Wireless Access

Reply
Occasional Contributor II
Posts: 16
Registered: ‎05-16-2014

RAP not coming up Aruba620

Hi All,

 

We have an Aruba 620 running 6.3.1.6 which we are trying to add a RAP onto. At present we have 8 Campus APs, so can't add a Campus AP. The RAP is going to connect over a VPN from our remote office to our Head Office where the controller is located.

 

The issue we are having is that, the AP105 comes up initially as a default AP, but when we try to provision as a RAP it doesn't come back up and stays down.

 

We have done some testing with another controller on a flat network and this setup works fine. It just appears to be when it goes over our VPN.

 

What I think the issue is, is that IPSEC isn't passing Phase 2, as when I do #show crypto isakmp sa, the output doesn't show a Private IP address. And yes, the Address Pool section of the VPN Services is filled in. When I do #show datapath session table | include 4500 I can see that a session has been setup.

 

I'm sure it's not code, as the controller we've tested this on in our lab is on the same version works.

 

Any suggestions or advise would be extremely helpful!!

MVP
Posts: 1,422
Registered: ‎10-25-2011

Re: RAP not coming up Aruba620

Have you whitelisted the AP?
is CPSEC on?
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Occasional Contributor II
Posts: 16
Registered: ‎05-16-2014

Re: RAP not coming up Aruba620

[ Edited ]

Hi.

 

CPSEC is on. I've tried whitelisting the AP but believe the result was the same.

 

Edit: Just checked the Whitelist and it is in there. Still get the same issue with CPSEC off.

Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Re: RAP not coming up Aruba620

The status of CPSEC is outside of RAP, so it should not be a factor.

 

Did you type "show log system 50" to see if there is any clues about what is going on?

 

Did you already create a VPN pool?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎05-16-2014

Re: RAP not coming up Aruba620

Yes, we already have a VPN pool. I've tried setting up a new one.

 

I've just done #show log system 50 and can see this message appearing every minute:

 

May 16 14:07:59 :399801:  <ERRS> |ike|  An internal system error has occurred at file ipc.c function ipc_auth_recv_packet line 3510

 

Has been since we upgraded to the 6.3.1.6. I'll look at upgrading and re-assess after that.

Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Re: RAP not coming up Aruba620

6.3.1.6 is the latest for now.

 

Try to turn on verbose debugging:

config t
logging level debugging security subcat ike
logging level debugging security process aaa
logging level debugging security process authmgr
logging level debugging security subcat l2tp
logging level debugging security subcat vpn

 Try to get the RAP to come up and type "show log security 50" and see if you see anything interesting.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎05-16-2014

Re: RAP not coming up Aruba620

Thanks! I've enabled all the logged as suggested. All looks ok, apart from the line about XAuth failed?

 

