Occasional Contributor I

IAP-105 - provisioned as RAP - status Rc2ID

Hi,


I am looking for an idea of how to solve this problem.

An IAP-105 is provisioned as a RAP to a 650 controller.
When the AP connects to the controller I get the flag Rc2ID.
The same AP, as a RAP connected to the 6000 controller, works without a problem.
Reconnecting to the 650 gives the flag Rc2ID again (both controllers run the same version, 6.3.1.6).

Any idea how to solve this problem?

Re: IAP-105 - provisioned as RAP - status Rc2ID

R = remote
c = certificate based
2 = IKE version
I = Inactive
D = dirty

Validate whether you have AP licenses installed or enough AP licenses left.

show license
show license-usage ap

 

Also check whether the group it is associated to is the proper one.

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
Aruba

Re: IAP-105 - provisioned as RAP - status Rc2ID

The D (dirty) flag could be for a variety of reasons. On the controller that is having a problem, run the following to see if there are any profile errors that may be affecting its functionality on the 650 vs. the M3.

 

show profile-errors

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I

Re: IAP-105 - provisioned as RAP - status Rc2ID




Hi,

 
I checked what RC2ID means before sending this email.

Installed Licenses:
Access Points: 8 + 1
Next Generation Policy Enforcement Firewall Module: 8 + 1

show license-usage ap

AP Licenses
-----------
Type                      Number
----                      ------
AP Licenses               9
PEF Licenses              9
Overall AP License Limit  9

AP Usage
--------
Type             Count
----             -----
Active CAPs      0
Standby CAPs     0
RAPs             2
Remote-node APs  0
Tunneled nodes   0
Total APs        2

Remaining Capacity AP
---------------------
Type  Number
----  ------
CAPs  7
RAPs  7

So it seems that the licensing is all right.

Occasional Contributor I

Re: IAP-105 - provisioned as RAP - status Rc2ID

Hi,


clembo wrote:

The D (dirty) flag could be for a variety of reasons. On the controller that is having a problem, run the following to see if there are any profile errors that may be affecting its functionality on the 650 vs. the M3.

 

show profile-errors


show profile-errors

Invalid Profiles
----------------
Profile  Error
-------  -----

There are no errors and it does not work.

I checked the logs, and this is what I found.
On the 650 controller:

show log user all | include VPN

May 22 08:45:14 :522018:  <WARN> |authmgr|  MAC=00:00:00:00:00:00 IP=?? Derived unknown role 'N/A' from server rules: server-group=default, authentication=VPN

 

But on the 6000:

May 22 08:47:40 :522038:  <INFO> |authmgr|  username=9c:1c:12:c9:65:61 MAC=9c:1c:12:c9:65:61 IP=79.187.221.239 Authentication result=Authentication Successful method=VPN server=Internal
May 22 08:47:40 :522017:  <INFO> |authmgr|  MAC=00:00:00:00:00:00 IP=?? Derived role 'N/A' from server rules: server-group=default, authentication=VPN
May 22 08:47:40 :522018:  <WARN> |authmgr|  MAC=00:00:00:00:00:00 IP=?? Derived unknown role 'N/A' from server rules: server-group=default, authentication=VPN
May 22 08:47:40 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=9c:1c:12:c9:65:61 MAC=00:00:00:00:00:00 IP=10.1.1.40 role=ap-role VLAN=0 AP=N/A SSID=N/A AAA profile=default-rap auth method=VPN auth server=Internal
May 22 08:47:40 :522050:  <INFO> |authmgr|  MAC=00:00:00:00:00:00,IP=10.1.1.40 User data downloaded to datapath, new Role=ap-role/4, bw Contract=0/0, reason= IP up for non VPN transport, idle-timeout=300
May 22 08:47:40 :522050:  <INFO> |authmgr|  MAC=00:00:00:00:00:00,IP=79.187.221.239 User data downloaded to datapath, new Role=logon/1, bw Contract=0/0, reason=IP up for non VPN transport for external user, idle-timeout=300
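
The difference between the two log excerpts above can be made explicit by parsing the authmgr lines and listing which message IDs the working controller logged that the failing one did not. This is an added example, not part of the original posts; the sample lines are copied from the thread (the 6000 excerpt is trimmed), and the function names are illustrative.

```python
import re

# Sample input: authmgr lines copied from the thread (6000 excerpt trimmed).
LOG_650 = """\
May 22 08:45:14 :522018:  <WARN> |authmgr|  MAC=00:00:00:00:00:00 IP=?? Derived unknown role 'N/A' from server rules: server-group=default, authentication=VPN
"""
LOG_6000 = """\
May 22 08:47:40 :522038:  <INFO> |authmgr|  username=9c:1c:12:c9:65:61 MAC=9c:1c:12:c9:65:61 IP=79.187.221.239 Authentication result=Authentication Successful method=VPN server=Internal
May 22 08:47:40 :522018:  <WARN> |authmgr|  MAC=00:00:00:00:00:00 IP=?? Derived unknown role 'N/A' from server rules: server-group=default, authentication=VPN
May 22 08:47:40 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=9c:1c:12:c9:65:61 MAC=00:00:00:00:00:00 IP=10.1.1.40 role=ap-role VLAN=0 AP=N/A SSID=N/A AAA profile=default-rap auth method=VPN auth server=Internal
"""

# ":<6-digit id>:  <SEVERITY> |authmgr|  <body>"
LINE_RE = re.compile(r":(\d{6}):\s+<(\w+)>\s+\|authmgr\|\s+(.*)")

def summarize(log_text):
    """Collect message IDs and the VPN auth outcome from authmgr lines."""
    summary = {"ids": [], "auth_result": None, "role": None, "inner_ip": None}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authmgr line
        msg_id, _severity, body = m.groups()
        summary["ids"].append(msg_id)
        if msg_id == "522038":  # "Authentication result=..." line
            r = re.search(r"Authentication result=(.+?) method=", body)
            summary["auth_result"] = r.group(1) if r else None
        elif msg_id == "522008":  # "User Authentication Successful" line
            role = re.search(r"\brole=(\S+)", body)
            ip = re.search(r"\bIP=(\S+)", body)
            summary["role"] = role.group(1) if role else None
            summary["inner_ip"] = ip.group(1) if ip else None
    return summary

def missing_steps(working, failing):
    """Message IDs logged on the working controller but absent on the failing one."""
    seen = set(failing["ids"])
    return [i for i in working["ids"] if i not in seen]

if __name__ == "__main__":
    s650, s6000 = summarize(LOG_650), summarize(LOG_6000)
    print("650 :", s650)
    print("6000:", s6000)
    print("absent on 650:", missing_steps(s6000, s650))
```
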

Guru Elite

Re: IAP-105 - provisioned as RAP - status Rc2ID

In the ap system profile of that ap-group, do you have an LMS-ip?  If you do, is it a private ip address?  If yes, please remove the LMS-IP and try again.  It looks like you are making a connection, but your RAP could be redirected to an unreachable private ip address.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: IAP-105 - provisioned as RAP - status Rc2ID


cjoseph wrote:

In the ap system profile of that ap-group, do you have an LMS-ip?  If you do, is it a private ip address?  If yes, please remove the LMS-IP and try again.  It looks like you are making a connection, but your RAP could be redirected to an unreachable private ip address.


Hi,

I do not set the LMS-IP.
The VPN tunnel is connected - when I connect to the AP via console cable I can ping the local address of the controller (I left it at the default, 172.16.0.254).

 

 

====

#show crypto ipsec sa


IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
81.18.220.1      213.241.33.58    7cbc6500/8e6dfe00  UT2   May 23 10:22:08   192.168.202.2

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 1

#show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
81.18.220.1      213.241.33.58  r-v2-c-R  May 23 10:22:07   192.168.202.2

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1


#show datapath session table | include 4500
213.241.33.58   81.18.220.1     17   4500  64247  0/0     0 0   18  1/5         c8f  0         0          F
81.18.220.1     213.241.33.58   17   64247 4500   0/0     0 0   0   1/5         c8f  0         0          FC
====

 

LG

 

Guru Elite

Re: IAP-105 - provisioned as RAP - status Rc2ID

This might be a difficult one if you don't open a support case. The #1 reason for dirty in RAPs is the LMS-IP, the #2 being licensing, and #3 is a profile error like Clembo says. #4 is usually that we are not allowing the correct firewall ports (which you are), or you have modified the logon or default-rap role so that it is blocking some traffic.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: IAP-105 - provisioned as RAP - status Rc2ID


cjoseph wrote:

This might be a difficult one if you don't open a support case. The #1 reason for dirty in RAPs is the LMS-IP, the #2 being licensing, and #3 is a profile error like Clembo says. #4 is usually that we are not allowing the correct firewall ports (which you are), or you have modified the logon or default-rap role so that it is blocking some traffic.


Thanks,

 

I will open a support case and tell you later where the problem was.

 

LG

Aruba Employee

Re: IAP-105 - provisioned as RAP - status Rc2ID

Do you have IP nat inside enabled on the controller's management VLAN?
