Wireless Access

Reply
Occasional Contributor II
Posts: 16
Registered: ‎04-13-2016

RAP-155 unable to download image Error: fail to retrieve image

I am running a 3400 controller with 6.4.3.6-FIPS software.

I am attempting to connect a remote office to my campus.

Nat-t is working through the firewall to the controller

 

I can see ipsec and l2tp tunnels establish successfully, but the image then fails to download and forces the AP to re cycle repeatedly with the same error.

 

Any suggestions?

 

Regards

mark

Guru Elite
Posts: 21,490
Registered: ‎03-29-2007

Re: RAP-155 unable to download image Error: fail to retrieve image

What error? How are you provisionibg that Rap?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎04-13-2016

Re: RAP-155 unable to download image Error: fail to retrieve image

Zero touch provisioning

From the controller I can see the below isakmp sa info and ipsec sa info:

 

 

(NINBURWIRCN01) # show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
125.236.200.158  172.18.145.3   r-v2-c-I  Apr 15 15:12:00   8.8.8.6

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1

(NINBURWIRCN01) # show crypto ipsec sa


IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
125.236.200.158  172.18.145.3     87144400/c1da2d00  UT2   Apr 15 15:12:43   8.8.8.8

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 1

 

 

After that it fails to retrieve the image

 

Not sure what to look for now can cut debug log if you are able to assist?

Mark

 

 

Guru Elite
Posts: 21,490
Registered: ‎03-29-2007

Re: RAP-155 unable to download image Error: fail to retrieve image

You should type "show log system 50" to see if there is anything happen.  Is there a specific reason that you are using FIPS software?  That could be part of your issue.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎04-13-2016

Re: RAP-155 unable to download image Error: fail to retrieve image

Thanks again

Have run: show log system 50

The only entry in the log not related to existing campas AP's is below:

 

 <ERRS> |fpapps| |configuration| Configuration error: Unable to find the ipsec map for tunnel down event. ip 134744070 in procIkeIpsecMsg, arubaIpsecRouteUtils.c:241.

 

Have also disabled FIPS mode but still has the same entry repeating

Guru Elite
Posts: 21,490
Registered: ‎03-29-2007

Re: RAP-155 unable to download image Error: fail to retrieve image

Did the rap-155 start off as an IAP? What regulatory domain did you set?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎04-13-2016

Re: RAP-155 unable to download image Error: fail to retrieve image

Yes started of as an IAP, Country code NZ

Selected maintenence>convert>remote APs managed by a mobility controller

Pointed at the controllers external IP address and clicked convert now

 

IAP log shows :

Executing '/aruba/bin/download_image_swarm ac-ftp://172.18.145.3/armv5te.ari'

fetching ('/usr/sbin/wget -T 120 -t 3 ftp://sap:x@172.18.145.3/armv5te.ari')

Error: failed to retrieve image

cleaning up

done

 

Controller at my end sees it as below:

 

(NINBURWIRCN01) #show crypto ipsec sa


IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
125.236.###.###  172.18.145.3     5f8f3800/caba5900  UT2   Apr 18 12:39:46   8.8.8.4

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 1

(NINBURWIRCN01) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
125.236.###.###  172.18.145.3   r-v2-c-I  Apr 18 12:39:47   8.8.8.4

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1

(NINBURWIRCN01) #show datapath session | include 4500
125.236.###.### 172.18.145.3    17   58660 4500   1/0     0    0   0   1/1         6    0          0          FC
172.18.145.3    125.236.###.### 17   4500  58660  0/0     0    0   0   1/1         6    0          0          F

(NINBURWIRCN01) #

Guru Elite
Posts: 21,490
Registered: ‎03-29-2007

Re: RAP-155 unable to download image Error: fail to retrieve image

What is the output of "show rights sys-ap-role"?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎04-13-2016

Re: RAP-155 unable to download image Error: fail to retrieve image

(NINBURWIRCN01) #show rights sys-ap-role

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'sys-ap-role'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 0
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 ACL Number = 10/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name         Type     Location
--------  ----         ----     --------
1         sys-control  session
2         sys-ap-acl   session

sys-control
-----------
Priority  Source  Destination  Service               Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------               -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          sys-svc-icmp                       permit                           Low                                                           4
2         any     any          sys-svc-dns                        permit                           Low                                                           4
3         any     any          sys-svc-papi                       permit                           Low                                                           4
4         any     any          sys-svc-sec-papi                   permit                           Low                                                           4
5         any     any          sys-svc-cfgm-tcp                   permit                           Low                                                           4
6         any     any          sys-svc-adp                        permit                           Low                                                           4
7         any     any          sys-svc-tftp                       permit                           Low                                                           4
8         any     any          sys-svc-dhcp                       permit                           Low                                                           4
9         any     any          sys-svc-natt                       permit                           Low                                                           4
10        any     any          sys-svc-openflow-tcp               permit                           Low                                                           4
sys-ap-acl
----------
Priority  Source  Destination  Service               Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------               -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          sys-svc-gre                        permit                           Low                                                           4
2         any     any          sys-svc-syslog                     permit                           Low                                                           4
3         any     any          sys-svc-snmp                       permit                           Low                                                           4
4         any     any          sys-svc-http                       permit                           Low                                                           4
5         user    any          sys-svc-kerberos-tcp               permit                           Low                                                           4
6         user    any          sys-svc-smb-tcp                    permit                           Low                                                           4
7         any     any          sys-svc-snmp-trap                  permit                           Low                                                           4
8         any     any          sys-svc-ntp                        permit                           Low                                                           4
9         user    any          sys-svc-ftp                        permit                           Low                                                           4
10        any     user         sys-svc-telnet                     deny                             Low                                                           4

Expired Policies (due to time constraints) = 0

Guru Elite
Posts: 21,490
Registered: ‎03-29-2007

Re: RAP-155 unable to download image Error: fail to retrieve image

Please execute "show firewall | include FTP"    

                                                         

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: