Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP not coming up Aruba620

  • 1.  RAP not coming up Aruba620

    Posted May 16, 2014 08:43 AM

    Hi All,

     

    We have an Aruba 620 running 6.3.1.6 which we are trying to add a RAP onto. At present we have 8 Campus APs, so can't add a Campus AP. The RAP is going to connect over a VPN from our remote office to our Head Office where the controller is located.

     

    The issue we are having is that the AP105 comes up initially as a default AP, but when we try to provision it as a RAP it doesn't come back up and stays down.

     

    We have done some testing with another controller on a flat network and this setup works fine. It just appears to be when it goes over our VPN.

     

    What I think the issue is, is that IPSEC isn't passing Phase 2, as when I do #show crypto isakmp sa, the output doesn't show a Private IP address. And yes, the Address Pool section of the VPN Services is filled in. When I do #show datapath session table | include 4500 I can see that a session has been setup.

     

    I'm sure it's not code, as the controller we've tested this on in our lab is on the same version and works.

     

    Any suggestions or advice would be extremely helpful!!



  • 2.  RE: RAP not coming up Aruba620

    Posted May 16, 2014 08:52 AM
    Have you whitelisted the AP?
    Is CPSEC on?


  • 3.  RE: RAP not coming up Aruba620

    Posted May 16, 2014 08:54 AM

    Hi.

     

    CPSEC is on. I've tried whitelisting the AP but believe the result was the same.

     

    Edit: Just checked the Whitelist and it is in there. Still get the same issue with CPSEC off.



  • 4.  RE: RAP not coming up Aruba620

    EMPLOYEE
    Posted May 16, 2014 09:15 AM

    The status of CPSEC is outside of RAP, so it should not be a factor.

     

    Did you type "show log system 50" to see if there are any clues about what is going on?

     

    Did you already create a VPN pool?

     



  • 5.  RE: RAP not coming up Aruba620

    Posted May 16, 2014 09:27 AM

    Yes, we already have a VPN pool. I've tried setting up a new one.

     

    I've just done #show log system 50 and can see this message appearing every minute:

     

    May 16 14:07:59 :399801:  <ERRS> |ike|  An internal system error has occurred at file ipc.c function ipc_auth_recv_packet line 3510

     

    Has been since we upgraded to the 6.3.1.6. I'll look at upgrading and re-assess after that.



  • 6.  RE: RAP not coming up Aruba620

    EMPLOYEE
    Posted May 16, 2014 09:37 AM

    6.3.1.6 is the latest for now.

     

    Try to turn on verbose debugging:

    config t
    logging level debugging security subcat ike
    logging level debugging security process aaa
    logging level debugging security process authmgr
    logging level debugging security subcat l2tp
    logging level debugging security subcat vpn
    

     Try to get the RAP to come up and type "show log security 50" and see if you see anything interesting.

     



  • 7.  RE: RAP not coming up Aruba620

    Posted May 16, 2014 09:46 AM

    Thanks! I've enabled all the logging as suggested. All looks ok, apart from the line about XAuth failed?

     

    May 16 14:26:35 :124003:  <INFO> |authmgr|  Authentication result=AAA server timeout(2), method=VPN, server=Guest_Auth, user=172.25.254.106
    May 16 14:26:35 :124004:  <DBUG> |authmgr|  Auth server 'Guest_Auth' response=2
    May 16 14:26:35 :124014:  <NOTI> |authmgr|  Taking Server Guest_Auth out of service for 10 mins
    May 16 14:26:35 :124004:  <DBUG> |authmgr|  Select server for method=VPN, user=FarehamRAP1, essid=<>, server-group=default, last_srv Guest_Auth
    May 16 14:26:35 :124038:  <INFO> |authmgr|  Selected server <> for method=VPN; user=FarehamRAP1,  essid=<>, domain=<>, server-group=default
    May 16 14:26:35 :124544:  <DBUG> |authmgr|  Timed Out to N/A.
    May 16 14:26:35 :124541:  <DBUG> |authmgr|  Bring all servers in server group default back in service.
    May 16 14:26:35 :124015:  <NOTI> |authmgr|  Bringing Server Guest_Auth back in service.
    May 16 14:26:35 :124097:  <DBUG> |authmgr|  Setting authserver 'Guest_Auth' for user 172.25.254.106, client VPN.
    May 16 14:26:35 :124004:  <DBUG> |authmgr|  ncfg_get_max_auth_failures vpnflags:0 VPN profile maxfailures:0
    May 16 14:26:35 :124447:  <DBUG> |authmgr|  auth_vpn_resp_raw: user name FarehamRAP1, check_vpn_cp_single_session ret -1
    May 16 14:26:35 :124441:  <DBUG> |authmgr|  auth_vpn_resp_raw: vpnflags:1
    May 16 14:26:35 :103048:  <ERRS> |ike|  IKE XAuth failed for FarehamRAP1
    May 16 14:26:37 :124004:  <DBUG> |authmgr|  RX (sock) message of type 98, len 1016
    May 16 14:26:37 :124441:  <DBUG> |authmgr|  auth_vpn_raw: vpnflags:1
    May 16 14:26:37 :124100:  <DBUG> |authmgr|  Setting auth subtype 'PAP' for user 172.25.254.106, client VPN.
    May 16 14:26:37 :124099:  <DBUG> |authmgr|  Setting auth type 'VPN' for user 172.25.254.106, client VPN.
    May 16 14:26:37 :124098:  <DBUG> |authmgr|  Setting authstate 'started' for user 172.25.254.106, client VPN.
    May 16 14:26:37 :124546:  <DBUG> |authmgr|  aal_authenticate user:FarehamRAP1 vpnflags:1.
    May 16 14:26:37 :124004:  <DBUG> |authmgr|  ncfg_auth_server_group_authtype ip=172.25.254.106, method=VPN vpnflags:1
    May 16 14:26:37 :124004:  <DBUG> |authmgr|  ncfg_auth_server_group_authtype vpnflags:1 vpn-profile:default-rap
    May 16 14:26:37 :124004:  <DBUG> |authmgr|  ip=172.25.254.106, sg=default
    May 16 14:26:37 :124547:  <DBUG> |authmgr|  aal_authenticate server_group:default.
    May 16 14:26:37 :124004:  <DBUG> |authmgr|  ncfg_auth_server_group_authtype ip=172.25.254.106, method=VPN vpnflags:1
    May 16 14:26:37 :124004:  <DBUG> |authmgr|  ncfg_auth_server_group_authtype vpnflags:1 vpn-profile:default-rap
    May 16 14:26:37 :124004:  <DBUG> |authmgr|  ip=172.25.254.106, sg=default
    May 16 14:26:37 :124004:  <DBUG> |authmgr|  Select server for method=VPN, user=FarehamRAP1, essid=<>, server-group=default, last_srv <>
    May 16 14:26:37 :124004:  <DBUG> |authmgr|   server=Guest_Auth, ena=1, ins=1 (1)
    May 16 14:26:37 :124038:  <INFO> |authmgr|  Selected server Guest_Auth for method=VPN; user=FarehamRAP1,  essid=<>, domain=<>, server-group=default



  • 8.  RE: RAP not coming up Aruba620

    Posted May 16, 2014 09:57 AM

    Can you please do a show ap license-usage ?

     

    I think you don't have any more license space to add more APs since you are using AOS 6.3



  • 9.  RE: RAP not coming up Aruba620

    Posted May 16, 2014 09:58 AM

    Hi, below shows are ok:

     

    AP Licenses
    -----------
    Type                      Number
    ----                      ------
    AP Licenses               16
    RF Protect Licenses       16
    PEF Licenses              16
    Overall AP License Limit  16

    AP Usage
    --------
    Type             Count
    ----             -----
    Active CAPs      7
    Standby CAPs     0
    RAPs             0
    Remote-node APs  0
    Tunneled nodes   0
    Total APs        7

    Remaining AP Capacity
    ---------------------
    Type  Number
    ----  ------
    CAPs  1
    RAPs  4



  • 10.  RE: RAP not coming up Aruba620

    EMPLOYEE
    Posted May 16, 2014 09:59 AM
    Double-check the access point's MAC address in the whitelist.


  • 11.  RE: RAP not coming up Aruba620

    Posted May 16, 2014 10:02 AM

    I've checked in Wireless> AP Installation > Whitelist - the AP is showing as Factory Cert - Approved Ready for Cert.

     

     



  • 12.  RE: RAP not coming up Aruba620

    EMPLOYEE
    Posted May 16, 2014 10:03 AM

    EDIT:

     

    You need to look in the RAP (Remote AP) whitelist and make sure the mac address entry is correct there. What you are showing is the Campus (cpsec) whitelist, which is not what we need here:



  • 13.  RE: RAP not coming up Aruba620

    Posted May 16, 2014 10:09 AM

    Thanks CJoseph, I'll double check now - just to clarify, do I need anything in the IP address in the last column? Static Inner IP Address? Is that the address it'll get from the address pool tunnel?



  • 14.  RE: RAP not coming up Aruba620

    EMPLOYEE
    Posted May 16, 2014 10:09 AM

    You need nothing but the mac address, ap name and ap-group.  The rest does not apply here.

     



  • 15.  RE: RAP not coming up Aruba620

    Posted May 16, 2014 10:18 AM

    Thanks, I have added to the RAP Whitelist and still getting the same XAuth message when I do a show security log.

     

    Everything in the VPN services setup is as per the training documentation.



  • 16.  RE: RAP not coming up Aruba620

    EMPLOYEE
    Posted May 16, 2014 10:21 AM

    Xauth means that the preshared key or the RAP mac is not in the whitelist.  Check one more thing in this screenshot and make sure everything is identical to the highlights.

     

    rap-server.JPG



  • 17.  RE: RAP not coming up Aruba620

    Posted May 16, 2014 10:24 AM

    Our server is a RADIUS server?



  • 18.  RE: RAP not coming up Aruba620
    Best Answer

    EMPLOYEE
    Posted May 16, 2014 10:26 AM

    That is your problem.  It needs to point to the internal database, which has the RAP whitelist.  If it is pointing to a radius server, that is why it is failing, because the MAC of your AP is not there.  Aruba supports authenticating the mac address of RAPs to an external radius server, but of course it must be configured.

     

    You can either (1) change the server in the default server group to internal or (2) create another server group that points to the internal database and then make sure the default-rap method points to that server group.
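
Added example, not part of the original thread or of any Aruba tooling: a small Python check that pairs each "IKE XAuth failed" line with the VPN authentication result logged just before it, so the server that actually answered the RAP's authentication is visible at a glance. The function name `diagnose_rap_xauth` is hypothetical, and the internal database appearing under the server name `Internal` is an assumption; the sample lines are an excerpt of the log posted earlier in the thread.

```python
import re

# Layout of the lines in post 7: "<date> :<msgid>:  <LEVEL> |<process>|  <text>"
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+:(\d+):\s+<(\w+)>\s+\|(\w+)\|\s+(.*)$")
RESULT = re.compile(r"Authentication result=(.+?), method=VPN, server=([^,]+), user=(\S+)")
XAUTH = re.compile(r"IKE XAuth failed for (\S+)")
# Assumption: the controller's internal database shows up under this server name.
INTERNAL_DB = "Internal"

# Excerpt of the log lines posted in the thread (post 7).
SAMPLE = """\
May 16 14:26:35 :124003:  <INFO> |authmgr|  Authentication result=AAA server timeout(2), method=VPN, server=Guest_Auth, user=172.25.254.106
May 16 14:26:35 :124014:  <NOTI> |authmgr|  Taking Server Guest_Auth out of service for 10 mins
May 16 14:26:35 :124038:  <INFO> |authmgr|  Selected server <> for method=VPN; user=FarehamRAP1,  essid=<>, domain=<>, server-group=default
May 16 14:26:35 :103048:  <ERRS> |ike|  IKE XAuth failed for FarehamRAP1
May 16 14:26:37 :124547:  <DBUG> |authmgr|  aal_authenticate server_group:default.
May 16 14:26:37 :124038:  <INFO> |authmgr|  Selected server Guest_Auth for method=VPN; user=FarehamRAP1,  essid=<>, domain=<>, server-group=default
"""


def diagnose_rap_xauth(log_text):
    """Pair each IKE XAuth failure with the VPN auth result that preceded it."""
    findings, last_result = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ts, _msgid, _level, proc, text = m.groups()
        if proc == "authmgr" and (r := RESULT.search(text)):
            last_result = {"result": r.group(1), "server": r.group(2), "client": r.group(3)}
        elif proc == "ike" and (x := XAUTH.search(text)):
            server = last_result["server"] if last_result else None
            findings.append({
                "time": ts,
                "rap": x.group(1),
                "server": server,
                "result": last_result["result"] if last_result else None,
                # The RAP whitelist lives in the internal database; another server
                # only works if it was deliberately set up to know the AP's MAC.
                "external_server": server is not None and server != INTERNAL_DB,
            })
            last_result = None  # one result explains one failure
    return findings


if __name__ == "__main__":
    for f in diagnose_rap_xauth(SAMPLE):
        print(f)
```

A finding with `external_server` set to true is the situation resolved in this thread: the VPN method's server group is sending the RAP to a server other than the internal database.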



  • 19.  RE: RAP not coming up Aruba620

    Posted May 16, 2014 10:29 AM

    As soon as I saw your screenshot I knew that would sort it!

     

    Thank you so much for your help. First time posting to the community and couldn't be more impressed with the responses.

     

    Thank you.



  • 20.  RE: RAP not coming up Aruba620

    EMPLOYEE
    Posted May 16, 2014 10:47 AM

    jontyc,

     

    We are happy that we can help you this time.  Enjoy your weekend.