Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP3 conversion troubles

  • 1.  RAP3 conversion troubles

    Posted Aug 07, 2014 11:06 AM

    Hello,

     

    We recently got some RAP3s to test out. Out of the box they are IAPs and I managed to convert them to remote AP using the IP address of the controller, but it's not showing up in the AP list and the power LED on the RAP is blinking green.

     

    Did I miss something?

     

    Logs show no errors. Controller is an M3 running 6.3.1.3

     

    Thanks



  • 2.  RE: RAP3 conversion troubles

    Posted Aug 07, 2014 12:19 PM

    Have you added the RAPs to the whitelist?



  • 3.  RE: RAP3 conversion troubles

    EMPLOYEE
    Posted Aug 07, 2014 12:31 PM
    Do you see any traffic on the controller?

    Show datapath session table | include 4500

    Also, check the system logs for any errors

    Show log system 50


  • 4.  RE: RAP3 conversion troubles

    Posted Aug 07, 2014 12:51 PM

    - Make sure you have created a RAP IP pool so the RAP is able to get an inner IP address

    - Also add the MAC address to the RAP whitelist



  • 5.  RE: RAP3 conversion troubles

    Posted Aug 07, 2014 02:21 PM

    MAC addresses are in the whitelist and there is a RAP IP pool configured.

     

    I'm not sure how to interpret the information from show datapath session table. 

     

    This is the output :

     

    rapIP controllerIP 17 49266 4500 0/0 0 0 0 0/1 0 1 418 FC
    controllerIP rapIP 17 4500 49266 0/0 0 0 0 0/1 1 2 533 F



  • 6.  RE: RAP3 conversion troubles

    EMPLOYEE
    Posted Aug 07, 2014 04:00 PM

    Have you looked at the logs on the controller for any info regarding why the RAP is not connecting? Based on your datapath output, it seems to be making it to the controller. Have you logged into the RAP itself (connect to the wired port and type "rapconsole.arubanetworks.com") to gather diagnostic info? It should have some logs you can gather that should point you in the right direction.



  • 7.  RE: RAP3 conversion troubles

    Posted Aug 08, 2014 09:34 AM

    As I connect to the RAP's E1 I'm not getting any IP address and rapconsole.arubanetworks.com isn't responding.

     

    Here is another fun bit of info

     

    #show crypto isakmp sa

    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP   Responder IP   Flags      Start Time        Private IP
    ------------   ------------   -----      ---------------   ----------
    M3-2IP         M3-1-IP        r-a-p      Aug  8 05:50:46   -
    RAPlanIP       VRRP           r-v2-c-R   Aug  8 10:03:52   IPfromRAPpool

     

    According to this, not only does it appear to be connecting but it is completing the tunnel correctly, so why can I not see it on the controller?

     

    Does the private IP need to be routable on our network?



  • 8.  RE: RAP3 conversion troubles

    EMPLOYEE
    Posted Aug 08, 2014 09:51 AM

    type "show datapath session table <ip address from rap pool>" a few times and see if the AP is communicating with the controller



  • 9.  RE: RAP3 conversion troubles

    Posted Aug 08, 2014 09:55 AM

    No there doesn't appear to be any communications to or from <RAP Private IP> in the session table.



  • 10.  RE: RAP3 conversion troubles

    EMPLOYEE
    Posted Aug 08, 2014 10:03 AM

    Type "show log system 50" and see if there is anything that the AP might have sent to the controller via syslog.

     

    Also, reboot the AP and try the "show datapath session table" after it connects and see if anything is there.



  • 11.  RE: RAP3 conversion troubles

    Posted Aug 08, 2014 10:20 AM

    Thanks for helping,

     

    I've tried

     

    #show log all | include <name of rap>

    #show log all | include <private ip of rap>

    #show log all | include <local ip of rap>

     

    All returned no results.

     

    I've also tried rebooting the RAP several times with the same results.

     

    #show datapath session table | include 4500
    <rap lan ip>     <controller IP>  17   49154  4500   0/0  0 0  1  0/1  18  0  0  FC
    <controller IP>  <rap lan ip>     17   4500   49154  0/0  0 0  1  0/1  19  0  0  FY

     

    The Y flag is troubling to me as the definition states that it means "no syn"

     

    I'm not familiar with the connection process of a RAP so I couldn't begin to guess where the breakdown occurs. 



  • 12.  RE: RAP3 conversion troubles

    EMPLOYEE
    Posted Aug 08, 2014 10:27 AM

    The RAP LAN IP, is that routable on your network? Can the controller get back to that IP if you do a traceroute?



  • 13.  RE: RAP3 conversion troubles

    Posted Aug 08, 2014 10:32 AM

    mnarine,

     

    Yes it is an IP provided by the local DHCP server and is on the same subnet as the controller.

     

    The controller is able to ping the address.



  • 14.  RE: RAP3 conversion troubles

    EMPLOYEE
    Posted Aug 08, 2014 10:37 AM

    Can you send the output of the following?

     

    show rights default-vpn-role



  • 15.  RE: RAP3 conversion troubles

    Posted Aug 08, 2014 10:41 AM

    #show rights default-vpn-role
    Unknown role default-vpn-role



  • 16.  RE: RAP3 conversion troubles

    EMPLOYEE
    Posted Aug 08, 2014 12:03 PM

    Yann,

     

    UDP traffic does not have a "SYN" so it will always say "no syn".  Don't worry about it.

     

    1. You should do "show datapath session table <outer ip address of ap>" - done

    2.  You should do "show crypto ipsec sa" - done

    3.  You should do "show datapath session table <inner ip address of rap>" <------This is what I am interested in.

    4.  Turn on security debugging:

     

    config t

    logging level debugging security subcat ike
    logging level debugging security process aaa
    logging level debugging security process authmgr
    logging level debugging security subcat l2tp
    logging level debugging security subcat vpn
     
    5.  Type "show log security 50" when the RAP is coming up to see if you see anything.
     


  • 17.  RE: RAP3 conversion troubles

    Posted Aug 08, 2014 01:32 PM

    "show datapath session table <inner ip address of rap>" Returns nothing.

     

    "show log security 50" Returns nothing specific to the RAP



  • 18.  RE: RAP3 conversion troubles

    EMPLOYEE
    Posted Aug 08, 2014 05:40 PM

    Please open a case.  I am out of guesses if those commands do not return any information.



  • 19.  RE: RAP3 conversion troubles
    Best Answer

    Posted Aug 11, 2014 02:00 PM

    To anyone interested:

     

    I opened a case with support and what we discovered is that my default ap-role was blocking port 8209. Once this port was opened the RAPs came up in the AP list.

     

    Cheers.
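
The check this thread converged on (outer UDP 4500 sessions present, nothing to or from the RAP's inner IP), written as an added example that is not part of any post or of Aruba's tooling. It interprets only the first five columns shown in the thread's output (source, destination, protocol, source port, destination port); the function names and the documentation-range addresses are assumptions.

```python
import ipaddress

# Constructed sample shaped like the thread's "| include 4500" output;
# documentation-range addresses replace the redacted RAP/controller IPs.
SAMPLE = """\
192.0.2.50  192.0.2.10  17  49154  4500   0/0  0 0  1  0/1  18  0  0  FC
192.0.2.10  192.0.2.50  17  4500   49154  0/0  0 0  1  0/1  19  0  0  FY
"""

def parse_sessions(text):
    """Yield (src, dst, proto, sport, dport) for each session row.

    Only the first five columns are interpreted; header lines and rows that
    do not begin with two IP addresses are skipped.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        try:
            src = ipaddress.ip_address(fields[0])
            dst = ipaddress.ip_address(fields[1])
            proto, sport, dport = (int(x) for x in fields[2:5])
        except ValueError:
            continue
        yield src, dst, proto, sport, dport

def diagnose(text, controller, rap_outer, rap_inner):
    """Classify how far a RAP got, given session-table output."""
    ctrl = ipaddress.ip_address(controller)
    outer = ipaddress.ip_address(rap_outer)
    inner = ipaddress.ip_address(rap_inner)
    rows = list(parse_sessions(text))
    # Outer leg: IPsec NAT-T is UDP (protocol 17) on port 4500.
    if not any(r == (outer, ctrl, 17, r[3], 4500) for r in rows):
        return "no-natt-from-rap"        # RAP never reached the controller
    if not any(r == (ctrl, outer, 17, 4500, r[4]) for r in rows):
        return "no-natt-reply"           # controller is not answering
    # Inner leg: any session to or from the address leased from the RAP pool.
    if not any(inner in r[:2] for r in rows):
        return "tunnel-up-no-inner-traffic"  # check the role/ACL on the tunnel
    return "inner-traffic-present"

if __name__ == "__main__":
    print(diagnose(SAMPLE, "192.0.2.10", "192.0.2.50", "198.51.100.7"))
```

Feed it the unfiltered session table rather than the `| include 4500` view, since that filter hides inner-IP sessions on other ports. A `tunnel-up-no-inner-traffic` result matches the state in this thread, where the cause turned out to be the AP role blocking port 8209.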