Occasional Contributor II

Remote AP fails to connect to ArubaOS 8.2 Cluster

Hey Guys,

 

I'm having a problem connecting an AP203RP as a remote AP to my AOS 8.2 cluster. I provisioned it as a RAP with the cluster IP as master, and also with the cluster IP as the LMS IP in the AP profile. When I provisioned the AP I chose "Deployment: Remote", "Authentication Method: Certificate" and "Trust anchor: none".

 

On the rapconsole web page I can find the error "RC_ERROR_IKEP2_PKT1", but the last days of searching didn't lead to an answer.

 

This is the output from the sapd_debug log (xxx.xx.xx.xx is the cluster IP). Right now the AP is connected to our local network, so I can be sure there are absolutely _no_ firewall rules in place.

[1979]1969-12-31 16:05:38 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_RETRY Next state REDUN_STATE_TUNNEL_MASTER
[1979]1969-12-31 16:05:38 redun_retry_tunnel: setting up tunnel to 0, retry=36 curr-dhcp-retry:0 total-dhcp-retry:0
[1979]1969-12-31 16:05:38 sapd_setup_uplink: ETHERNET Link state is 1
[1979]1969-12-31 16:05:38 sapd_setup_uplink: Using uplink ETHERNET
[1979]1969-12-31 16:05:38 sapd_check_eth_connectivity: syscmd is ping -c 2 172.21.200.1
[1979]1969-12-31 16:05:39 sapd_check_rap_dhcp_pool: Subnets of LMS:430d81 and RAP-DHCP-Server:ba8c0
[1979]1969-12-31 16:05:39 sapd_redun_config_dnsmasq: Rewrite dnsmasq config file
[1979]1969-12-31 16:05:39 setup_ipsec: sapd_num_lms=1 sapd_cur_lms=0 ip=xxx.xx.xx.xx, client=0
[1979]1969-12-31 16:05:39 setup_ipsec: sapd_local_ip 172.21.203.178 netmask 255.255.248.0 
[1979]1969-12-31 16:05:39 setup_ipsec: adding route ip xxx.xx.xx.xx mask 255.255.255.255 gw 172.21.200.1 interface br0
[1979]1969-12-31 16:05:39 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun0
[1979]1969-12-31 16:05:39 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun1
[1979]1969-12-31 16:05:39 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun2
[1979]1969-12-31 16:05:42 R>> Received RC_OPCODE_ERROR lms xxx.xx.xx.xx tunnel 0.0.0.0 srcdev br0RC_ERROR_IKEP2_PKT1 debug-error:-8947
[1979]1969-12-31 16:05:42 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_TUNNEL_DOWN Next state REDUN_STATE_TUNNEL_MASTER
[1979]1969-12-31 16:05:42 redun_tunnel_down: Call stop_child() for clients[0]
[1979]1969-12-31 16:05:42 redun_tunnel_down: killed the child
[1979]1969-12-31 16:05:42 Tunnel 0 down. data(0|lms)=xxx.xx.xx.xx
[1979]1969-12-31 16:05:42 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_RETRY Next state REDUN_STATE_TUNNEL_MASTER
[1979]1969-12-31 16:05:42 redun_retry_tunnel: setting up tunnel to 0, retry=37 curr-dhcp-retry:0 total-dhcp-retry:0
[1979]1969-12-31 16:05:42 sapd_setup_uplink: ETHERNET Link state is 1
[1979]1969-12-31 16:05:42 sapd_setup_uplink: Using uplink ETHERNET
[1979]1969-12-31 16:05:42 sapd_check_eth_connectivity: syscmd is ping -c 2 172.21.200.1
[1979]1969-12-31 16:05:43 sapd_check_rap_dhcp_pool: Subnets of LMS:430d81 and RAP-DHCP-Server:ba8c0
[1979]1969-12-31 16:05:43 sapd_redun_config_dnsmasq: Rewrite dnsmasq config file
[1979]1969-12-31 16:05:43 setup_ipsec: sapd_num_lms=1 sapd_cur_lms=0 ip=xxx.xx.xx.xx, client=0
[1979]1969-12-31 16:05:43 setup_ipsec: sapd_local_ip 172.21.203.178 netmask 255.255.248.0 
[1979]1969-12-31 16:05:43 setup_ipsec: adding route ip xxx.xx.xx.xx mask 255.255.255.255 gw 172.21.200.1 interface br0
[1979]1969-12-31 16:05:43 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun0
[1979]1969-12-31 16:05:43 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun1
[1979]1969-12-31 16:05:43 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun2
[1979]1969-12-31 16:05:47 R>> Received RC_OPCODE_ERROR lms xxx.xx.xx.xx tunnel 0.0.0.0 srcdev br0RC_ERROR_IKEP2_PKT1 debug-error:-8947
[1979]1969-12-31 16:05:47 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_TUNNEL_DOWN Next state REDUN_STATE_TUNNEL_MASTER
[1979]1969-12-31 16:05:47 redun_tunnel_down: Call stop_child() for clients[0]
[1979]1969-12-31 16:05:47 redun_tunnel_down: killed the child
[1979]1969-12-31 16:05:47 Tunnel 0 down. data(0|lms)=xxx.xx.xx.xx  

This is some debug output from one of the controllers in the cluster:

(wlc-cs-1) [MDC] #show vpdn l2tp local pool
IP addresses used in pool rap-address-pool
	none
L2TP Pool statistics for all pools:

IPv4/IPv6 Pool  Configured  Used    Free  
--------------  ----------  ------  ------
IPv4            253         0       253   
IPv6            0           0       0     

IP pool allocation/de-allocation statistics:
IPv4/IPv6  L2TP          IKE         
---------  ------------  ------------
IPv4       0/0           0/0             
IPv6       N/A           0/0             

(wlc-cs-1) [MDC] #show vpdn l2tp configuration 
Enabled
Hello timeout: 60 seconds
DNS primary server: 0.0.0.0
DNS secondary server: 0.0.0.0
WINS primary server: 0.0.0.0
WINS secondary server: 0.0.0.0
PPP client authentication methods:
	 PAP
IP LOCAL POOLS:
	 rap-address-pool: 10.23.42.2 - 10.23.42.254
IPv6 LOCAL POOLS:

The command "show crypto ipsec sa" doesn't show any sign of an IPsec session with the AP at any time on any node of the cluster. The only thing I found was:

(wlc-cs-2) [MDC] *#show datapath session table 172.21.203.178

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       u - Upstream Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop, h - High Value
       A - Application Firewall Inspect
       B - Permanent, O - Openflow
       L - Log

Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags           
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- --------------- 
172.21.203.178  xxx.xx.xx.xy    17   58668 4500   0/0     0    0   0   pc0         3e   91         44108      FC              
xxx.xx.xx.xy    172.21.203.178  17   4500  58668  0/0     0    0   0   pc0         3e   39         9737       F

Where xxx.xx.xx.xy is the IP address of the controller I ran this command on.

 

Does anyone have a clue for further debugging and maybe a solution to my problem?

 

Greetings,

Hendrik
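As an added example (not part of the post above and not Aruba tooling), the script below parses the two artefacts the post provides, the sapd_debug loop and the "show datapath session table" rows, and summarises what they agree on: which error code repeats, the retry counter range, whether a tunnel address was ever assigned, and whether UDP/4500 (NAT-T) traffic is seen in both directions between the AP and the controller. The sample input is a trimmed copy of the quoted output with the masked controller IP replaced by the documentation address 203.0.113.10; the flag legend is the one printed in the post. The script reports only what the outputs show; it does not diagnose the root cause of RC_ERROR_IKEP2_PKT1, which the thread does not establish.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Flag legend exactly as printed by 'show datapath session table' in the post.
DATAPATH_FLAGS = {
    "F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny", "R": "redirect",
    "Y": "no syn", "H": "high prio", "P": "set prio", "T": "set ToS", "C": "client",
    "M": "mirror", "V": "VOIP", "Q": "Real-Time Quality analysis",
    "u": "Upstream Real-Time Quality analysis", "I": "Deep inspect", "U": "Locally destined",
    "E": "Media Deep Inspect", "G": "media signal", "r": "Route Nexthop", "h": "High Value",
    "A": "Application Firewall Inspect", "B": "Permanent", "O": "Openflow", "L": "Log",
}

# 'srcdev br0' is printed fused with the error code, hence the lazy \w+? before RC_ERROR_.
ERROR_RE = re.compile(
    r"R>> Received RC_OPCODE_ERROR lms (?P<lms>\S+) tunnel (?P<tunnel>\S+) "
    r"srcdev (?P<dev>\w+?)(?P<code>RC_ERROR_\w+) debug-error:(?P<dbg>-?\d+)"
)
RETRY_RE = re.compile(r"redun_retry_tunnel: .*retry=(?P<n>\d+)")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass(frozen=True)
class RapError:
    lms: str
    tunnel: str
    dev: str
    code: str
    debug: int


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    nbytes: int
    flags: str


def parse_sapd_errors(log: str) -> List[RapError]:
    """Every RC_OPCODE_ERROR line from sapd_debug, with the fused device/code split apart."""
    return [RapError(m["lms"], m["tunnel"], m["dev"], m["code"], int(m["dbg"]))
            for m in (ERROR_RE.search(l) for l in log.splitlines()) if m]


def parse_retries(log: str) -> List[int]:
    """Retry counters in the order they appear (they only ever go up in the post)."""
    return [int(m["n"]) for m in RETRY_RE.finditer(log)]


def parse_datapath(table: str) -> List[Flow]:
    """Data rows of 'show datapath session table'; header and legend lines are skipped."""
    flows = []
    for line in table.splitlines():
        p = line.split()
        if len(p) < 13 or not IPV4_RE.match(p[0]):
            continue
        flags = p[13] if len(p) > 13 else ""
        flows.append(Flow(p[0], p[1], int(p[2]), int(p[3]), int(p[4]), int(p[11]), int(p[12]), flags))
    return flows


def decode_flags(flags: str) -> List[str]:
    return [DATAPATH_FLAGS.get(f, f"unknown({f})") for f in flags]


def triage(log: str, table: str, ap_ip: str) -> Dict[str, object]:
    """Correlate the AP-side loop with the controller-side session table."""
    errors, retries, flows = parse_sapd_errors(log), parse_retries(log), parse_datapath(table)
    # NAT-T (IKE/ESP over UDP 4500) in each direction between AP and controller.
    to_ctrl = [f for f in flows if f.src == ap_ip and f.proto == 17 and f.dport == 4500]
    from_ctrl = [f for f in flows if f.dst == ap_ip and f.proto == 17 and f.sport == 4500]
    codes = Counter(e.code for e in errors)
    findings = []
    if to_ctrl and from_ctrl:
        findings.append("UDP/4500 seen in both directions: the path to the controller is not blocked")
    elif to_ctrl:
        findings.append("UDP/4500 only AP->controller: check the return path, NAT and firewall")
    if errors and all(e.tunnel == "0.0.0.0" for e in errors):
        findings.append("no inner tunnel address was ever assigned (tunnel 0.0.0.0)")
    if len(codes) == 1:
        findings.append(f"same error on every attempt: {next(iter(codes))}")
    return {
        "error_codes": dict(codes),
        "debug_errors": sorted({e.debug for e in errors}),
        "lms": sorted({e.lms for e in errors}),
        "retry_range": (min(retries), max(retries)) if retries else None,
        "pkts_to_controller": sum(f.packets for f in to_ctrl),
        "pkts_from_controller": sum(f.packets for f in from_ctrl),
        "flow_flags": {f"{f.src}->{f.dst}": decode_flags(f.flags) for f in to_ctrl + from_ctrl},
        "findings": findings,
    }


# Constructed sample input: trimmed copy of the quoted output, masked controller IP replaced.
SAPD_LOG = """\
[1979]1969-12-31 16:05:38 redun_retry_tunnel: setting up tunnel to 0, retry=36 curr-dhcp-retry:0 total-dhcp-retry:0
[1979]1969-12-31 16:05:42 R>> Received RC_OPCODE_ERROR lms 203.0.113.10 tunnel 0.0.0.0 srcdev br0RC_ERROR_IKEP2_PKT1 debug-error:-8947
[1979]1969-12-31 16:05:42 Tunnel 0 down. data(0|lms)=203.0.113.10
[1979]1969-12-31 16:05:42 redun_retry_tunnel: setting up tunnel to 0, retry=37 curr-dhcp-retry:0 total-dhcp-retry:0
[1979]1969-12-31 16:05:47 R>> Received RC_OPCODE_ERROR lms 203.0.113.10 tunnel 0.0.0.0 srcdev br0RC_ERROR_IKEP2_PKT1 debug-error:-8947
"""
DATAPATH_TABLE = """\
Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
172.21.203.178  203.0.113.10    17   58668 4500   0/0     0    0   0   pc0         3e   91         44108      FC
203.0.113.10    172.21.203.178  17   4500  58668  0/0     0    0   0   pc0         3e   39         9737       F
"""

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAPD_LOG, DATAPATH_TABLE, "172.21.203.178"))
```

Feed it the full sapd_debug capture and the datapath output for the AP's address; the asymmetric packet counts (91 out, 39 back) together with a constant error code and a never-assigned tunnel address are exactly the facts worth putting in a TAC case, separated from any guess about why phase 2 fails.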

Aruba Employee

Re: Remote AP fails to connect to ArubaOS 8.2 Cluster

RAPs and clusters with private IPs do not work. You would need to have public IP addresses on the controllers rather than utilize NAT. It appears that your controllers are currently using 172.21.x.x addresses, correct?


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor II

Re: Remote AP fails to connect to ArubaOS 8.2 Cluster

No, the controller IPs and their VRRP IP are definitely public IP addresses. The only thing not involved is NAT, as the 172.21.x.x addresses are routed internally. The AP has an IP from within 172.21.x.x.

 

[[I will try to hook it up to one of our VPN-test networks, which involve a home-router with NAT.]]

***UPDATE***

I just tested it behind a Fritzbox NAT; I still get the same errors. The IP is definitely NATed and even in another ISP's network. Any suggestions on further debugging?
