Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP2WG dropping IPSec Tunnel after proposed upgrade

  • 1.  RAP2WG dropping IPSec Tunnel after proposed upgrade

    Posted Mar 15, 2012 07:10 AM

    Hello All,

    I'm quite new to the Aruba Platform and as a result, I'm looking for some assistance regarding an issue I'm experiencing with the Cert-based RAPs (i.e. RAP2WG).

    I have noticed that after I have the RAP connected to the Internet and have it assigned the Public IP Address of my 620 Controller (through the rapconsole webpage), I can see it connect and establish the IPSec Tunnel. I then notice it go through an upgrade process, after which it says "rebooting". Right after it reboots, the RAP no longer establishes an IPSec Tunnel back to the Controller.

    I have also confirmed that we are allowing FTP and TFTP across this Tunnel. I mention this because, when I reset the RAP in order to start the process all over again, I notice that it's still on Version 5.X while the Controller is on 6.X. So, it obviously didn't perform an upgrade and that's most likely why the RAP won't work.

    What can we be doing wrong here? What IP Address does the RAP use in establishing an FTP/TFTP connection? Is it the VPN IP Address assigned to it or the Outer IP Address from the Service Provider end? Currently we are allowing FTP/TFTP between the Controller's Inner IP Address and the RAP's assigned VPN IP Address. Is this right?

    Are there any other Firewall ports that we should have open?

    Any help will be highly appreciated.



  • 2.  RE: RAP2WG dropping IPSec Tunnel after proposed upgrade

    EMPLOYEE
    Posted Mar 15, 2012 07:19 AM

    You should be fine with just UDP 4500 from the outside.

    What AP-Group is that AP assigned to in the whitelist?

    Find that AP-Group's AP system profile (Configuration > Wireless > AP Configuration > Edit that AP group). Expand AP, expand System Profile. See if that System Profile has a private IP address in the LMS-IP field. If it has an IP address you need to remove it. That is what is redirecting the RAP to a private address that it cannot find.



  • 3.  RE: RAP2WG dropping IPSec Tunnel after proposed upgrade

    Posted Mar 15, 2012 07:28 AM

    Thanks for the response cjoseph.

    So are you saying that we do not need to allow FTP/TFTP across the IPSec Tunnel? So as long as UDP 4500 is passed, we should be good? So is that traffic already encapsulated in the IPSec Tunnel?

    If the above is the case, do we then remove the Firewall rule on the IPSec Tunnel from our Enterprise Firewall?

    And yes, I just noticed that I had the Internal IP Address of the Controller in the LMS IP Field under the AP System Profile.

    I will remove that and then give it a shot again.



  • 4.  RE: RAP2WG dropping IPSec Tunnel after proposed upgrade

    EMPLOYEE
    Posted Mar 15, 2012 07:31 AM

    Correct. You only need to allow UDP 4500 at your perimeter firewall. The FTP/TFTP and all other management traffic is encapsulated in the tunnel.

    The "private ip address in the LMS-IP" is the most common reason why an AP comes up, upgrades and is never heard from again.


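The point in the reply above, that the perimeter only needs UDP 4500 and that the FTP/TFTP image download rides inside the tunnel, as an added example (not from the thread and not HPE Aruba code): a classifier for what a perimeter firewall can actually read on UDP/4500, following RFC 3948 (four-zero-byte non-ESP marker for IKE, SPI and sequence number for UDP-encapsulated ESP, single 0xFF byte for NAT keepalive) and RFC 7296 (IKEv2 header). The controller and RAP addresses and the sample datagrams are constructed. The RAP's outer (ISP-side) address is what the perimeter sees as the source; the VPN and controller inner addresses the original poster asked about sit inside the ESP ciphertext.

```python
"""What a perimeter firewall sees on UDP/4500 from a RAP.

Added example, not from the thread. Layouts follow RFC 3948 and RFC 7296;
addresses and datagrams are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948 2.2: IKE on UDP/4500
IKE_HEADER = struct.Struct("!QQBBBBII")  # RFC 7296 3.1: 28-byte IKE header
IKE_SA_INIT = 34                          # exchange type of the first message

CONTROLLER_PUBLIC_IP = "203.0.113.10"    # constructed: controller's public address
RAP_OUTER_IP = "198.51.100.23"           # constructed: RAP's ISP-side address


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Verdict:
    kind: str                      # "ike", "esp" or "keepalive"
    spi: Optional[int] = None      # readable for ESP
    exchange: Optional[int] = None # readable for IKE


def classify_nat_t(payload: bytes) -> Verdict:
    """Classify one UDP/4500 payload using only its cleartext framing."""
    if payload == b"\xff":
        return Verdict("keepalive")
    if len(payload) < 8:
        raise ValueError("shorter than an ESP header")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            raise ValueError("truncated IKE header")
        _, _, _, _, exchange, _, _, _ = IKE_HEADER.unpack(ike[:IKE_HEADER.size])
        return Verdict("ike", exchange=exchange)
    # An ESP SPI is never zero, so it cannot collide with the marker.
    spi, _seq = struct.unpack("!II", payload[:8])
    # Everything after SPI/seq is ciphertext: inner IP header, inner FTP/TFTP
    # ports and the VPN addresses are not readable at the perimeter.
    return Verdict("esp", spi=spi)


def perimeter_allows(d: Datagram) -> bool:
    """The single inbound rule the thread says is needed."""
    return d.proto == "udp" and d.dport == NAT_T_PORT and d.dst == CONTROLLER_PUBLIC_IP


def ike_sa_init() -> bytes:
    """Constructed IKE_SA_INIT request: marker + header, no payloads."""
    hdr = IKE_HEADER.pack(0x1122334455667788, 0, 33, 0x20, IKE_SA_INIT, 0x08, 0, IKE_HEADER.size)
    return NON_ESP_MARKER + hdr


def esp_carrying_tftp() -> bytes:
    """Constructed ESP datagram; the 64 trailing bytes stand in for ciphertext."""
    return struct.pack("!II", 0xC0FFEE01, 7) + bytes(range(64))


SAMPLE: List[Datagram] = [
    Datagram(RAP_OUTER_IP, CONTROLLER_PUBLIC_IP, "udp", 4500, ike_sa_init()),
    Datagram(RAP_OUTER_IP, CONTROLLER_PUBLIC_IP, "udp", 4500, esp_carrying_tftp()),
    Datagram(RAP_OUTER_IP, CONTROLLER_PUBLIC_IP, "udp", 4500, b"\xff"),
    # Plaintext TFTP read request straight from the Internet: must be dropped.
    Datagram("192.0.2.55", CONTROLLER_PUBLIC_IP, "udp", 69, b"\x00\x01boot.img\x00octet\x00"),
]


def run(sample: List[Datagram] = SAMPLE) -> List[Tuple[int, bool, str]]:
    """Return (dport, allowed, what the firewall could tell) per datagram."""
    results = []
    for d in sample:
        allowed = perimeter_allows(d)
        seen = classify_nat_t(d.payload).kind if allowed else "dropped"
        results.append((d.dport, allowed, seen))
    return results


if __name__ == "__main__":
    for row in run():
        print(row)
```

Run it and the plaintext TFTP datagram aimed at the controller's public address is the only one dropped, which is the point: an FTP/TFTP rule at the perimeter would never match the RAP's image download, because that download is ESP on UDP/4500, and it could only ever admit unencrypted management traffic from the Internet.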

  • 5.  RE: RAP2WG dropping IPSec Tunnel after proposed upgrade

    Posted Mar 15, 2012 07:42 AM

    And correct me if I'm wrong. The System AP Profile can actually be set to default. Right?

    Unless I have a Local Controller or another Controller I need the RAP to talk to. Right?

    I'm changing the configuration right now. Will keep you updated.



  • 6.  RE: RAP2WG dropping IPSec Tunnel after proposed upgrade
    Best Answer

    EMPLOYEE
    Posted Mar 15, 2012 07:45 AM

    @eosuorah wrote:

    And correct me if I'm wrong. The System AP Profile can actually be set to default. Right?

    Unless I have a Local Controller or another Controller I need the RAP to talk to. Right?

    I'm changing the configuration right now. Will keep you updated.

    Yes. You can do that. You do not need an LMS-IP unless you have a multi-controller environment. You also do not need to reprovision the AP, just power cycle it and it should work.



  • 7.  RE: RAP2WG dropping IPSec Tunnel after proposed upgrade
    Best Answer

    Posted Mar 15, 2012 08:15 AM

    Thank you so much! It works!

    Thanks again for the insight.



  • 8.  RE: RAP2WG dropping IPSec Tunnel after proposed upgrade

    EMPLOYEE
    Posted Mar 15, 2012 08:22 AM

    Glad to hear it!