Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Provision RAP-5WN

  • 1.  Provision RAP-5WN

    Posted Dec 01, 2011 02:07 PM

    Hey everyone!

     

    I have a brand new rap-5wn sitting here and I just can't get it to see the controller. Let's see if I can list what I have done:

     

    1. firewall configuration is set to allow port 4500 to the aruba 3400 controller - I see 3 hits on the rule, but it doesn't seem to be reaching the controller. (not sure....)

    2. On the aruba 3400 in VPN\ipsec configured an address pool,

    3. in security/authentication/servers/l3 authentication set to default

    4. created a remote ap access policy (security/firewall/policies) permitting svc-papi, svc-gre, svc-l2tp (any/any), and svc-tftp, svc-ftp (any mswitch)

    5. Now for configuring the l3 auth I'm having some issues - when I go to the default-rap, I don't see a role that I can select and not sure what server group to pick (ldap, radius, default)

     

    So when I plug in rap, go to config it from an outside source I get a rc_error_Ikep1 error on a DSL modem that has no firewall enabled....

     

    So just what am I missing here?

     

    Any help would be appreciated - they want to ship this unit out as soon as possible.

     

    thank you!

     

    lirria

     


    #3400


  • 2.  RE: Provision RAP-5WN

    Posted Dec 01, 2011 02:14 PM

    Is the RAP-5WN in the RAP Whitelist as well?

    Also, in the output of 'show datapath session table | inc 4500' do you see the RAP trying to connect? That output would tell you if the RAP is making it through to the controller (or not).



  • 3.  RE: Provision RAP-5WN

    Posted Dec 01, 2011 02:30 PM

    I did add the mac0 to the rap whitelist, I get an error when I try the |inc 4500 so not sure what's going on there

     

    I do see one connection to port 4500

     

     

    Source ip is the controller destination ip is the DSL router that the rap is hooked to

     

     

    Lirria



  • 4.  RE: Provision RAP-5WN

    Posted Dec 01, 2011 02:36 PM

    ok - I did get the inc to work (have to type include apparently...)

     

    And I do see 2 connections from the controller to the rap and 1 from the rap to the controller.

     

    It may have something to do with my firewall - It's a cisco asa 5510 if that helps.

     

    Lirria



  • 5.  RE: Provision RAP-5WN
    Best Answer

    Posted Dec 01, 2011 02:58 PM

    WOOHOO got it! I had to add udp/isakmp to my access rule on the firewall and then boom up it came!

     

    Now to test the silly thing not in the office.....

     

    :)

     

    Thank you!

     

    Lirria



  • 6.  RE: Provision RAP-5WN

    Posted Dec 01, 2011 03:26 PM

    Nice work!



  • 7.  RE: Provision RAP-5WN

    Posted Dec 02, 2011 02:51 PM

    You ever have one of those days where you see something and get all excited because you think it's working and then realize you plugged the device *inside* the firewall and that's why you could see it?

     

    *sigh*

     

    So it's down to the firewall config being the issue, and I just haven't found the right thing to fix it.

    It's a cisco asa 5510. I have added nat-traversal, nat-control, verified the port assigned to the internal nat object, and I'm out of ideas...

     

    any thoughts? (and yes I don't expect cisco experts... just hope for some thoughts)

     

    :)

     

    Lirria



  • 8.  RE: Provision RAP-5WN

    Posted Dec 02, 2011 02:59 PM

    I have access lists that look like this:


    access-list inbound-traffic-on-outside extended permit udp any host Aruba-external eq 4500
    access-list inside_access_in extended permit udp host Aruba-internal any eq 4500

     

    and I do feel like I'm missing something but I think I've been staring at it way too long.

     

    Lirria



  • 9.  RE: Provision RAP-5WN

    Posted Dec 02, 2011 03:37 PM

    What version of firmware are you running on your ASA?



  • 10.  RE: Provision RAP-5WN

    Posted Dec 02, 2011 03:43 PM

    8.0(4)

     

     



  • 11.  RE: Provision RAP-5WN
    Best Answer

    Posted Dec 02, 2011 04:51 PM

    OK -

     

    I really did find the problem this time - since my old controller was inside only, I never set up a default gateway for it, so it had no idea where to send the traffic to the remote aps.

    Now just to get the new ap accepting clients and I can ship the thing.

     

    Thanks all!

     

    Lirria
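
The failure described in post 11, as an added example that is not part of the original thread: inbound UDP 4500 sessions reach the controller, but replies to an outside peer are dropped because the routing table holds connected subnets only. The function names, addresses and table contents below are constructed for illustration and are not controller output.

```python
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match. Returns (network, next_hop), or None if no route covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def unanswerable_peers(routes, inbound_sessions, port=4500):
    """Peers whose UDP/<port> packets arrived but whose replies have no route back."""
    peers = sorted({src for src, dport in inbound_sessions if dport == port})
    return [peer for peer in peers if lookup(routes, peer) is None]


# Constructed sample data (documentation and RFC 1918 address ranges).
# A controller that only ever served inside APs: connected subnets, no default gateway.
CONNECTED_ONLY = [("10.1.1.0/24", "connected"), ("10.1.2.0/24", "connected")]
# The same table after a default gateway is configured.
WITH_DEFAULT = CONNECTED_ONLY + [("0.0.0.0/0", "10.1.1.1")]

# (source IP, destination port) pairs seen arriving at the controller.
# 203.0.113.25 stands for the DSL router in front of the RAP;
# 10.1.2.40 stands for a RAP plugged in *inside* the firewall.
SESSIONS = [("203.0.113.25", 4500), ("10.1.2.40", 4500), ("203.0.113.25", 4500)]

if __name__ == "__main__":
    for name, table in (("connected only", CONNECTED_ONLY), ("with default", WITH_DEFAULT)):
        print(f"{name}: no return route for {unanswerable_peers(table, SESSIONS)}")
```

The inside peer always has a connected route, which is why a RAP tested inside the firewall comes up while the same unit on an outside link does not.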