Wireless Access

Hello,

 

i'm new to Aruba and currently on a test-environment. Today i've tried to access our Mobility Controller (which is connected to the internet by our router having DNATs for Port 500 and 4500) using a RAP2 from my homeoffice. Connectivity seems ok, but the web-gui of the RAP tells about an IKE Error.

How can i find the source of the problem? Where can i look at? There must be some kind of log, but where?

---

@Oliver.geisen@kreisbote.de wrote:

Hello,

 

i'm new to Aruba and currently on a test-environment. Today i've tried to access our Mobility Controller (which is connected to the internet by our router having DNATs for Port 500 and 4500) using a RAP2 from my homeoffice. Connectivity seems ok, but the web-gui of the RAP tells about an IKE Error.

How can i find the source of the problem? Where can i look at? There must be some kind of log, but where?

---

Start with the IKE Error.  What is it?  

A common IKE error which is occurs when the RAP is not added to the RAP whitelist is RC_ERROR_IKE_XAUTH_AUTHORIZATION_FAILED. If this is your error message then make sure you have added the RAP to the RAP whilelist on the master controller.

 

Regards,

Sathya

Is the rap in the rap white list on the controller ?

Currently not. I will add him and try again this evening. Reporting tomorrow.

Thanks for now!

Okay, did you also create an IPSec pool for your aps, as well?

So, i one step further. After adding the RAP using the Controller-Wizard it cames up on my home site and lights the WLAN LED. But it still don't transmitt any SSIDs. In the controller i can see that it seems ok (no longer mismatched or down).

I think i was missing some setup. What is this IPSec pool thing you mention?

Every RAP that authenticates successfully to  the controller requires a valid inner IP address for the IPsec tunnel. This inner IP address is issued from the address pool that is configured in the VPN services. 





 

 

Also on CLI type 

show ap debug received-config ap-name <name of AP> to check that the RAP has received all the required configurations such those related to the VAP and radio settings.

 

Regards,

Sathya

Oh, yes, i see. I already had this. My RAP gets 172.29.241.7, which is an inner IP address of a VLAN, specially created for VPN-Services (RAP and VIA). The VLAN is reachable via the controllers interface in the local network. Routing is pointed to that interface.

I can also PING the RAP from our coorporate network.

On the commandline of the controller, type "show ap bss-table" to see if your RAP is broadcasting anything, and what...

It don't seem so. Here is the console output of your suggested command:

(the RAP in question has the HWADDR 00:24:6c:cd:46:e5)

 

(Aruba3200) # show ap bss-table

fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always)

