Wireless Access

Occasional Contributor II
Posts: 27
Registered: ‎01-28-2015

VPN issue

Hi,

When I am in hotels, my Aruba RAP connection via VPN gets blocked. This is because the hotels block the ports that are required to establish the VPN connection.

So I need to know how I can tell that the required ports (e.g. UDP 4500) are blocked by the hotels.

1. Is there any tool / website to check whether the port is being blocked?

2. Is there any workaround to this before raising a request with the hotel IT team?

How can this be avoided? Is there any method to avoid this? Please assist me. Thanks

Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: VPN issue

The best way is to check on the controller to see if they can see any of your traffic from the hotel. There is very little, if any, diagnostic information on the RAP itself, because it is made for end users...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 27
Registered: ‎01-28-2015

Re: VPN issue

Thanks for your reply, but as I do not have much experience in this, can you tell me in detail to make it clear to me? Thanks

Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: VPN issue

KarthickKumar,

Do you know who set up the controller? They might be able to give you an idea of how to troubleshoot their specific setup...



Colin Joseph
Aruba Customer Engineering


Moderator
Posts: 321
Registered: ‎08-28-2009

Re: VPN issue

The tool "ike-scan" can be used as a standalone RAP test tool. Get it from www.nta-monitor.com/tools/ike-scan

Example when host does not respond - here we see Google DNS 8.8.8.8 is up but doesn't talk IPSEC

C:\aruba\tools\ike-scan-win32-1.9>ike-scan.exe --nat-t --ikev2 --sport=4501 --dport=4500 --verbose 8.8.8.8
DEBUG: pkt len=296 bytes, bandwidth=56000 bps, int=46285 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
---     Pass 1 of 3 completed
---     Pass 2 of 3 completed
---     Pass 3 of 3 completed

Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

C:\aruba\tools\ike-scan-win32-1.9>

Example of DNS resolution error

C:\aruba\tools\ike-scan-win32-1.9>ike-scan.exe --nat-t --ikev2 --sport=4501 --dport=4500 --verbose via3.somewhere.com
WARNING: gethostbyname failed for "via3.somewhere.com" - target ignored: Operation not permitted
ERROR: No hosts to process.

Example when host does respond (in this case I have hidden the IP, but via.somewhere.com needs to be either a controller on the internet, or a firewall doing 4500/udp port NAT).

C:\aruba\tools\ike-scan-win32-1.9>ike-scan.exe --nat-t --ikev2 --sport=4501 --dport=4500 --verbose via.somewhere.com
DEBUG: pkt len=296 bytes, bandwidth=56000 bps, int=46285 us
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
104.YY.XXX.ZZ   Notify message 16390 (COOKIE) HDR=(CKY-R=0000000000000000, IKEv2)

Ending ike-scan 1.9: 1 hosts scanned in 0.346 seconds (2.89 hosts/sec).  0 returned handshake; 1 returned notify

C:\aruba\tools\ike-scan-win32-1.9>

If you see the last example above, where it says it got a NOTIFY, then you can assume there is a working IPSEC path on port 4500 from your machine to the controller.

Note the src port is specified to be 4501 to avoid any conflict with VPN software that may be on your PC; the RAP can also use 4501 as a source IP too. You can try with --sport=4500 as a test too, but it's very rare to see someone enforcing srcip in a firewall rule for UDP.

regards

jeff
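A small classifier for the three ike-scan outcomes shown in the post above, as an added example that is not part of the original thread. The function name and verdict labels are assumptions, and the sample outputs are constructed by trimming the runs quoted above.

```python
import re

# Summary line that ike-scan prints at the end of every completed run.
SUMMARY = re.compile(
    r"Ending ike-scan .*?(\d+) hosts scanned.*?"
    r"(\d+) returned handshake; (\d+) returned notify"
)
DNS_FAIL = re.compile(r'gethostbyname failed for "([^"]+)"')


def classify_ike_scan(output):
    """Map captured ike-scan output to a (verdict, explanation) pair."""
    dns = DNS_FAIL.search(output)
    if dns:
        return ("dns_failure", "could not resolve %s; nothing was sent" % dns.group(1))
    if "No hosts to process" in output:
        return ("dns_failure", "no target resolved; nothing was sent")
    summary = SUMMARY.search(output)
    if summary is None:
        return ("incomplete", "no summary line; the run did not finish")
    _hosts, handshake, notify = (int(n) for n in summary.groups())
    if handshake or notify:
        return ("path_ok", "peer answered, so UDP 4500 reaches it and replies return")
    # Ambiguous on its own: the 8.8.8.8 run shows a live host that simply
    # does not speak IKE gives the same result as a filtered port.
    return ("no_response", "UDP 4500 filtered, or the target does not speak IKE")


# Constructed samples, trimmed from the three runs shown in the post above.
NO_REPLY = """Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
---     Pass 3 of 3 completed

Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
"""
DNS_ERROR = """WARNING: gethostbyname failed for "via3.somewhere.com" - target ignored: Operation not permitted
ERROR: No hosts to process.
"""
NOTIFY = """Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
104.YY.XXX.ZZ   Notify message 16390 (COOKIE) HDR=(CKY-R=0000000000000000, IKEv2)

Ending ike-scan 1.9: 1 hosts scanned in 0.346 seconds (2.89 hosts/sec).  0 returned handshake; 1 returned notify
"""

if __name__ == "__main__":
    for name, text in (("no reply", NO_REPLY), ("dns", DNS_ERROR), ("notify", NOTIFY)):
        print(name, "->", classify_ike_scan(text))
```

Because a "no_response" verdict is ambiguous, compare a run from the hotel network against a run to the same controller from a network where the RAP is known to work.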

MVP
Posts: 1,011
Registered: ‎04-13-2009

Re: VPN issue

Hi,

If your RAP traffic is getting blocked and you need access back to your office and you have a controller, why not set up Via?

The Via client will utilise SSL which is much more likely to be allowed than UDP 4500 traffic. :)

The controller will need the PEFV license and a little configuration but I'd recommend this solution over a RAP if you spend a lot of time in hotels...

Via Configuration Doc : http://community.arubanetworks.com/aruba/attachments/aruba/108/947/1/VIA-configuration-detail.pdf

Cheers

James

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: VPN issue


jgoff wrote:

The tool "ike-scan" can be used as a standalone RAP test tool. Get it from www.nta-monitor.com/tools/ike-scan

That is a useful tool, going into my toolbox. Thanks jgoff.
