Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAPs stuck in logon role

  • 1.  RAPs stuck in logon role

    Posted Aug 08, 2013 02:27 PM

    Hi All,

    I've got a few RAPs that I can see in the logon role but not in the AP database. This is happening with all RAPs.

    (A3200) #show user


    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
    186.188.56.242 00:00:00:00:00:00 logon 00:00:05 VPN N/A default tunnel
    186.169.76.203 00:00:00:00:00:00 logon 00:00:05 VPN N/A default tunnel
    181.133.34.140 00:00:00:00:00:00 logon 00:00:05 VPN N/A default tunnel

    User Entries: 3/3

     

    I can see they've got an IPsec security association but none of them has a private IP assigned.

    (A3200) #show crypto isakmp sa

    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP Responder IP Flags Start Time Private IP
    ------------ ------------ ----- --------------- ----------
    10.69.19.80 10.164.90.251 i-a-p Aug 8 14:37:19 - (this is the local - master sa)
    186.188.56.242 10.169.119.80 r-v2-c-R Aug 8 14:36:13 -
    186.169.76.203 10.169.119.80 r-v2-c-R Aug 8 14:36:13 -
    181.133.34.140 10.169.119.80 r-v2-c-R Aug 8 14:36:13 -

     

    I've set up a RAP pool of IP addresses but they're not being used.

    (A3200) # show vpdn l2tp local pool

    IP addresses used in pool 3200RAP_Pool
    0 IPs used - 32 IPs free - 32 IPs configured
    IP pool allocations / de-allocations - L2TP: 0/0 IKE: 0/0

     

    The logon role has not been changed from defaults as far as I'm aware:

    (A3200) #show rights logon

    Derived Role = 'logon'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Periodic reauthentication: Disabled
    ACL Number = 1/0
    Max Sessions = 65535


    access-list List
    ----------------
    Position Name Location
    -------- ---- --------
    1 logon-control
    2 vpnlogon
    3 v6-logon-control
    4 captiveportal6

    logon-control
    -------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any udp 68 deny Low 4
    2 any any svc-icmp permit Low 4
    3 any any svc-dns permit Low 4
    4 any any svc-dhcp permit Low 4
    5 any any svc-natt permit Low 4
    vpnlogon
    --------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any svc-ike permit Low 4
    2 user any svc-esp permit Low 4
    3 any any svc-l2tp permit Low 4
    4 any any svc-pptp permit Low 4
    5 any any svc-gre permit Low 4
    v6-logon-control
    ----------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user any udp 68 deny Low 6
    2 any any svc-v6-icmp permit Low 6
    3 any any svc-v6-dhcp permit Low 6
    4 any any svc-dns permit Low 6
    captiveportal6
    --------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 user controller6 svc-https captive Low 6
    2 user any svc-http captive Low 6
    3 user any svc-https captive Low 6
    4 user any svc-http-proxy1 captive Low 6
    5 user any svc-http-proxy2 captive Low 6
    6 user any svc-http-proxy3 captive Low 6

    Expired Policies (due to time constraints) = 0

     

    The MAC addresses are in the RAP whitelist.

    Can anyone shed some light on this please?

    I'm sure I've probably overlooked something simple.

    Thanks

    James
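    Added example (not code from James's post, nor from HPE Aruba): a small parser for the two outputs pasted above, 'show crypto isakmp sa' and 'show vpdn l2tp local pool', that flags inbound peers which reached IKE but were never handed a Private IP, and confirms the pool has never been consulted. The sample output is constructed to mirror the post; the column layout the regex expects is the one shown there, and a differently formatted ArubaOS release would need the pattern adjusted.

```python
"""Spot RAP peers that reached IKE but never received an inner (Private) IP.

Added example, not code from the original post or from HPE Aruba. It parses the
text of 'show crypto isakmp sa' and 'show vpdn l2tp local pool' exactly as it is
pasted from the controller CLI; the sample output below is constructed to mirror
the post above, and the column layout it assumes is the one shown there.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the 'show crypto isakmp sa' output in the post.
ISAKMP_SA_OUTPUT = """\
ISAKMP SA Active Session Information
------------------------------------
Initiator IP    Responder IP    Flags     Start Time        Private IP
------------    ------------    -----     ---------------   ----------
10.69.19.80     10.164.90.251   i-a-p     Aug 8 14:37:19    -
186.188.56.242  10.169.119.80   r-v2-c-R  Aug 8 14:36:13    -
186.169.76.203  10.169.119.80   r-v2-c-R  Aug 8 14:36:13    -
181.133.34.140  10.169.119.80   r-v2-c-R  Aug 8 14:36:13    -
"""

# Constructed sample, modelled on the 'show vpdn l2tp local pool' output in the post.
POOL_OUTPUT = """\
IP addresses used in pool 3200RAP_Pool
0 IPs used - 32 IPs free - 32 IPs configured
IP pool allocations / de-allocations - L2TP: 0/0 IKE: 0/0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# initiator, responder, flags, 'Mon d HH:MM:SS', private IP (or '-')
SA_LINE = re.compile(
    rf"^(?P<init>{IPV4})\s+(?P<resp>{IPV4})\s+(?P<flags>\S+)\s+"
    rf"(?P<start>[A-Za-z]{{3}}\s+\d{{1,2}}\s+\d{{2}}:\d{{2}}:\d{{2}})\s+(?P<inner>\S+)\s*$"
)
POOL_USAGE = re.compile(r"(\d+) IPs used - (\d+) IPs free - (\d+) IPs configured")
POOL_ALLOC = re.compile(r"L2TP: (\d+)/(\d+) IKE: (\d+)/(\d+)")


@dataclass(frozen=True)
class IkeSa:
    initiator: str
    responder: str
    flags: str
    start: str
    inner_ip: str | None  # None when the controller prints '-'

    @property
    def is_inbound_client(self) -> bool:
        # Flags starting with 'r' mean this controller was the responder, i.e.
        # the peer is an inbound RAP/VPN client. The controller's own SA to its
        # master shows up with initiator flags ('i-a-p' in the post).
        return self.flags.startswith("r")


def parse_isakmp_sa(text: str) -> list[IkeSa]:
    sas: list[IkeSa] = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m is None:  # headers, separators, blank lines
            continue
        inner = None if m["inner"] == "-" else m["inner"]
        sas.append(IkeSa(m["init"], m["resp"], m["flags"], m["start"], inner))
    return sas


def parse_pool_usage(text: str) -> dict[str, int]:
    usage, alloc = POOL_USAGE.search(text), POOL_ALLOC.search(text)
    if usage is None or alloc is None:
        raise ValueError("unrecognised 'show vpdn l2tp local pool' output")
    return {
        "used": int(usage[1]), "free": int(usage[2]), "configured": int(usage[3]),
        "l2tp_alloc": int(alloc[1]), "l2tp_dealloc": int(alloc[2]),
        "ike_alloc": int(alloc[3]), "ike_dealloc": int(alloc[4]),
    }


def stuck_peers(sa_text: str) -> list[str]:
    """Inbound peers with an IKE SA but no inner IP: the symptom in the post."""
    return [sa.initiator for sa in parse_isakmp_sa(sa_text)
            if sa.is_inbound_client and sa.inner_ip is None]


def pool_never_consulted(pool_text: str) -> bool:
    """True when IKE has never drawn an address from the pool at all.

    Together with stuck_peers() this says the pool is neither exhausted nor
    the thing failing: the peers drop out before address assignment, so the
    next place to look is IPsec phase 2 / client authentication.
    """
    usage = parse_pool_usage(pool_text)
    return usage["used"] == 0 and usage["ike_alloc"] == 0


if __name__ == "__main__":
    print("stuck peers:", stuck_peers(ISAKMP_SA_OUTPUT))
    print("pool never consulted:", pool_never_consulted(POOL_OUTPUT))
```

    Paste real CLI output in place of the two constructed strings; the point of the split into stuck_peers() and pool_never_consulted() is that an empty pool with IKE allocations at 0/0 rules the pool out and points you at the authentication step rather than at addressing.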



  • 2.  RE: RAPs stuck in logon role

    Posted Aug 08, 2013 02:33 PM

     

    Are those the only devices attached to that controller?

    Are your port and VLAN trusted on the uplink interface?



  • 3.  RE: RAPs stuck in logon role

    Posted Aug 08, 2013 02:36 PM

    Hi Victor,

     

    All ports are configured in a port-channel and all VLANs run over it and are trusted.

    @victorfabian wrote:

    Are those the only devices attached to that controller?

    Can you clarify this bit?

    Thanks

    James



  • 4.  RE: RAPs stuck in logon role

    Posted Aug 08, 2013 02:37 PM

     

    If those RAPs are the only ones you have connected to your controller.



  • 5.  RE: RAPs stuck in logon role

    Posted Aug 08, 2013 02:39 PM

    Gotcha.

     

    Yes, this controller is being used solely to terminate RAPs.

    Currently there are only 3 which we are attempting to connect and we're seeing the same issue with all of them.

    Cheers



  • 6.  RE: RAPs stuck in logon role

    Posted Aug 08, 2013 02:40 PM

     

    Also make sure UDP/4500 is allowed if you have any ip access-group on your port-channels.

    Do a show datapath session | include 4500

    logging level debugging security

    show log security all | include <rapmac>



  • 7.  RE: RAPs stuck in logon role

    Posted Aug 08, 2013 02:56 PM


  • 8.  RE: RAPs stuck in logon role

    Posted Aug 08, 2013 02:57 PM

    @jrwhitehead wrote:

     

    I've setup a RAP pool of IP addresses but they're not being used.

     

    (A3200) # show vpdn l2tp local pool

    IP addresses used in pool 3200RAP_Pool
    0 IPs used - 32 IPs free - 32 IPs configured
    IP pool allocations / de-allocations - L2TP: 0/0 IKE: 0/0


    I'm not onsite now but grabbed this earlier:

     

    (A3200) #show datapath session table | include 4500
    10.169.119.80 186.169.76.203 17 4500 4500 0/0 0 0 0 pc3 69 F
    181.133.34.140 10.169.119.80 17 4500 4500 0/0 0 0 0 pc3 6c FC
    10.169.119.80 10.164.90.251 17 4500 4500 0/0 0 0 61 local 1d45 FC
    10.169.119.80 186.188.56.242 17 4500 4500 0/0 0 0 0 pc3 6a F
    186.188.56.242 10.169.119.80 17 4500 4500 0/0 0 0 0 pc3 6a FC
    10.169.119.80 181.133.34.140 17 4500 4500 0/0 0 0 0 pc3 6c F
    10.164.90.251 10.169.119.80 17 4500 4500 0/0 0 0 0 local 1d45 F
    186.169.76.203 10.169.119.80 17 4500 4500 0/0 0 0 0 pc3 69 FC

     

    ----------------

     

    (A3200) #show log security 10

    Aug 8 15:43:01 :199802: <ERRS> |authmgr| station.c, sta_del_l3:401: Cannot delete L3 entry for station (0x0, mac=00:00:00:00:00:00)
    Aug 8 15:53:01 :199802: <ERRS> |authmgr| station.c, sta_del_l3:401: Cannot delete L3 entry for station (0x0, mac=00:00:00:00:00:00)
    Aug 8 16:03:02 :199802: <ERRS> |authmgr| station.c, sta_del_l3:411: Cannot delete L3 entry for station (0x109958ac, mac=00:00:00:00:00:00)
    Aug 8 16:13:04 :199802: <ERRS> |authmgr| station.c, sta_del_l3:401: Cannot delete L3 entry for station (0x0, mac=00:00:00:00:00:00)
    Aug 8 16:23:16 :199802: <ERRS> |authmgr| station.c, sta_del_l3:411: Cannot delete L3 entry for station (0x109958ac, mac=00:00:00:00:00:00)
    Aug 8 16:33:16 :199802: <ERRS> |authmgr| station.c, sta_del_l3:411: Cannot delete L3 entry for station (0x109958ac, mac=00:00:00:00:00:00)
    Aug 8 16:41:38 :199802: <ERRS> |authmgr| station.c, sta_del_l3:411: Cannot delete L3 entry for station (0x109958ac, mac=00:00:00:00:00:00)
    Aug 8 16:43:17 :199802: <ERRS> |authmgr| station.c, sta_del_l3:411: Cannot delete L3 entry for station (0x109958ac, mac=00:00:00:00:00:00)

     

    I'll set up debugging on the security log tomorrow and see what it says.

    Thanks



  • 9.  RE: RAPs stuck in logon role
    Best Answer

    Posted Aug 09, 2013 04:47 AM

    'show crypto ipsec sa' showed that phase 2 was failing.

    I debugged the crypto security process ('logging level debugging security process crypto') and looked at the security log, and found the following:

     

    Aug 9 09:29:30 :103063: <DBUG> |ike| ipc_ikev2_auth_recv_pap_packet cookie:3287001688 innerip 0
    Aug 9 09:29:30 :103063: <DBUG> |ike| *** ipc_auth_recv_packet user=d8:c7:c8:c1:ed:9b, pass=******, result=1 ctx:101e2274, ctx-innerip:0.0.0.0 l2tp_pool:
    Aug 9 09:29:30 :103083: <INFO> |ike| IKEv2 Client-Authentication failed for user: d8:c7:c8:c1:ed:9b
    Aug 9 09:29:30 :103063: <DBUG> |ike| Proposal #1: ESP(3) spi=16b62900 ENCR_AES 256-BITS AUTH_HMAC_SHA1_96 ESN_0 <-- R
    Aug 9 09:29:30 :103063: <DBUG> |ike| OutCp entered
    Aug 9 09:29:30 :103063: <DBUG> |ike| Notify: AUTHENTICATION_FAILED (ESP spi=16b62900)#SEND 80 bytes to 81.133.134.140(4500) (67997.

     

    I double-checked the RAP whitelist and that MAC address was in it.

    That's when it hit me.

    DOH DOH DOH DOH DOH!

    This is a local controller and the RAP whitelist that is being used is on the master.

    Added the MACs to the master's RAP whitelist and the RAPs passed IPsec phase 2 and popped up in the AP database.

     

    Thanks for pointing me at the RAP troubleshooting KB Victor.


    Cheers
    James
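    Added example (not part of the thread, and not HPE Aruba code) that turns the resolution above into a repeatable check: it reads '|ike|' security-log lines of the kind pasted in the answer, pulls out the MAC that failed IKEv2 client authentication (the RAP presents its MAC as the user name, as the 'user=' field in the debug line shows), and classifies that MAC against the local controller's whitelist and the master's whitelist, since the master is where the lookup happened in this case. The log lines, the second failing MAC, and both whitelists are constructed for the example.

```python
"""Correlate IKEv2 client-authentication failures with the RAP whitelist.

Added example, not part of the original thread and not HPE Aruba code. It reads
'|ike|' security-log lines of the kind pasted above, extracts the MAC that failed
IKEv2 client authentication (a RAP authenticates with its MAC as the user name,
as the 'user=' field in the debug line shows), and checks that MAC against the
whitelist of the controller that actually performs the lookup, the master, rather
than the local controller's copy. The log lines and both whitelists below are
constructed for the example.
"""
from __future__ import annotations

import re

# Constructed sample, modelled on the debug output in the post above. The second
# failure (D8-C7-...-9C, dash-separated, upper case) is invented to show that
# MACs are compared in a canonical form, and the repeat of ...:9b shows de-duplication.
SECURITY_LOG = """\
Aug 9 09:29:30 :103063: <DBUG> |ike| ipc_ikev2_auth_recv_pap_packet cookie:3287001688 innerip 0
Aug 9 09:29:30 :103063: <DBUG> |ike| *** ipc_auth_recv_packet user=d8:c7:c8:c1:ed:9b, pass=******, result=1 ctx:101e2274, ctx-innerip:0.0.0.0 l2tp_pool:
Aug 9 09:29:30 :103083: <INFO> |ike| IKEv2 Client-Authentication failed for user: d8:c7:c8:c1:ed:9b
Aug 9 09:29:30 :103063: <DBUG> |ike| Notify: AUTHENTICATION_FAILED (ESP spi=16b62900)
Aug 9 09:30:02 :103083: <INFO> |ike| IKEv2 Client-Authentication failed for user: D8-C7-C8-C1-ED-9C
Aug 9 09:30:02 :103083: <INFO> |ike| IKEv2 Client-Authentication failed for user: d8:c7:c8:c1:ed:9b
"""

# Constructed whitelists: the local controller has the RAPs, the master does not,
# which is the situation the post resolved.
LOCAL_RAP_WHITELIST = ["d8:c7:c8:c1:ed:9b", "D8-C7-C8-C1-ED-9C"]
MASTER_RAP_WHITELIST = ["00:0b:86:00:11:22"]  # some other, unrelated RAP

AUTH_FAIL = re.compile(
    r"\|ike\| IKEv2 Client-Authentication failed for user:\s*"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b"
)


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated form so 'D8-C7-..' and 'd8:c7:..' compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def failed_auth_macs(log_text: str) -> list[str]:
    """Distinct MACs that failed IKEv2 client auth, in first-seen order."""
    seen: set[str] = set()
    out: list[str] = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m is None:
            continue
        mac = normalise_mac(m["mac"])
        if mac not in seen:
            seen.add(mac)
            out.append(mac)
    return out


def whitelist_gaps(failed: list[str], local_wl: list[str],
                   master_wl: list[str]) -> dict[str, list[str]]:
    """Classify failing MACs by where they are (and are not) whitelisted.

    'only_on_local' is the trap in the post: the MAC looks whitelisted when you
    check the controller the RAP terminates on, but the master does the lookup.
    """
    local = {normalise_mac(m) for m in local_wl}
    master = {normalise_mac(m) for m in master_wl}
    return {
        "present_on_master": [m for m in failed if m in master],
        "only_on_local": [m for m in failed if m in local and m not in master],
        "nowhere": [m for m in failed if m not in local and m not in master],
    }


if __name__ == "__main__":
    failing = failed_auth_macs(SECURITY_LOG)
    for bucket, macs in whitelist_gaps(failing, LOCAL_RAP_WHITELIST, MASTER_RAP_WHITELIST).items():
        print(f"{bucket}: {macs}")
```

    Feed it the output of 'show log security all' after enabling the crypto debug, and the two whitelists as exported from each controller; anything that lands in 'only_on_local' is exactly the case above, and 'present_on_master' entries that still fail point at something other than the whitelist.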