Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Problems getting RAP to connect to controller when RAP is on a separate NAT'd network

  • 1.  Problems getting RAP to connect to controller when RAP is on a separate NAT'd network

    Posted Jan 03, 2014 09:36 AM

    Hello,

     

    I have an IAP3WN/P that I am attempting to convert into a RAP for use at home offices. I have a local and master controller at my head office running ArubaOS 6.2.1.4.

     

    When I convert the IAP into a RAP while connected to our internal network (where the controllers reside, so no NAT or firewalls in between the RAP and the master controller), the RAP fires up without any problem, picks up the role specified in our RAP whitelist, and all looks good. During the RAP conversion I used the master controller's internal IP address (where we have the RAP configured and whitelisted).

     

    From all of this, I can begin to assume that (at least some) of my configuration is correct, as when no firewalls or NAT are in place, all seems to work perfectly.

     

     

    Now, here's my problem: when I connect the RAP to an external network and try to convert from IAP to RAP using a publicly routable address which is NAT'ed and firewalled to allow access to my internal network's master controller, after the conversion the RAP will not come online. I have allowed UDP 4500 from this address to the controller. During the conversion, it looks as if the IAP successfully communicates with the controller, but after the conversion, the AP will not come online.

     

    To me, this seems like I have some sort of configuration problem with my firewall or NAT, or even my RAP config. To troubleshoot this a little more, I began a packet capture of what the RAP was trying to do as it fails to come online.

     

    The packet capture shows ISAKMP/ESP communication between the RAP and the controller's public address, but then the destination addresses change from the public address of my controllers to the internal addresses of the controllers, which seems odd to me. The RAP then tries to communicate with the internal IP address of the master, and then tries the IP of the local controller after it cannot communicate with the master.

     

     

    I have followed the guidelines of ArubaOS 6.2 for setting up my RAP. Is there something I've missed? The firewalls are Cisco ASA, if that helps.



  • 2.  RE: Problems getting RAP to connect to controller when RAP is on a separate NAT'd network
    Best Answer

    EMPLOYEE
    Posted Jan 03, 2014 10:05 AM

    @nMethod wrote: (quotes post 1 above in full)

    Make sure that in the AP-Group of your RAPs, in the AP System Profile of that ap-group, there is NO LMS-IP. If there is a private address there, it will break your connectivity when you attempt to connect a RAP from outside.

     



  • 3.  RE: Problems getting RAP to connect to controller when RAP is on a separate NAT'd network

    Posted Jan 03, 2014 10:34 AM

    That was the problem! 

     

    Thanks for your help CJoseph, much appreciated.



  • 4.  RE: Problems getting RAP to connect to controller when RAP is on a separate NAT'd network

    Posted Aug 17, 2017 02:40 AM

    It works when I remove the LMS parameter in the AP-Group.

    I am facing an issue with a lost WAN connection.

    Will the RAP re-establish its connection to the controller when the WAN is up again?

    In my lab, it took over 5 minutes and the RAP was not shown in the controller.

    My workaround is to restart the RAP.

     

    Please advise.



  • 5.  RE: Problems getting RAP to connect to controller when RAP is on a separate NAT'd network

    EMPLOYEE
    Posted Aug 17, 2017 04:47 AM

    You should always remove the LMS-IP parameter, because the controller will redirect the RAP to that IP address. If the LMS-IP is a private address and the RAP is on the public internet, it will fail. If the LMS-IP is a public address and the RAP is on the public internet, the RAP will immediately attempt to connect to the controller at that public address. The LMS-IP, when an AP is configured as a RAP, is used to redirect RAPs to a controller at that public address. If you have a single-controller RAP setup, you should remove the LMS-IP parameter, because it will only cause trouble.
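The two employee replies above describe the same failure mode: any LMS-IP in the AP System Profile makes the controller redirect the RAP to that address, and a private address is unreachable from the internet. The following is an added example (not code from the thread or from HPE Aruba Networking) of a small audit script that scans a running-config fragment for `ap system-profile` blocks and flags an `lms-ip` that is private (hard failure for RAPs outside NAT) or public (redirect that is usually unwanted in a single-controller setup). The config sample is constructed for the example, including the placeholder public address 11.22.33.44; the profile and group names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of ArubaOS-style running-config fragments (not taken from a
# real controller). Profile names and addresses are placeholders.
SAMPLE_CONFIG = """\
ap system-profile "rap-home-office"
   lms-ip 10.10.1.5
!
ap system-profile "campus-default"
   lms-ip 11.22.33.44
!
ap system-profile "rap-clean"
!
ap-group "rap-home"
   ap-system-profile "rap-home-office"
!
"""

PROFILE_RE = re.compile(r'^ap system-profile "([^"]+)"')
# Requires whitespace after "lms-ip" so a hypothetical "lms-ipv6" line is not matched.
LMS_RE = re.compile(r'^\s*lms-ip\s+(\S+)\s*$')


def parse_profiles(config_text):
    """Return {profile_name: lms_ip or None} for every ap system-profile block.

    A block starts at an 'ap system-profile' line and ends at a bare '!'.
    Lines outside a profile block (e.g. inside ap-group) are ignored.
    """
    profiles = {}
    current = None
    for line in config_text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = None
            continue
        if line.strip() == "!":
            current = None
            continue
        m = LMS_RE.match(line)
        if m and current is not None:
            profiles[current] = m.group(1)
    return profiles


def classify_lms_ip(lms_ip):
    """'ok' when no LMS-IP is set, 'private' for RFC 1918 / special-use
    addresses, 'public' otherwise, 'invalid' if it does not parse."""
    if lms_ip is None:
        return "ok"
    try:
        addr = ipaddress.ip_address(lms_ip)
    except ValueError:
        return "invalid"
    return "private" if addr.is_private else "public"


def audit(config_text):
    """Return a list of (profile, lms_ip, message) findings.

    private -> FAIL: a RAP on the internet will be redirected to an address
               it cannot reach (the symptom in the original post).
    public  -> WARN: the RAP is redirected to that controller immediately;
               remove it unless that redirect is intended.
    """
    findings = []
    for name, lms_ip in parse_profiles(config_text).items():
        verdict = classify_lms_ip(lms_ip)
        if verdict == "private":
            findings.append((name, lms_ip,
                             "FAIL: private LMS-IP; RAPs outside NAT cannot reach it"))
        elif verdict == "public":
            findings.append((name, lms_ip,
                             "WARN: LMS-IP redirects RAPs to this address; remove unless intended"))
        elif verdict == "invalid":
            findings.append((name, lms_ip, "FAIL: LMS-IP does not parse as an address"))
    return findings


if __name__ == "__main__":
    for profile, ip, msg in audit(SAMPLE_CONFIG):
        print(f"{profile}: lms-ip {ip} -> {msg}")
```

Run it against a saved `show running-config` and treat every FAIL on a profile that is referenced by a RAP ap-group as the first thing to fix; the WARN case corresponds to the second reply's point that even a public LMS-IP triggers an immediate redirect.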