Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP 8.5 over double nat'ted address

  • 1.  RAP 8.5 over double nat'ted address

    Posted Feb 14, 2020 11:34 AM

    Under ArubaOS 6.5 I can connect a RAP-109 from a double NATed private address. Under 8.5 this is failing. Using certificate config on the RAP doesn't work at all. Using username/password on the RAP I get multiple short tunnels. What changed? Is there a workaround? Using VMM, hardware 7220, RAP-109. The RAP is coming from a 208.69.x.x address. Log from the controller:

    Feb 13 09:18:02 isakmpd[3846]: <103103> <3846> <WARN> |ike| IPSec SA Deletion: IPSEC_delSa SPI:eefd7b00 OppSPI:29c17e00 Dst:208.69.211.228 Src:129.82.168.24 flags:1001 dstPort:0 srcPort:0

     

    # show crypto ipsec sa

    208.69.211.228 129.82.168.24 192.168.193.33/32 0.0.0.0/0 UT Feb 14 07:18:08 192.168.193.33
    208.69.211.228 129.82.168.24 192.168.193.60/32 0.0.0.0/0 UT Feb 14 08:12:44 192.168.193.60
    208.69.211.228 129.82.168.24 192.168.193.57/32 0.0.0.0/0 UT Feb 14 08:06:42 192.168.193.57
    208.69.211.228 129.82.168.24 192.168.193.53/32 0.0.0.0/0 UT Feb 14 07:58:40 192.168.193.53
    208.69.211.228 129.82.168.24 192.168.193.28/32 0.0.0.0/0 UT Feb 14 07:08:05 192.168.193.28

    IPSEC SA (V2) Active Session Information
    ----------------------------------------
    Initiator IP    Responder IP    SPI(IN/OUT)        Flags  Start Time       Inner IP
    ------------    ------------    -----------------  -----  ---------------  --------
    10.82.168.24    10.82.168.10    a2eba300/c763e700  UT2    Feb 14 09:02:37  -

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
           l = uplink load-balance

    Total IPSEC SAs: 60

     

    Thank you!



  • 2.  RE: RAP 8.5 over double nat'ted address

    Posted Mar 30, 2020 10:51 AM

    Adding my own solution to this after opening a TAC case. It seems the APs were never connecting to the point of upgrading from 6.5 to 8.5 code, even though I could see ISAKMP associations and IPsec associations and even broadcast SSIDs from the RAPs for about 60 seconds. Turns out the problem was twofold:

     

    When clusters are in place, the RAPs use the RAP Pool from the MM -- Services -- Clusters -- Controller Cluster RAP Pool. If there is no cluster, then the RAPs use the pool created under the controller VPN pool.

    Under the cluster setup (Cluster -- Services -- Clusters -- Cluster Profile) the Controller entry needs to have a RAP Public IP address set for each controller. NAT works fine now. If this was in the Aruba documentation I missed it completely. I hope this might help someone else getting this working. -- Jim
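    The CLI equivalent of the two settings described in the post above, as an added example rather than anything Jim or the thread posted. The lc-rap-pool and lc-cluster group-profile / controller ... rap-public-ip syntax is from memory of the ArubaOS 8.x CLI reference and should be checked against the running release; the configuration node, cluster profile name, pool name and pool range are assumptions, and the addresses reuse those visible in the first post where known (controllers 10.82.168.24 and 10.82.168.10, controller-side public address 129.82.168.24, inner addresses in 192.168.193.0/24), with 129.82.168.10 assumed for the second member's public address.

```text
! Added example (not from the original post): ArubaOS 8.x CLI for the two cluster
! settings described above. Entered on the Mobility Master at the configuration
! node that holds the cluster members (e.g. /md/<folder>, name assumed).
! Command syntax is from memory of the 8.x CLI reference; verify per release.

! --- Before: cluster members listed by private address only ---------------
! A double-NATed RAP is handed 10.82.168.x as its tunnel endpoint, which it
! cannot reach from outside, so it keeps re-establishing: the repeated IPsec
! SA deletions and short-lived tunnels in the first post.
lc-cluster group-profile campus-cluster
    controller 10.82.168.24 priority 128
    controller 10.82.168.10 priority 128

! --- After: RAP-facing settings added ------------------------------------
! 1. Cluster RAP pool: the inner addresses handed to RAPs while a cluster
!    exists (without a cluster, RAPs draw from the controller VPN pool).
!    The range is an assumption matching the inner IPs in the SA table above.
lc-rap-pool rap-cluster-pool 192.168.193.2 192.168.193.254

! 2. Each cluster member gets the public address that RAPs actually reach it
!    on. 129.82.168.24 is the controller-side address in the first post's log;
!    129.82.168.10 is assumed for the second member.
lc-cluster group-profile campus-cluster
    controller 10.82.168.24 priority 128 rap-public-ip 129.82.168.24
    controller 10.82.168.10 priority 128 rap-public-ip 129.82.168.10

! 3. Checks on a managed controller once the RAP rejoins: the RAP should show
!    up once, with a single long-lived SA rather than a new one every few
!    minutes.
show lc-cluster group-membership
show crypto ipsec sa
show ap database
```

    The rap-public-ip value must be the address the RAP sees after every NAT between it and the controller, not an intermediate private address; if the controllers sit behind a NAT of their own, it is the outside address of that NAT. Both the pool and the profile change have to be made at the same configuration node as the cluster profile so the managed controllers inherit them.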