Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP does not connect to the controller

  • 1.  RAP does not connect to the controller

    Posted Oct 07, 2013 03:47 AM

    Hello community,

     

    We have an Aruba 651 controller (6.2.1.3) with some APs in our company.

    Now we want to use some RAPs.

    At the moment we have 3 RAPs 2WG and 1 RAP 3WN.

     

    We have a company internet connection and an extra internet connection for the RAPs (the controller makes PPPoE; both have a static IP address).

     

    In the LAN the RAP can connect to the controller; from outside it does not work.

    I think the RAP connects to the controller over the company internet connection to the controller's internet connection.

     

    Why does it not work from outside?

    I configured it like the example IAW RAP 6.1 configuration guide...

     


    datapath.JPG

     

    LMS.JPG

     

    RAP-pr.JPG

     

     

    I put the controller config in the attachment.

     

    Maybe anybody can help me...

     

     

    Thanks a lot.

     

     

    Attachment(s)

    txt
    config.txt   28 KB 1 version


  • 2.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 05:03 AM

    Hey Leon,

     

    Is there a firewall between the controller and the internet connection used for the RAPs?

     

    If so you'll need to NAT UDP port 4500 from the firewall to the controller.

     

    Also when you're testing the RAP you could try the following commands in addition to the datapath session one you used:

     

    #show crypto isakmp sa

    This will show you any IKE security associations. This is IKE Phase 1 or you might have heard this as just Phase 1 of the VPN connection.

     

    #show crypto ipsec sa

    This will show you any IPSEC security associations. This is the VPN tunnel that's created by IKE Phase1. Once this is established you're usually good to go.

     

    Also it's worth checking the security log as many IKE errors will pop up there. 

     

    Another thing to do is enable debugging, then try to connect the RAP and see what turns up.

     

    #conf t

    #logging level debugging ap-debug <macaddress of AP>

    #show log ap-debug 30

     

    or you could debug IKE, but usually I find this isn't necessary

     

    #logging level debugging security subcat ike

    #show log security 30

     

    I hope this has given you something to go on.


    Post back with any finding. :smileyhappy:

     

    Cheers

    James



  • 3.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 05:12 AM

    Hello jrwhitehead,

     

    There is no firewall between the controller and the internet.

    There is an extra internet connection for the RAPs where the controller makes PPPoE.

     

     

    In the local LAN the RAP works and sends its SSIDs ...

     

    At the moment the RAP is on the local LAN:

    #show crypto isakmp sa

    Capture.JPG

     

    #show crypto ipsec sa

     

    2.JPG

     

    OK, I set up logging and later I test it outside the LAN.

     

    Thanks

     

     



  • 4.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 06:04 AM

    Hello,

     

    When I put the RAP outside the LAN, there is nothing in the log.

    It looks like there is no connection to the controller.

     

    3.JPG

     

    And there is nothing in the log either.

    The controller's interface with the PPPoE connection is up; the IP address that this interface gets is the right public IP.

    4.JPG

     

    I don't know what's wrong, maybe a policy?

    But I must see this in the log, right?

     

     



  • 5.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 06:11 AM

    Hi Leon,

     

    I would have a look at the datapath session table for the external IP of where the RAP is coming from to see if any traffic is getting to the controller from the RAP.

     

    Can you confirm that UDP port 4500 is allowed outbound from where the RAP is?

     

    Cheers

    James



  • 6.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 06:15 AM

    Ok,

     

    here is the

    show datapath session table | include 4500:

    1.JPG

     

    Can you confirm that UDP port 4500 is allowed outbound from where the RAP is? yes!

     

     



  • 7.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 06:18 AM

     

     


    @Leon123 wrote:

    Ok,

     

    here is the

    show datapath session table | include 4500:

    1.JPG

     

    Can you confirm that UDP port 4500 is allowed outbound from where the RAP is? yes!

     

     



    Is there anything in the security log?



  • 8.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 06:21 AM

    There is nothing in the log.



  • 9.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 06:33 AM

    You could try the following:

     

    #conf t

    #logging level debugging ap-debug <macaddress of AP>

    #show log ap-debug 30

     

    or you could debug IKE

     

    #logging level debugging security subcat ike

    #show log security 30

     

     



  • 10.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 07:31 AM

    Ok,  there is nothing in:

     

    #show log ap-debug 30

     

    2.JPG

     

    #show log security 30

     

    3.JPG

     



  • 11.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 07:51 AM

    I would expect to see something in those logs so clearly something is wrong.


    I'd give TAC a call if I were you.

     

    Post back to let us know the result...



  • 12.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 09:18 AM

    Now I have something in the log:

     

    5.JPG

     

     

    6.JPG

     

    But it still does not work ...



  • 13.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 09:33 AM

    And here are the other logs:

     

    10.JPG

     


    11.JPG

     

    I hope someone can help.

     

    The power LED on the RAP3 flashes.



  • 14.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 10:01 AM

    You may just have a routing problem. You mention two "Internet Connections". If I understood your post correctly, you want the RAPs to connect over the PPPoE connection. If this is true and the controller's default gateway is out another interface, you'll likely see asymmetric routing, which would prevent the connection from establishing.

    If you want to use the PPPoE as your default route, you can try the following command after removing your existing ip default-gateway entries. You may need to add additional static routes for your internal networks.

     

    ip default-gateway import



  • 15.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 10:19 AM

    OK, you're right.

    But when I remove the default gateway I can't get onto the controller,

    and the WiFi clients can't go to the internet.

    How can I add an additional route?

    Or what can I do to keep the default but use the PPPoE for the RAP?

     

    here is the show ip route:

     

    15.JPG



  • 16.  RE: RAP does not connect to the controller
    Best Answer

    Posted Oct 07, 2013 11:09 AM

    The output still shows "Gateway of last resort is 10.10.1.x" and 192.168.x.x listed.

     

    Can you share the routing section of your config file:

    show run | begin "ip default-gateway"

     


    Also, for your clients, what is their default gateway, the controller? If so, they'd route out the default route of the controller (PPPoE in this case). If you don't want that, then I suggest you use something on your LAN to be the default route for the clients, which will then pass them through your corporate Internet connection based on the routing policies of that device.

     

     



  • 17.  RE: RAP does not connect to the controller

    Posted Oct 07, 2013 02:39 PM

    OK, thanks, I think you are right.

    The 10.10.1xx I don't know; I think this gateway is an old one and not running...

    The 192.168.x.x is the default gateway for the LAN. It's not the controller; the clients' default gateway is the core switch.

    The controller's IP address is in the LAN and the controller's default gateway is the core switch too.

    Tomorrow I'll send you the show run ...

    But the running config is in the attachment .

     

    Thanks a lot...

    Attachment(s)

    txt
    config.txt   28 KB 1 version


  • 18.  RE: RAP does not connect to the controller
    Best Answer

    Posted Oct 07, 2013 10:38 PM
    • If the default gateway of clients is the core, then the default gateway of the controller should not affect their ability to access the Internet (assuming you are not NAT'ing that VLAN).
    • If you have a controller that has a direct connection to the Internet and another to the LAN and you need RAPs to connect to it, you need the default-gateway of the controller to be that network interface.
    • You then need to add static routes to any internal networks that the controller needs to route to; wired VLANs, AP VLANs, etc.

     

    Remove old gateways:

    no ip default-gateway 10.10.10.254
    no ip default-gateway 192.168.25.254

     

    Add PPPoE as gateway:

    ip default-gateway import

     

    Add static routes to internal networks:

    ip route <IP network> <mask> <next hop>
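
The routing problem diagnosed in posts 14 and 18, as an added example that is not part of the original posts: a small longest-prefix-match model that checks whether the controller's replies to a RAP leave on the PPPoE interface the UDP 4500 packets arrived on, and whether internal networks stay reachable once the default route moves. Only 192.168.25.254 comes from the thread; the RAP address, PPPoE peer, interface names and the 10.20.0.0/16 network are constructed placeholders.

```python
import ipaddress

def route(prefix, next_hop, iface):
    return (ipaddress.ip_network(prefix), next_hop, iface)

def lookup(table, dst):
    """Longest-prefix match, as a router does; None if no route covers dst."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in table if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def audit(table, rap_public_ip, internal_hosts, wan_iface="pppoe"):
    """Check the two conditions from the thread:
    1. replies to the RAP egress the interface its IPsec traffic arrived on;
    2. no internal host is sent out the WAN default route by mistake."""
    hit = lookup(table, rap_public_ip)
    egress = hit[2] if hit else None
    via_wan = []
    for host in internal_hosts:
        r = lookup(table, host)
        if r is None or r[2] == wan_iface:
            via_wan.append(host)
    return {"rap_reply_iface": egress,
            "symmetric": egress == wan_iface,
            "internal_via_wan": via_wan}

# Constructed sample data (documentation address ranges).
RAP_IP = "203.0.113.50"                     # public IP the RAP connects from
INTERNAL = ["192.168.25.10", "10.20.5.7"]   # a LAN host and a host behind the core
CONNECTED = [route("192.168.25.0/24", None, "vlan1"),
             route("198.51.100.1/32", None, "pppoe")]

# Original state: default gateway is the core switch on the LAN.
BEFORE = CONNECTED + [route("0.0.0.0/0", "192.168.25.254", "vlan1")]
# Default moved to PPPoE, but no static routes added yet.
PPPOE_ONLY = CONNECTED + [route("0.0.0.0/0", "198.51.100.1", "pppoe")]
# Post 18's end state: PPPoE default plus static route to the internal network.
AFTER = PPPOE_ONLY + [route("10.20.0.0/16", "192.168.25.254", "vlan1")]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("pppoe default only", PPPOE_ONLY),
                        ("after", AFTER)):
        print(name, audit(table, RAP_IP, INTERNAL))
```

The middle case shows why the static routes in post 18 matter: the RAP path becomes symmetric, but traffic for networks behind the core switch would follow the new default out to the Internet.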



  • 19.  RE: RAP does not connect to the controller

    Posted Oct 08, 2013 03:42 AM

    Ok, it works!!!!

     

     

    Thanks a lot!!! :smileyvery-happy: