Ever since I upgraded our controller master/standby pair to 6.3.1.16, none of our RAPs have worked. Some details:
- The RAPs are definitely talking to the controller; I see 4500 traffic. The RAPs show up on 'show crypto ipsec sa' and isakmp sa.
- I can see their L2TP internal IP slowly increasing every few minutes (flapping?)
- In the security ike logs I see them establish the tunnel then immediately tear it down:
May 26 08:25:45 isakmpd[1657]: <103076> <INFO> |ike| IKEv2 IPSEC Tunnel created for peer <external IP>:54267
May 26 08:25:45 isakmpd[1657]: <103077> <INFO> |ike| IKEv2 IKE_SA succeeded for peer <external IP>:54267
May 26 08:25:45 isakmpd[1657]: <103078> <INFO> |ike| IKEv2 CHILD_SA successful for peer <external IP>:54267
May 26 08:25:45 isakmpd[1657]: <103082> <INFO> |ike| IKEv2 Client-Authentication succeeded for 10.50.43.179 (External 73.196.151.108) for default-vpn-role
May 26 08:25:45 isakmpd[1657]: <103101> <INFO> |ike| IPSEC SA deleted for peer <external IP>
May 26 08:25:45 isakmpd[1657]: <103102> <INFO> |ike| IKE SA deleted for peer <external IP>
- They don't make it as far as getting to the AP table
- 'show datapath session table' on the IP of the RAP shows some traffic flagged as FY or FYDC, but it is not apparent why.
- This is happening on RAP2 and RAP5 devices -- none are working. Aruba OS 5.0. I tried factory reset and I tried provisioning the RAP within our network to eliminate firewall issues.
- I diff'd the configs before and after the upgrade and I see no big differences.
I have a case open but support has been slow and unhelpful so far. It took them an hour of CLI to even see the RAP traffic and then they wanted me to downgrade the controller or check the port channel to the controller (no reason whatsoever to suspect this). I would be grateful if you could let me know anything else I can try or look into.
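
The establish-then-delete pattern in the log excerpt above can be counted per peer over a longer capture. This is an added example, not part of the original post: it assumes the message IDs shown in the excerpt (103077 for IKE_SA succeeded, 103102 for IKE SA deleted), a 5-second threshold chosen for illustration, and constructed documentation addresses in place of the redacted peer IPs.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the isakmpd lines in the post that end in "for peer <ip>[:port]".
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) isakmpd\[\d+\]: "
    r"<(?P<id>\d+)> <\w+> \|ike\| .*?for peer (?P<peer>[\d.]+)(?::\d+)?\s*$"
)
IKE_SA_UP = "103077"    # "IKEv2 IKE_SA succeeded for peer ..."
IKE_SA_DOWN = "103102"  # "IKE SA deleted for peer ..."

def find_flaps(lines, max_lifetime=timedelta(seconds=5)):
    """Count, per peer, IKE SAs deleted within max_lifetime of being established."""
    up_at = {}
    flaps = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # other messages, e.g. Client-Authentication lines
        # Syslog timestamps carry no year; pin one so differences are well defined.
        when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        peer = m["peer"]
        if m["id"] == IKE_SA_UP:
            up_at[peer] = when
        elif m["id"] == IKE_SA_DOWN and peer in up_at:
            if when - up_at.pop(peer) <= max_lifetime:
                flaps[peer] += 1
    return dict(flaps)

# Constructed sample: one peer flapping twice, one peer with a long-lived SA.
SAMPLE = """\
May 26 08:25:45 isakmpd[1657]: <103076> <INFO> |ike| IKEv2 IPSEC Tunnel created for peer 203.0.113.10:54267
May 26 08:25:45 isakmpd[1657]: <103077> <INFO> |ike| IKEv2 IKE_SA succeeded for peer 203.0.113.10:54267
May 26 08:25:45 isakmpd[1657]: <103101> <INFO> |ike| IPSEC SA deleted for peer 203.0.113.10
May 26 08:25:45 isakmpd[1657]: <103102> <INFO> |ike| IKE SA deleted for peer 203.0.113.10
May 26 08:26:10 isakmpd[1657]: <103077> <INFO> |ike| IKEv2 IKE_SA succeeded for peer 198.51.100.7:4500
May 26 08:28:47 isakmpd[1657]: <103077> <INFO> |ike| IKEv2 IKE_SA succeeded for peer 203.0.113.10:54301
May 26 08:28:47 isakmpd[1657]: <103102> <INFO> |ike| IKE SA deleted for peer 203.0.113.10
May 26 10:26:10 isakmpd[1657]: <103102> <INFO> |ike| IKE SA deleted for peer 198.51.100.7
"""

if __name__ == "__main__":
    for peer, count in find_flaps(SAMPLE.splitlines()).items():
        print(f"{peer}: {count} short-lived IKE SA(s)")
```
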