Wireless Access

Contributor II
Posts: 54
Registered: ‎09-27-2012

RAP config

Attempting to provision a RAP remotely. Currently on the network, all internal APs are configured as RAPs. This is the first RAP that will be pointing to the public IP. When trying to provision from one machine, it gets stuck at "Please wait"; on the other, it moves to setting up VPN, then pops up with the below:


Target : 00:0b:86:9f:8e:d3


show vpn status


profile name:default
--------------------------------------------------
current using tunnel :unselected tunnel
ipsec is preempt status :disable
ipsec is fast failover status :disable
ipsec hold on period :600
ipsec tunnel monitor frequency (seconds/packet) :10
ipsec tunnel monitor timeout by lost packet cnt :2

ipsec primary tunnel crypto type :Cert
ipsec primary tunnel peer address :x.x.x.x
ipsec primary tunnel peer tunnel ip :0.0.0.0
ipsec primary tunnel ap tunnel ip :0.0.0.0
ipsec primary tunnel current sm status :Retrying
ipsec primary tunnel tunnel status :Down
ipsec primary tunnel tunnel retry times :34
ipsec primary tunnel tunnel uptime :0

ipsec backup tunnel crypto type :Cert
ipsec backup tunnel peer address :N/A
ipsec backup tunnel peer tunnel ip :N/A
ipsec backup tunnel ap tunnel ip :N/A
ipsec backup tunnel current sm status :Init
ipsec backup tunnel tunnel status :Down
ipsec backup tunnel tunnel retry times :0
ipsec backup tunnel tunnel uptime :0
end of show vpn status
========================================================

show upgrade info

Image Upgrade Progress
----------------------
Mac IP Adress AP Class Status Image Info Error Detail
--- --------- -------- ------ ---------- ------------
00:0b:86:9f:8e:d3 192.168.155.204 Orion image-ok image file none
end of show upgrade info
========================================================

show log upgrade
----------Download log start----------
download log not available
----------Download log end------------
Download status: incomplete
----------Upgrade log start----------
upgrade log not available
----------Upgrade log end------------
Upgrade status: upgrade status not available
end of show log upgrade
========================================================

show log rapper
Mar 25, 20:35:31: get_ike_version: Use IKE Version 2

Mar 25, 20:35:31: papi_init papifd:9 ack:10

IKE_EXAMPLE: Starting up IKE server
setup_tunnel
Mar 25, 20:35:31: IKE_init: ethmacstr = 00:0B:86:9F:8E:D3

Initialized Timers
IKE_init: completed after (0.0)(pid:31020) time:2014-03-25 20:35:31
seconds.
Mar 25, 20:35:31: RAP using default certificates

Mar 25, 20:35:31: Before getting Certs
Mar 25, 20:35:31: TPM enabled
Mar 25, 20:35:31: CA_MGMT_EXAMPLE_computeHostKeys init cert-len 0
Mar 25, 20:35:31: Factory Device Cert is /tmp/deviceCerts/certifiedKeyCert.der
Mar 25, 20:35:31: Reading DER Device Cert file /tmp/deviceCerts/certifiedKeyCert.der
Mar 25, 20:35:31: DER Device Cert file len:1767
Mar 25, 20:35:31: Intermediate Cert index:0 is /tmp/deviceCerts/certifiedKeyCaCert.der
Mar 25, 20:35:31: Reading DER Intermediate Cert file
Mar 25, 20:35:31: DER Intermediate Cert file len:1457
Mar 25, 20:35:31: Intermediate Cert index:1 is /tmp/deviceCerts/caChainCert1.der
Mar 25, 20:35:31: Reading DER Intermediate Cert file
Mar 25, 20:35:31: DER Intermediate Cert file len:1580
Mar 25, 20:35:31: Decode PEM Key length :0
Mar 25, 20:35:31: testHostKeys : status 0

Mar 25, 20:35:31: testHostKeys : free temp Certificate status 0

Mar 25, 20:35:31: CA_MGMT_EXAMPLE_computeHostKeys after testHostKeys cert-len 1767
Mar 25, 20:35:31: CA Cert index:0 is /tmp/deviceCerts/OpensslOldCA_RootCert.der
Mar 25, 20:35:31: Reading DER CA Cert file
Mar 25, 20:35:31: DER CA Cert file len:1416
Mar 25, 20:35:31: CA Cert index:1 is /tmp/deviceCerts/MSCAV1_RootCert.der
Mar 25, 20:35:31: Reading DER CA Cert file
Mar 25, 20:35:31: DER CA Cert file len:1009
Mar 25, 20:35:31: Got 2 Trusted Certs
Mar 25, 20:35:31: After getFieldTrustedCerts ret:-1
Mar 25, 20:35:31: Got 0 Field Trusted Certs
Mar 25, 20:35:31: CSS CA Cert is /tmp/deviceCerts/CSS_CA_RootCert.der
Mar 25, 20:35:31: Reading DER CA Cert file
Mar 25, 20:35:31: Error in reading DER CA Cert:/tmp/deviceCerts/CSS_CA_RootCert.der, Ignore It
Mar 25, 20:35:31: CA Cert status : 0

Before IKE_initServer
Mar 25, 20:35:31: IKE_initServer: Cert length 1767
IKE_initServer: Host Certificate is set (RSA-SIG)
{CN=BF0067549::00:0b:86:9f:8e:d3}
Mar 25, 20:35:31: IKE_EXAMPLE_addServer port:0 natt:0

Mar 25, 20:35:31: srcdev_name = br0 ip c0a89bcc
Mar 25, 20:35:31: IKE_EXAMPLE_addUdpSkt: Using SocketIndex:0
IKE_EXAMPLE: Socket created on 192.168.155.204[49220]
Mar 25, 20:35:31: IKE_EXAMPLE_addServer:1413 socket descriptor is 0 port number 49220 for server instance 0 at 0th index
Mar 25, 20:35:31: srcdev_name = br0 ip c0a89bcc
Mar 25, 20:35:31: IKE_EXAMPLE_addUdpSkt: Using SocketIndex:1
IKE_EXAMPLE: Socket created on 192.168.155.204[49221]
Mar 25, 20:35:31: IKE_EXAMPLE_addServer:1460 socket descriptor is 1 port number 49221 for server instance 0 at 1st index
Mar 25, 20:35:31: IKE_EXAMPLE_addDefaultServers status:0

(0.0)(pid:31020) time:2014-03-25 20:35:31
SA_INIT dest=x.x.x.x
Mar 25, 20:35:31: Initialize IKE SA
Mar 25, 20:35:31: IKE_CUSTOM_getVersion(peerAddr:d1b76270): ikeVersion:2
Timer ID: 1 Initialized
Mar 25, 20:35:31: IKE2_newSa(peerAddr:d1b76270): IKE_SA-lifetime:28000
I -->
Mar 25, 20:35:31: OutSa(v2-peerAddr:0 pxSa->dwPeerAddr:d1b76270): Entered
Mar 25, 20:35:31: OutTfm_I(v2-peerAddr:d1b76270): Entered
ENCR_AES 256-BITS
PRF_HMAC_SHA1
AUTH_HMAC_SHA1_96
DH_2
NAT_D (us): c5 81 0c 68 c9 34 1a ff 4c ac ad 80 08 bb 9f 8f
68 0d 00 d0
NAT_D (peer): cb 7a 6c b6 8b c8 e4 11 d5 73 ef fa 08 a6 50 d5
df bd e8 f6
spi={cf5bf96669e6711c 0000000000000000} np=SA
exchange=IKE_SA_INIT msgid=0 len=376
#SEND 380 bytes to x.x.x.x[4500] (0.0)(pid:31020) time:2014-03-25 20:35:31

Mar 25, 20:35:31: IKE_SAMPLE_ikeXchgSend Successfully setsockopt UDP_ENCAP port 49221

IKE_EXAMPLE: IKE_keyConnect() started, id = 0xMar 25, 20:35:31: IKE_EXAMPLE: IKE_keyConnect() started, id = 0x on device br0
dae19b1a...
Mar 25, 20:35:31: papi:15200
spi={cf5bf96669e6711c 0000000000000000} np=SA
exchange=IKE_SA_INIT msgid=0 len=376
#SEND 380 bytes to x.x.x.x[4500] (5.0)(pid:31020) time:2014-03-25 20:35:36

spi={cf5bf96669e6711c 0000000000000000} np=SA
exchange=IKE_SA_INIT msgid=0 len=376
#SEND 380 bytes to x.x.x.x[4500] (10.0)(pid:31020) time:2014-03-25 20:35:41

spi={cf5bf96669e6711c 0000000000000000} np=SA
exchange=IKE_SA_INIT msgid=0 len=376
#SEND 380 bytes to x.x.x.x[4500] (15.0)(pid:31020) time:2014-03-25 20:35:46

Mar 25, 20:35:51: IKE_checkExpSa rekey notfinished timeout 20000 sec
Mar 25, 20:35:51: IKE_SAMPLE_ikeStatHdlr(CHILD_SA): dwPeerAddr:d1b76270 index:0 mPeerType:0
Mar 25, 20:35:51: IKE SA failed reason = ERR_IKE_TIMEOUT, errorcode = -8949 ikeVer 2
Mar 25, 20:35:51: send_sapd_error: InnerIP:0 error:43 debug_error:-8949

Mar 25, 20:35:51: send_sapd_error: error:43 debug_error:-8949

Mar 25, 20:35:51: IKE_SAMPLE_ikeStatHdlr(SA): dwPeerAddr:d1b76270 index:0 mPeerType:0
Mar 25, 20:35:51: IKE_SA [v2 I] (id=0xdae19b1a) flags 0x41000005 failed reason = ERR_IKE_TIMEOUT, errorcode = -8949
Mar 25, 20:35:51: IKE_SAMPLE_ikeStatHdlr(IST_FAIL): g_ikeversion:2
Timer ID: 1 Deleted
rapperSendStatusCB

end of show log rapper
========================================================

Solutions Engineer
CWNA-CWDP-ACMP-ACCP

Re: RAP config

Figured this one out.  Looks like security guys took a bit longer than they said opening up port 4500.

Solutions Engineer
CWNA-CWDP-ACMP-ACCP
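The two outputs in the first post already contain the diagnosis that the reply confirms: the AP's `show vpn status` shows the primary tunnel Down and retrying, and `show log rapper` shows the same IKE_SA_INIT message (same initiator SPI, responder SPI all zeros) retransmitted to x.x.x.x on UDP 4500 every five seconds with nothing coming back, until ERR_IKE_TIMEOUT. The following is an added example, not Aruba's code or the poster's, that reads those two blocks and separates "the peer never answered" (a path or firewall problem, as here) from "the peer answered and the exchange failed" (a certificate or policy problem). The sample text is trimmed from the outputs in the thread; the function names are my own, and the rule that a non-zero responder SPI means the peer replied is an assumption about this log format.

```python
import re
from collections import Counter

# Constructed sample, trimmed from the `show vpn status` output posted in the thread.
SAMPLE_VPN_STATUS = """\
ipsec primary tunnel crypto type :Cert
ipsec primary tunnel peer address :x.x.x.x
ipsec primary tunnel current sm status :Retrying
ipsec primary tunnel tunnel status :Down
ipsec primary tunnel tunnel retry times :34
"""

# Constructed sample, trimmed from the `show log rapper` output posted in the thread.
SAMPLE_RAPPER_LOG = """\
Mar 25, 20:35:31: IKE2_newSa(peerAddr:d1b76270): IKE_SA-lifetime:28000
spi={cf5bf96669e6711c 0000000000000000} np=SA
exchange=IKE_SA_INIT msgid=0 len=376
#SEND 380 bytes to x.x.x.x[4500] (0.0)(pid:31020) time:2014-03-25 20:35:31
spi={cf5bf96669e6711c 0000000000000000} np=SA
exchange=IKE_SA_INIT msgid=0 len=376
#SEND 380 bytes to x.x.x.x[4500] (5.0)(pid:31020) time:2014-03-25 20:35:36
spi={cf5bf96669e6711c 0000000000000000} np=SA
exchange=IKE_SA_INIT msgid=0 len=376
#SEND 380 bytes to x.x.x.x[4500] (10.0)(pid:31020) time:2014-03-25 20:35:41
spi={cf5bf96669e6711c 0000000000000000} np=SA
exchange=IKE_SA_INIT msgid=0 len=376
#SEND 380 bytes to x.x.x.x[4500] (15.0)(pid:31020) time:2014-03-25 20:35:46
Mar 25, 20:35:51: IKE SA failed reason = ERR_IKE_TIMEOUT, errorcode = -8949 ikeVer 2
"""

SEND_RE = re.compile(r"^#SEND \d+ bytes to (?P<peer>\S+)\[(?P<port>\d+)\]")
SPI_RE = re.compile(r"^spi=\{(?P<ispi>[0-9a-f]+) (?P<rspi>[0-9a-f]+)\}")
EXCH_RE = re.compile(r"^exchange=(?P<name>\w+)")
FAIL_RE = re.compile(r"IKE SA failed reason = (?P<reason>\w+), errorcode = (?P<code>-?\d+)")


def parse_vpn_status(text):
    """Turn the 'key :value' lines of `show vpn status` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" :")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def tunnel_is_stuck(fields):
    """True when the primary tunnel is Down and has already retried at least once."""
    down = fields.get("ipsec primary tunnel tunnel status") == "Down"
    retries = int(fields.get("ipsec primary tunnel tunnel retry times", "0"))
    return down and retries > 0


def analyze_rapper_log(text):
    """Summarise the IKE exchange: what was sent where, whether anything came back, why it failed."""
    sends = Counter()           # (peer, port) -> number of #SEND lines
    exchange_sends = Counter()  # exchange name -> number of #SEND lines
    responder_spi_seen = False
    current_exchange = None
    failure = None
    for line in text.splitlines():
        m = SPI_RE.match(line)
        if m:
            # Assumption: a responder SPI that is no longer all zeros means the peer answered.
            if int(m["rspi"], 16) != 0:
                responder_spi_seen = True
            continue
        m = EXCH_RE.match(line)
        if m:
            current_exchange = m["name"]
            continue
        m = SEND_RE.match(line)
        if m:
            sends[(m["peer"], int(m["port"]))] += 1
            exchange_sends[current_exchange] += 1
            continue
        m = FAIL_RE.search(line)
        if m:
            failure = (m["reason"], int(m["code"]))

    init_sends = exchange_sends["IKE_SA_INIT"]
    if failure and failure[0] == "ERR_IKE_TIMEOUT" and init_sends >= 2 and not responder_spi_seen:
        peers = ", ".join(f"{peer}:{port}/udp" for (peer, port) in sends)
        verdict = (f"no IKE_SA_INIT reply after {init_sends} retransmits to {peers}; "
                   "the AP's packets are most likely dropped before they reach the peer, "
                   "so check the firewall path for that UDP port before looking at certificates")
    elif failure:
        verdict = f"IKE failed with {failure[0]} after the peer responded; inspect the exchange, not the path"
    else:
        verdict = "no IKE failure recorded"
    return {
        "sends": dict(sends),
        "ike_sa_init_sends": init_sends,
        "responder_spi_seen": responder_spi_seen,
        "failure": failure,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print("tunnel stuck:", tunnel_is_stuck(parse_vpn_status(SAMPLE_VPN_STATUS)))
    for key, value in analyze_rapper_log(SAMPLE_RAPPER_LOG).items():
        print(f"{key}: {value}")
```

Run against the thread's output it reports four IKE_SA_INIT retransmits to x.x.x.x:4500/udp with no responder SPI and an ERR_IKE_TIMEOUT, which points at the path (here, UDP 4500 not yet opened on the perimeter firewall) rather than at the RAP's certificates, even though the earlier lines about a missing CSS_CA_RootCert.der look alarming at first glance.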