  • 11.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 03:33 PM

    See the output of the "show user-table verbose" command. The inner IP is always assigned ap-role or sys-ap-role, depending on whether CPsec is enabled on the controller or not, and the outer IP is always assigned the logon role.

    Use "show crypto isakmp sa" and "show crypto ipsec sa" to see whether the ISAKMP and IPsec SAs are formed properly.

     

    Use "sh log all | include authmgr"  to see auth failures

    Use "sh log all | include ike"  to see other ike errors

     

    (rc1-sunnyvale-3600) #show user-table verbose

    Users
    -----
        IP               MAC            Name              Role        Age(d:h:m)  Auth  VPN link        AP name             Roaming             Essid/Bssid/Phy                 Profile     Forward mode  Type  Server    Vlan  Bwm
    ----------      ------------       ------             ----        ----------  ----  --------        -------             -------             ---------------                 -------     ------------  ----  ------    ----  ---
    192.168.161.57  00:00:00:00:00:00                     logon       00:00:21                          N/A                                                                     default     tunnel                        1
    10.169.136.51   00:00:00:00:00:00  00:0b:86:66:7a:d1  ap-role     00:00:02    VPN   192.168.171.95  N/A                                                                     default     tunnel              Internal  1
    10.169.136.50   00:00:00:00:00:00  00:0b:86:66:8a:2b  ap-role     00:00:02    VPN   192.168.171.83  N/A                                                                     default     tunnel              Internal  1
    172.16.25.55    00:00:00:00:00:00  rap-105            ap-role     00:00:18    VPN   192.168.161.57  N/A                                                                     default     tunnel              Internal  1
    192.168.171.95  00:00:00:00:00:00                     logon       00:00:21    VPN                   N/A                                                                     default     tunnel                        1
    192.168.171.83  00:00:00:00:00:00                     logon       00:00:21    VPN                   N/A                                                                     default     tunnel                        1

    User Entries: 6/6


    (rc1-sunnyvale-3600) #show crypto isakmp sa

    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP     Responder IP   Flags       Start Time      Private IP
    ------------     ------------   -----     ---------------   ----------
    192.168.161.57   172.16.1.8     r-m-p-x-R Nov 21 12:02:50   172.16.25.55
    192.168.171.83   172.16.1.8     r-v2-c-R  Nov 21 12:19:21   10.169.136.50
    192.168.171.95   172.16.1.8     r-v2-c-R  Nov 21 12:19:22   10.169.136.51

    Flags: i = Initiator; r = Responder
           m = Main Mode; a = Agressive Mode v2 = IKEv2
           p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
           x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
           3 = 3rd party AP; C = Campus AP; R = RAP
           V = VIA; S = VIA over TCP

    Total ISAKMP SAs: 3


    Total IPSEC SAs: 3

    (rc1-sunnyvale-3600) #show crypto ipsec sa

    IPSEC SA Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP
    ------------     ------------     -----------         -----------         -----  ---------------   --------
    192.168.161.57   172.16.1.8       172.16.25.55/32     0.0.0.0/0           UT     Nov 21 12:02:50   172.16.25.55

    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
    ------------     ------------     ----------------   ----- ---------------   --------
    192.168.171.83   172.16.1.8       13448d00/a1c4fd00  UT2   Nov 21 12:19:22   10.169.136.50
    192.168.171.95   172.16.1.8       b693d500/aa93b200  UT2   Nov 21 12:19:23   10.169.136.51

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

    Total IPSEC SAs: 3



  • 12.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Jan 19, 2012 04:00 AM

    Just to ask on this one, what type of AP are you using as your RAP and how did you provision it? This isn't so important if it's a RAP2 or 5, but if it's something else, this might be very important.

     

    Second question, once you've provisioned your RAP, if you try it on the inside of your firewall (your LAN) does it connect?

     

    Last thing, paste us a "show ap data" here please? Did it ever appear in there?

     



  • 13.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Jan 19, 2012 04:02 AM

    Oh and don't try provisioning a RAP on a LAN where it could discover the controller via ADP or any other method. Try it on a LAN segment where it can't dynamically find the controller or you'll get odd results possibly.



  • 14.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 11:24 AM

    Can you post the output from "show local-userdb-ap"?



  • 15.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 11:49 AM


    00:08:b6:66:d3:e5  RemoteRAPGroup  PreaknessRAP  RemoteAP                                Provisioned                    Mon Nov 21 01:43:41 2011  Yes      108.58.108.98

    AP Entries: 1

     

    Here it is.

     



  • 16.  RE: Help With ISA Server Firewall and RAP5wn Connection

    EMPLOYEE
    Posted Nov 21, 2011 11:52 AM

    Looks like you swapped an "8" for a "b", and a "3" for an "e".

     

    White List:

    00:08:b6:66:d3:e5

     

    Should be:

    00:0b:86:66:de:e5

     

    At least according to your logs.

     

    Zach
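
    The mismatch Zach spotted by eye is exactly the kind of thing worth checking mechanically: the RAP whitelist is the authorization database for the IPsec/XAuth step, and a transposed hex digit or a non-canonical format (uppercase, hyphens, no separators) makes the controller reject the RAP with the "IKE XAuth failed" / "was not found in the database" pair shown earlier. The script below is an added example, not from the thread or from ArubaOS: it takes the "show local-userdb-ap" output and the two log lines quoted above (embedded as constructed sample input), normalizes every MAC to the lowercase colon-separated form the controller expects, flags whitelist rows that are not in that form, and for each MAC that failed authentication reports whether it is present and, if not, the closest whitelist entry and how many hex digits differ. The function names and the hex-distance heuristic are this example's own assumptions.

```python
"""Added example: cross-check an ArubaOS RAP whitelist against IKE/localdb
log lines. Sample input is constructed from what was quoted in the thread;
function names and logic are assumptions for illustration, not ArubaOS CLI."""
import re
from typing import Dict, List, Optional

# Constructed sample: "show local-userdb-ap" output with the mistyped entry.
WHITELIST_OUTPUT = """\
Name               AP-Group        AP-Name       Full-Name  Authen-Username  Revoke-Text  AP_Authenticated  Description  Date-Added                Enabled  Remote-IP
----               --------        -------       ---------  ---------------  -----------  ----------------  -----------  ----------                -------  ---------
00:08:b6:66:d3:e5  RemoteRAPGroup  PreaknessRAP  RemoteAP                                Provisioned                    Mon Nov 21 01:43:41 2011  Yes      108.58.108.98

AP Entries: 1
"""

# Constructed sample: the two "show log security all" lines from the thread.
LOG_LINES = """\
Nov 18 00:47:07 :103048:  <ERRS> |ike|  IKE XAuth failed for 00:0b:86:66:de:e5
Nov 18 00:47:22 :133019:  <ERRS> |localdb|  User 00:0b:86:66:de:e5 was not found in the database
"""

# Six hex pairs, separated by ':' '-' '.' or nothing; case-insensitive.
MAC_RE = re.compile(r"(?i)\b([0-9a-f]{2}(?:[:\-.]?[0-9a-f]{2}){5})\b")
CANONICAL_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC in lowercase, colon-every-two-digits form, or None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def format_ok(raw: str) -> bool:
    """True only if the entry is already in the form the whitelist expects."""
    return CANONICAL_RE.fullmatch(raw) is not None


def parse_whitelist(output: str) -> List[str]:
    """Collect the Name column (the AP MAC) from each data row."""
    macs: List[str] = []
    for line in output.splitlines():
        m = MAC_RE.match(line.strip())  # data rows start with the MAC
        if m:
            macs.append(normalize_mac(m.group(1)))
    return macs


def failed_macs(log: str) -> List[str]:
    """MACs named in XAuth-failed / not-found log lines, de-duplicated, in order."""
    seen: List[str] = []
    for line in log.splitlines():
        if "XAuth failed" in line or "was not found" in line:
            m = MAC_RE.search(line)
            if m:
                mac = normalize_mac(m.group(1))
                if mac and mac not in seen:
                    seen.append(mac)
    return seen


def hex_distance(a: str, b: str) -> int:
    """Number of differing hex digits between two canonical MACs."""
    return sum(x != y for x, y in zip(a.replace(":", ""), b.replace(":", "")))


def diagnose(whitelist_output: str, log: str) -> List[Dict[str, object]]:
    """For each MAC that failed auth, say whether it is whitelisted and,
    if not, which whitelist entry it most resembles (likely a typo)."""
    whitelist = parse_whitelist(whitelist_output)
    report: List[Dict[str, object]] = []
    for mac in failed_macs(log):
        if mac in whitelist:
            report.append({"mac": mac, "status": "present"})
            continue
        closest = min(whitelist, key=lambda w: hex_distance(w, mac)) if whitelist else None
        report.append({
            "mac": mac,
            "status": "missing",
            "closest": closest,
            "differing_digits": hex_distance(closest, mac) if closest else None,
        })
    return report


if __name__ == "__main__":
    for entry in diagnose(WHITELIST_OUTPUT, LOG_LINES):
        print(entry)
```

On the thread's data this reports the RAP's real MAC as missing and points at 00:08:b6:66:d3:e5 as the nearest entry with three differing hex digits (the 8/b swap accounts for two, the 3/e for one), which is the correction Zach gave. The same check catches an entry pasted in uppercase or with hyphens, which the controller would likewise fail to match.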



  • 17.  RE: Help With ISA Server Firewall and RAP5wn Connection

    Posted Nov 21, 2011 11:56 AM

    OK, let me check.  Maybe this time.  But I deleted it all and reset it this morning, so I must have put it in wrong today.  Copied and pasted it last week.  That connection is from last Friday.

     

    I'm reconnecting the rules on my ISA server, so when I get a current log I will post it.

     

    Thanks

     

    Be back in a few.

     

    Thanks for all your help much appreciated.