Occasional Contributor II
Posts: 16
Registered: ‎11-07-2011

Help With ISA Server Firewall and RAP5wn Connection

I'm trying to get my ISA firewall to allow the traffic from an external RAP to my controller in the DMZ.  I have opened port 4500 both ways.  I see traffic hitting the controller, but the layer 2 MAC address is the outside firewall address, not the address of the RAP.  I have rebuilt the whole firewall over the weekend, but to no avail; it still does the same thing.  Anyone work with this before and have an idea what I am missing?  Thanks

 

 

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Help With ISA Server Firewall and RAP5wn Connection

The MAC address you see will always be from the device on the same VLAN.  When a packet traverses a layer-3 link, the MAC address is changed to the device that forwards the packet into the VLAN (the firewall in this case).  The MAC address of the RAP is in the packet, but not in the header.

 

What issue are you trying to fix?  Is the FW dropping the packets?  Do you see the packets hitting the controller?  ("show datapath session | include x.x.x.x", where x.x.x.x is the IP address of your RAP, will tell you if the traffic is making it to the controller.)

Occasional Contributor II
Posts: 16
Registered: ‎11-07-2011

Re: Help With ISA Server Firewall and RAP5wn Connection

On the controller I use the gui, monitoring, clients.  I see the ip add listed, get a status and see port 4500.  I also see the logon name is logon which is wrong and the mac address is the outside of my firewall.  The rap whitelist is the mac address of the rap itself. 

 

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Help With ISA Server Firewall and RAP5wn Connection

Do you have an outer IP listed in the GUI?  Also, is IPSec enabled or disabled? 

 

I usually use the CLI to troubleshoot issues.  Can you login to the CLI and do a "show ap database" and send the output for this specific RAP?  That will tell us a lot.

 

Also, have you looked through chapter 7 of the users guide? It is a step by step procedure for how to get a RAP up and running.

Occasional Contributor II
Posts: 16
Registered: ‎11-07-2011

Re: Help With ISA Server Firewall and RAP5wn Connection

I've read chapter 7 so many times I could recite it.  Followed every section perfectly; I guess it's not getting through correctly.  That's where I am stuck.  I haven't gotten the RAP to talk to the controller correctly.  I checked the CLI.  Sh ap database shows no RAP.

 

I've opened 4500 and 514 both ways on the ISA server.  See the traffic hitting ISA and connection initiated.  But it's not getting through.  I called Aruba; they said it's because the MAC address of the firewall is hitting the controller and not the MAC of the RAP.

 

 

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Help With ISA Server Firewall and RAP5wn Connection

Is the ISA server doing NAT for you or do you have a public IP on the controller (or is some other device doing NAT)? 

 

Do you have a default route on the controller pointing back to the ISA server?

 

Do a "show log security all" and "show log system all" and look for the IP and MAC of the RAP.  See if you see any messages that would help debug this.

 

Are you sure you have the format of the RAP MAC address right in the DB?  Do a "show local-userdb-ap" and make sure the MAC is correct (I think you have already done this though..).  It should be all lower case and have ":"s between every 2 characters.

 

Sorry if you have already done some of this, but we have to start at the start to get to the bottom of it.

Occasional Contributor II
Posts: 16
Registered: ‎11-07-2011

Re: Help With ISA Server Firewall and RAP5wn Connection

Name               AP-Group        AP-Name       Full-Name  Authen-Username  Revoke-Text  AP_Authenticated  Description  Date-Added                Enabled  Remote-IP
----               --------        -------       ---------  ---------------  -----------  ----------------  -----------  ----------                -------  ---------
00:08:b6:66:d3:e5  RemoteRAPGroup  PreaknessRAP  RemoteAP                                   Provisioned                    Mon Nov 21 01:43:41 2011  Yes      108.58.108.98

AP Entries: 1

 

sh local dbase

 

Occasional Contributor II
Posts: 16
Registered: ‎11-07-2011

Re: Help With ISA Server Firewall and RAP5wn Connection

Nov 18 00:47:07 :103048:  <ERRS> |ike|  IKE XAuth failed for 00:0b:86:66:de:e5
Nov 18 00:47:22 :133019:  <ERRS> |localdb|  User 00:0b:86:66:de:e5 was not found in the database

 

This is interesting.  But it is correct and in the whitelist.
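
Added example, not part of any post in this thread and not Aruba code: a Python check that pulls the MACs named in the IKE XAuth and localdb errors and compares them with the Name column of the "show local-userdb-ap" output, also flagging entries that are not lower case with ":" separators. The sample input is copied from the posts above (table trimmed to three columns); the function names are made up for this example.

```python
import re

MAC = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")
CANONICAL = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}")  # lower case, ':' separators
REJECTED = re.compile(r"\|(?:ike|localdb)\|\s+(?:IKE XAuth failed for|User)\s+(\S+)")

# Sample input copied from this thread (whitelist table trimmed to three columns).
WHITELIST = """\
Name               AP-Group        AP-Name
----               --------        -------
00:08:b6:66:d3:e5  RemoteRAPGroup  PreaknessRAP
"""
LOGS = """\
Nov 18 00:47:07 :103048:  <ERRS> |ike|  IKE XAuth failed for 00:0b:86:66:de:e5
Nov 18 00:47:22 :133019:  <ERRS> |localdb|  User 00:0b:86:66:de:e5 was not found in the database
"""

def norm(mac):
    return mac.lower().replace("-", ":")

def whitelist_macs(text):
    """Return the Name column of every row whose first field is a MAC."""
    rows = (line.split() for line in text.splitlines())
    return [f[0] for f in rows if f and MAC.fullmatch(f[0])]

def rejected_macs(text):
    """MACs named in IKE XAuth failures or localdb 'not found' errors."""
    return sorted({norm(m) for m in REJECTED.findall(text) if MAC.fullmatch(m)})

def differing_octets(a, b):
    pairs = zip(norm(a).split(":"), norm(b).split(":"))
    return [i for i, (x, y) in enumerate(pairs) if x != y]

def audit(whitelist_text, log_text):
    entries = whitelist_macs(whitelist_text)
    known = {norm(m) for m in entries}
    report = {"bad_format": [m for m in entries if not CANONICAL.fullmatch(m)],
              "unmatched": {}}
    for mac in rejected_macs(log_text):
        if mac in known:
            continue  # an entry exists for this MAC
        # Closest whitelist entry, to expose a likely typing error.
        nearest = min(entries, key=lambda e: len(differing_octets(e, mac)), default=None)
        diff = differing_octets(nearest, mac) if nearest else []
        report["unmatched"][mac] = (nearest, diff)
    return report

if __name__ == "__main__":
    print(audit(WHITELIST, LOGS))
```

Each "unmatched" value is the closest whitelist entry and the zero-based positions of the octets that differ from the MAC in the log.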

 

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: Help With ISA Server Firewall and RAP5wn Connection

It looks like you missed the user account setup for the RAP. Go back through the steps in the user guide.

 

Zach

Thanks,

Zach Jennings
Occasional Contributor II
Posts: 16
Registered: ‎11-07-2011

Re: Help With ISA Server Firewall and RAP5wn Connection

OK, will go through it again.  Thanks for the help.  Will post in a few.

 

 