Aruba AP BSS Table
------------------
bss                ess               s/p  ip            phy   type  ch/EIRP/max-EIRP  cur-cl  ap name            in-t(s)  tot-t        mtu   acl-state  acl  fm
---                ---               ---  --            ---   ----  ----------------  ------  -------            -------  -----        ---   ---------  ---  --
d8:c7:c8:83:3e:70  Kreisbote-Gast    1/0  172.29.2.244  a-HT  ap    136-/20.5/20.5    0       d8:c7:c8:c0:33:e6  0        11h:35m:21s  1500  -          6    T
d8:c7:c8:c5:22:b1  Kreisbote-VoIP    1/0  172.29.2.250  g-HT  ap    11/20/20          0       d8:c7:c8:c4:52:2b  0        11h:35m:23s  1500  -          49   T
d8:c7:c8:83:3e:71  Kreisbote-VoIP    1/0  172.29.2.244  a-HT  ap    136-/20.5/20.5    0       d8:c7:c8:c0:33:e6  0        11h:35m:21s  1500  -          49   T
d8:c7:c8:a1:2d:20  Kreisbote-Gast    1/0  172.29.3.244  g-HT  ap    6/20/20           0       d8:c7:c8:c2:12:d2  0        11h:35m:22s  1500  -          6    T
d8:c7:c8:c5:22:b2  Kreisbote-Intern  1/0  172.29.2.250  g-HT  ap    11/20/20          0       d8:c7:c8:c4:52:2b  0        11h:35m:23s  1500  -          1    T
d8:c7:c8:83:3e:72  Kreisbote-Intern  1/0  172.29.2.244  a-HT  ap    136-/20.5/20.5    0       d8:c7:c8:c0:33:e6  0        11h:35m:20s  1500  -          1    T
d8:c7:c8:a1:2d:21  Kreisbote-VoIP    1/0  172.29.3.244  g-HT  ap    6/20/20           0       d8:c7:c8:c2:12:d2  0        11h:35m:22s  1500  -          49   T
d8:c7:c8:83:42:50  Kreisbote-Gast    1/0  172.29.2.243  a-HT  ap    52+/20.5/20.5     0       d8:c7:c8:c0:34:24  0        11h:35m:21s  1500  -          6    T
d8:c7:c8:a1:2d:22  Kreisbote-Intern  1/0  172.29.3.244  g-HT  ap    6/20/20           0       d8:c7:c8:c2:12:d2  0        11h:35m:22s  1500  -          1    T
d8:c7:c8:83:42:51  Kreisbote-VoIP    1/0  172.29.2.243  a-HT  ap    52+/20.5/20.5     0       d8:c7:c8:c0:34:24  0        11h:35m:21s  1500  -          49   T
d8:c7:c8:83:42:52  Kreisbote-Intern  1/0  172.29.2.243  a-HT  ap    52+/20.5/20.5     0       d8:c7:c8:c0:34:24  0        11h:35m:21s  1500  -          1    T
d8:c7:c8:83:3e:60  Kreisbote-Gast    1/2  172.29.2.244  g-HT  ap    1/15.5/15.5       0       d8:c7:c8:c0:33:e6  0        11h:35m:20s  1500  -          6    T
d8:c7:c8:c5:22:b8  Kreisbote-Gast    1/0  172.29.2.250  a-HT  ap    116+/25/25        0       d8:c7:c8:c4:52:2b  0        11h:35m:23s  1500  -          6    T
d8:c7:c8:83:3e:61  Kreisbote-VoIP    1/2  172.29.2.244  g-HT  ap    1/15.5/15.5       0       d8:c7:c8:c0:33:e6  0        11h:35m:20s  1500  -          49   T
d8:c7:c8:c5:22:b9  Kreisbote-VoIP    1/0  172.29.2.250  a-HT  ap    116+/25/25        0       d8:c7:c8:c4:52:2b  0        11h:35m:23s  1500  -          49   T
d8:c7:c8:83:3e:62  Kreisbote-Intern  1/2  172.29.2.244  g-HT  ap    1/15.5/15.5       0       d8:c7:c8:c0:33:e6  0        11h:35m:20s  1500  -          1    T
d8:c7:c8:a1:29:90  Kreisbote-Gast    1/0  172.29.3.243  g-HT  ap    11/20/20          0       d8:c7:c8:c2:12:99  0        11h:35m:22s  1500  -          6    T
d8:c7:c8:a1:2d:28  Kreisbote-Gast    1/0  172.29.3.244  a-HT  ap    108+/25/25        0       d8:c7:c8:c2:12:d2  0        11h:35m:22s  1500  -          6    T
d8:c7:c8:c5:22:ba  Kreisbote-Intern  1/0  172.29.2.250  a-HT  ap    116+/25/25        0       d8:c7:c8:c4:52:2b  0        11h:35m:23s  1500  -          1    T
d8:c7:c8:83:42:40  Kreisbote-Gast    1/0  172.29.2.243  g-HT  ap    1/15.5/15.5       0       d8:c7:c8:c0:34:24  0        11h:35m:21s  1500  -          6    T
d8:c7:c8:a1:29:91  Kreisbote-VoIP    1/0  172.29.3.243  g-HT  ap    11/20/20          1       d8:c7:c8:c2:12:99  0        11h:35m:22s  1500  -          49   T
d8:c7:c8:a1:2d:29  Kreisbote-VoIP    1/0  172.29.3.244  a-HT  ap    108+/25/25        0       d8:c7:c8:c2:12:d2  0        11h:35m:22s  1500  -          49   T
d8:c7:c8:83:42:41  Kreisbote-VoIP    1/0  172.29.2.243  g-HT  ap    1/15.5/15.5       0       d8:c7:c8:c0:34:24  0        11h:35m:21s  1500  -          49   T
d8:c7:c8:a1:29:92  Kreisbote-Intern  1/0  172.29.3.243  g-HT  ap    11/20/20          1       d8:c7:c8:c2:12:99  0        11h:35m:22s  1500  -          1    T
d8:c7:c8:a1:2d:2a  Kreisbote-Intern  1/0  172.29.3.244  a-HT  ap    108+/25/25        0       d8:c7:c8:c2:12:d2  0        11h:35m:22s  1500  -          1    T
d8:c7:c8:c5:20:f0  Kreisbote-Gast    1/0  172.29.3.247  g-HT  ap    1/20/20           0       d8:c7:c8:c4:52:0f  0        11h:35m:22s  1500  -          6    T
d8:c7:c8:83:42:42  Kreisbote-Intern  1/0  172.29.2.243  g-HT  ap    1/15.5/15.5       0       d8:c7:c8:c0:34:24  0        11h:35m:21s  1500  -          1    T
d8:c7:c8:c5:20:f1  Kreisbote-VoIP    1/0  172.29.3.247  g-HT  ap    1/20/20           0       d8:c7:c8:c4:52:0f  0        11h:35m:22s  1500  -          49   T
d8:c7:c8:c5:20:f2  Kreisbote-Intern  1/0  172.29.3.247  g-HT  ap    1/20/20           0       d8:c7:c8:c4:52:0f  0        11h:35m:22s  1500  -          1    T
d8:c7:c8:a1:29:98  Kreisbote-Gast    1/0  172.29.3.243  a-HT  ap    120-/25/25        0       d8:c7:c8:c2:12:99  0        11h:35m:22s  1500  -          6    T
d8:c7:c8:a1:29:99  Kreisbote-VoIP    1/0  172.29.3.243  a-HT  ap    120-/25/25        0       d8:c7:c8:c2:12:99  0        11h:35m:22s  1500  -          49   T
d8:c7:c8:a1:29:9a  Kreisbote-Intern  1/0  172.29.3.243  a-HT  ap    120-/25/25        0       d8:c7:c8:c2:12:99  0        11h:35m:22s  1500  -          1    T
                                                  
Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.


fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always)

Aruba AP BSS Table
------------------
bss                ess               s/p  ip            phy   type  ch/EIRP/max-EIRP  cur-cl  ap name            in-t(s)  tot-t        mtu   acl-state  acl  fm
---                ---               ---  --            ---   ----  ----------------  ------  -------            -------  -----        ---   ---------  ---  --
d8:c7:c8:c5:20:f8  Kreisbote-Gast    1/0  172.29.3.247  a-HT  ap    40-/23/23         0       d8:c7:c8:c4:52:0f  0        11h:35m:28s  1500  -          6    T
d8:c7:c8:c5:20:f9  Kreisbote-VoIP    1/0  172.29.3.247  a-HT  ap    40-/23/23         0       d8:c7:c8:c4:52:0f  0        11h:35m:28s  1500  -          49   T
d8:c7:c8:c5:20:fa  Kreisbote-Intern  1/0  172.29.3.247  a-HT  ap    40-/23/23         0       d8:c7:c8:c4:52:0f  0        11h:35m:28s  1500  -          1    T
d8:c7:c8:c5:22:b0  Kreisbote-Gast    1/0  172.29.2.250  g-HT  ap    11/20/20          1       d8:c7:c8:c4:52:2b  0        11h:35m:29s  1500  -          6    T
00:24:6c:cd:46:e5  N/A               1/3  172.29.241.8  e1    N/A   N/A               N/A     aruba-rap1         0        15h:9m:49s   1200  N/A        1    T

Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.

Num APs:37
Num Associations:3

 

We could'nt get this to work. So we created another AP-group, put the RAP into it, and voilá SSIDs comming up... something very strange is going on here.

Good to hear that the RAP is working but when it was not working did you try this command and see whether it got all its config.

 

show ap debug received-config ap-name <name of AP>

 

You can also use these commands to see if the IPSec tunnel was formed properly

 

(rc1-sunnyvale-3600) #show crypto ipsec sa

 

(rc1-sunnyvale-3600) #show crypto isakmp sa

 

To see whether a AP is active use the command 

 

(rc1-sunnyvale-3600) #show ap active  

 

 

Regards,

Sathya

 

 

Please help on below error  in Aruba rap 2Wg device.

That means it cannot reach the controller.

Dear sir,

Thnks for the reply.
How can it solved.

Connectivity is below in detail.
Leased line(192.168.10.1) conected to fortinet firewall. From firewall already allowed the ip 172.30.30.100 it is the master controller ip. From firewall is connected to hp switch.from hp switch to aruba 2wg device. 2 year it was working fine suddenly network was down on last saturday.

then reset the router many times.and tried to configure e0 to switch and e1 to laptop.while configuring the device at stage 3/4 getting the attached error.


kindly solve this



While configuring

You need to find out if anything has changed with your network configuration when it went down.  You should be allowing udp 4500 to your controller from the outside.  Find out if that was changed, somehow.

Can i have your whatsapp number sir.

Dear sir,

Please, it would great thankful to you if i get your whtsapp number .

Need your expertise help on this issue.


Regards,
Jose

I don't have a whatsapp number, but on the controller, you can type "show datapath session table <public ip address of rap>" to see if the traffic is coming into the controller.

 

Do this, while you are provisioning the AP to see if traffic is coming into the controller...

Dear sir

I have one doubt. If i take this aruba device in another branch location (172.16.59.1) network and try the device to configure. And if it gets configured successfull and bring back the device to orignal location (192.168.10.1) will it work?

It should work everywhere, unless you have UDP 4500 blocked somewhere in the path...

Can i get the customer support number so that they can solve the issue.
Location is from india

http://www.arubanetworks.com/support-services/contact-support/

Hi sir,

Please check and advice.

Your tests might not be conclusive.  The devices between your RAP and the controller might have ICMP and traceroute turned off.

 

Do you have a firewall in front of the controller?

Dear  colin,

 

If i get your number it would more thankful to you.

 

Regards,

jose jesuratnam

Dear sir,

 

Please help me on this.
we have a aruba device rap3 WN.

Mac id is already whitelisted  in Master aruba device. but am getting retrieve image failure error.

Is there a log in the popup Window?

What version of ArubaOS are you running?

Dear Sir,

 

Please, here is attached the pdf file configuration taken from my rap 3 device. kinldy check and help.

 

Regards,

jose jesuratnam