Wireless Access

 View Only
last person joined: 18 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

This thread has been viewed 5 times
  • 1.  Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 03, 2016 03:00 PM
      |   view attached

    I have a master/local setup.  Two 3600 controllers running 6.4.2.14 and housing only 105 and 205 APs.  All of the APs terminate on the local which is located at the data center.  The master is at our corporate office.

     

    Can someone explain what these errors mean?  (see attached)  They were pulled from my master controller for a specific AP however this is affecting all APs at a particular office (5 total).  We are having no other problems elsewhere.


    #AP205

    Attachment(s)

    txt
    MAContErrors.txt   33 KB 1 version


  • 2.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 07, 2016 04:54 PM

    never seen it myself but i could imagine that you are blocking some traffic which the AP requires to build its tunnel (are you using control plane security)? so look at the firewall rules / networks in between.



  • 3.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 08, 2016 11:43 AM

    I figured it out.  We use UTMs at small remote sites for our Firwalls and routing.  They build their own VPN tunnel back to our data center over a standard Cable or DSL ISP.  The APs have trouble holding the GRE tunnels over UTMs and the tunnels break. 

     

    In this particular instance, the local AP would reach back to the master controller via DNS under the default profile.  The master controller would give it it's AP Group and reboot the AP extablishing it's GRE tunnel and pointing it to a local LMS controller.   The AP was having trouble establishing a GRE tunnel through the UTM and would revert back to the master controller.

     

    Once I rebooted the UTM, all of the APs came back online.



  • 4.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    EMPLOYEE
    Posted Feb 08, 2016 11:45 AM
    If the traffic is traversing another IPSec tunnel, you should consider using decrypt tunnel forwarding at the site.


  • 5.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 08, 2016 11:49 AM

    Is that done on the AP profile?



  • 6.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot



  • 7.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 22, 2016 10:25 AM

    Aruba TAC is telling me that decrypt-tunnel mode will not help because all it does is decrease the packet size.  They are suggesting disabling Control Plane Security in order to disable to the IPSec tunnel that the AP pins up to the controller thus only having the GRE tunnels to traverse the IPSec tunnel coming from the local UTM.  The other option they gave me was to change the APs to a RAP.  Can someone help me understand these a little more?



  • 8.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 22, 2016 12:52 PM

    isn't size exactly your issue? if you can get it to become lower your might be able to go through the other tunnel.

     

    also understand what exactly? RAPs you mean?

     

    first of all if TAC advises this then they should also be able to explain why and how.

     

    they might mean you don't use the UTM at all but use remote AP (RAP) which sets up a full IPsec tunnel to the controller. but it remains guessing as i can't exactly see what they said.



  • 9.  RE: Error:RC_ERROR_IKEV2_TIMEOUT. - AP Will Reboot

    Posted Feb 22, 2016 01:06 PM

    The main issue is the UTM, which is located at a remote site, is pinning up its own IPSec tunnel back to our data center. Through that tunnel, the Campus AP pins up its own IPSec tunnel to the controller which is also has GRE tunnels for the SSIDs.  The IPSec tunnel traversing another IPSec tunnel is creating instability at the remote site. 

     

    The only suggestion TAC had to disable the AP's IPSec tunnel was to disable Control Plane security which is a global setting.  We have other sites that go over an MPLS that work just fine.