Wireless Access

Occasional Contributor II
Posts: 11
Registered: ‎12-16-2013

RAPs broken, tunnel flapping after 6.3.1.5 -> 6.3.1.16 upgrade

Ever since I upgraded our master/standby controller pair to 6.3.1.16, none of our RAPs have worked. Some details:

  • RAPs are definitely talking to the controller; I see port 4500 traffic. The RAPs show up in 'show crypto ipsec sa' and 'show crypto isakmp sa'.
  • I can see their L2TP internal IP slowly increasing every few minutes (flapping?).
  • In the security IKE logs I see them establish the tunnel and then immediately tear it down:

May 26 08:25:45  isakmpd[1657]: <103076> <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer <external IP>:54267
May 26 08:25:45  isakmpd[1657]: <103077> <INFO> |ike|  IKEv2 IKE_SA succeeded for peer <external IP>:54267
May 26 08:25:45  isakmpd[1657]: <103078> <INFO> |ike|  IKEv2 CHILD_SA successful for peer <external IP>:54267
May 26 08:25:45  isakmpd[1657]: <103082> <INFO> |ike|  IKEv2 Client-Authentication succeeded for 10.50.43.179 (External 73.196.151.108) for default-vpn-role
May 26 08:25:45  isakmpd[1657]: <103101> <INFO> |ike|  IPSEC SA deleted for peer <external IP>
May 26 08:25:45  isakmpd[1657]: <103102> <INFO> |ike|  IKE SA deleted for peer <external IP>

  • They don't make it as far as the AP table.
  • 'show datapath session table' on the IP of the RAP shows some traffic flagged as FY or FYDC, but it is not apparent why.
  • This is happening on RAP2 and RAP5 devices; none are working. Aruba OS 5.0. I tried a factory reset and I tried provisioning the RAP within our network to eliminate firewall issues.
  • I diffed the configs before and after the upgrade and I see no big differences.

I have a case open, but support has been slow and unhelpful so far. It took them an hour of CLI to even see the RAP traffic, and then they wanted me to downgrade the controller or check the port channel to the controller (no reason whatsoever to suspect this). I would be grateful if you could let me know anything else I can try or look into.
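The log excerpt above shows the pattern to look for: a tunnel is created, the client authenticates into default-vpn-role, and within the same second both the IPsec SA and the IKE SA are deleted, then the cycle repeats a few minutes later. The following is an added example (not code from the original post or from Aruba) that runs that check over isakmpd log lines and reports, per peer, how many tunnels came up, how many were torn down within a short window, and whether client authentication ever succeeded. It assumes the message IDs as they appear in the quoted lines (103076 tunnel created, 103082 client authentication succeeded, 103101 IPsec SA deleted, 103102 IKE SA deleted), a year for the syslog timestamps (they carry none), and a 30-second "short-lived" threshold; the sample log is constructed with RFC 5737 documentation addresses, with a second peer added that stays up so both outcomes are exercised.

```python
import re
from collections import defaultdict
from datetime import datetime

# Message IDs taken from the isakmpd lines quoted in the post.
TUNNEL_CREATED = "103076"
CLIENT_AUTH_OK = "103082"
IPSEC_SA_DELETED = "103101"
IKE_SA_DELETED = "103102"

# Constructed sample: the sequence from the post, repeated once for the same
# peer a few minutes later (the flap), plus a second peer whose tunnel stays up.
SAMPLE_LOG = """\
May 26 08:25:45  isakmpd[1657]: <103076> <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 203.0.113.10:54267
May 26 08:25:45  isakmpd[1657]: <103077> <INFO> |ike|  IKEv2 IKE_SA succeeded for peer 203.0.113.10:54267
May 26 08:25:45  isakmpd[1657]: <103078> <INFO> |ike|  IKEv2 CHILD_SA successful for peer 203.0.113.10:54267
May 26 08:25:45  isakmpd[1657]: <103082> <INFO> |ike|  IKEv2 Client-Authentication succeeded for 10.50.43.179 (External 203.0.113.10) for default-vpn-role
May 26 08:25:45  isakmpd[1657]: <103101> <INFO> |ike|  IPSEC SA deleted for peer 203.0.113.10
May 26 08:25:45  isakmpd[1657]: <103102> <INFO> |ike|  IKE SA deleted for peer 203.0.113.10
May 26 08:28:12  isakmpd[1657]: <103076> <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 203.0.113.10:54268
May 26 08:28:12  isakmpd[1657]: <103082> <INFO> |ike|  IKEv2 Client-Authentication succeeded for 10.50.43.179 (External 203.0.113.10) for default-vpn-role
May 26 08:28:12  isakmpd[1657]: <103101> <INFO> |ike|  IPSEC SA deleted for peer 203.0.113.10
May 26 08:28:12  isakmpd[1657]: <103102> <INFO> |ike|  IKE SA deleted for peer 203.0.113.10
May 26 08:30:00  isakmpd[1657]: <103076> <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 198.51.100.7:4500
May 26 08:30:00  isakmpd[1657]: <103082> <INFO> |ike|  IKEv2 Client-Authentication succeeded for 10.50.43.180 (External 198.51.100.7) for default-vpn-role
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+isakmpd\[\d+\]: "
    r"<(?P<msgid>\d+)> <\w+> \|ike\|\s+(?P<msg>.*)$"
)
PEER_RE = re.compile(r"for peer (?P<ip>[\d.]+)(?::\d+)?")
EXTERNAL_RE = re.compile(r"\(External (?P<ip>[\d.]+)\)")


def parse_line(line, year=2014):
    """Return (timestamp, message id, peer external IP) or None if the line
    is not an isakmpd event that names a peer. `year` is assumed because
    syslog timestamps omit it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    peer = PEER_RE.search(m["msg"]) or EXTERNAL_RE.search(m["msg"])
    if not peer:
        return None
    return ts, m["msgid"], peer["ip"]


def analyze(log_text, short_lived_seconds=30):
    """Track each peer's tunnel lifecycle and flag peers whose tunnels keep
    coming up and being torn down within `short_lived_seconds`."""
    state = defaultdict(lambda: {"attempts": 0, "short_lived": 0,
                                 "authenticated": False, "open_since": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msgid, ip = parsed
        s = state[ip]
        if msgid == TUNNEL_CREATED:
            s["attempts"] += 1
            s["open_since"] = ts
        elif msgid == CLIENT_AUTH_OK:
            s["authenticated"] = True
        elif msgid in (IPSEC_SA_DELETED, IKE_SA_DELETED) and s["open_since"] is not None:
            # The IPsec and IKE SA deletions arrive as a pair; only the first
            # closes the tunnel, so the second is ignored.
            lifetime = (ts - s["open_since"]).total_seconds()
            if lifetime <= short_lived_seconds:
                s["short_lived"] += 1
            s["open_since"] = None

    return {
        ip: {
            "attempts": s["attempts"],
            "short_lived": s["short_lived"],
            "authenticated": s["authenticated"],
            "still_up": s["open_since"] is not None,
            # Flapping: every tunnel the peer brought up died young, more than once.
            "flapping": s["attempts"] >= 2 and s["short_lived"] == s["attempts"],
        }
        for ip, s in state.items()
    }


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(ip, r)
```

The useful signal for this thread is the combination "authenticated: True, flapping: True": the peer is getting through IKE and user authentication, so the teardown is happening after the VPN role has been applied, which points at what the controller does with the tunnel next (role, pool, AP lookup) rather than at the firewall or the RAP's credentials. Feed it real output from the security IKE log instead of SAMPLE_LOG to see the same report for every RAP at once.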

Guru Elite
Posts: 21,584
Registered: ‎03-29-2007

Re: RAPs broken, tunnel flapping after 6.3.1.5 -> 6.3.1.16 upgrade

- Why are you upgrading (so that we can understand whether you were trying to avoid an issue or not)?

- Does the public IP address point to the master or the standby?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 11
Registered: ‎12-16-2013

Re: RAPs broken, tunnel flapping after 6.3.1.5 -> 6.3.1.16 upgrade


cjoseph wrote:

- Why are you upgrading (so that we can understand whether you were trying to avoid an issue or not)?

- Does the public IP address point to the master or the standby?


- Upgrading because of some SSL bugs that were fixed after .5; our controller was showing up in some internal security audits.

- Master

Thanks

Guru Elite
Posts: 21,584
Registered: ‎03-29-2007

Re: RAPs broken, tunnel flapping after 6.3.1.5 -> 6.3.1.16 upgrade

Does your public IP address NAT to your Master controller or your standby?



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 11
Registered: ‎12-16-2013

Re: RAPs broken, tunnel flapping after 6.3.1.5 -> 6.3.1.16 upgrade


cjoseph wrote:

Does your public ip address NAT to your Master controller or your standby?


The public IP NATs to the master controller. However, I also factory reset one of the RAPs, plugged it into the internal network and tried to provision it against the internal Master IP (to eliminate firewall issues), and it behaved the same way.

Guru Elite
Posts: 21,584
Registered: ‎03-29-2007

Re: RAPs broken, tunnel flapping after 6.3.1.5 -> 6.3.1.16 upgrade

Are you using zero touch provisioning for your RAPs?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 11
Registered: ‎12-16-2013

Re: RAPs broken, tunnel flapping after 6.3.1.5 -> 6.3.1.16 upgrade


cjoseph wrote:

Are you using zero touch provisioning for your RAPs?

Not 100% sure what that entails. For a new RAP I would add its MAC to the RAP whitelist on the controller. Then it would need to be plugged into a home internet router (or similar) on E0, with a laptop on E1. Then launch a browser, go to rapconsole.arubanetworks.com, and type in the controller's external IP/DNS name. The RAP would then provision.

Guru Elite
Posts: 21,584
Registered: ‎03-29-2007

Re: RAPs broken, tunnel flapping after 6.3.1.5 -> 6.3.1.16 upgrade

Yes, that is what zero touch provisioning means.

What is the output of "show rights default-vpn-role"?

Also, do you have an LMS-IP in the AP System Profile of the AP group that your RAPs are in?

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 11
Registered: ‎12-16-2013

Re: RAPs broken, tunnel flapping after 6.3.1.5 -> 6.3.1.16 upgrade

# show rights default-vpn-role

Derived Role = 'default-vpn-role'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 69/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

access-list List
----------------
Position  Name         Type     Location
--------  ----         ----     --------
1         ra-guard     session
2         allowall     session
3         v6-allowall  session

ra-guard
--------
Priority  Source  Destination  Service           Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------           ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          icmpv6 rtr-adv    deny                             Low                                                           6
allowall
--------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4
v6-allowall
-----------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           6

Expired Policies (due to time constraints) = 0

Guru Elite
Posts: 21,584
Registered: ‎03-29-2007

Re: RAPs broken, tunnel flapping after 6.3.1.5 -> 6.3.1.16 upgrade

Also, do you have an LMS-IP in the AP System Profile of the AP group that your RAPs are in?



Colin Joseph
Aruba Customer Engineering
