Wireless Access

I was given a RAP that I have been tasked with trying to get it connected to our controller.  For some reason I am having great difficulty, and an extra set of eyes would be more than helpful at this point.

 I am given a "RC_ERROR_IKEP2_PKT1" error when attempting to connect to the controller from our internal network (just to try to get things working first)..  After asking google, I found that the RAP may not be connecting to the controller, and followed instructions I found elsewhere to troubleshoot. My output is as follows:

(Aruba) #show datapath session table | include 4500
X.X.X.X    X.X.X.X       17   4500  4500   0/0     0 0   0   1/1         1c   1      1      F
X.X.X.X    X.X.X.X       17   4500  4500   0/0     0 0   0   1/1         1c   0      0      FC

I followed the AP wizard, and set my configuration to AP specific for this AP.

The RAP is whitelisted (tried with and without an IP assigned)

Under VPN Services I have L2TP & XAuth enabled.  Authentication Protocals is PAP only.  DNS info is listed, address pool is setup.  Nat-T is enabled.

Any guidance would be appreciated!

Execute these commands:

config t
logging level debugging security subcat ike
logging level debugging security process aaa
logging level debugging security process authmgr
logging level debugging security subcat l2tp
logging level debugging security subcat vpn

 Boot up the RAP2Wg.  When it fails, type "show log security 50" to see what happened.

What AOS do you have installed ?

please run the following command :
show crypto ipsec sa

show crypto isakmp sa

---

@victorfabian wrote:

 

What AOS do you have installed ?

 

please run the following command :
show crypto ipsec sa

show crypto isakmp sa

 

 

---

ArubaOS (MODEL: Aruba3600-US), Version 6.1.3.3

show crypto ipsec sa

% No active IPSEC SA

show crypto isakmp sa

% No active ISAKMP SA

Do you by any chance upgrade the flash on that RAP ?

http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-apflash-backup-partition-or-how-do-I-upgrade-my-RAP5/m-p/5829/highlight/true#M258

I took the RAP to the subnet that the controller is on, and it did an upgrade automatically.  The software version on the RAP is now: ArubaOS Version 6.1.3.3 Build# 34156.

The RAP now shows in the controller after upgrade, so that is at least a step forward.  From here i've tried provisioning the AP like our 105's (but also selecting remote AP).  Status will say AP Rebooting...   and never change on the RAP end after provisioning.  I can not get the RAP to do anything even after 15 minutes.  I reset and let it upgrade again.  I set a manual address this time.  Now the RAP says "Continuing......."  with nothing else showing.  AP rebooted twice while I let it sit.  AP does not show in controller.  Finally I reset again, let it upgrade, and only entered the controller IP.  It showed in the controller, but disapeared after entering the IP on the RAP.  RAP says "Continuing..."  and nothing more :(.

I won't be able to look at this again until thursday morning.  Thanks for your help thus far. :)

I will be around today if anyone has any more suggestions.

Thanks in advance!

Put the RAP on the same subnet that the controller is on and let it connect to it.  After some time, run the command "show ap image version" and see if the backup partition is 5.x ".  If it is only 3.x, you will have to contact support to get help to upgrade it to 5.x, UNLESS youhave a controller that is on 5.x.  You cannot upgrade the backup partition with a controller that is 6.x.  See the article here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1425 

---

@cjoseph wrote:

Put the RAP on the same subnet that the controller is on and let it connect to it.  After some time, run the command "show ap image version" and see if the backup partition is 5.x ".  If it is only 3.x, you will have to contact support to get help to upgrade it to 5.x, UNLESS youhave a controller that is on 5.x.  You cannot upgrade the backup partition with a controller that is 6.x.  See the article here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1425 

 

 

---

Thank you for that information :)

Once again, I appreciate the help thus far.  I was able downgrade the controller and upgrade the backups to 5.0.4.13 on our two RAPS.  We are now back at 6.1.3.3 again.  I have one RAP that I setup to test with internal IP of controller.  It seems to connect properly, and the wireless light turns on.  It shows in the controller, everything looks great (but can't fully test wireless connection because I can't distinguish this AP's SSID vs. our live network).

Since everything looked great on that rap, I tried the other rap from an outside cable modem using our external address of controller.  We had success up until it rebooted.  The device reboots, Eth1 gets a self assigned ip.  Can't connect to RAP's webpage to see status.   Status light on rap continues to blink, and no wireless light comes on.  I have attached a picture for reference.  Any guidance would be appreciated.

Thanks!

Try "show ap database" when that RAP is connecting to see its status

HOLD ON:

You are saying that it does not work externally?  In the ap-group of the RAP, in the AP system profile of that ap-group, do you have an LMS-IP?  If you do, remove it.

Yes, that seems to have done the trick!  Thank You!

I added a new ssid so I can see that it is working apart from our normal network, and it is working properly.  At this point I am happy to have it working wirelessly, but the only thing not 100% is port E1.  After being assigned an internal address, if I go to the web it still points me toward the RAP website that does not load.  Again wireless works fine.  Thanks again :)

---

@ucf wrote:

Yes, that seems to have done the trick!  Thank You!

 

I added a new ssid so I can see that it is working apart from our normal network, and it is working properly.  At this point I am happy to have it working wirelessly, but the only thing not 100% is port E1.  After being assigned an internal address, if I go to the web it still points me toward the RAP website that does not load.  Again wireless works fine.  Thanks again :)

---

In the Wired AP profile, you need to make sure it is enabled and Trusted Under Ethernet Interface port 1 configuration:

cjoseph, I can't thank you enough for your assistance.  I overlooked the trusted check box, and works perfectly now with it checked.  If I can ever return the favor, please let me know.

Thanks!

ucf

You are welcome, and happy new year, ucf!