Wireless Access

  • 1.  ArubaOS 8.5 Wlc CPSec issue

    Posted Feb 17, 2022 12:48 PM

    Hi

    I have an issue regarding CPSec. We are moving and migrating old 6.5 WLCs to new 8.6 ones and need to change the SSID to Bridge mode. Now, Bridge mode requires CPSec, and if it is enabled the AP goes to Down mode.

    The Campus AP joins fine if CPSec is Disabled.

    Right away when I enable CPSec the AP is Down.

    A firewall sits between them but has permit ip any any between the AP networks and the WLCs.

    Environment
    2  Standalone controllers (7210's) with L2 redundancy (VRRP)
    OS 8.6.0.15

    #show tpm errorlog
    Could not find any Error Logs for TPM and Certificates.

    #show ap database
    Name     Group                AP Type IP Address Status   Flags    Switch IP          Standby IP
    test-ap1 gropup              205         10.36.30.9 Down                172.29.105.3   0.0.0.0

    The AP is joining the VRRP IP .2; the active host WLC is .3.

    Please advise the next troubleshooting steps, or the solution if you have already solved it.

    Br
    Juha-Pekka



    ------------------------------
    Juha-Pekka Leppänen
    ------------------------------


  • 2.  RE: ArubaOS 8.5 Wlc CPSec issue

    Posted Feb 18, 2022 04:25 AM
    Have you trusted the AP?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 3.  RE: ArubaOS 8.5 Wlc CPSec issue

    Posted Feb 18, 2022 04:27 AM
    Yes, if you mean Campus AP whitelisting, it's there.

    ------------------------------
    Juha-Pekka Leppänen
    ------------------------------



  • 4.  RE: ArubaOS 8.5 Wlc CPSec issue

    Posted Feb 18, 2022 04:48 AM
    What do you have in the log?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 5.  RE: ArubaOS 8.5 Wlc CPSec issue

    Posted Feb 18, 2022 05:40 AM

    Here is part of the security log output:

    Feb 18 12:34:41 :124004: <3647> <DBUG> |authmgr| Auth GSM: Num dev_id_cache entries aged = 0
    Feb 18 12:34:41 :124220: <3647> <DBUG> |authmgr| stm_message_handler : msg_type 3099
    Feb 18 12:34:41 :124004: <3647> <DBUG> |authmgr| Got STM_AP_GLOBAL_STATE_TYPE_DELETE for ip:10.36.30.9
    Feb 18 12:34:41 :124004: <3647> <DBUG> |authmgr| Not Sending IP down to ike ip:10.36.30.9 ipuser:(nil) vpn:No tvpn:No
    Feb 18 12:34:41 :124004: <3647> <DBUG> |authmgr| ap_global_state is null for AP IP 10.36.30.9
    Feb 18 12:34:41 :103063: <3589> <DBUG> |ike| ipc_rcvcb : Recvd msg 1 from CPSECd
    Feb 18 12:34:41 :103063: <3589> <DBUG> |ike| ipc_rcvcb : CPSEC enabled
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| fieldCertInit: Role:2 Purpose:15
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| fieldCertInit: Field Cert /tmp/fieldCertTmp/15/KeyandChain
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| x509_ike_print_subj_issuer Cert Subject: /CN=CV0007462::00:1A:1E:02:EE:D0
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| x509_ike_print_subj_issuer Cert Issuer: /CN=CV0007462::00:1A:1E:02:EE:D0
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| ike_get_cert_pkey mocana status:0 file:/tmp/ike_tmp_pkey cert:Aruba-Field-Server-Cert-Chain privkeylen:2017
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| ike_get_cert_pkey RSA key:0xfab0d4 len:256 cert:Aruba-Field-Server-Cert-Chain
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| xlr_get_const done for cert-name Aruba-Field-Server-Cert-Chain
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| ike_get_cert_pkey priv-key len:2048
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| fieldCertInit: Field CA Cert /tmp/fieldCertTmp/15/TrustAnchor
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| fieldCertInit: configure Field CA Cert path:/tmp/fieldCertTmp/15/TrustAnchor
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| x509_ike_print_subj_issuer Cert Subject: /CN=CV0007462::00:1A:1E:02:EE:D0
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| x509_ike_print_subj_issuer Cert Issuer: /CN=CV0007462::00:1A:1E:02:EE:D0
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:34:53 :103063: <3589> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-psk-redundant-master-ipsecmap
    Feb 18 12:34:57 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:34:57 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:34:57 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:35:06 :124220: <3647> <DBUG> |authmgr| stm_message_handler : msg_type 3099
    Feb 18 12:35:06 :124004: <3647> <DBUG> |authmgr| Got STM_AP_GLOBAL_STATE_TYPE_DELETE for ip:10.36.30.9
    Feb 18 12:35:06 :124004: <3647> <DBUG> |authmgr| Not Sending IP down to ike ip:10.36.30.9 ipuser:(nil) vpn:No tvpn:No
    Feb 18 12:35:06 :124004: <3647> <DBUG> |authmgr| ap_global_state is null for AP IP 10.36.30.9
    Feb 18 12:35:07 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:35:07 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:35:07 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:35:14 :103063: <3589> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-psk-redundant-master-ipsecmap
    Feb 18 12:35:17 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:35:17 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:35:17 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:35:20 :103060: <3589> <DBUG> |ike| ipc.c:ike_license_limit:6721 CENT_LIC: IKE recvd license bits VIA on
    Feb 18 12:35:20 :103060: <3589> <DBUG> |ike| ipc.c:ike_license_limit:6725 CENT_LIC: IKE new license limits - Num VIAs 0 Num ACRs 0
    Feb 18 12:35:20 :103060: <3589> <DBUG> |ike| ipc.c:ipc_rcvcb:3699 pubsub msg
    Feb 18 12:35:27 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:35:27 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:35:27 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:35:35 :103063: <3589> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-psk-redundant-master-ipsecmap
    Feb 18 12:35:37 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:35:37 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:35:37 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:35:41 :124004: <3647> <DBUG> |authmgr| Auth GSM: Num dev_id_cache entries aged = 0
    Feb 18 12:35:47 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:35:47 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:35:47 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:35:56 :103063: <3589> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-psk-redundant-master-ipsecmap
    Feb 18 12:35:57 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:35:57 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:35:57 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:36:07 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:36:07 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:36:07 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:36:17 :103063: <3589> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-psk-redundant-master-ipsecmap
    Feb 18 12:36:17 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:36:17 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:36:17 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:36:27 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:36:27 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:36:27 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:36:37 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:36:37 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:36:37 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:36:38 :103063: <3589> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-psk-redundant-master-ipsecmap
    Feb 18 12:36:41 :124004: <3647> <DBUG> |authmgr| Auth GSM: Num dev_id_cache entries aged = 0
    Feb 18 12:36:47 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:36:47 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:36:47 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:36:57 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
    Feb 18 12:36:57 :103063: <3589> <DBUG> |ike| Sent lbgroup config req msg
    Feb 18 12:36:57 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Started timer for lbgroup config req msg
    Feb 18 12:36:59 :103063: <3589> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-psk-redundant-master-ipsecmap



    ------------------------------
    Juha-Pekka Leppänen
    ------------------------------
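To make a log like the one above easier to read, here is an added triage script (my own, not from the thread or from ArubaOS) that parses this log line format, counts lines per process, measures how often the ike process restarts the IKEv2 exchange and which AP IP authmgr keeps deleting global state for. The six sample lines are copied from the excerpt above.

```python
import re
from collections import Counter
from datetime import datetime

# ArubaOS log line format as posted: "Feb 18 12:34:41 :103063: <3589> <DBUG> |ike| text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) :(?P<msgid>\d+): "
    r"<(?P<pid>\d+)> <(?P<sev>[A-Z]+)> \|(?P<proc>[^|]+)\| (?P<msg>.*)$"
)
AP_DELETE_RE = re.compile(r"STM_AP_GLOBAL_STATE_TYPE_DELETE for ip:(\S+)")

# Sample input: six lines copied from the thread's log excerpt.
SAMPLE = """\
Feb 18 12:34:41 :124004: <3647> <DBUG> |authmgr| Got STM_AP_GLOBAL_STATE_TYPE_DELETE for ip:10.36.30.9
Feb 18 12:34:47 :103063: <3589> <DBUG> |ike| ipc_fpapps_lbgroup_cfg_req Requesting lbgroup config
Feb 18 12:34:53 :103063: <3589> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-psk-redundant-master-ipsecmap
Feb 18 12:35:06 :124004: <3647> <DBUG> |authmgr| Got STM_AP_GLOBAL_STATE_TYPE_DELETE for ip:10.36.30.9
Feb 18 12:35:14 :103063: <3589> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-psk-redundant-master-ipsecmap
Feb 18 12:35:35 :103063: <3589> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-psk-redundant-master-ipsecmap
"""

def parse_line(line):
    """Split one log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The log carries no year; strptime defaults to 1900, which is fine for deltas.
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec

def triage(text):
    """Count lines per process, IKEv2 restarts and their spacing, and AP state deletes."""
    by_process, ap_deletes, ike_starts = Counter(), Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_process[rec["proc"]] += 1
        if rec["msg"].startswith("exchange_start_ikev2"):
            ike_starts.append(rec["time"])
        m = AP_DELETE_RE.search(rec["msg"])
        if m:
            ap_deletes[m.group(1)] += 1
    # Seconds between consecutive IKEv2 pre-connect attempts (retry cadence).
    retry = [(b - a).total_seconds() for a, b in zip(ike_starts, ike_starts[1:])]
    return {"by_process": by_process, "ikev2_attempts": len(ike_starts),
            "retry_seconds": retry, "ap_state_deletes": dict(ap_deletes)}
```

Run against the full excerpt, the retry list shows the ike process restarting the exchange on a fixed cadence with no other ike activity in between, which is the pattern to compare against a healthy AP's log.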



  • 6.  RE: ArubaOS 8.5 Wlc CPSec issue

    Posted Feb 18, 2022 07:11 AM
    The access point could take a couple of reboots for CPSec as well as a reboot to upgrade firmware, so it could take up to 13 minutes to fully provision the first time. Keep running "show datapath session table <ip address of access point>" and "show ap database" to make sure that the AP is communicating with the controller.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: ArubaOS 8.5 Wlc CPSec issue

    Posted Feb 18, 2022 03:35 PM
    When I've enabled CPSec, the AP(s) have had time to connect. No go.
    Today I found another possible reason causing this issue while investigating all the log outputs, but
    - because I'm out of the office now I can't explain the whole story in detail.

    But I made a change on the IKEv2 "Dynamic mapping" setup -> Enable, or something like that, and the AP is connected and wireless services are working.

    I'll update this later, but for now all seems to work.
    Br
    Juha-Pekka

    ------------------------------
    Juha-Pekka Leppänen
    ------------------------------





  • 8.  RE: ArubaOS 8.5 Wlc CPSec issue

    Posted Feb 24, 2022 12:30 PM

    Hi
    What I did: enabled Dynamic Map on the IKEv2 dynamic map profiles, all of them.


    I installed clean 8.6.0.15 WLCs. Now I'm wondering whether this is the wrong way/path, or whether there is something in the installation file..?

    I had another HW cluster online with 7010 hardware, and I changed these to 7210 due to the issues I had; for a short time I believed it was hardware and changed to the 7210. On the 7210 I changed "dynamic Map" to Enable, and now the test connects right away, compared to the time before the change (not connecting at all).



    ------------------------------
    Juha-Pekka Leppänen
    ------------------------------



  • 9.  RE: ArubaOS 8.5 Wlc CPSec issue

    Posted Feb 24, 2022 04:53 PM
    I don't know anyone who had to change that parameter to get things working.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------