Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points and mobility controllers.

RAP 8.5 over double nat'ted address

  • 1.  RAP 8.5 over double nat'ted address

    Posted Feb 14, 2020 11:34 AM

    Under ArubaOS 6.5 I can connect a RAP-109 from a double nat'ted private address. Under 8.5 this is failing. Using certificate config on RAP doesn't work at all. Using username/pw on RAP I get multiple short tunnels. What changed? Is there a workaround? Using VMM, hardware 7220, RAP-109. RAP coming from 208.69.x.x address. Log from controller:

    Feb 13 09:18:02 isakmpd[3846]: <103103> <3846> <WARN> |ike| IPSec SA Deletion: IPSEC_delSa SPI:eefd7b00 OppSPI:29c17e00 Dst: Src: flags:1001 dstPort:0 srcPort:0


    # show crypto ipsec sa
    UT Feb 14 07:18:08 UT Feb 14 08:12:44 UT Feb 14 08:06:42 UT Feb 14 07:58:40 UT Feb 14 07:08:05

    IPSEC SA (V2) Active Session Information
    Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP
    ------------ ------------ ---------------- ----- --------------- --------
    a2eba300/c763e700 UT2 Feb 14 09:02:37 -

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
    L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
    l = uplink load-balance

    Total IPSEC SAs: 60


    Thank you!

  • 2.  RE: RAP 8.5 over double nat'ted address

    Posted Mar 30, 2020 10:51 AM

    Adding my own solution to this after opening a TAC case. It seems the APs were never connecting to the point of upgrading from 6.5 to 8.5 code, even though I could see ISAKMP associations and IPsec associations and even broadcast SSIDs from the RAPs for about 60 seconds. Turns out the problem was twofold:


    When clusters are in place, the RAPs use the RAP Pool from the MM -- Services -- Clusters -- Controller Cluster RAP Pool. If there is no cluster, then the RAPs use the pool created under the controller VPN pool. Under the cluster setup Cluster -- Services -- Clusters -- Cluster Profile the Controller entry needs to have a RAP Public IP address set for each controller. NAT works fine now. If this was in the Aruba documentation I missed it completely. I hope this might help someone else getting this working. -- Jim
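
To put a number on the "multiple short tunnels" symptom in the first post, the following added example (not code from the thread or from Aruba) counts message-103103 IPsec SA deletions per peer inside a sliding window. The function names, the 10-minute window, the threshold of 3 and every sample record after the first are assumptions, as is the layout of a filled-in `Dst:`/`Src:` field, since the posted log shows both empty.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message 103103 as logged in the post; Dst/Src may be empty (redacted).
SA_DEL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) isakmpd\[\d+\]: <103103> .*"
    r"IPSec SA Deletion: IPSEC_delSa SPI:(?P<spi>[0-9a-f]+) "
    r"OppSPI:[0-9a-f]+ Dst:(?P<dst>\S*) Src:(?P<src>\S*) flags:"
)

def parse_deletions(lines, year=2020):
    """Yield (timestamp, peer, spi) for each IPsec SA deletion record."""
    for line in lines:
        m = SA_DEL.match(line.strip())
        if m:
            # Syslog omits the year; supply it so Feb 29 parses correctly.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"] or "(redacted)", m["spi"]

def flapping_peers(lines, window=timedelta(minutes=10), threshold=3, year=2020):
    """Map peers to their peak deletions per window, if at or above threshold."""
    by_peer = defaultdict(list)
    for ts, peer, _spi in parse_deletions(lines, year):
        by_peer[peer].append(ts)
    flagged = {}
    for peer, stamps in by_peer.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[peer] = best
    return flagged

def make_record(ts, spi, dst="", src=""):
    """Build a 103103 line in the post's layout (filled Dst/Src is assumed)."""
    return (f"{ts} isakmpd[3846]: <103103> <3846> <WARN> |ike| IPSec SA Deletion: "
            f"IPSEC_delSa SPI:{spi} OppSPI:29c17e00 Dst:{dst} Src:{src} "
            "flags:1001 dstPort:0 srcPort:0")

# Constructed sample: the first record is the post's line, the rest are invented.
SAMPLE = [
    make_record("Feb 13 09:18:02", "eefd7b00"),
    make_record("Feb 14 08:06:42", "0a0a0100", "192.0.2.10", "203.0.113.7"),
    make_record("Feb 14 08:09:10", "0a0a0200", "192.0.2.10", "203.0.113.7"),
    make_record("Feb 14 08:12:44", "0a0a0300", "192.0.2.10", "203.0.113.7"),
]
```

Calling `flapping_peers(SAMPLE)` flags only the constructed peer `203.0.113.7`; a RAP that builds a tunnel and loses it within about a minute, as described in the second post, would show up the same way.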