Wireless Access

Contributor I

IPSEC tunnel flapping


I'm experiencing this problem:

Continual Changes to the L2TP IP address
If you use the show user-table command or show crypto ipsec sa command several times and see
a different L2TP IP address in each instance of command output for the same peer, this may indicate
IPsec tunnel flapping.

And the APs don't become active.

The network design is the following:

Controller <--> Firewall <--> Private WAN <--> Branch offices with AP-105s working as RAPs.

Only one of the branch offices is having the problem. This branch office was provisioned and working fine before. The firewall is managing all the branches with a /16 network, so they all have the same firewall policy applied.

The Virtual Branch Networks VRD guide indicates that the problem could be packet loss on the path. We are checking the WAN, but I am not sure that this is the problem.

The IPsec tunnel is established but is deleted automatically.

Mar 25 17:02:59 :103063:  <DBUG> |ike|   ipc_mocana_setup_ipsec_dp_sa sa src=[controller ip]:4500,dst=[ap ip address]:49196,srcnet: dstnet:
Mar 25 17:02:59 :103063:  <DBUG> |ike|   ipc_mocana_setup_ipsec_dp_sa innerip:
Mar 25 17:02:59 :103063:  <DBUG> |ike|   ipc_mocana_setup_ipsec_dp_sa: out:0 natt:1 mode:1 proto:1 cipher:4 auth:2 spi:f1858700 oppspi:1eaac200 esrc:a3cbb05 edst:ac13000a dstnet:0 dstmask:0 nattport:49196 trust:0 dpd:0
Mar 25 17:02:59 :103063:  <DBUG> |ike|    Setup the IPSEC SA --- DONE  !!
Mar 25 17:02:59 :103063:  <DBUG> |ike|   IKE_deleteSaByInnerIPExtIP delete IKE SA [ap ip address]:(inner:
Mar 25 17:02:59 :103063:  <DBUG> |ike|   IKE2_delSa sa:0x1027bcb4 peer:[ap ip address]:49196 id:2395091297 err:-90035 saflags:51 arflags
Mar 25 17:02:59 :103063:  <DBUG> |ike|   IKE2_delSa before IKE2_delXchg
Mar 25 17:02:59 :103063:  <DBUG> |ike|   IKE2_delSa before send-info-delete
Mar 25 17:02:59 :103063:  <DBUG> |ike|   IKE2_newXchg oExchange:37 bReq:1 dwMsgId:0
Mar 25 17:02:59 :103063:  <DBUG> |ike|     I -->   Deleted: 1  IKE_ SA
Mar 25 17:02:59 :103063:  <DBUG> |ike|       IKE2_delSa(peer=[ap ip address] cookies={4dd3806355a42b0d 8b673f041231a876})
Mar 25 17:02:59 :103063:  <DBUG> |ike|    spi={4dd3806355a42b0d 8b673f041231a876} np=E{D}
Mar 25 17:02:59 :103063:  <DBUG> |ike|    exchange=INFORMATIONAL msgid=0 len=76
Mar 25 17:02:59 :103063:  <DBUG> |ike|   #SEND 80 bytes to [ap ip address](49196) (966281.195)
Mar 25 17:02:59 :103040:  <INFO> |ike|  IKE XAuth idle timeout for (External [ap ip address])

(CONTROLLER) # show crypto ipsec sa peer [ap ip address]

 Initiator IP: [ap ip address]
 Responder IP: [controller ip]
 Initiator: No
 SA Creation Date: Mon Mar 25 18:02:47 2013
 Life secs: 7200
 Exchange Type: IKE_SA (IKEV2)
 Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1
 Encapsulation Mode Tunnel
 PFS: no
 IN SPI: C4D97C00, OUT SPI: A6F6A100
 CFG Inner-IP
 Responder IP: [controller ip]

(CONTROLLER) #show crypto isakmp sa peer [ap ip address]

 Initiator IP: [ap ip address]
 Responder IP: [controller ip]
 Initiator: No
 Initiator cookie:f2fd63d2447a327a Responder cookie:53b6f205a6625f45
 SA Creation Date: Mon Mar 25 18:03:52 2013
 Life secs: 28800
 Initiator Phase1 ID: CN=BE0313093::d8:c7:c8:c6:c9:03
 Responder Phase1 ID: CN=A00012152::00:0b:86:14:9e:80 L=SW
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:EncrAlg:AES HashAlg:HMAC_SHA1_96 DHGroup:2
 Authentication Method: RSA Digital Signature 2048-bits
 CFG Inner-IP
 IPSEC SA Rekey Number: 0
 Aruba AP

The D flag appears in the datapath session table.

(CONTROLLER) #show datapath session table [ap ip address]

Datapath Session Table Entries

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       u - User Index

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----
[ap ip address]     [controller ip]     17   49352 4500   0/0     0 0   0   pc0         10   10e    1f4d   FC
                                                  0/0     0 0   149 pc0                            FYC
[controller ip]     [ap ip address]     17   4500  49352  0/0     0 0   1   pc0         10   ce     ce     F
                                                  0/0     0 0   0   pc0                            FY
[controller ip]     [ap ip address]     17   4500  49174  0/0     0 0   0   local       6    ce     ce     FDYC
                                                  0/0     0 0   149 local                          FDYC

Any ideas about what could be the cause of the problem? The only test we haven't done is to purge or factory-reset the AP.
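The VRD text quoted at the top of this post gives a manual test for flapping: run show crypto ipsec sa several times and watch whether the SA for the same peer keeps changing. The debug log above shows the same thing from the other side, an ipc_mocana_setup_ipsec_dp_sa followed almost immediately by IKE2_delSa for the same peer. The script below is an added example (not from the thread, not Aruba code) that automates both checks: it pairs setup and delete lines per peer and flags pairs that fall inside a short window, and it diffs successive captures of show crypto ipsec sa peer on creation date and SPIs. The log lines and snapshots are constructed from the formats shown in the thread, with placeholder addresses 10.0.0.1 (controller) and 10.20.30.4x (APs); the err code is reported as-is, since its meaning is not documented here.

```python
"""Flag IPsec tunnel flapping from Aruba controller IKE debug logs and repeated
'show crypto ipsec sa peer' captures.  Added example; all sample data is constructed."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Patterns follow the controller debug format shown in the thread.
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
SETUP_RE = re.compile(TS + r" .*ipc_mocana_setup_ipsec_dp_sa sa src=[^,]+,dst=(?P<peer>[^:,\s]+):\d+")
DELETE_RE = re.compile(TS + r" .*IKE2_delSa sa:\S+ peer:(?P<peer>[^:\s]+):\d+ id:\d+ err:(?P<err>-?\d+)")


def _parse_ts(text: str) -> datetime:
    # Syslog timestamps carry no year; deltas within one capture do not need it.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_flaps(log_lines: List[str], window_s: int = 10) -> List[Tuple[str, int, int]]:
    """Return (peer, seconds_between_setup_and_delete, err) for every SA that was
    torn down within window_s seconds of being installed in the datapath."""
    last_setup: Dict[str, datetime] = {}
    flaps: List[Tuple[str, int, int]] = []
    for line in log_lines:
        m = SETUP_RE.search(line)
        if m:
            last_setup[m.group("peer")] = _parse_ts(m.group("ts"))
            continue
        m = DELETE_RE.search(line)
        if m:
            peer = m.group("peer")
            t_up: Optional[datetime] = last_setup.pop(peer, None)
            if t_up is None:
                continue  # delete with no preceding setup in this capture
            delta = int((_parse_ts(m.group("ts")) - t_up).total_seconds())
            if 0 <= delta <= window_s:
                flaps.append((peer, delta, int(m.group("err"))))
    return flaps


# Fields of 'show crypto ipsec sa peer' output that change when an SA is rebuilt.
SNAP_FIELDS = {
    "created": re.compile(r"SA Creation Date: (.+)"),
    "in_spi": re.compile(r"IN SPI: ([0-9A-Fa-f]+)"),
    "out_spi": re.compile(r"OUT SPI: ([0-9A-Fa-f]+)"),
}


def parse_sa_snapshot(text: str) -> Dict[str, Optional[str]]:
    return {name: (m.group(1).strip() if (m := rx.search(text)) else None)
            for name, rx in SNAP_FIELDS.items()}


def snapshot_churn(snapshots: List[str]) -> List[List[str]]:
    """For each pair of successive captures, list the fields that changed.  A new
    creation date and new SPIs well inside 'Life secs' means the SA was rebuilt,
    which is the symptom the VRD describes as tunnel flapping."""
    parsed = [parse_sa_snapshot(s) for s in snapshots]
    return [sorted(k for k in SNAP_FIELDS if prev[k] != cur[k])
            for prev, cur in zip(parsed, parsed[1:])]


# Constructed sample log: one flapping peer, one healthy peer, one normal teardown.
SAMPLE_LOG = [
    "Mar 25 15:00:00 :103063:  <DBUG> |ike|   ipc_mocana_setup_ipsec_dp_sa sa src=10.0.0.1:4500,dst=10.20.30.42:50001,srcnet: dstnet:",
    "Mar 25 17:02:59 :103063:  <DBUG> |ike|   ipc_mocana_setup_ipsec_dp_sa sa src=10.0.0.1:4500,dst=10.20.30.40:49196,srcnet: dstnet:",
    "Mar 25 17:02:59 :103063:  <DBUG> |ike|    Setup the IPSEC SA --- DONE  !!",
    "Mar 25 17:02:59 :103063:  <DBUG> |ike|   IKE2_delSa sa:0x1027bcb4 peer:10.20.30.40:49196 id:2395091297 err:-90035 saflags:51 arflags",
    "Mar 25 17:02:59 :103063:  <DBUG> |ike|   IKE2_delSa sa:0x1027c000 peer:10.20.30.42:50001 id:1 err:0 saflags:51 arflags",
    "Mar 25 17:03:05 :103063:  <DBUG> |ike|   ipc_mocana_setup_ipsec_dp_sa sa src=10.0.0.1:4500,dst=10.20.30.41:49300,srcnet: dstnet:",
]

# Constructed captures of 'show crypto ipsec sa peer 10.20.30.40', taken ~1 minute apart.
SAMPLE_SNAPSHOTS = [
    " Initiator IP: 10.20.30.40\n SA Creation Date: Mon Mar 25 18:02:47 2013\n Life secs: 7200\n IN SPI: C4D97C00, OUT SPI: A6F6A100\n",
    " Initiator IP: 10.20.30.40\n SA Creation Date: Mon Mar 25 18:03:52 2013\n Life secs: 7200\n IN SPI: F1858700, OUT SPI: 1EAAC200\n",
    " Initiator IP: 10.20.30.40\n SA Creation Date: Mon Mar 25 18:03:52 2013\n Life secs: 7200\n IN SPI: F1858700, OUT SPI: 1EAAC200\n",
]

if __name__ == "__main__":
    for peer, secs, err in find_flaps(SAMPLE_LOG):
        print(f"flap: peer {peer} SA deleted {secs}s after setup (err {err})")
    for i, changed in enumerate(snapshot_churn(SAMPLE_SNAPSHOTS), start=1):
        print(f"capture {i}->{i + 1}: changed {changed or 'nothing'}")
```

On the constructed input this reports the 10.20.30.40 SA as deleted 0 seconds after setup and shows the first two captures differing on all three fields, while the peer that was torn down two hours after setup and the peer with no delete are left alone. Feed it the output of the controller's logging and a few timed captures of show crypto ipsec sa peer to get the same answer the VRD asks you to read off by eye.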


Guru Elite

Re: IPSEC tunnel flapping

This can be a very complicated problem.


Please open a TAC case to get to the bottom of it.


Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
Contributor I

Re: IPSEC tunnel flapping

Hi Colin,


In the end the VRD was right. There was a problem with the WAN line of the branch office; it had wrong synchronization parameters.


Once the line problem was solved, the APs came up.





Guru Elite

Re: IPSEC tunnel flapping

Glad to hear you fixed it!

Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.