Controllerless Networks

  • 1.  Convert IAP to RAP error (AOS8 + Mobility Master)

    Posted Feb 24, 2020 07:50 AM

    I have an issue with RAP in a new deployment with two VMMs and 1x 7210 Mobility Controller (for now; then I'll add two controllers).

    The problem is when I try to convert an IAP to RAP: the Mobility Controller (MD) is behind a NAT that is configured for the Mobility Controller DMZ IP address <PUBLIC_IPADDR: 4500> -> <DMZ_IPADDR_MC: 4500>. The firewall can reach the Mobility Controller DMZ IP address.

    I already configured the VPN-POOL, enabled NAT-T, configured the "Shared Secret" and the RAP whitelist, and also created a local user with an AP-ROLE, but it still doesn't work.

    I see the 4500 UDP port on the Mobility Controller with the command "show datapath session | include 4500":

    [attached image: datapath.png]

    But when I run the command "show crypto ipsec sa" I see only the Mobility Device session with the Virtual Mobility Master.

    [attached image: ipsec.png]

    I found the output below strange when I ran the command "show log security all":

    Feb 23 17:53:39 :103063: <3600> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-local-master-ipsecmap

    I already have a tunnel established with the Virtual Mobility Master; can this be a problem?

    Has anyone experienced this problem?

    I have some environments working with RAP; the only difference in this new scenario is the VMMs.

    Attachment(s): show-log-security.txt


  • 2.  RE: Convert IAP to RAP error (AOS8 + Mobility Master)

    Posted Feb 24, 2020 09:26 AM

    Could you post the output of the following commands:

    show vpdn l2tp local pool
    show crypto isakmp sa
    show log system
    show user-table verbose



  • 3.  RE: Convert IAP to RAP error (AOS8 + Mobility Master)

    Posted Feb 24, 2020 10:39 AM

    Hi Ankyt, thanks for replying.

    In addition to the logs you requested, I also posted:

    sh log security all

    IAP to RAP convert log error

    Thanks.



  • 4.  RE: Convert IAP to RAP error (AOS8 + Mobility Master)

    Posted Feb 24, 2020 11:56 AM

    I went through the logs and found some error messages in the system logs.

    It seems your controller is in disaster recovery mode and there is a config sync issue. Please find the logs for the same below:

    Feb 24 12:12:43 cfgm[3524]: <399814> <3524> <DBUG> |cfgm| handle_read: State(READY:CONFIG DISASTER RECOVERY:CFGID-88:PEND-88:INITCFGID:64) FD=33:Ignoring config sync as LC is in Disaster Recovery Mode, masterid=88 myid=88.

    Validate the config sync issue by running the command #show switches.

    Please disable the disaster recovery mode if it is enabled. Once it is disabled, check the controller status again by running the command #show switches.

    Could you please validate the license as well by running the command #show ap license-usage.

    Please let me know the OS version of the controller and the IAP.
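
    A small log-triage script, added here as an example; it is not part of this thread and not an Aruba tool. It parses the two ArubaOS log lines quoted in the thread (the line format, including the four-letter severity token and the |module| field, is assumed from those two lines only), flags the "Disaster Recovery Mode" config-sync message from this reply and the IKE "duplicate mapname" message from the first post, and prints as the next step the show commands already used or requested earlier in the thread. The rule names, the LogEntry/Finding types and the two benign sample lines are constructed for the example.

```python
"""Triage ArubaOS 'show log' output for the two conditions discussed in this thread.

Hypothetical helper written for this example, not an Aruba tool. Format assumptions
are based only on the two log lines quoted in the thread; everything else is constructed.
"""
import re
from dataclasses import dataclass

# Timestamp at the start of each line, e.g. 'Feb 24 12:12:43'
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\b")
# Severity token such as <DBUG>; numeric tokens like <3524> are pids or message ids (assumption)
SEV_RE = re.compile(r"<(?P<sev>[A-Z]{4})>")
# Module name between pipes, followed by the free-text message
MOD_RE = re.compile(r"\|(?P<mod>[A-Za-z0-9_-]+)\| (?P<msg>.*)$")


@dataclass
class LogEntry:
    ts: str
    severity: str
    module: str
    message: str
    raw: str


def parse_line(line: str):
    """Return a LogEntry, or None when the line does not look like an ArubaOS log line."""
    ts = TS_RE.match(line)
    sev = SEV_RE.search(line)
    mod = MOD_RE.search(line)
    if not (ts and sev and mod):
        return None
    return LogEntry(ts.group("ts"), sev.group("sev"), mod.group("mod"),
                    mod.group("msg"), line.rstrip())


# Each rule: module, message pattern, finding name, what to check next.
# The next-step text repeats commands that already appear in this thread.
RULES = [
    ("cfgm", re.compile(r"Ignoring config sync as LC is in Disaster Recovery Mode"),
     "disaster-recovery-mode",
     "Managed device ignores config pushed from the Mobility Master; confirm with "
     "'show switches' and disable disaster recovery mode before re-testing the RAP."),
    ("ike", re.compile(r"duplicate mapname:(?P<map>\S+)"),
     "ike-duplicate-mapname",
     "IKEv2 pre-connect check found an existing crypto map with this name; compare "
     "'show crypto isakmp sa' and 'show crypto ipsec sa' to see which peers hold it."),
]


@dataclass
class Finding:
    name: str
    ts: str
    module: str
    detail: str
    next_step: str


def triage(lines):
    """Run every rule over every parseable line; unparseable non-blank lines are counted."""
    findings = []
    skipped = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            if line.strip():
                skipped += 1
            continue
        for module, pattern, name, next_step in RULES:
            if entry.module != module:
                continue
            m = pattern.search(entry.message)
            if m:
                # For the IKE rule report just the map name; otherwise the whole message
                detail = m.group("map") if "map" in m.groupdict() else entry.message
                findings.append(Finding(name, entry.ts, entry.module, detail, next_step))
    return findings, skipped


# Constructed sample: the two lines quoted in the thread plus two lines written for
# this example (one benign, one truncation marker); not taken from the poster's attachment.
SAMPLE_LOG = """\
Feb 23 17:53:39 :103063: <3600> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-local-master-ipsecmap
Feb 24 12:12:43 cfgm[3524]: <399814> <3524> <DBUG> |cfgm| handle_read: State(READY:CONFIG DISASTER RECOVERY:CFGID-88:PEND-88:INITCFGID:64) FD=33:Ignoring config sync as LC is in Disaster Recovery Mode, masterid=88 myid=88.
Feb 24 12:13:05 cfgm[3524]: <399801> <3524> <INFO> |cfgm| handle_read: constructed benign line, nothing to report
(Output truncated)
"""


def triage_text(text: str):
    """Convenience wrapper: triage a whole 'show log' capture pasted as one string."""
    return triage(text.splitlines())


if __name__ == "__main__":
    found, skipped = triage_text(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} [{f.module}] {f.name}: {f.detail}\n    next: {f.next_step}")
    print(f"{skipped} line(s) did not parse")
```

    Paste the output of "show log security all" or "show log system" into SAMPLE_LOG (or read it from the attached file) and run the script; both conditions from the thread are reported with the command to check next, and lines the parser does not recognise are counted rather than silently dropped.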

     



  • 5.  RE: Convert IAP to RAP error (AOS8 + Mobility Master)

    Posted Feb 24, 2020 08:10 PM

    Hi,

    The controller was in Disaster Recovery mode, but at the time of the logs it was already in "Update Successful" status.

    #show ap license-usage

    [attached image: Annotation 2020-02-24 215853.png]

    Mobility Controller Version: 8.6.0.2_73853

    IAP Version: 8.6.0.2 (build 73853)

    Thanks,



  • 6.  RE: Convert IAP to RAP error (AOS8 + Mobility Master)

    Posted Feb 24, 2020 01:42 PM

    Have you tried disabling the NAT-T setting and testing again? You shouldn't need to enable that if you're already allowing UDP 4500 and you have the translation set up on your upstream device.



  • 7.  RE: Convert IAP to RAP error (AOS8 + Mobility Master)

    Posted Feb 24, 2020 03:17 PM

    Hi,

    Please keep in mind that when you work with a cluster you need a different config for the RAPs than without a cluster. I am assuming you are creating a cluster out of the two 7210s.

    Where did you create the VPN pool? At what level?



  • 8.  RE: Convert IAP to RAP error (AOS8 + Mobility Master)

    Posted Feb 24, 2020 08:42 PM

    Hi mrtwentytwo,

    Yes, I understand that in the cluster I need to create the VPN pool at the MM level:

    [attached image: Annotation 2020-02-24 222716.png]

    But at the moment I have only 1x 7210 and I haven't configured a cluster; I will configure the cluster only when the second controller arrives at the customer.

    As I don't have a cluster configured, I configured the RAP VPN pool at the "Managed Device" level.

    [attached image: Annotation 2020-02-24 223501.png]

    Thanks,



  • 9.  RE: Convert IAP to RAP error (AOS8 + Mobility Master)

    Posted Feb 25, 2020 05:39 AM

    Nothing you have configured looks wrong so far.

    Two suggestions:

    - Try to convert an IAP from "inside" your network first (yes, it will work).
    - Open an Aruba Technical Support case in parallel to this post: http://www.arubanetworks.com/support-services/support-program/contact-support



  • 10.  RE: Convert IAP to RAP error (AOS8 + Mobility Master)

    Posted Feb 24, 2020 08:22 PM

    Hi Dustin-Burns,

    I hadn't tried disabling NAT-T before.

    Next Thursday I will disable NAT-T on the controller and analyze the traffic on the customer's firewall.

    I'll update you.