Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

One RAP Connects but others don't.

  • 1.  One RAP Connects but others don't.

    Posted Oct 03, 2012 12:23 AM

    Hey Airheads,

    I have a strange situation.

    I have a new controller that I have configured to whitelist a group of RAPs. All of the APs are in the same profiles and everything seems to be correct, but only ONE RAP will come up on the controller.

    Then I thought it might be something with the network I was testing from, so I took one to another ISP termination. Nothing changed.

    In the controller GUI I rebooted the one connected RAP-5 and one of the other RAP-5s connected. That now is the only RAP-5 on the controller. I can do this all day... as long as I reboot the active RAP-5, one of the others will connect within a minute or two.

    What am I missing?

    I'm using SW version 6.1.3.4 (I had upgraded from 6.1.3.1, which was showing the same issue).

    Regards



  • 2.  RE: One RAP Connects but others don't.

    EMPLOYEE
    Posted Oct 03, 2012 12:44 AM

    How big is your VPN pool for your RAPs?

     



  • 3.  RE: One RAP Connects but others don't.

    Posted Oct 03, 2012 07:58 AM

    At this time I have licenses installed for 9 RAPs. I am only testing with 3 out of the box.

    There is a single controller that is configured with an AP pool internal address range of 200 IPs. RAP1 gets 10.1.1.11, RAP2 gets 10.1.1.12 and so on for the internal tunnel.

    User traffic is being put on VLAN 100, which has a local DHCP server range of a /24. Only one host PC is attached to each RAP during this test, so no address exhaustion should be happening.

    I don't imagine that I would need to configure a VLAN pool since there is no expectation that this will exceed the /24 in the near future.

    G.



  • 4.  RE: One RAP Connects but others don't.

    EMPLOYEE
    Posted Oct 03, 2012 08:04 AM

    Okay,

    You need to type "show datapath session table | include 4500" on the controller command line to see if any traffic is indeed coming into the controller on port 4500.

    If traffic is coming in, you need to type "show crypto ipsec sa" to see if the second AP is even trying to come up.

     

     



  • 5.  RE: One RAP Connects but others don't.

    Posted Oct 03, 2012 10:07 AM

    It appears that the two APs that I have powered on at this time are both building a tunnel: bidirectional 4500 sessions and an IPsec SA for each (note inner IPs 10.1.1.12 and 10.1.1.13).

    This is very good information to identify in the controller to verify the RAPs can reach the controller, and it helps confirm my suspicion that the APs were getting their configs, but I am not clear on what would be causing the first RAP to be the only one that provides access.

    The working RAP has a solid power LED while the one that doesn't fully come up has a slow blinking green LED.

    I've included a copy of the command output and replaced some digits with XX and YY to protect the "innocent". :-)

     

     #show datapath session table | include 4500

     

    XX.82.2.180    YY.1.8.71     17   49419 4500   0/0     0 0   1   1/2         4a   5      5      FC
    XX.82.2.180    YY.1.8.71     17   49180 4500   0/0     0 0   0   1/2         761b 0      0      FC
    YY.1.8.71     XX.82.2.180    17   4500  49419  0/0     0 0   4   1/2         4a   2      2      F
    YY.1.8.71     XX.82.2.180    17   4500  49180  0/0     0 0   6   1/2         761b 2      2      F

     #show crypto ipsec sa


    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
    ------------     ------------     ----------------   ----- ---------------   --------

    XX.82.2.180     YY.1.8.71      1d22c300/f7514200  UT2   Oct  3 20:48:48   10.1.1.12
    XX.82.2.180     YY.1.8.71      46a9b400/4a57600   UT2   Oct  3 20:56:53   10.1.1.13

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

    Total IPSEC SAs: 2



  • 6.  RE: One RAP Connects but others don't.

    Posted Oct 03, 2012 01:42 PM

    An interesting note for the second and third RAP-5 trying to connect: the IPSEC SA shows a Y at the end indicating a "no Syn", but it's not all of the time.

     

    Greg

     



  • 7.  RE: One RAP Connects but others don't.

    EMPLOYEE
    Posted Oct 03, 2012 01:46 PM

    Wait... Are both APs at the same site? It is possible that the router at that site cannot pass more than one IPsec tunnel. Did you try at different sites?

     



  • 8.  RE: One RAP Connects but others don't.

    Posted Oct 04, 2012 01:00 AM

    Good evening/morning CJoseph,

    I was thinking that there could be an issue with the router/firewall at home where I was testing from, so I set up a pair at the office and pointed those to the private side of the controller. I would love to use the loopback, but corporate security limits who can access the digital doors to the roach motel.

    Anyway, the ones at the office had the same issue.

    As of an hour ago the problem has been CORRECTED!

    A little history here:

    I upgraded from 6.1.3.1 on Friday to 6.1.3.4, which took care of several little bugs I was concerned about, and it also helped me get my first AP online. Somewhere along the line the licenses that I had added in 6.1.3.1 went away, and I was left with only 1 AP license, which explains EXACTLY why I was seeing only one AP come up.

    I would be kicking myself in the backside right now, but I KNOW the licenses were in there before the upgrade.

    • Yesterday, I even tried reading the licenses, but this time I used the License Wizard. All seemed good and no errors were reported when I was adding the licenses in the Wizard.
    • Checked the "AP Count" and it said I had 9 AP licenses and 9 RAP licenses in the pool - sounds good, right?
    • I went back in today to bring up the list of licenses and again, only one AP license. The pool still showed 9, but the License tab in the Config -> Controller window only showed 1 license. Where are the other 8 licenses that the license pool is reporting???
    • I experimented with adding the licenses with the CLI and the License tab in the GUI under Config > Controller > License (not the wizard).
    • I was able to add and visibly verify the key was being displayed properly this time.

    I now have my 4 test RAP-5s working!!!!

    Note that my AP and RAP pool shows 15, but I don't actually have that many legit licenses in my possession. This is a concern, but at least I can feel confident in my configuration at this time.

    Note to self... USE THE CLI!!! Although 6.1.3.4 fixed a lot of the bugs, there is something not right with the license wizard.

    Thank you for your help CJoseph. Your recommendations helped me ensure the RAP-5s were actually talking to the controller, since we did see the IPsec tunnels up. They just weren't "allowed" due to a strange license issue. I have two other controllers in different parts of the world and I'm going to see if I can replicate the problem on them as well. Is there a good way to get my results to support?

    Greg
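The diagnostic sequence this thread walks through (UDP 4500 sessions in both directions, an IPsec SA with an inner pool IP per RAP, and finally the license count) can be scripted as a triage check. The example below is added here and is not from the thread or from HPE Aruba Networking; the two command outputs are constructed samples modelled on post 5 with RFC 5737 documentation addresses in place of the masked XX/YY values, and the column positions assumed for both tables come only from that post.

```python
import re

# Constructed sample modelled on the thread's `show datapath session table | include 4500`
# output; RFC 5737 documentation addresses replace the masked XX/YY values.
DATAPATH_SAMPLE = """\
203.0.113.180  198.51.100.71  17  49419 4500   0/0  0 0  1  1/2  4a    5  5  FC
203.0.113.180  198.51.100.71  17  49180 4500   0/0  0 0  0  1/2  761b  0  0  FC
198.51.100.71  203.0.113.180  17  4500  49419  0/0  0 0  4  1/2  4a    2  2  F
198.51.100.71  203.0.113.180  17  4500  49180  0/0  0 0  6  1/2  761b  2  2  F
"""
# Constructed sample modelled on the thread's `show crypto ipsec sa` table.
IPSEC_SAMPLE = """\
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
203.0.113.180   198.51.100.71   1d22c300/f7514200  UT2   Oct  3 20:48:48   10.1.1.12
203.0.113.180   198.51.100.71   46a9b400/4a57600   UT2   Oct  3 20:56:53   10.1.1.13
Total IPSEC SAs: 2
"""
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def nat_t_sessions(datapath):
    """Peer (ip, port) pairs whose UDP/4500 session is seen in BOTH directions."""
    inbound, outbound = set(), set()
    for f in (line.split() for line in datapath.splitlines()):
        if len(f) < 5 or f[2] != "17":          # protocol 17 = UDP only
            continue
        if f[4] == "4500":                       # RAP -> controller
            inbound.add((f[0], f[3]))
        elif f[3] == "4500":                     # controller -> RAP
            outbound.add((f[1], f[4]))
    return inbound & outbound

def ipsec_inner_ips(ipsec):
    """Map each SA's inner (AP pool) IP to its flags, e.g. 'UT2' = UDP encap, tunnel, IKEv2."""
    rows = (line.split() for line in ipsec.splitlines())
    return {f[-1]: f[3] for f in rows if len(f) >= 6 and IPV4.match(f[0]) and IPV4.match(f[-1])}

def triage(datapath, ipsec, licensed_raps):
    """Cross-check tunnels against the RAP license count, the mismatch the thread ends on."""
    sessions = nat_t_sessions(datapath)
    inner = sorted(ipsec_inner_ips(ipsec))
    over = inner[licensed_raps:]                 # SAs beyond what the licenses let come up
    if not sessions:
        verdict = "no UDP 4500 traffic reaching the controller: check the path/firewall"
    elif len(inner) < len(sessions):
        verdict = "NAT-T sessions without matching SAs: IKE is not completing"
    elif over:
        verdict = "tunnels up but %d RAP(s) exceed %d license(s): check licenses" % (len(over), licensed_raps)
    else:
        verdict = "tunnels up and within license count"
    return {"sessions": len(sessions), "inner_ips": inner, "over_license": over, "verdict": verdict}
```

With the thread's figures (two SAs up, one visible AP license) `triage(DATAPATH_SAMPLE, IPSEC_SAMPLE, 1)` flags 10.1.1.13 as the RAP that has a tunnel but no license to come up on; the real license count comes from the controller's License tab or CLI, not from the pool total the wizard reported.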

     

     

     



  • 9.  RE: One RAP Connects but others don't.

    EMPLOYEE
    Posted Oct 04, 2012 01:20 AM

    There is a bug where if you paste in a license certificate that is not valid, it would not alert you. I will see how we can get this addressed.