Wireless Access


Disabled CPSEC, but APs didn't get the memo

  • 1.  Disabled CPSEC, but APs didn't get the memo

    Posted Jun 21, 2019 09:45 AM

    I've tried enabling CPSEC on our 7220, but due to network issues on a couple of our MPLS locations I had to disable it again. While that's an acceptable workaround until our ISP fixes their issues, the APs still try to set up an IPSEC tunnel when they boot. After the tunnel attempt finally times out, it reboots and connects normally, but by then almost half an hour has gone by. Each AP logs one error message after connecting:

     

    An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4529 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKEV2_TIMEOUT. Ipsec not successful after reboot.

     

    When I reset an AP to factory default, or provision a new one, it connects in a couple of minutes. Physically resetting 900 APs at 100 locations is not an option, though...

     

    For the record, all APs, an unholy mix of 100, 200 and 300 series, behave exactly the same. I was running AOS 8.1 when I tried enabling CPSEC several months back, and was up to AOS 8.3 when our ISP finally told me to try again, and both versions gave the same result.

     

    Is there any way to make the APs "forget" CPSEC, other than physically resetting them?



  • 2.  RE: Disabled CPSEC, but APs didn't get the memo

    Posted 20 days ago
    Hi Novec, 

    I am experiencing a similar issue.

    sapd|  An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4529 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKE_XAUTH_AUTHORIZATION_FAILED. Ipsec not successful after reboot.

     
    +AOS 8.9
    +CPSEC enabled
       -AutoCert Provision disabled
       -Auto Cert Allow All enabled
    +AP is in Denied status despite being in the CPSEC allowlist.
    +Have tried rebooting the AP, removing/adding to the whitelist. 

    + AP is getting an IP@ fine. Other APs on the same switch, same vlan working ok. Would discard traffic being blocked between AP and MC.

    Did you get it resolved?

    Thanks, 



  • 3.  RE: Disabled CPSEC, but APs didn't get the memo

    EMPLOYEE
    Posted 19 days ago
    How long did you let the access point sit there?  Did you try to factory reset the AP?  Was the AP new or was it on a different system?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 4.  RE: Disabled CPSEC, but APs didn't get the memo

    Posted 9 days ago
    Hi Cjoseph, 

    AP was factory reset with no changes. 

    We were seeing CPSEC-related errors on one of the controllers in the cluster; it had * on the command prompt, so it had suffered a crash.

    We opened a TAC case and a reboot seemed to fix the issue. Also planning an upgrade to 8.10 now.

    Thanks for your interest and help, 

    DSP