RAPs stuck in logon role

Hi All,

I've got a few RAPs that I can see in the logon role but not in the AP database. This is happening with all RAPs.

 

(A3200) #show user

Users
-----
IP              MAC                Name  Role   Age(d:h:m)  Auth  VPN link  AP name  Roaming  Essid/Bssid/Phy  Profile  Forward mode  Type
--------------  -----------------  ----  -----  ----------  ----  --------  -------  -------  ---------------  -------  ------------  ----
186.188.56.242  00:00:00:00:00:00        logon  00:00:05    VPN   N/A                                          default  tunnel
186.169.76.203  00:00:00:00:00:00        logon  00:00:05    VPN   N/A                                          default  tunnel
181.133.34.140  00:00:00:00:00:00        logon  00:00:05    VPN   N/A                                          default  tunnel

User Entries: 3/3

 

I can see they've got an IPSec security association but none of them have a private IP assigned.

 

(A3200) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP    Responder IP    Flags     Start Time       Private IP
--------------  --------------  --------  ---------------  ----------
10.69.19.80     10.164.90.251   i-a-p     Aug 8 14:37:19   -           (this is the local - master sa)
186.188.56.242  10.169.119.80   r-v2-c-R  Aug 8 14:36:13   -
186.169.76.203  10.169.119.80   r-v2-c-R  Aug 8 14:36:13   -
181.133.34.140  10.169.119.80   r-v2-c-R  Aug 8 14:36:13   -

 

I've set up a RAP pool of IP addresses but they're not being used.

 

(A3200) # show vpdn l2tp local pool

IP addresses used in pool 3200RAP_Pool
0 IPs used - 32 IPs free - 32 IPs configured
IP pool allocations / de-allocations - L2TP: 0/0 IKE: 0/0

 

The logon role has not been changed from defaults as far as I'm aware:

 

(A3200) #show rights logon

Derived Role = 'logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 1/0
Max Sessions = 65535

access-list List
----------------
Position  Name              Location
--------  ----------------  --------
1         logon-control
2         vpnlogon
3         v6-logon-control
4         captiveportal6

logon-control
-------------
Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  ---------------  -------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          udp 68           deny                              Low                                                           4
2         any     any          svc-icmp         permit                            Low                                                           4
3         any     any          svc-dns          permit                            Low                                                           4
4         any     any          svc-dhcp         permit                            Low                                                           4
5         any     any          svc-natt         permit                            Low                                                           4

vpnlogon
--------
Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  ---------------  -------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          svc-ike          permit                            Low                                                           4
2         user    any          svc-esp          permit                            Low                                                           4
3         any     any          svc-l2tp         permit                            Low                                                           4
4         any     any          svc-pptp         permit                            Low                                                           4
5         any     any          svc-gre          permit                            Low                                                           4

v6-logon-control
----------------
Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  ---------------  -------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          udp 68           deny                              Low                                                           6
2         any     any          svc-v6-icmp      permit                            Low                                                           6
3         any     any          svc-v6-dhcp      permit                            Low                                                           6
4         any     any          svc-dns          permit                            Low                                                           6

captiveportal6
--------------
Priority  Source  Destination  Service          Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  ---------------  -------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller6  svc-https        captive                           Low                                                           6
2         user    any          svc-http         captive                           Low                                                           6
3         user    any          svc-https        captive                           Low                                                           6
4         user    any          svc-http-proxy1  captive                           Low                                                           6
5         user    any          svc-http-proxy2  captive                           Low                                                           6
6         user    any          svc-http-proxy3  captive                           Low                                                           6

Expired Policies (due to time constraints) = 0

 

The MAC addresses are in the RAP whitelist.

 

Can anyone shed some light on this please?

 

I'm sure I've probably overlooked something simple.

Thanks

James

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.

Re: RAPs stuck in logon role

 

Are those the only devices attached to that controller?

 

Is your port and VLAN trusted on the uplink interface?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: RAPs stuck in logon role

Hi Victor,

 

All ports are configured in a port-channel and all VLANs run over it and are trusted.

 


victorfabian wrote:
> Are those the only devices attached to that controller?

Can you clarify this bit?


Thanks 

James


Re: RAPs stuck in logon role

 

If those RAPs are the only ones you have connected to your controller.


Re: RAPs stuck in logon role

Gotcha.

 

Yes, this controller is being used solely to terminate RAPs. 

 

Currently there are only 3 which we are attempting to connect and we're seeing the same issue with all of them.

 

Cheers


Re: RAPs stuck in logon role


 

And also make sure UDP/4500 is allowed if you have any ip access-group on your port-channels.

Do a show datapath session | include 4500

logging level debugging security

show log security all | include <rapmac>


Re: RAPs stuck in logon role

 

This doc should help you out too:

 

https://arubanetworkskb.secure.force.com/pkb/articles/Troubleshooting/R-131


Re: RAPs stuck in logon role


jrwhitehead wrote:
> I've set up a RAP pool of IP addresses but they're not being used.
>
> (A3200) # show vpdn l2tp local pool
>
> IP addresses used in pool 3200RAP_Pool
> 0 IPs used - 32 IPs free - 32 IPs configured
> IP pool allocations / de-allocations - L2TP: 0/0 IKE: 0/0


I'm not onsite now but grabbed this earlier:

 

(A3200) #show datapath session table | include 4500
10.169.119.80   186.169.76.203  17  4500  4500  0/0  0  0  0   pc3    69    F
181.133.34.140  10.169.119.80   17  4500  4500  0/0  0  0  0   pc3    6c    FC
10.169.119.80   10.164.90.251   17  4500  4500  0/0  0  0  61  local  1d45  FC
10.169.119.80   186.188.56.242  17  4500  4500  0/0  0  0  0   pc3    6a    F
186.188.56.242  10.169.119.80   17  4500  4500  0/0  0  0  0   pc3    6a    FC
10.169.119.80   181.133.34.140  17  4500  4500  0/0  0  0  0   pc3    6c    F
10.164.90.251   10.169.119.80   17  4500  4500  0/0  0  0  0   local  1d45  F
186.169.76.203  10.169.119.80   17  4500  4500  0/0  0  0  0   pc3    69    FC

 

----------------

 

(A3200) #show log security 10

Aug 8 15:43:01 :199802: <ERRS> |authmgr| station.c, sta_del_l3:401: Cannot delete L3 entry for station (0x0, mac=00:00:00:00:00:00)
Aug 8 15:53:01 :199802: <ERRS> |authmgr| station.c, sta_del_l3:401: Cannot delete L3 entry for station (0x0, mac=00:00:00:00:00:00)
Aug 8 16:03:02 :199802: <ERRS> |authmgr| station.c, sta_del_l3:411: Cannot delete L3 entry for station (0x109958ac, mac=00:00:00:00:00:00)
Aug 8 16:13:04 :199802: <ERRS> |authmgr| station.c, sta_del_l3:401: Cannot delete L3 entry for station (0x0, mac=00:00:00:00:00:00)
Aug 8 16:23:16 :199802: <ERRS> |authmgr| station.c, sta_del_l3:411: Cannot delete L3 entry for station (0x109958ac, mac=00:00:00:00:00:00)
Aug 8 16:33:16 :199802: <ERRS> |authmgr| station.c, sta_del_l3:411: Cannot delete L3 entry for station (0x109958ac, mac=00:00:00:00:00:00)
Aug 8 16:41:38 :199802: <ERRS> |authmgr| station.c, sta_del_l3:411: Cannot delete L3 entry for station (0x109958ac, mac=00:00:00:00:00:00)
Aug 8 16:43:17 :199802: <ERRS> |authmgr| station.c, sta_del_l3:411: Cannot delete L3 entry for station (0x109958ac, mac=00:00:00:00:00:00)

 

I'll set up debugging on the security log tomorrow and see what it says.

 

Thanks


Re: RAPs stuck in logon role

'show crypto ipsec sa' showed that phase 2 was failing.

 

I debugged the crypto security process 'logging level debugging security process crypto' and looked at the security log and found the following:

 

Aug 9 09:29:30 :103063: <DBUG> |ike| ipc_ikev2_auth_recv_pap_packet cookie:3287001688 innerip 0
Aug 9 09:29:30 :103063: <DBUG> |ike| *** ipc_auth_recv_packet user=d8:c7:c8:c1:ed:9b, pass=******, result=1 ctx:101e2274, ctx-innerip:0.0.0.0 l2tp_pool:
Aug 9 09:29:30 :103083: <INFO> |ike| IKEv2 Client-Authentication failed for user: d8:c7:c8:c1:ed:9b
Aug 9 09:29:30 :103063: <DBUG> |ike| Proposal #1: ESP(3) spi=16b62900 ENCR_AES 256-BITS AUTH_HMAC_SHA1_96 ESN_0 <-- R
Aug 9 09:29:30 :103063: <DBUG> |ike| OutCp entered
Aug 9 09:29:30 :103063: <DBUG> |ike| Notify: AUTHENTICATION_FAILED (ESP spi=16b62900)#SEND 80 bytes to 81.133.134.140(4500) (67997.

 

I double-checked the RAP whitelist and that MAC address was in it.

That's when it hit me.

 

DOH DOH DOH DOH DOH!

 

This is a local controller and the RAP whitelist that is being used is on the master.


Added the MACs to the master's RAP whitelist and the RAPs passed IPSec phase 2 and popped up in the AP database.

 

Thanks for pointing me at the RAP troubleshooting KB Victor.


Cheers
James

 

 

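As an added example (not code from the thread or from Aruba), a small Python script that pulls the failing RAP MACs out of `ike` security-log lines like the ones quoted above and reports whether each MAC is on the master's whitelist, only on a local controller's whitelist (the situation this thread ended up diagnosing), or not whitelisted at all. The log lines are constructed from those quoted in the thread; the whitelist contents are assumptions.

```python
import re

# Constructed sample log: the relevant lines quoted in the thread, plus one
# unrelated DBUG line so the filter has something to ignore.
SAMPLE_LOG = """\
Aug 9 09:29:30 :103063: <DBUG> |ike| *** ipc_auth_recv_packet user=d8:c7:c8:c1:ed:9b, pass=******, result=1 ctx:101e2274, ctx-innerip:0.0.0.0 l2tp_pool:
Aug 9 09:29:30 :103083: <INFO> |ike| IKEv2 Client-Authentication failed for user: d8:c7:c8:c1:ed:9b
Aug 9 09:29:30 :103063: <DBUG> |ike| OutCp entered
Aug 9 09:29:30 :103063: <DBUG> |ike| Notify: AUTHENTICATION_FAILED (ESP spi=16b62900)#SEND 80 bytes to 81.133.134.140(4500)
"""

MAC_RE = re.compile(r"[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}", re.IGNORECASE)
AUTH_FAIL_RE = re.compile(r"IKEv2 Client-Authentication failed for user:\s*(\S+)")


def norm_mac(mac):
    """Lower-case, colon-separated form so whitelist comparison is exact."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def failed_auth_macs(log_text):
    """Return the set of RAP MACs whose IKEv2 client authentication failed."""
    macs = set()
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m and MAC_RE.fullmatch(m.group(1)):
            macs.add(norm_mac(m.group(1)))
    return macs


def whitelist_gaps(macs, local_whitelist, master_whitelist):
    """For each failing MAC say where it is (or is not) whitelisted. The
    master's list is the one consulted, so 'local only' is the thread's bug."""
    local = {norm_mac(m) for m in local_whitelist}
    master = {norm_mac(m) for m in master_whitelist}
    report = {}
    for mac in sorted(macs):
        if mac in master:
            report[mac] = "listed on master; whitelist is not the cause"
        elif mac in local:
            report[mac] = "only on local controller whitelist; add to master"
        else:
            report[mac] = "not whitelisted anywhere"
    return report


if __name__ == "__main__":
    # Assumed whitelists: the MAC is on the local controller only, as in the thread.
    print(whitelist_gaps(failed_auth_macs(SAMPLE_LOG), ["D8:C7:C8:C1:ED:9B"], []))
```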