Wireless Access

Frequent Contributor II
Posts: 110
Registered: ‎07-24-2014

Trouble converting RAP to CAP

I have a RAP-155.

I have a 7210 controller with an internal IP address (in this case, 10.1.1.38).

I have a FortiGate firewall that has a VIP forward of an external IP (say, w.x.y.z) to 10.1.1.38.

If I web browse to w.x.y.z, I can log in to the controller.

Now, I just got my first RAP. I fire it up, connect to Instant, go through the conversion process. If I just say the controller is w.x.y.z then it says VPN failed and it says to save the log in the popup. There is no log in a popup.

I then tried https://w.x.y.z:4343 and it comes back "status unavailable"

Do I need to give an interface on the 7210 the public IP and not forward from my firewall?

Thanks!

Guru Elite
Posts: 8,751
Registered: ‎09-08-2010

Re: Trouble converting RAP to CAP

Are you allowing UDP 4500 through your firewall?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 110
Registered: ‎07-24-2014

Re: Trouble converting RAP to CAP

No, I hadn't been - just All TCP. I just set it to allow ALL UDP as well.

Conversion... same error "VPN setup failed, please save the log in the popup window" and I don't see a popup or log anywhere

Guru Elite
Posts: 8,751
Registered: ‎09-08-2010

Re: Trouble converting RAP to CAP

I misread. You're trying to convert an IAP/RAP to a Campus AP? You should point it to the inside address then. CAPs don't use an IPSec tunnel.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 110
Registered: ‎07-24-2014

Re: Trouble converting RAP to CAP

Thanks. But then, when I take it home or some other offsite location, it won't be able to find 10.1.1.38, so I'm confused how that would work.

Oh - I guess I misspoke, I want to convert the RAP from Instant to "Remote AP managed by Mobility controller"

Sorry for the confusion

Guru Elite
Posts: 8,751
Registered: ‎09-08-2010

Re: Trouble converting RAP to CAP

Oh ok.

Take a look at the RAP VRD, which will show you how to configure the controller side.

http://community.arubanetworks.com/t5/Validated-Reference-Design/Remote-AP-Networks/ta-p/155140


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 110
Registered: ‎07-24-2014

Re: Trouble converting RAP to CAP

Thanks Tim.

Sigh - 213 pages. I should have figured it wouldn't be easy!

Guru Elite
Posts: 21,487
Registered: ‎03-29-2007

Re: Trouble converting RAP to CAP

Kevets,

You would only have to set up your controller to accept remote AP traffic and put the MAC address of the IAP into the RAP whitelist on the controller and assign it to an ap-group:

Set up the RAP pool:

config t
ip local pool "rap-pool" 172.16.1.150 172.16.1.200

  • Add the RAP to the controller’s whitelist since it is using certificates for authentication:

Configuration -> WIRELESS -> AP Installation -> RAP Whitelist. Add the wired MAC address of your AP, name it and assign it an ap-group.

On the IAP, go to Maintenance and Convert. Put in the public or private address of your controller to convert.

While you are doing the convert, on the controller, type "show datapath session table <source ip address of your RAP>" to see if traffic is flowing. If you don't see any sessions, you need to check to make sure your firewall is (1) doing a static 1:1 NAT from your outside public address to the internal private address of your controller and (2) allowing UDP 4500 inbound to that device.

If you do see the traffic flowing, type "show crypto ipsec sa peer <public ip address of your rap>" to see if it does have an SA, or security association. If it does, it should upgrade the code on your IAP and you can take it from there.

Colin Joseph
Aruba Customer Engineering
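
The firewall side of the two checks in the post above (static 1:1 NAT to the controller, UDP 4500 allowed inbound), sketched as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread: the object names, the interface names "wan1" and "internal", and the use of a dedicated service object are assumptions, and w.x.y.z is the thread's own placeholder for the public address.

```fortios
# Added example; names and interfaces below are hypothetical.

# (1) Static 1:1 NAT: a VIP without port forwarding maps the whole
#     external address to the controller's internal address.
config firewall vip
    edit "aruba-7210-vip"
        set extintf "wan1"
        set extip w.x.y.z
        set mappedip "10.1.1.38"
    next
end

# Service object for the only port the RAP tunnel needs inbound,
# per the thread: UDP 4500.
config firewall service custom
    edit "RAP-UDP-4500"
        set udp-portrange 4500
    next
end

# (2) Inbound policy that references the VIP and permits only that
#     service, instead of all TCP and all UDP to the controller.
config firewall policy
    edit 0
        set name "rap-to-controller"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "aruba-7210-vip"
        set action accept
        set schedule "always"
        set service "RAP-UDP-4500"
        set logtraffic all
    next
end
```

With traffic logging enabled on the policy, a conversion attempt that reaches the firewall shows up as a UDP 4500 session to 10.1.1.38, which can be compared against the controller's "show datapath session table" output.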

Frequent Contributor II
Posts: 110
Registered: ‎07-24-2014

Re: Trouble converting RAP to CAP

Ah, thanks Colin! I'll give that a go later today.

Frequent Contributor II
Posts: 110
Registered: ‎07-24-2014

Re: Trouble converting RAP to CAP

So, I tried this:

the ip local pool rap-pool in the controller with a write mem

adding the MAC of my test RAP into the whitelist.

Same results, whether I use the public (NATted) or the internal IP of the controller.

I am confused about the recommended monitoring command - I don't know what the RAP's IP address is.

I am wondering if I need to do something further for VPN configuration on the 7210?
