Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Problem with RAP

  • 1.  Problem with RAP

    Posted Feb 08, 2013 08:04 AM

    Dear Friends,

    I am trying to configure a RAP-2WG with an Aruba200 controller. When I connect the RAP to the controller it shows up, but when I provision the AP to any AP Group it does not come up and shows as down.

    Details of the configuration are in the attached file. Please have a look at it and advise.

    Attachment(s)

    docx
    RAP Problem.docx   18 KB 1 version


  • 2.  RE: Problem with RAP

    Posted Feb 08, 2013 08:15 AM

    In your log, I can see the following error:

     

    No ISAKMP PSK found for peer 192.168.2.125

    1. Did you configure the right VPN settings (ones that allow you to use cert or user/password/shared)?

    2. Did you whitelist this RAP?

    3. Seems like a cert/secret issue.

    Another thing that you might want to check (that might be sending the wrong internal controller address to the RAP unit):

    Do you have any LMS or BACKUP LMS configured in the default AP-system-profile, or in the AP-system-profile that is attached to any of those groups?

    It seems that after you provision the RAP, it is getting some wrong configuration (might be the LMS and BACKUP LMS - check it).

    Update us if it solves your issue.

     

    Me.



  • 3.  RE: Problem with RAP

    Posted Feb 08, 2013 08:58 AM
    Thank you, please see the response:

    1. Did you configure the right VPN settings (ones that allow you to use cert or user/password/shared)?
    I think there is some problem with the VPN settings but I am not able to find where the problem exists. Please do let me know what setting preview is required to resolve this issue.

    2. Did you whitelist this RAP?
    Yes
    3. Seems like a cert/secret issue.
    Tried both certificate and PSK. Tried with a different username and password and a different PSK as well.


  • 4.  RE: Problem with RAP

    Posted Feb 08, 2013 09:01 AM

    What about the LMS / BACKUP LMS setting in the ap-system-profile? Is there any configuration there that you did? Did you check it also?



  • 5.  RE: Problem with RAP

    Posted Feb 08, 2013 09:14 AM
    What about the LMS / BACKUP LMS setting in the ap-system-profile? Is there any configuration there that you did? Did you check it also?

    I just added the LMS IP in that. Below is the output for your reference:


    (ICI) #show ap system-profile MyAPSysProfile

    AP system profile "MyAPSysProfile"
    ----------------------------------
    Parameter Value
    --------- -----
    LMS IP 192.168.2.222
    Backup LMS IP N/A
    LMS Preemption Disabled
    LMS Hold-down Period 600 sec
    Number of IPSEC retries 360
    LED operating mode (AP-9x/AP-10x/AP-12x/RAP-5x only) normal
    RF Band g
    Double Encrypt Disabled
    Native VLAN ID 1
    SAP MTU N/A
    Bootstrap threshold 8
    Request Retry Interval 10 sec
    Maximum Request Retries 10
    Keepalive Interval 60 sec
    Dump Server N/A
    Telnet Disabled
    SNMP sysContact N/A
    AeroScout RTLS Server N/A
    RTLS Server configuration N/A
    Remote-AP DHCP Server VLAN N/A
    Remote-AP DHCP Server Id 192.168.11.1
    Remote-AP DHCP Default Router 192.168.11.1
    Remote-AP DHCP DNS Server N/A
    Remote-AP DHCP Pool Start 192.168.11.2
    Remote-AP DHCP Pool End 192.168.11.254
    Remote-AP DHCP Pool Netmask 255.255.255.0
    Remote-AP DHCP Lease Time 0 days
    Remote-AP Backup Ports Enabled
    Remote-AP uplink total bandwidth 0 kbps
    Remote-AP bw reservation 1 N/A
    Remote-AP bw reservation 2 N/A
    Remote-AP bw reservation 3 N/A
    Heartbeat DSCP 0
    Session ACL allowall
    Corporate DNS Domain N/A
    Maintenance Mode Disabled
    WISPr Location-ID ISO Country Code N/A
    WISPr Location-ID E.164 Country Code N/A
    WISPr Location-ID E.164 Area Code N/A
    WISPr Location-ID SSID/Zone N/A
    WISPr Operator Name N/A
    WISPr Location Name N/A
    Remote-AP Local Network Access Disabled



  • 6.  RE: Problem with RAP

    EMPLOYEE
    Posted Feb 08, 2013 09:01 AM

    Did you set the preshared key on the controller?  Did you set a username and password in the controller's local database for that AP?

     

    You do not need to enter the AP into the whitelist, because that is for only certificate-based APs and of course, that will not work.



  • 7.  RE: Problem with RAP

    Posted Feb 08, 2013 09:10 AM
    Hi Joseph



    Did you set the preshared key on the controller?
    Yes, with this command:
    crypto isakmp key aruba123 address 10.10.123.0 netmask 255.255.255.0

    Did you set a username and password in the controller's local database for that AP?
    Yes


    You do not need to enter the AP into the whitelist, because that is for only certificate-based APs and of course, that will not work.
    I tried both, I mean once with PSK and again with adding it to the whitelist.
    Please confirm: if the AP is in the whitelist, will it not get connected via PSK?


  • 8.  RE: Problem with RAP

    Posted Feb 08, 2013 09:02 AM
    Thank You Kdisc

    Please see this

    It seems that after you provision the RAP, it is getting some wrong configuration (might be the LMS and BACKUP LMS - check it)

    LMS IP is correct but no LMS IP is available so not provided


  • 9.  RE: Problem with RAP

    Posted Feb 08, 2013 09:04 AM

    ok.



  • 10.  RE: Problem with RAP

    EMPLOYEE
    Posted Feb 08, 2013 09:04 AM

    @syedmuradali wrote:
    Thank You Kdisc

    Please see this

    It seems that after you provision the RAP, it is getting some wrong configuration (might be the LMS and BACKUP LMS - check it)

    LMS IP is correct but no LMS IP is available so not provided

    The LMS IP should be blank.  The problem is that the AP does not connect via IPSEC in the first place, which has to happen even before the LMS-IP is applied.  We need to troubleshoot that portion first.

     



  • 11.  RE: Problem with RAP

    Posted Feb 08, 2013 09:06 AM

    But if the RAP unit is connecting to an AP-GROUP with LMS/BACKUP LMS with an internal address, after the provisioning process and the reboot the RAP will be down.

    That's the reason I told him to check it. (And yes, on RAP groups it should be blank.)

     



  • 12.  RE: Problem with RAP

    EMPLOYEE
    Posted Feb 08, 2013 09:09 AM

    @kdisc98 wrote:

    But if the RAP unit is connecting to an AP-GROUP with LMS/BACKUP LMS with an internal address, after the provisioning process and the reboot the RAP will be down.

    That's the reason I told him to check it. (And yes, on RAP groups it should be blank.)


    That is a fair assessment.

     

    The AP must connect via IPSEC to get the LMS/Backup LMS instructions, so if the IPSEC connection is not happening, it cannot even get to that point.

     

    APs that have the LMS set to another controller connect via IPSEC successfully and get redirected to that blackhole, creating the "AP Down" situation.  The AP must connect via IPSEC successfully to the first controller to even get into that condition...

     



  • 13.  RE: Problem with RAP

    Posted Feb 08, 2013 09:16 AM

    Yep. That's the reason that I thought about it (about the AP-system-profile LMS/BACKUP LMS)... he wrote that the RAP is connecting to the controller but going down after provisioning...

     



  • 14.  RE: Problem with RAP

    Posted Feb 08, 2013 09:15 AM


    The LMS IP, should be blank. The problem is that the AP does not connect via IPSEC in the first place, which has to happen even before the LMS-IP is applied. We need to troubleshoot that portion first.

    LMS IP has been removed but still facing the same problem


  • 15.  RE: Problem with RAP

    Posted Feb 08, 2013 09:17 AM

    But in the beginning you wrote:

    syedmuradali
    Posts: 86
    Registered: ‎09-26-2012
    Problem with RAP

    Dear Friends,

    I am trying to configure RAP-2WG with Aruba200 controller. When i connect RAP with controller its show up but when I provision the AP to any AP



  • 16.  RE: Problem with RAP

    Posted Feb 08, 2013 09:23 AM
    Hi Kdisc,
    I am sorry, I don't understand what you mean to say.
    Let me explain again what the problem is.
    I reset the RAP to factory default and connected it to the controller, and it shows up. But when I provision it, the RAP shows down.
    This was happening when the LMS IP was blank. After this I added the LMS IP but the problem remained the same. So now I have removed the LMS as per CJoseph's instructions.


  • 17.  RE: Problem with RAP

    EMPLOYEE
    Posted Feb 08, 2013 09:21 AM

    Okay.

     

    Did you put an IPSEC preshared key on the controller?:

    shared.PNG

     

    Did you enter a username and password into the local user database for that AP?:

    localdb.PNG

     

     

    And did you provision the IPSEC key from the first step and the username and password from the second step into the AP?:

     

    rap-provision.PNG



  • 18.  RE: Problem with RAP

    Posted Feb 08, 2013 09:30 AM

    Yes CJoseph, I have performed all these steps. See the attached screenshot, maybe you can help me.

     

     



  • 19.  RE: Problem with RAP
    Best Answer

    Posted Feb 08, 2013 09:32 AM

    delete the IKE shared secret for 10.10.123.0

    and create a new one for 0.0.0.0 (just for the test)

     

    Tell us if it works.



  • 20.  RE: Problem with RAP

    Posted Feb 08, 2013 09:42 AM
    resolved... AP is showing up now....

    Thank you so much Cjoseph and Kdisc
    You people are amazing...


  • 21.  RE: Problem with RAP

    Posted Feb 08, 2013 09:43 AM

    Don't forget to KUDOS me and press on SOLVED!

    That's the reason why we're here, to give you some more Air into the Head :)

     

     



  • 22.  RE: Problem with RAP

    Posted Feb 08, 2013 09:48 AM
    One more question please...
    The SSID is working on "Standard" Remote AP operation. After disconnecting from the controller, how much time will the RAP wait to turn the Backup SSID on?
    The Backup SSID is not working now :-(


  • 23.  RE: Problem with RAP

    EMPLOYEE
    Posted Feb 08, 2013 09:51 AM

    Is the SSID bridged or tunneled?  It must be bridged for backup to work.  It should come up within 30 seconds, and the AP needs to have a valid ip address (ethernet must be up, etc).

     



  • 24.  RE: Problem with RAP

    Posted Feb 08, 2013 10:33 AM
    When I disconnect the RAP from the controller, the Backup SSID starts broadcasting but clients don't get an IP address from the internally defined DHCP server.

    Is the SSID bridged or tunneled?
    This is bridge

    AP needs to have a valid ip address (ethernet must be up, etc).
    What does it mean? I don't understand.





  • 25.  RE: Problem with RAP

    EMPLOYEE
    Posted Feb 08, 2013 10:49 AM

    After you configure a Backup SSID on the controller, you need to reprovision the AP for it to get the Backup SSID settings.  Try reprovisioning the AP with the same credentials and see if that works.



  • 26.  RE: Problem with RAP

    Posted Feb 09, 2013 02:41 AM
    First I created both SSIDs, then I provisioned the AP. The Backup SSID is turned on when the RAP gets disconnected from the controller, and the backup SSID also vanishes when the RAP reconnects with the controller.
    The problem is with the DHCP server configured for the backup SSID. Well, I will further test that on Monday and will get back to you...


  • 27.  RE: Problem with RAP

    Posted Feb 11, 2013 05:58 AM

    Hi Friends,

     

    Related to previous problem,

    Since the RAP has established IPSec with the controller and is working fine, when I disconnect the controller from the network, the RAP starts broadcasting the backup SSID, but when I try to connect to that SSID it connects but doesn't forward traffic.

    Problem number 2: when I reconnect the controller to the network, I was expecting that the backup SSID should be hidden and the previous SSID should start broadcasting automatically, but that's not the case. When I reconnect the controller to the network, the RAP doesn't create an IPSec tunnel with the controller and keeps broadcasting the backup SSID.

    Please advise.



  • 28.  RE: Problem with RAP

    Posted Feb 08, 2013 09:51 AM


  • 29.  RE: Problem with RAP

    EMPLOYEE
    Posted Feb 08, 2013 09:43 AM

    Awesome.  I think Kdisc is your hero!



  • 30.  RE: Problem with RAP

    Posted Feb 08, 2013 09:24 AM

    If, like you wrote, the RAP unit is connecting to the controller and showing up in the beginning (so the key/cert/secret/user password are fine),

    and then you re-provision it and it is "down" forever, then it's some common config that touches all the AP-groups you are trying (most likely something in the AP-system-profile).

    That's my advice as far as I was troubleshooting the problem.

     

    Regards.

     

    Me.

     

     



  • 31.  RE: Problem with RAP

    EMPLOYEE
    Posted Feb 08, 2013 09:29 AM

    @kdisc98 wrote:

    If, like you wrote, the RAP unit is connecting to the controller and showing up in the beginning (so the key/cert/secret/user password are fine),

    and then you re-provision it and it is "down" forever, then it's some common config that touches all the AP-groups you are trying (most likely something in the AP-system-profile).

    That's my advice as far as I was troubleshooting the problem.

     

    Regards.

     

    Me.

     

     


    Kdisc,

     

    I think when Syed resets the RAP, it comes up as a campus AP, so that he can provision it, and then it disappears after he provisions it, so it never connects via IKE.  Syed, please correct me if that is wrong...

     



  • 32.  RE: Problem with RAP

    Posted Feb 08, 2013 09:31 AM

    Yeah... that's what I'm starting to figure out also.

    So, I found a little advice you gave to someone with a similar problem:

    On the controller's commandline, type "show datapath session table | include 4500" while the RAP2WN is trying to connect to see if any traffic is being sent to the controller's ip address..

     

     



  • 33.  RE: Problem with RAP

    Posted Feb 08, 2013 09:37 AM
    On the controller's commandline, type "show datapath session table | include 4500" while the RAP2WN is trying to connect to see if any traffic is being sent to the controller's ip address..

    The output of the same command was already provided in the earlier attached file. Please see below:


    (ICI) #show datapath session table | include 4500
    192.168.2.222 192.168.2.125 17 4500 49235 0/0 0 0 0 1/1 1 F
    192.168.2.222 192.168.2.125 17 4500 49233 0/0 0 0 1 1/1 1b F
    192.168.2.125 192.168.2.222 17 49235 4500 0/0 0 0 0 1/1 1 FC
    192.168.2.125 192.168.2.222 17 49233 4500 0/0 0 0 1 1/1 1b FC


  • 34.  RE: Problem with RAP

    Posted Feb 08, 2013 09:32 AM


    I think when Syed resets the RAP, it comes up as a campus AP, so that he can provision it, and then it disappears after he provisions it, so it never connects via IKE. Syed, please correct me if that is wrong...

    100% right


  • 35.  RE: Problem with RAP

    Posted Feb 08, 2013 09:34 AM

    found your issue:

    the error is:

    Feb 8 17:31:55 :103004:  <INFO> |ike|  No ISAKMP PSK found for peer 192.168.2.125

    and you set the key for the internal VPN address 10.10.123.0

     

    fix it and it will work



  • 36.  RE: Problem with RAP

    EMPLOYEE
    Posted Feb 08, 2013 09:37 AM

    @kdisc98 wrote:

    found your issue:

    the error is:

    Feb 8 17:31:55 :103004:  <INFO> |ike|  No ISAKMP PSK found for peer 192.168.2.125

    and you set the key for the internal VPN address 10.10.123.0

     

    fix it and it will work


    Kdisc is correct.  Try 0.0.0.0 instead of restricting it to an ip address.

     



  • 37.  RE: Problem with RAP
    Best Answer

    Posted Feb 08, 2013 09:38 AM

    If it's working for you, let us know - just change the IKE Shared Secret to fit the external IP of the RAP unit (and not the VPN tunnel address).

     

     

    Untitled.png
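
The mismatch diagnosed in this thread, as an added example that is not part of any poster's message or Aruba's own code: it compares the `crypto isakmp key` line and the log line quoted above and reports whether any key's address/netmask covers the rejected peer. Treating the lookup as a plain address/netmask containment test is a modelling assumption; the host-scoped and wildcard lines and the `EXAMPLE-KEY` value are constructed.

```python
import ipaddress
import re

# Key line and log line as quoted in the thread.
THREAD_CONFIG = "crypto isakmp key aruba123 address 10.10.123.0 netmask 255.255.255.0\n"
THREAD_LOG = "Feb 8 17:31:55 :103004:  <INFO> |ike|  No ISAKMP PSK found for peer 192.168.2.125\n"

# Constructed alternatives (placeholder key): host-scoped entry and wildcard test entry.
HOST_CONFIG = "crypto isakmp key EXAMPLE-KEY address 192.168.2.125 netmask 255.255.255.255\n"
WILDCARD_CONFIG = "crypto isakmp key EXAMPLE-KEY address 0.0.0.0 netmask 0.0.0.0\n"

KEY_RE = re.compile(r"^\s*crypto isakmp key \S+ address (\S+) netmask (\S+)\s*$", re.M)
PEER_RE = re.compile(r"No ISAKMP PSK found for peer (\d{1,3}(?:\.\d{1,3}){3})")


def psk_scopes(config_text):
    """Return the address ranges that have a PSK; the key itself is never kept."""
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for addr, mask in KEY_RE.findall(config_text)]


def rejected_peers(log_text):
    """Unique peer addresses from 'No ISAKMP PSK found' lines, in order seen."""
    seen = []
    for ip in PEER_RE.findall(log_text):
        addr = ipaddress.ip_address(ip)
        if addr not in seen:
            seen.append(addr)
    return seen


def diagnose(config_text, log_text):
    """Map each rejected peer to the configured PSK scopes that cover it."""
    scopes = psk_scopes(config_text)
    return {str(peer): [str(net) for net in scopes if peer in net]
            for peer in rejected_peers(log_text)}


def exposure(config_text):
    """Number of source addresses each PSK entry accepts."""
    return {str(net): net.num_addresses for net in psk_scopes(config_text)}


if __name__ == "__main__":
    for name, cfg in [("thread", THREAD_CONFIG), ("host", HOST_CONFIG),
                      ("wildcard", WILDCARD_CONFIG)]:
        print(name, diagnose(cfg, THREAD_LOG), exposure(cfg))
```

An empty list for a peer means no configured key is scoped to the address the controller sees, which is the condition behind the log message; the `exposure` figures show how much wider the 0.0.0.0 test entry is than an entry scoped to the RAP's external IP.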



  • 38.  RE: Problem with RAP

    Posted Feb 08, 2013 09:34 AM
    Cjoseph

    How do you see these two outputs?
    (ICI) (config) #show datapath session table 192.168.2.125 | include 4500
    192.168.2.222 192.168.2.125 17 4500 49159 0/0 0 0 2 1/1 19 F
    192.168.2.125 192.168.2.222 17 49159 4500 0/0 0 0 1 1/1 19 FC


    (ICI) (config) # show crypto isakmp sa

    % No active ISAKMP SA


  • 39.  RE: Problem with RAP

    EMPLOYEE
    Posted Feb 08, 2013 08:18 AM

    Are you using certificate-based RAP provisioning?  This will not work on a 200-series controller.

     

    Please try provisioning it using IKE preshared key and username and password provisioning...

     

    http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/RAP-2wg-with-800-series-controller-problem/td-p/8737



  • 40.  RE: Problem with RAP

    Posted Feb 08, 2013 09:03 AM
    HI CJoseph

    I have tried both cert and PSK but it's not working.


  • 41.  RE: Problem with RAP

    Posted Feb 08, 2013 08:22 AM

    Maybe I'm wrong, but I see IPsec but no GRE/PAPI tunnel.

    Check the remote networking PDF, maybe you missed something:

    http://community.arubanetworks.com/aruba/attachments/aruba/branch-wlan-and-remote-access/458/1/Aruba%20Remote%20AP%20Setup%20Guide.pdf

    Read page 13:

     

    "Step 3: Configure the Remote AP User Role
    Once the remote AP is authenticated for the VPN and established a IPsec connection, it is assigned a role.
    This role is a temporary role assigned to the AP until it completes the bootstrap process after which it
    inherits the ap-role. The appropriate ACLs need to be enabled to permit traffic from the controller to the AP
    and back to facilitate the bootstrap process."



  • 42.  RE: Problem with RAP

    Posted Feb 08, 2013 08:30 AM

    p.s.

     

    i see

    No ISAKMP PSK found for peer 192.168.2.125

     

    Maybe you missed setting the IPsec PSK password; as in the previous post, the RAP-2WG uses a certificate with the 3xx model but not with the A200 model,

    here you have to use IPsec PSK.



  • 43.  RE: Problem with RAP

    Posted Feb 08, 2013 09:07 AM
    Hi Andrea,
    Thank you for your response,

    The following policies have been added but no success:

    ip access-list session rap_policy
      any any svc-papi permit
      any any svc-l2tp permit
      any any svc-gre permit
      any any svc-esp permit
      any any svc-tftp permit
      any any svc-ftp permit

    user-role rap_role
      session-acl rap_policy

    aaa authentication vpn default-rap
      default-role rap_role

    aaa server-group RAP-Serv-Group
      auth-server internal