Occasional Contributor II
Posts: 18
Registered: ‎01-24-2012

Remote AP 124's not working after upgrade

I have a 650 controller, 1 RAP5WN, 1 RAP2 (mine for testing), 3 Remote APs (AP124s), 3 Local APs (AP124s).

Both the RAP5 and RAP2 come up with no problems; the AP124s, though, do not. I see the IKE phase one and two complete, and when I do a sh user-table verbose (ip address) I see the APs in the ap-role, same as the working RAPs. If I take the APs back to the office and purge/save/boot, they show up on the controller as "unprovisioned" as intended.

I did a recent OS upgrade and I am worried that something happened that affects only the AP124s in my "remote" ap-group.

The controller was on 5.0.2.X; I upgraded to 5.0.4.5, then upgraded to 6.1.3.1.

Any suggestions?

Guru Elite
Posts: 20,960
Registered: ‎03-29-2007

Re: Remote AP 124's not working after upgrade

Is it username/password authentication for the AP124 or cert-based authentication for RAP?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 18
Registered: ‎01-24-2012

Re: Remote AP 124's not working after upgrade

Found something else interesting: I am seeing two roles when the remote AP hits the controller.

(TBC Dell PC W-650) #show user-table verbose | include 108.
192.168.222.16   00:00:00:00:00:00  00:24:6c:c5:ba:8c  ap-role   00:00:02    VPN   108.15.30.217   N/A                                                                     default                   tunnel               Internal  1
108.15.30.217    00:00:00:00:00:00                     logon     00:01:58    VPN                   N/A                                                                     default                   tunnel                         1

 

Same AP, I am assuming, but the 192.168.222.16 has the "ap-role" and the 108.15.30.217 is the public IP address of that AP's gateway, but it says logon with no MAC listed? Have I hit some bug here?

ipsec sa
(TBC Dell PC W-650) #show crypto ipsec sa

IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP
------------     ------------     -----------         -----------         -----  ---------------   --------
76.182.232.32    192.168.0.40     192.168.222.7/32    0.0.0.0/0           UT     May 29 20:02:58   192.168.222.7

IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
108.15.30.217    192.168.0.40     1029a500/5150f000  UT2   May 29 20:36:30   192.168.222.17
173.10.144.118   192.168.0.40     a6e03200/45d72700  UT2   May 29 20:15:06   192.168.222.12

 

isakmp sa


(TBC Dell PC W-650) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
76.182.232.32    192.168.0.40   r-m-p-x-R May 29 20:02:58   192.168.222.7
108.15.30.217    192.168.0.40   r-v2-c-R  May 29 20:36:30   192.168.222.17
173.10.144.118   192.168.0.40   r-v2-c-R  May 29 20:15:07   192.168.222.12

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 3

 

sh datapath session table | include 4500

 

(TBC Dell PC W-650) #show datapath session table | include 4500
192.168.0.40    173.10.144.118  17   4500  4500   0/0     0 0   13  1/5         2129 F
192.168.0.40    108.15.30.217   17   4500  1024   0/0     0 0   0   1/5         2    F
76.182.232.32   192.168.0.40    17   4500  4500   0/0     0 0   0   1/5         481c FC
173.10.144.118  192.168.0.40    17   4500  4500   0/0     0 0   0   1/5         2129 FC
192.168.0.40    76.182.232.32   17   4500  4500   0/0     0 0   134 1/5         481d F
108.15.30.217   192.168.0.40    17   1024  4500   0/0     0 0   0   1/5         3    FC


 

 

 

Occasional Contributor II
Posts: 18
Registered: ‎01-24-2012

Re: Remote AP 124's not working after upgrade

Tried both username and certificate. It is certificate at the moment.

Guru Elite
Posts: 20,960
Registered: ‎03-29-2007

Re: Remote AP 124's not working after upgrade

Let's see the output of "show datapath session table 192.168.222.16", if 192.168.222.16 is the inner IP of the AP, when it comes up, to see if anything is being blocked.




Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 18
Registered: ‎01-24-2012

Re: Remote AP 124's not working after upgrade

It keeps changing IP addresses; I am guessing after it reboots, it gets another IP?

(TBC Dell PC W-650) #show datapath session table | include 192.168.222.19
192.168.0.40    192.168.222.19  1    316   2048   0/0     0 0   0   local       3    FCI
192.168.222.19  192.168.0.40    1    316   0      0/0     0 0   0   local       3    FYI


Occasional Contributor II
Posts: 18
Registered: ‎01-24-2012

Re: Remote AP 124's not working after upgrade

It is actually incrementing by one IP address each time? Up to .21 now.

Guru Elite
Posts: 20,960
Registered: ‎03-29-2007

Re: Remote AP 124's not working after upgrade

That is because it is probably rebootstrapping.

Type "show log system 50" to see why the AP is rebootstrapping. While it is connected, try to do "show datapath session table <ip address of ap>" to see if any traffic is being blocked.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 18
Registered: ‎01-24-2012

Re: Remote AP 124's not working after upgrade

(TBC Dell PC W-650) #show datapath session table | include 192.168.222.29
192.168.0.40    192.168.222.29  1    377   2048   0/0     0 0   0   local       9    FCI
192.168.0.40    192.168.222.29  1    376   2048   0/0     0 0   1   local       e    FCI
192.168.0.40    192.168.222.29  1    378   2048   0/0     0 0   0   local       4    FCI
192.168.222.29  192.168.0.40    1    378   0      0/0     0 0   1   local       4    FYI
192.168.222.29  192.168.0.40    1    377   0      0/0     0 0   1   local       9    FYI
192.168.222.29  192.168.0.40    1    376   0      0/0     0 0   1   local       e    FYI

 

 

I can only catch it for a matter of seconds and I don't see anything related to it in the system logs.

Guru Elite
Posts: 20,960
Registered: ‎03-29-2007

Re: Remote AP 124's not working after upgrade

Let's see the output of "show rights ap-role"

 



Colin Joseph
Aruba Customer Engineering
