Wireless Access

Contributor I

RAP not connecting to controller

Hi All,

 

Trying my luck here. I recently moved our controller within our infrastructure and it resulted in, among other things, that the RAP will communicate with the controller using a new public IP (announced through DNS). I have verified that UDP 4500 is passed to the controller. I have also checked the security log on the controller and it seems the RAP traffic reaches the controller.

 

However, I also noticed an error message (in the log) that I haven't been able to decipher nor find any posts on. Perhaps you could give me a hint on what is causing this error or how to continue my quest to get the RAP to connect?

 

Note: Please note that I have masked the external IP address (1.2.256.256)

Note: Please note that I have masked the internal (controller) IP address (192.168.1.10). There is a static NAT in the firewall to the internal IP of the controller. 

 

May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> #RECV 423 bytes from 1.2.256.256(55067) at 192.168.1.10 (3561611.448)
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> spi={3d00656522f9c1dc 0000000000000000} np=SA
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> exchange=IKE_SA_INIT msgid=0 len=419
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> check_aruba_ap_vid: aruba ap eth0 mac address 000b8682ea64 vidLen = 26
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> IKE2_checkCookie notify-cookie ip:1.2.256.256
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> IPSEC_findSaByIP addr:1.2.256.256
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> IPSEC_findSaByIP pxSa:(nil) status:0
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> IPSEC_findSaByIP finished with pxSa:(nil) status:0
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> IKE2_checkCookie finished with ipsecSa:(nil) status:0
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> delete_cp_route entered with ip:1.2.256.256
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> controlplaneRouteModify entered with ip:4e4622dc/ffffffff
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> controlplaneRouteModify after socket:35 with ip:1.2.256.256
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> controlplaneRouteModify socket:35 request:35084 dev:tsgw rtflags:0 with ip:1.2.256.256
May 16 13:37:27 :103060: <DBUG> |ike| 1.2.256.256:55067-> ipc.c:controlplaneRouteModify:5187 Failed to Delete Route in Kernel: error:No such process
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> controlplaneRouteModify after ioctl sock:35 with ip:1.2.256.256
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> controlplaneRouteModify after close sock:35 with ip:1.2.256.256
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> delete_cp_route finished with ip:1.2.256.256
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> OutInfo notify-cookie
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> OutCp entered
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> <-- R Notify: COOKIE#SEND 60 bytes to 1.2.256.256(55067) (3561611.455)
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> cleanup_and_free_context delete ctx memory
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> udp_encap_handle_message IKEv2 pkt status:0

 

Best regards,

Fredrik 
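
As an added example (not part of the original post and not Aruba code), the script below groups IKE debug lines like those above by peer and reports which peers were sent a COOKIE notify without a later IKE_SA_INIT that carried the cookie back. It assumes `np=` is the IKE header's Next Payload field; an IKEv2 initiator retrying after a COOKIE notify puts that notification first, so a retry would not show `np=SA`.

```python
import re
from collections import defaultdict

# Lines copied from the debug log in the post above (addresses masked as posted).
SAMPLE_LOG = """\
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> #RECV 423 bytes from 1.2.256.256(55067) at 192.168.1.10 (3561611.448)
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> spi={3d00656522f9c1dc 0000000000000000} np=SA
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> exchange=IKE_SA_INIT msgid=0 len=419
May 16 13:37:27 :103060: <DBUG> |ike| 1.2.256.256:55067-> ipc.c:controlplaneRouteModify:5187 Failed to Delete Route in Kernel: error:No such process
May 16 13:37:27 :103063: <DBUG> |ike| 1.2.256.256:55067-> <-- R Notify: COOKIE#SEND 60 bytes to 1.2.256.256(55067) (3561611.455)
"""

# Assumed line layout: "<LEVEL> |ike| <peer ip:port>-> <message>".
LINE = re.compile(r"<\w+> \|ike\| (?P<peer>\S+?)-> (?P<msg>.*)$")
SPI = re.compile(r"spi=\{(?P<i>[0-9a-f]{16}) (?P<r>[0-9a-f]{16})\} np=(?P<np>\w+)")
EXCH = re.compile(r"exchange=(?P<x>\w+) msgid=(?P<id>\d+)")

def summarize(log_text):
    """Group IKE debug lines by peer: requests seen, COOKIE replies sent, failures."""
    peers = defaultdict(lambda: {"requests": [], "cookie_replies": 0, "errors": []})
    header = {}  # last spi/np line per peer, waiting for its exchange= line
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        peer, msg = m["peer"], m["msg"]
        if s := SPI.search(msg):
            # Assumption: np= is the IKE header's Next Payload (first payload) field.
            header[peer] = {"initiator_spi": s["i"], "first_payload": s["np"],
                            "responder_spi_zero": s["r"] == "0" * 16}
        elif (e := EXCH.search(msg)) and peer in header:
            peers[peer]["requests"].append(
                {**header.pop(peer), "exchange": e["x"], "msgid": int(e["id"])})
        elif "Notify: COOKIE" in msg:
            peers[peer]["cookie_replies"] += 1
        elif "Failed" in msg or "error:" in msg:
            peers[peer]["errors"].append(msg)
    return dict(peers)

def cookie_unanswered(summary):
    """Peers that were sent a COOKIE notify but whose IKE_SA_INIT requests all
    start with the SA payload, i.e. none carried a cookie back."""
    return [peer for peer, p in summary.items()
            if p["cookie_replies"]
            and all(r["first_payload"] == "SA" for r in p["requests"]
                    if r["exchange"] == "IKE_SA_INIT")]

if __name__ == "__main__":
    print(cookie_unanswered(summarize(SAMPLE_LOG)))
```
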

 

Guru Elite

Re: RAP not connecting to controller

That message is not conclusive.

 

Do you have a static nat between your firewall and your controller?



Colin Joseph
Aruba Customer Engineering


Contributor I

Re: RAP not connecting to controller

Thanks Colin! My mistake not to point that out in the post. I have made an edit; yes, there is a static NAT between firewall and your controller.

 

Fredrik

Guru Elite

Re: RAP not connecting to controller

Check to make sure that in the AP-Group of the RAPs in the AP System Profile, there is NO lms-ip...



Colin Joseph
Aruba Customer Engineering


Re: RAP not connecting to controller

Did the controller perhaps move to a new subnet with a new default gateway? And did you in that case update the default gateway of the controller?

 

Could you double check this command for a known public IP of one of your RAPs trying to connect:

show datapath session table <public IP of RAP>

 

Cheers,

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP CWAP
Aruba Employee

Re: RAP not connecting to controller

Hi Fredrik,

 

As Colin mentioned, please make sure we are not pointing the RAP to an LMS which is not reachable.

 

Also, get the below outputs:

 

show datapath session table <RAP's public IP>

show user-table verbose | include <RAP's MAC address>

show crypto isakmp sa peer <RAP's public IP>

show crypto ipsec sa peer <RAP's public IP>

 

Article below provides basic information on RAP troubleshooting:

 

http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-troubleshoot-RAP-in-ArubaOS/ta-p/178634

 

Regards,

 

Karthikeyan

Contributor I

Re: RAP not connecting to controller

Hi! Thanks for your response! I believe I was able to verify that no LMS IP was present. See attachment.

 

Best regards,

Fredrik

Contributor I

Re: RAP not connecting to controller

Hi Christoffer. No, could have been the gateway. Verified again to make sure and it's configured with the correct GW. Also, see below for output from command you suggested.

 

Many thanks,

Fredrik

 

Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.46.10.204    1.2.256.256     17   4500  18316  0/0     0    0   1   1/0         26   0          0          F
10.46.10.204    1.2.256.256     17   4500  18321  0/0     0    0   0   1/0         11   3          264        F
1.2.256.256     10.46.10.204    17   18316 4500   0/0     0    0   1   1/0         26   0          0          FC
1.2.256.256     10.46.10.204    17   18321 4500   0/0     0    0   0   1/0         11   3          1353       FC

Contributor I

Re: RAP not connecting to controller

Hi Karthikeyan!

 

Output from ISAKMP and IPSEC SA commands is:

 

% No active ISAKMP SA for 1.2.256.256

% No active IPSEC SA for 1.2.256.256

 

show user-table verbose | include <public-ip> results in no output. Is it because I don't have the correct logging levels? I have since previously changed into debug logging as per the article you mentioned, but only for ISAKMP and IPSEC.

 

Thanks for your efforts to help! Please let me know if you come up with something else for me to try!

 

Best regards,

Fredrik

Aruba Employee

Re: RAP not connecting to controller

Hi Fredrik,

 

Logging is not needed for the AP to show in user-table verbose.

 

Was there any recent change apart from the one mentioned by you in this thread?

What setup is this?

What is the role of this controller?

How is the RAP authenticated? Cert or PSK?

Is there any RAP up on this controller?

Do you have a TAC case open?

 

Provide below outputs:

 

show user-table verbose | include <RAP's MAC>

show aaa authentication vpn default-rap

show log security 100 | include <RAP's public IP>

show tpm errorlog

 

I believe no configuration change was done on controller during the course of the event.

 

Thanks.

 
