11-18-2015 06:51 AM
I have a RAP-155.
I have a 7210 controller with an internal ip address (in this case, 10.1.1.38)
I have a fortigate firewall that has a VIP forward of an external IP (say, w.x.y.z) to 10.1.1.38
If I web browse to w.x.y.z, I can login to the controller.
Now, I just got my first RAP. I fire it up, connect to instant, go through the conversion process. If I just say the controller is w.x.y.z then it says VPN failed and it says to save the log in the popup. There is no log in a popup.
I then tried https://w.x.y.z:4343 and it comes back "status unavailable"
Do I need to give an interface on the 7210 the public IP and not forward from my firewall?
11-18-2015 07:00 AM
No, I hadn't been - just All TCP. I just set it to allow ALL UDP as well.
Conversion... same error "VPN setup failed, please save the log in the popup window" and I don't see a popup or log anywhere
11-18-2015 07:10 AM - edited 11-18-2015 07:10 AM
11-18-2015 07:13 AM
Thanks. But then, when I take it home or some other offsite location, it won't be able to find 10.1.1.38, so I'm confused how that would work
Oh - I guess I misspoke, I want to convert the RAP from Instant to "Remote AP managed by Mobility controller"
Sorry for the confusion
11-18-2015 07:15 AM
Take a look at the RAP VRD which will show you how to configure the controller side.
11-18-2015 08:06 AM
You would only have to set up your controller to accept remote AP traffic and put the mac address of the IAP into the RAP whitelist on the controller and assign it to an ap-group:
Set up the RAP pool:
config t
ip local pool "rap-pool" 172.16.1.150 172.16.1.200
- Add the RAP to the controller’s whitelist since it is using certificates for authentication:
Configuration-> WIRELESS->AP Installation->RAP Whitelist. Add the wired mac address of your AP, name it and assign it an ap-group.
On the IAP, go to Maintenance and Convert. Put in the public or private address of your controller to convert:
While you are doing the convert, on the controller, type "show datapath session table <source ip address of your RAP>" to see if traffic is flowing. If you don't see any sessions, you need to check to make sure your firewall is (1) Doing a static 1:1 nat from your outside public address to the internal private address of your controller and (2) Allowing UDP 4500 inbound to that device.
If you do see the traffic flowing, type "show crypto ipsec sa peer <public ip address of your rap>" to see if it does have an SA, or security association. If it does, it should upgrade the code on your IAP and you can take it from there.
Aruba Customer Engineering
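The verification steps above assume you already know the RAP's source address. As an added example (not from the thread or from Aruba), the following Python script takes the text of a "show datapath session table" dump and lists the peers with UDP 4500 (or 500) sessions toward the controller's inside address, which are the addresses to feed to "show crypto ipsec sa peer". The table layout and the sample rows are constructed assumptions; only the first five columns are parsed.

```python
"""Find remote-AP IPsec peers in 'show datapath session table' output.

Filter the table for UDP flows to the controller on the IKE/NAT-T ports;
the source addresses of those flows are the RAP public addresses.
"""
import re
from collections import Counter

# Constructed sample output, loosely modelled on the ArubaOS table layout
# (column names are an assumption; only the first five columns are parsed).
SAMPLE_TABLE = """\
Datapath Session Table Entries
------------------------------
Source IP       Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- ---- ---- --- --- ----------- ---- ------- ----- -----
203.0.113.45    10.1.1.38       17   4500  4500  0/0  0    0   1   local       3    120     9600  FC
10.1.1.38       203.0.113.45    17   4500  4500  0/0  0    0   1   tunnel 9    3    118     9400  F
198.51.100.7    10.1.1.38       6    51000 443   0/0  0    0   0   local       1    10      1200  FC
203.0.113.45    10.1.1.38       17   4500  4500  0/0  0    0   1   local       3    20      1600  FC
"""

ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)")
UDP = 17
IPSEC_PORTS = {500, 4500}  # IKE, and IKE/ESP NAT-T (UDP 4500 is what the firewall must pass)


def parse_sessions(table_text):
    """Yield (src, dst, proto, sport, dport) for each data row in the table."""
    for line in table_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, dst, proto, sport, dport = m.groups()
            yield src, dst, int(proto), int(sport), int(dport)


def find_ipsec_peers(table_text, controller_ip):
    """Return {peer_ip: session_count} for inbound IPsec flows to the controller."""
    peers = Counter()
    for src, dst, proto, _sport, dport in parse_sessions(table_text):
        if dst == controller_ip and proto == UDP and dport in IPSEC_PORTS:
            peers[src] += 1
    return dict(peers)


if __name__ == "__main__":
    peers = find_ipsec_peers(SAMPLE_TABLE, "10.1.1.38")
    if not peers:
        print("No IPsec sessions reach the controller: check the 1:1 NAT and the UDP 4500 rule.")
    for ip, n in peers.items():
        print(f"peer {ip}: {n} session(s) -> run: show crypto ipsec sa peer {ip}")
```

An empty result with a RAP mid-conversion points at the firewall (NAT or the UDP 4500 rule) rather than at the controller configuration.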
11-18-2015 12:12 PM
So, I tried this:
the ip local pool rap-pool in the controller with a write mem
adding the MAC of my test RAP into the whitelist.
Same results, whether I use the public (NATted) or the internal IP of the controller.
I am confused about the recommended monitoring command - I don't know what the RAP's IP address is.
I am wondering if I need to do something further for VPN configuration on the 7210?