Wireless Access

I had a site with RAP's deployed and working.

I upgraded the site to 6.1.3.1 software and now all the RAP's are down. I defaulted one of them and went to set it back up from the remote site and it is showing giving error  RC_ERROR_IKE_SA_ERROR

Any ideas?

What did you upgrade from?

I'm kicking myself now for not looking...... I want to say it was on a 6.0.X.X but not sure exactly which now because i've tried loading other software in it's place and wrote over it.

Okay.

First, we need the exact error that you are seeing.

Type "show datapath session table | include 4500" to see if there is any inbounds traffic"

On the controller type "show crypto isakmp sa" to see if any APs have connected successfully.

If not, report back...

I took one of the RAP's and connected it locally to the controller and it came up. I reprovisioned it after it upgraded and it connected. I then took it to the remote site and connected it and this is what i"m getting.

(Aruba3200-US) #show datapath session | include 4500

50.77.192.165   50.77.251.66    17   4500  1024   0/0     0 0   1   1/0         cc   F

50.77.251.66    50.77.192.165   17   1024  4500   0/0     0 0   0   1/0         cc   FC

(Aruba3200-US) #show crypto ipsec sa

% No active IPSEC SA

(Aruba3200-US) #show  crypto isakmp sa

ISAKMP SA Active Session Information

------------------------------------

Initiator IP     Responder IP   Flags       Start Time      Private IP

------------     ------------   -----     ---------------   ----------

50.77.251.66     50.77.192.165  r-v2-R    May 29 09:58:41     -

Flags: i = Initiator; r = Responder        m = Main Mode; a = Agressive Mode v2 = IKEv2        p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature        x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled        3 = 3rd party AP; C = Campus AP; R = RAP        V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1

When I connect it locally it shows it connecting via Certificate/RSA and makes a IPSEC connection

There is no firewall between them. Controller and RAP are both on cable modem connections.

(Aruba3200-US) #show  crypto isakmp sa

ISAKMP SA Active Session Information

 ------------------------------------

 Initiator IP     Responder IP   Flags       Start Time      Private IP

 ------------     ------------   -----     ---------------   ----------

10.0.251.253     50.77.192.165  r-v2-c-R  May 29 10:52:35   172.16.19.4

Flags: i = Initiator; r = Responder        m = Main Mode; a = Agressive Mode v2 = IKEv2        p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature        x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled        3 = 3rd party AP; C = Campus AP; R = RAP        V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1

So the only thing that changed was the version of controller code?  Do the RAPs go through a firewall?

Sorry for the late response on this. Have been really busy lately.

Turns out that the cable modem that the rap was connected to needed to be reset. It was passing http traffic but nothing else which is why the RAP would never come up.

Not sure why doing a controller upgrade to the RAP through the modem would have done that but a reboot on the internet cable modem fixed it.

Thanks !!!