11-21-2011 06:58 AM
I'm trying to get my ISA firewall to allow the traffic from an external RAP to my controller in the DMZ. I have opened port 4500 both ways. I see traffic hitting the controller, but the layer 2 MAC address is the outside firewall address, not the address of the RAP. I have rebuilt the whole firewall over the weekend, but to no avail; it still does the same thing. Has anyone worked with this before and have an idea what I am missing? Thanks
11-21-2011 07:20 AM
The MAC address you see will always be from the device on the same VLAN. When a packet traverses a layer-3 link, the MAC address is changed to the device that forwards the packet into the VLAN (the firewall in this case). The MAC address of the RAP is in the packet, but not in the header.
What issue are you trying to fix? Is the FW dropping the packets? Do you see the packets hitting the controller? "show datapath session | include x.x.x.x" (where x.x.x.x is the IP address of your RAP) will tell you if the traffic is making it to the controller.
11-21-2011 07:24 AM
On the controller I use the GUI: Monitoring, Clients. I see the IP address listed, get a status and see port 4500. I also see the logon name is "logon", which is wrong, and the MAC address is the outside of my firewall. The RAP whitelist entry is the MAC address of the RAP itself.
11-21-2011 07:34 AM
Do you have an outer IP listed in the GUI? Also, is IPSec enabled or disabled?
I usually use the CLI to troubleshoot issues. Can you login to the CLI and do a "show ap database" and send the output for this specific RAP? That will tell us a lot.
Also, have you looked through Chapter 7 of the user guide? It is a step-by-step procedure for how to get a RAP up and running.
11-21-2011 07:39 AM
I've read Chapter 7 so many times I could recite it. Followed every section perfectly; I guess it's not getting through correctly. That's where I am stuck. I haven't gotten the RAP to talk to the controller correctly. I checked the CLI. "show ap database" shows no RAP.
I've opened 4500 and 514 both ways on the ISA server. I see the traffic hitting ISA and the connection initiated, but it's not getting through. I called Aruba; they said it's because the MAC address of the firewall is hitting the controller and not the MAC of the RAP.
11-21-2011 07:45 AM
Is the ISA server doing NAT for you or do you have a public IP on the controller (or is some other device doing NAT)?
Do you have a default route on the controller pointing back to the ISA server?
Do a "show log security all" and "show log system all" and look for the IP and MAC of the RAP. See if you see any messages that would help debug this.
Are you sure you have the format of the RAP MAC address right in the DB? Do a "show local-userdb-ap" and make sure the MAC is correct (I think you have already done this though..). It should be all lower case and have ":"s between every 2 characters.
Sorry if you have already done some of this, but we have to start at the start to get to the bottom of it.
11-21-2011 07:51 AM
sh local dbase

Name  AP-Group  AP-Name  Full-Name  Authen-Username  Revoke-Text  AP_Authenticated  Description  Date-Added  Enabled  Remote-IP
00:08:b6:66:d3:e5  RemoteRAPGroup  PreaknessRAP  RemoteAP  Provisioned  Mon Nov 21 01:43:41 2011  Yes  108.58.108.98

AP Entries: 1
11-21-2011 07:54 AM
Nov 18 00:47:07 :103048: <ERRS> |ike| IKE XAuth failed for 00:0b:86:66:de:e5
Nov 18 00:47:22 :133019: <ERRS> |localdb| User 00:0b:86:66:de:e5 was not found in the database
This is interesting. But it is correct and in the whitelist.
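An added check, written for this thread and not code from any of the posters or from Aruba, that does by script what the earlier advice ("make sure the MAC is correct ... all lower case and ':'s between every 2 characters") asks the reader to do by eye: it normalizes MAC addresses to the lower-case, colon-separated form the local AP database expects, pulls every MAC out of the |ike| and |localdb| failure lines from "show log security all", and reports whether each one is present in the whitelist. The whitelist entry and the two log lines are constructed from the values quoted in the posts above; the function names and the "closest entry" heuristic are mine. Run on those values, the MAC in the log and the MAC in the whitelist differ in three octets, so the script reports the log MAC as not whitelisted and points at the nearest existing entry, which is the situation that produces "User ... was not found in the database".

```python
import re

# Constructed from the thread above: the one entry shown by the local AP database
# (hypothetical container name; ArubaOS shows it via "show local-userdb-ap").
WHITELIST = {"00:08:b6:66:d3:e5"}

# Constructed sample log lines, copied from the "show log security all" excerpt posted above.
LOG_LINES = [
    "Nov 18 00:47:07 :103048: <ERRS> |ike| IKE XAuth failed for 00:0b:86:66:de:e5",
    "Nov 18 00:47:22 :133019: <ERRS> |localdb| User 00:0b:86:66:de:e5 was not found in the database",
]

# Colon- or hyphen-separated MAC as it appears in ArubaOS log output.
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")


def normalize_mac(raw: str) -> str:
    """Return a MAC in the form the AP whitelist expects: lower case, a colon
    after every two hex digits. Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff and aabbccddeeff; anything else raises ValueError."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def whitelist_check(log_lines, whitelist):
    """For every MAC mentioned in the log lines, record whether it is in the
    (normalized) whitelist and which lines mentioned it.
    Returns {mac: {"whitelisted": bool, "lines": [line, ...]}}."""
    wl = {normalize_mac(entry) for entry in whitelist}
    findings = {}
    for line in log_lines:
        for match in MAC_RE.findall(line):
            mac = normalize_mac(match)
            entry = findings.setdefault(mac, {"whitelisted": mac in wl, "lines": []})
            entry["lines"].append(line)
    return findings


def closest_whitelist_entry(mac, whitelist):
    """Return (entry, differing_octets) for the whitelist entry nearest to mac.
    A small count usually means a typo or transposition in the whitelist rather
    than a genuinely unknown AP; 0 means an exact match."""
    target = normalize_mac(mac).split(":")
    best = None
    for raw in whitelist:
        entry = normalize_mac(raw)
        diff = sum(1 for a, b in zip(target, entry.split(":")) if a != b)
        if best is None or diff < best[1]:
            best = (entry, diff)
    return best


if __name__ == "__main__":
    for mac, info in whitelist_check(LOG_LINES, WHITELIST).items():
        status = "whitelisted" if info["whitelisted"] else "NOT in whitelist"
        print(f"{mac}: {status} ({len(info['lines'])} log line(s))")
        if not info["whitelisted"]:
            entry, diff = closest_whitelist_entry(mac, WHITELIST)
            print(f"  closest whitelist entry: {entry} ({diff} octet(s) differ)")
```

To use it against a real controller, paste the output of "show local-userdb-ap" MACs into WHITELIST and the relevant lines of "show log security all" into LOG_LINES; a "NOT in whitelist" result with only a few differing octets is the signature of a mistyped entry, while a large difference means the controller is seeing a device you have not provisioned at all.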