RAP5 not connecting with controller. RC_ERROR_IKEP1

  • 1.  RAP5 not connecting with controller. RC_ERROR_IKEP1

    Posted Mar 15, 2012 01:09 PM

    We have installed a secondary controller to terminate RAPs and we are having some issues with them connecting with the controller.  The firewall settings have been made and the RAPs are reaching the controller, but we are still receiving this error.  

     

    #show datapath session | include 4500
    63.199.244.246 192.168.3.12 17 4500 4500 0/0 0 0 0 1/1 1e FC
    192.168.3.12 63.199.244.246 17 4500 4500 0/0 0 0 0 1/1 1e F

     

    Any idea on what could be the issue?  We have contacted TAC, but they weren't able to figure out the problem.  Thanks.



  • 2.  RE: RAP5 not connecting with controller. RC_ERROR_IKEP1

    Posted Mar 15, 2012 01:10 PM

    Are those RAPs whitelisted on that particular controller?



  • 3.  RE: RAP5 not connecting with controller. RC_ERROR_IKEP1

    Posted Mar 15, 2012 01:30 PM

    This usually signifies an issue with connectivity to the controller from the RAP. Can you check if you have the L2TP pool configured for the RAP to get an IP address?

    RAP sends packet 1 to the controller and the controller responds with packet 2. It could be that either packet 1 did not reach the controller or the response from the controller did not make it to the RAP. Hence the RAP reports the error.



  • 4.  RE: RAP5 not connecting with controller. RC_ERROR_IKEP1

    Posted Mar 15, 2012 01:42 PM

    RAP is in the white list.  Pool is configured.

     

    We enabled logging and we are seeing errors stating that the key length doesn't match and the algorithm either.  Where can we go change this?



  • 5.  RE: RAP5 not connecting with controller. RC_ERROR_IKEP1

    Posted Mar 15, 2012 01:43 PM

    Can you paste the errors seen? We need security debugging configured.


    @salvi wrote:

    RAP is in the white list.  Pool is configured.

     

    We enabled logging and we are seeing errors stating that the key length doesn't match and the algorithm either.  Where can we go change this?


     



  • 6.  RE: RAP5 not connecting with controller. RC_ERROR_IKEP1

    EMPLOYEE
    Posted Mar 15, 2012 02:55 PM

    @salvi wrote:

    RAP is in the white list.  Pool is configured.

     

    We enabled logging and we are seeing errors stating that the key length doesn't match and the algorithm either.  Where can we go change this?


    The last time I saw this happen, the default gateway on the controller was wrong.  The customer created a 1:1 NAT on the wrong IP address of the controller and the routing was asymmetric.

     



  • 7.  RE: RAP5 not connecting with controller. RC_ERROR_IKEP1

    Posted Mar 15, 2012 04:41 PM

    Below is part of the log.

     

    Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 63.199.244.246.

    Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_responder_recv_SA:934 Found our AP vendor ID from external IP 63.199.244.246

    Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2865 Proposal match failed in key length, configured=32, peer using=16

    Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2836 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG

    Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2825 Proposal match failed in hash algo, configured=SHA, peer using=MD5

    Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2865 Proposal match failed in key length, configured=32, peer using=24

    Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2836 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG

    Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2825 Proposal match failed in hash algo, configured=SHA, peer using=MD5

    Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_responder_recv_SA:1049 Ike Phase 1 received SA

    Mar 15 10:24:40 :103063:  <DBUG> |ike|  ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:63.199.244.246

    Mar 15 10:24:44 :103063:  <DBUG> |ike|  exchange_setup_p1: ID is IPv4

    Mar 15 10:24:44 :103063:  <DBUG> |ike|  exchange_lookup_active : found phase:1  name:63.199.244.246

    Mar 15 10:24:44 :103063:  <DBUG> |ike|  exchange_setup_p1: Active Exchange 63.199.244.246 exists, continuing with new exchange

    Mar 15 10:24:44 :103063:  <DBUG> |ike|  exchange_setup_p1: USING exchange type ID_PROT

    Mar 15 10:24:44 :103063:  <DBUG> |ike|  Aruba RAP detected

    Mar 15 10:24:44 :103063:  <DBUG> |ike|  Detected peer using TPM

    Mar 15 10:24:44 :103063:  <DBUG> |ike|  IKE Fragmentation

    Mar 15 10:24:44 :103063:  <DBUG> |ike|  message_recv enabling early NATT since peer initiates on 4500

    Mar 15 10:24:44 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 63.199.244.246.

    Mar 15 10:24:44 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_responder_recv_SA:934 Found our AP vendor ID from external IP 63.199.244.246

    Mar 15 10:24:44 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2865 Proposal match failed in key length, configured=32, peer using=16

    Mar 15 10:24:44 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2836 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG

    Mar 15 10:24:44 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2825 Proposal match failed in hash algo, configured=SHA, peer using=MD5

    Mar 15 10:24:44 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2865 Proposal match failed in key length, configured=32, peer using=24

    Mar 15 10:24:44 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2836 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG

    Mar 15 10:24:44 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2825 Proposal match failed in hash algo, configured=SHA, peer using=MD5

    Mar 15 10:24:44 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_responder_recv_SA:1049 Ike Phase 1 received SA

    Mar 15 10:24:44 :103063:  <DBUG> |ike|  ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:63.199.244.246

    Mar 15 10:25:08 :124004:  <DBUG> |authmgr|  Rx message 14001/5221, length 167 from 127.0.0.1:8235



  • 8.  RE: RAP5 not connecting with controller. RC_ERROR_IKEP1

    Posted Mar 15, 2012 04:50 PM

    RAP sending first packet and controller receiving it.

    Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 63.199.244.246.

     

    Controller sending response to packet 1:

     

    Mar 15 10:24:40 :103063:  <DBUG> |ike|  ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:63.199.244.246

     

    This packet does not seem to be making it to the RAP and hence RAP sends packet 1 again. There seems to be an issue in the route to the RAP from the controller. Packet captures should tell if the packet is making it to the RAP or not.

     

    The proposal mismatch and key length messages are fine as the controller receives multiple proposals of which it accepts one.
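
Added example (not part of the original thread or any poster's code): a small triage script for the reading of the debug log given in post 8. It counts, per peer, how often packet 1 arrives again after the controller has already logged a response, and separates that from the case where no proposal is accepted at all. The function name `triage`, the verdict strings, and the two lines for peer 198.51.100.7 are constructed for illustration.

```python
import re
from collections import defaultdict

# First six lines: excerpt of the log posted in the thread. Last two: constructed peer.
SAMPLE = """\
Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 63.199.244.246.
Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2865 Proposal match failed in key length, configured=32, peer using=16
Mar 15 10:24:40 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2825 Proposal match failed in hash algo, configured=SHA, peer using=MD5
Mar 15 10:24:40 :103063:  <DBUG> |ike|  ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:63.199.244.246
Mar 15 10:24:44 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 63.199.244.246.
Mar 15 10:24:44 :103063:  <DBUG> |ike|  ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:63.199.244.246
Mar 15 10:30:01 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 198.51.100.7.
Mar 15 10:30:01 :103060:  <DBUG> |ike|  ike_phase_1.c:attribute_unacceptable:2825 Proposal match failed in hash algo, configured=SHA, peer using=MD5
"""
RECV = re.compile(r"\(1st packet\) from IP (\d+(?:\.\d+){3})")
SENT = re.compile(r"Accepted \d+ of the Proposals, sending Response for exchange:(\d+(?:\.\d+){3})")

def triage(log_text):
    """Return {peer_ip: counters plus a 'verdict'} from IKE phase 1 debug lines."""
    peers = defaultdict(lambda: {"first_packets": 0, "responses": 0,
                                 "resent_after_response": 0, "mismatch_lines": 0, "_answered": False})
    current = None  # mismatch lines carry no IP; attribute them to the last packet-1 sender
    for line in log_text.splitlines():
        if m := RECV.search(line):
            current = m.group(1)
            p = peers[current]
            p["first_packets"] += 1
            if p["_answered"]:  # a response was already logged, yet the peer starts over
                p["resent_after_response"] += 1
            p["_answered"] = False
        elif m := SENT.search(line):
            p = peers[m.group(1)]
            p["responses"] += 1
            p["_answered"] = True
        elif "Proposal match failed in" in line and current:
            peers[current]["mismatch_lines"] += 1
    for p in peers.values():
        del p["_answered"]
        if p["responses"] == 0:
            p["verdict"] = "no proposal accepted: check IKE policy"
        elif p["resent_after_response"]:
            p["verdict"] = "response sent but packet 1 repeated: check return path"
        else:
            p["verdict"] = "phase 1 response sent, no retransmit seen"
    return dict(peers)

if __name__ == "__main__":
    for ip, stats in triage(SAMPLE).items(): print(ip, stats)
```

Mismatch lines alone do not change the verdict; only the absence of an "Accepted" line or a repeated packet 1 does, which matches the explanation in post 8.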



  • 9.  RE: RAP5 not connecting with controller. RC_ERROR_IKEP1

    Posted Mar 16, 2012 12:37 PM

    Hi all, I am working with Wil on this issue. Apparently, the switchport connecting to the loopback of the controller is seeing 2 MACs, where it should only see 1.


    When I go to the Aruba controller and show mac add table, that second MAC is not even there.

    Also, on our other A3200 (the one that is working fine, and it is on the same switch, same VLAN) it only sees 1 MAC on the loopback port, the way it should be...

    So I think there might be a hardware problem with this controller.

     

    Thanks all for your help!