Wireless Access

Occasional Contributor II
Posts: 12
Registered: ‎12-23-2013

Problems getting RAP to connect to controller when RAP is on a separate NAT'd network

Hello,

I have an IAP3WN/P that I am attempting to convert into a RAP for use at home offices. I have a local and master controller at my head office running ArubaOS 6.2.1.4.

When I convert the IAP into a RAP when connected to our internal network (where the controllers reside, so no NAT or firewalls in between the RAP and the master controller), the RAP fires up without any problem, picks up the role specified in our RAP whitelist and all looks good. During the RAP conversion I used the master controller's internal IP address (where we have the RAP configured and whitelisted).

From all of this, I can begin to assume that (at least some) of my configuration is correct, as when no firewalls or NAT is in place, all seems to work perfectly.

Now, here's my problem - When I connect the RAP to an external network and try to convert from IAP to RAP using a publicly routable address which is NAT'ed and firewalled to allow access to my internal network's master controller, after the conversion, the RAP will not come online. I have allowed UDP 4500 from this address to the controller. During the conversion, it looks as if the IAP successfully communicates with the controller, but after the conversion, the AP will not come online.

To me, this seems like I have some sort of configuration problem with my Firewall or NAT, or even my RAP config. To troubleshoot this a little more, I began a packet capture of what the RAP was trying to do as it fails to come online.

The packet capture shows ISAKMP/ESP communication between the RAP and the controller's public address, but then the destination addresses change from the public address of my controllers to the internal addresses of the controller, which seems odd to me. The RAP then tries to communicate with the internal IP address of the master, and then tries the IP of the local controller after it cannot communicate to the master.

I have followed the guidelines of ArubaOS 6.2 for setting up my RAP - is there something I've missed? The firewalls are Cisco ASA, if that helps.

Guru Elite
Posts: 20,759
Registered: ‎03-29-2007

Re: Problems getting RAP to connect to controller when RAP is on a separate NAT'd network



Make sure that in the AP-Group of your RAPs, in the AP System Profile of that ap-group, there is NO LMS-IP.  If there is a private address there, it will break your connectivity when you attempt to connect a RAP from outside.

 



Colin Joseph
Aruba Customer Engineering
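
An offline check for the condition described in the answer above, added here as an example and not part of the thread or of Aruba's tooling: it scans a saved controller configuration and reports every RAP ap-group whose AP system profile sets an LMS-IP, marking RFC 1918 addresses. The sample configuration is constructed, its layout is assumed to follow an ArubaOS running-config, and the group and profile names are hypothetical.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample; layout assumed to follow an ArubaOS running-config.
SAMPLE_CONFIG = """\
ap system-profile "rap-sys-old"
   lms-ip 10.10.20.5
!
ap system-profile "rap-sys-clean"
!
ap-group "home-rap-old"
   ap-system-profile "rap-sys-old"
!
ap-group "home-rap-clean"
   ap-system-profile "rap-sys-clean"
!
"""

def parse(config):
    """Return ({profile: lms_ip or None}, {ap_group: system_profile_name})."""
    profiles, groups, kind, name = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r'ap system-profile "?([^"]+)"?', line):
            kind, name = "profile", m.group(1)
            profiles.setdefault(name, None)
        elif m := re.fullmatch(r'ap-group "?([^"]+)"?', line):
            kind, name = "group", m.group(1)
        elif line == "!":
            kind = None  # end of the current stanza
        elif kind == "profile" and (m := re.fullmatch(r"lms-ip (\S+)", line)):
            profiles[name] = m.group(1)
        elif kind == "group" and (m := re.fullmatch(r'ap-system-profile "?([^"]+)"?', line)):
            groups[name] = m.group(1)
    return profiles, groups

def audit_rap_groups(config, rap_groups):
    """List (group, profile, lms_ip, is_rfc1918) for RAP groups that set an LMS-IP."""
    profiles, groups = parse(config)
    findings = []
    for group in rap_groups:
        profile = groups.get(group, "default")  # assumption: unset means "default"
        lms_ip = profiles.get(profile)
        if lms_ip:
            private = any(ipaddress.ip_address(lms_ip) in n for n in RFC1918)
            findings.append((group, profile, lms_ip, private))
    return findings

if __name__ == "__main__": print(audit_rap_groups(SAMPLE_CONFIG, ["home-rap-old", "home-rap-clean"]))
```

Any finding means the profile used by RAPs carries an LMS-IP; a finding with the last field `True` is the private-address case the answer says breaks outside connectivity.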


Occasional Contributor II
Posts: 12
Registered: ‎12-23-2013

Re: Problems getting RAP to connect to controller when RAP is on a separate NAT'd network

That was the problem! 

 

Thanks for your help CJoseph, much appreciated.
