Wireless Access

Occasional Contributor II
Posts: 16
Registered: ‎09-05-2012

RAP2 can't connect to old DEMO a200 controller

Aruba RAP detected
IKE Fragmentation
message_recv enabling early NATT since peer initiates on 4500
ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 10.10.20.33.
ike_phase_1.c:ike_phase_1_responder_recv_SA:934 Found our AP vendor ID from external IP 10.10.20.33
ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=16
ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
ike_phase_1.c:attribute_unacceptable:2889 Proposal match failed in hash algo, configured=SHA, peer using=MD5
ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=24
ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
ike_phase_1.c:attribute_unacceptable:2889 Proposal match failed in hash algo, configured=SHA, peer using=MD5
ike_phase_1.c:ike_phase_1_responder_recv_SA:1049 Ike Phase 1 received SA
ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:10.10.20.33
nat_t_exchange_check_nat_d_has_us src-port:500 dst-port:49159
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 500
nat_traversal.c:nat_t_exchange_check_nat_d_has_us:561 Did not find our matching NAT-D payload for Port:500 in their packet
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 4500
nat_traversal.c:nat_t_exchange_check_nat_d_has_us:571 Found our matching NAT-D payload for Port:4500 in their packet
ike_phase_1_send_KE_NONCE : this is Certs
exchange_find_serverCert: found Device Server-Cert for RAP
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.33 Port 49159
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 4500
nat_traversal.c:nat_t_exchange_add_nat_d:377 NAT-T added hashes for src=10.10.20.4:4500, dst=10.10.20.33:4500
ike_phase_1_send_KE_NONCE 10.10.20.33
ike_phase_1_post_exchange_KE_NONCE done 10.10.20.33
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
ike_phase_1_recv_ID_AUTH for peer:10.10.20.33
ike_phase_1.c:ike_phase_1_recv_ID:2300 received IKE ID Type 9 exchange:10.10.20.33
exchange_find_serverCert: found Device Server-Cert for RAP
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
ike_recv_id: recvd ID : asn1_dn//CN=AH0016410::00:24:6c:c2:14:ce
rsa_sig_validate_cert_id: cert-ID matches with phase-1 ID len 49
rsa_sig_validate_cert_id: cert-ID length 103 mismatched with phase-1 ID length 49
rsa_sig_validate_cert_id: cert-ID length 149 mismatched with phase-1 ID length 49
rsa_sig_decode_hash: numcerts:3 stackedcerts:2
rsa_sig_validate_cert: validating CERT againstCa /tmp/tempCertKey/ArubaTrustedCerts.pem
x509_stack_validate_with_ca: succeeded validation with CA-cert /tmp/tempCertKey/ArubaTrustedCerts.pem
rsa_sig_validate_cert: Factory Cert
rsa_sig_decode_hash: get username from Certificate
x509_cert_get_username: subjAltname type: 4
x509_cert_get_username after GENERAL_NAMES_free
x509_cert_get_username: AP MAC CN 00:24:6c:c2:14:ce
rsa_sig_decode_hash: succeeded
IKE Main Mode Phase 1 succeeded for peer 10.10.20.33
ipsec_handle_leftover_payload: received INITIAL-CONTACT
ike_phase_1_send_ID(cert): find Server Cert
exchange_find_serverCert: found Device Server-Cert for RAP
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
ike_phase_1_send_ID(cert): Server Cert is invalid
ike_main_mode.c:responder_send_ID_AUTH:203 Phase 1 failed in sending ID.
exchange_run: doi->responder (0x102effac) failed retval:-1
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
exchange_setup_p1: ID is IPv4
exchange_setup_p1: USING exchange type ID_PROT
Aruba RAP detected
IKE Fragmentation
message_recv enabling early NATT since peer initiates on 4500
ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 10.10.20.33.
ike_phase_1.c:ike_phase_1_responder_recv_SA:934 Found our AP vendor ID from external IP 10.10.20.33
ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=16
ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
ike_phase_1.c:attribute_unacceptable:2889 Proposal match failed in hash algo, configured=SHA, peer using=MD5
ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=24
ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
ike_phase_1.c:attribute_unacceptable:2889 Proposal match failed in hash algo, configured=SHA, peer using=MD5
ike_phase_1.c:ike_phase_1_responder_recv_SA:1049 Ike Phase 1 received SA
ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:10.10.20.33
nat_t_exchange_check_nat_d_has_us src-port:500 dst-port:49153
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 500
nat_traversal.c:nat_t_exchange_check_nat_d_has_us:561 Did not find our matching NAT-D payload for Port:500 in their packet
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 4500
nat_traversal.c:nat_t_exchange_check_nat_d_has_us:571 Found our matching NAT-D payload for Port:4500 in their packet
ike_phase_1_send_KE_NONCE : this is Certs
exchange_find_serverCert: found Device Server-Cert for RAP
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.33 Port 49153
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 4500
nat_traversal.c:nat_t_exchange_add_nat_d:377 NAT-T added hashes for src=10.10.20.4:4500, dst=10.10.20.33:4500
ike_phase_1_send_KE_NONCE 10.10.20.33
ike_phase_1_post_exchange_KE_NONCE done 10.10.20.33
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
ike_phase_1_recv_ID_AUTH for peer:10.10.20.33
ike_phase_1.c:ike_phase_1_recv_ID:2300 received IKE ID Type 9 exchange:10.10.20.33
exchange_find_serverCert: found Device Server-Cert for RAP
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
ike_recv_id: recvd ID : asn1_dn//CN=AH0016410::00:24:6c:c2:14:ce
rsa_sig_validate_cert_id: cert-ID matches with phase-1 ID len 49
rsa_sig_validate_cert_id: cert-ID length 103 mismatched with phase-1 ID length 49
rsa_sig_validate_cert_id: cert-ID length 149 mismatched with phase-1 ID length 49
rsa_sig_decode_hash: numcerts:3 stackedcerts:2
rsa_sig_validate_cert: validating CERT againstCa /tmp/tempCertKey/ArubaTrustedCerts.pem
x509_stack_validate_with_ca: succeeded validation with CA-cert /tmp/tempCertKey/ArubaTrustedCerts.pem
rsa_sig_validate_cert: Factory Cert
rsa_sig_decode_hash: get username from Certificate
x509_cert_get_username: subjAltname type: 4
x509_cert_get_username after GENERAL_NAMES_free
x509_cert_get_username: AP MAC CN 00:24:6c:c2:14:ce
rsa_sig_decode_hash: succeeded
IKE Main Mode Phase 1 succeeded for peer 10.10.20.33
ipsec_handle_leftover_payload: received INITIAL-CONTACT
ike_phase_1_send_ID(cert): find Server Cert
exchange_find_serverCert: found Device Server-Cert for RAP
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
ike_phase_1_send_ID(cert): Server Cert is invalid
ike_main_mode.c:responder_send_ID_AUTH:203 Phase 1 failed in sending ID.
exchange_run: doi->responder (0x102effac) failed retval:-1
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete

Keep getting rc_error_ikep1_PKT5.

The controller has an interface in the same LAN. The RAP is not whitelisted. The MAC is in the InternalDB and the VPN service is active with a DHCP pool configured. There is also an IKE shared secret configured for subnet 0.0.0.0.

The VLAN is routable and the interface is trusted.

I know the A200 doesn't have a TPM.

Software version: 5.0.4.7
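To make a debug dump like the one above quicker to read, here is an added triage helper (my own example code, not anything from Aruba or from this post) that splits the controller output into one record per IKE exchange and reports where each exchange stopped. The match strings are copied from the log lines above; the assumption that "Aruba RAP detected" marks the start of each responder exchange, and the verdict labels, are mine.

```python
import re
from dataclasses import dataclass, field
# Match strings below are copied from the controller debug output in the post above.
PEER_RE = re.compile(r"from IP (\d+(?:\.\d+){3})")
PROPOSAL_RE = re.compile(r"Proposal match failed in (.+?), configured=(\S+), peer using=(\S+)")
ACCEPTED_RE = re.compile(r"Accepted (\d+) of the Proposals")
EVENTS = {  # log substring -> milestone recorded for the exchange
    "succeeded validation with CA-cert": "rap_cert_ok",      # RAP cert chained to ArubaTrustedCerts.pem
    "IKE Main Mode Phase 1 succeeded": "rap_authenticated",  # RAP's RSA-sig authentication accepted
    "Server Cert is invalid": "server_cert_bad",             # controller's own server cert rejected
    "Phase 1 failed in sending ID": "send_id_failed",        # responder aborted at its own ID/AUTH message
}

@dataclass
class Phase1Attempt:
    peer: str = ""
    rejected: list = field(default_factory=list)  # (attribute, configured, peer) from rejected proposals
    accepted: int = 0
    events: set = field(default_factory=set)

    def verdict(self) -> str:
        """Where the exchange stopped, judged from the controller (responder) side."""
        if {"send_id_failed", "server_cert_bad"} <= self.events:
            return "controller-side: server cert invalid, responder cannot send its ID"
        if "rap_authenticated" in self.events:
            return "phase 1 completed"
        if self.accepted == 0 and self.rejected:
            return "no acceptable proposal: " + "; ".join(f"{a} {c}!={p}" for a, c, p in self.rejected)
        return "incomplete exchange"

def parse_attempts(log: str) -> list:
    """One record per exchange; assumes the controller logs 'Aruba RAP detected' when each starts."""
    attempts, cur = [], Phase1Attempt()  # lines before the first marker land in a throwaway record
    for line in map(str.strip, log.splitlines()):
        if line == "Aruba RAP detected":
            cur = Phase1Attempt()
            attempts.append(cur)
        elif m := PEER_RE.search(line):
            cur.peer = m.group(1)
        elif m := PROPOSAL_RE.search(line):
            cur.rejected.append(m.groups())
        elif m := ACCEPTED_RE.search(line):
            cur.accepted = int(m.group(1))
        else:
            cur.events.update(name for needle, name in EVENTS.items() if needle in line)
    return attempts

# Excerpt of the first exchange in the post above (fragment and NAT-D lines omitted).
SAMPLE_LOG = """\
Aruba RAP detected
ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 10.10.20.33.
ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:10.10.20.33
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
x509_stack_validate_with_ca: succeeded validation with CA-cert /tmp/tempCertKey/ArubaTrustedCerts.pem
IKE Main Mode Phase 1 succeeded for peer 10.10.20.33
ike_main_mode.c:responder_send_ID_AUTH:203 Phase 1 failed in sending ID.
"""
```

Run over the full dump, it shows that the "Proposal match failed" lines are not the problem (one proposal is accepted and the RAP's factory certificate validates); each exchange dies when the controller tries to send its own ID with a server certificate it considers invalid.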

Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Re: RAP2 can't connect to old DEMO a200 controller

To make this work, you would have to:

- Configure an IKE preshared key on the A200

- Configure a username and password in the internal database on the A200

- Provision the RAP with the shared key, username and password and point it to the A200.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Retired Employee
Posts: 234
Registered: ‎04-19-2011

Re: RAP2 can't connect to old DEMO a200 controller

In addition to the steps mentioned by Colin, connect the RAP on a separate VLAN from the controller.
--
HT
Occasional Contributor II
Posts: 16
Registered: ‎09-05-2012

Re: RAP2 can't connect to old DEMO a200 controller

This is done, but it still did not work, so I did the only "logical" solution: downgrade.

The RAP came back up. So this is an AOS bug.

Watch out: A200_5.0.4.7_34135 has no RAP-2 support.

Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Re: RAP2 can't connect to old DEMO a200 controller

Downgraded to what version of code?

Like hthakker said, RAPs are not supposed to be able to connect to a controller when they are on the same subnet. It is an IPsec limitation.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 16
Registered: ‎09-05-2012

Re: RAP2 can't connect to old DEMO a200 controller

Downgraded to 5.0.4.3

I think someone has messed up something.

Yep, I changed the subnet. Tried everything.

Going to upgrade the controller again to replicate the error.

Also, the RAP was on version 3.3 something. Wrote new firmware to backup on one of the RAPs to see if that works when I boot the controller on the new firmware.

Also, I got a second RAP on the same firmware rev. that was messed up.

I'll post back in 10.

Occasional Contributor II
Posts: 16
Registered: ‎09-05-2012

Re: RAP2 can't connect to old DEMO a200 controller

OHH SNAP! Bug is back.

The RAP with 5.0.4.3 did not upgrade, but still the same error.

Did not bother trying the 3.3.x.x rap.

Downgrading to firmware 5.0.4.6 to see if that's not broken too.