May 16 14:26:35 :124003:  <INFO> |authmgr|  Authentication result=AAA server timeout(2), method=VPN, server=Guest_Auth, user=172.25.254.106
May 16 14:26:35 :124004:  <DBUG> |authmgr|  Auth server 'Guest_Auth' response=2
May 16 14:26:35 :124014:  <NOTI> |authmgr|  Taking Server Guest_Auth out of service for 10 mins
May 16 14:26:35 :124004:  <DBUG> |authmgr|  Select server for method=VPN, user=FarehamRAP1, essid=<>, server-group=default, last_srv Guest_Auth
May 16 14:26:35 :124038:  <INFO> |authmgr|  Selected server <> for method=VPN; user=FarehamRAP1,  essid=<>, domain=<>, server-group=default
May 16 14:26:35 :124544:  <DBUG> |authmgr|  Timed Out to N/A.
May 16 14:26:35 :124541:  <DBUG> |authmgr|  Bring all servers in server group default back in service.
May 16 14:26:35 :124015:  <NOTI> |authmgr|  Bringing Server Guest_Auth back in service.
May 16 14:26:35 :124097:  <DBUG> |authmgr|  Setting authserver 'Guest_Auth' for user 172.25.254.106, client VPN.
May 16 14:26:35 :124004:  <DBUG> |authmgr|  ncfg_get_max_auth_failures vpnflags:0 VPN profile maxfailures:0
May 16 14:26:35 :124447:  <DBUG> |authmgr|  auth_vpn_resp_raw: user name FarehamRAP1, check_vpn_cp_single_session ret -1
May 16 14:26:35 :124441:  <DBUG> |authmgr|  auth_vpn_resp_raw: vpnflags:1
May 16 14:26:35 :103048:  <ERRS> |ike|  IKE XAuth failed for FarehamRAP1
May 16 14:26:37 :124004:  <DBUG> |authmgr|  RX (sock) message of type 98, len 1016
May 16 14:26:37 :124441:  <DBUG> |authmgr|  auth_vpn_raw: vpnflags:1
May 16 14:26:37 :124100:  <DBUG> |authmgr|  Setting auth subtype 'PAP' for user 172.25.254.106, client VPN.
May 16 14:26:37 :124099:  <DBUG> |authmgr|  Setting auth type 'VPN' for user 172.25.254.106, client VPN.
May 16 14:26:37 :124098:  <DBUG> |authmgr|  Setting authstate 'started' for user 172.25.254.106, client VPN.
May 16 14:26:37 :124546:  <DBUG> |authmgr|  aal_authenticate user:FarehamRAP1 vpnflags:1.
May 16 14:26:37 :124004:  <DBUG> |authmgr|  ncfg_auth_server_group_authtype ip=172.25.254.106, method=VPN vpnflags:1
May 16 14:26:37 :124004:  <DBUG> |authmgr|  ncfg_auth_server_group_authtype vpnflags:1 vpn-profile:default-rap
May 16 14:26:37 :124004:  <DBUG> |authmgr|  ip=172.25.254.106, sg=default
May 16 14:26:37 :124547:  <DBUG> |authmgr|  aal_authenticate server_group:default.
May 16 14:26:37 :124004:  <DBUG> |authmgr|  ncfg_auth_server_group_authtype ip=172.25.254.106, method=VPN vpnflags:1
May 16 14:26:37 :124004:  <DBUG> |authmgr|  ncfg_auth_server_group_authtype vpnflags:1 vpn-profile:default-rap
May 16 14:26:37 :124004:  <DBUG> |authmgr|  ip=172.25.254.106, sg=default
May 16 14:26:37 :124004:  <DBUG> |authmgr|  Select server for method=VPN, user=FarehamRAP1, essid=<>, server-group=default, last_srv <>
May 16 14:26:37 :124004:  <DBUG> |authmgr|   server=Guest_Auth, ena=1, ins=1 (1)
May 16 14:26:37 :124038:  <INFO> |authmgr|  Selected server Guest_Auth for method=VPN; user=FarehamRAP1,  essid=<>, domain=<>, server-group=default

MVP
Posts: 4,272
Registered: ‎07-20-2011

Re: RAP not coming up Aruba620

Can you please do a show ap license-usage ?

 

I think you don't have anymore license space to add more APs since you are using AOS 6.3

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 16
Registered: ‎05-16-2014

Re: RAP not coming up Aruba620

Hi, below shows are ok:

 

AP Licenses
-----------
Type                      Number
----                      ------
AP Licenses               16
RF Protect Licenses       16
PEF Licenses              16
Overall AP License Limit  16

AP Usage
--------
Type             Count
----             -----
Active CAPs      7
Standby CAPs     0
RAPs             0
Remote-node APs  0
Tunneled nodes   0
Total APs        7

Remaining AP Capacity
---------------------
Type  Number
----  ------
CAPs  1
RAPs  4

Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Re: RAP not coming up Aruba620

double check the access points mac Address in the whitelist


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: