Wireless Access


RAP issues

  • 1.  RAP issues

    Posted 30 days ago

    I feel kind of stupid, but despite re-reading the documentation several times and watching the videos again and again, I just can't get the remote AP to work in my setup.

    All devices run: Version 8.10.0.14 LSR

    The setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1x VMC license.

    The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

    I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

    There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

    The VMC is behind a firewall; I created port forwarding for UDP 4500.

    I created a RAP-POOL

    I chose the certificate-based authentication option.

    The AP is in the allowlist

    When I check with show datapath session I see the traffic coming in

    I did a packet capture and saw ISAKMP traffic (IKE SA init)

    It doesn't go past the first two packets it seems.

    I am kind of at a loss. 

    (VMC01) #show datapath session | include 4500
    75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
    10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

    show crypto ipsec sa does not show anything except for the Mobility Conductor.

    What am I missing? Does anyone have an idea what I can try next?

    Thank you



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------
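An added example, not part of the original post or of ArubaOS: a small Python helper that pairs the forward and reverse UDP 4500 (IKE NAT-T) flows from `show datapath session` output and reports, per remote peer, whether the controller replies at all and whether its replies are far smaller than the requests, which is what a stalled exchange like the one quoted above looks like. The sample lines and all addresses are constructed; the column positions assume the layout of the output quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of `show datapath session | include 4500`
# (public addresses replaced with documentation ranges):
# Src  Dst  Prot SPort DPort Cntr Prio ToS Age Dest TAge Packets Bytes Flags CPU
SAMPLE = """\
203.0.113.10      10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     203.0.113.10    17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2
203.0.113.77      10.20.202.253   17   51234 4500   0/0     0    0   0   0/0/0       40   12         6912       FC              2
"""

def parse_sessions(text):
    """Return one dict per IPv4 datapath session line; header and MAC lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 15 or not re.match(r"\d+\.\d+\.\d+\.\d+$", f[0]):
            continue
        rows.append({"src": f[0], "dst": f[1], "proto": int(f[2]),
                     "sport": int(f[3]), "dport": int(f[4]),
                     "packets": int(f[11]), "bytes": int(f[12]), "flags": f[13]})
    return rows

def summarize_ike(rows, controller_ip, port=4500):
    """Group UDP flows by (peer IP, peer port) and describe the state of each exchange."""
    peers = defaultdict(dict)
    for r in rows:
        if r["proto"] != 17:
            continue
        if r["dst"] == controller_ip and r["dport"] == port:
            peers[(r["src"], r["sport"])]["in"] = r        # peer -> controller
        elif r["src"] == controller_ip and r["sport"] == port:
            peers[(r["dst"], r["dport"])]["out"] = r       # controller -> peer
    report = {}
    for peer, d in peers.items():
        inn, out = d.get("in"), d.get("out")
        if out is None:
            status = "no reply from controller"            # routing / forwarding problem
        elif inn is None:
            status = "reply flow only"                     # inbound flow already aged out
        else:
            # Heuristic: the peer keeps retransmitting while every controller reply is
            # a fraction of the request size, so it is being rejected, not negotiated with.
            in_avg = inn["bytes"] / inn["packets"]
            out_avg = out["bytes"] / out["packets"]
            status = ("replies are tiny, check security log"
                      if out_avg < 0.25 * in_avg else "exchange proceeding")
        report[peer] = status
    return report

if __name__ == "__main__":
    for peer, status in summarize_ike(parse_sessions(SAMPLE), "10.20.202.253").items():
        print(f"{peer[0]}:{peer[1]}  {status}")
```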


  • 2.  RE: RAP issues

    Posted 30 days ago

    You could try turning on debugging-level security logs, if you haven't already done so, to get some more information about why it isn't establishing a connection. For the VMC in question use the command "logging security level debugging", write memory, then re-attempt and check "show log all"; you can filter for a unique MAC or IP as well if needed.




  • 3.  RE: RAP issues

    Posted 30 days ago

    The RAPs must terminate at the ControllerIP. You can use an additional transit interface in the controller and route the RAP traffic via this interface to the ControllerIP.

    You have a Mobility Conductor deployment, so I assume that the controllers are running in a cluster. If you make the ControllerIP available on a public IP via an upstream firewall and port forwarding, you must enter the public IP in the cluster profile.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 4.  RE: RAP issues

    Posted 30 days ago

    If the AP is able to connect enough to show in the datapath and fails after that, then there should be something in the logs on why there is a failure.

    https://www.arubanetworks.com/assets/so/SG_Remote-Access-Point.pdf

    As far as the solution goes, I'd highly recommend implementing either IAP-VPN (managed through Central or AirWave) or an AOS 10 Microbranch solution over RAP.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: RAP issues

    Posted 30 days ago
    Edited by mvanoverbeek 30 days ago

    Thanks for all the help. 

    To reply to "Lord": I actually stripped everything down to just a simple setup without even a cluster. I thought, for simplicity's sake, I would start with just a controller managed by a Conductor pair.

    I took Ccowen's advice and started logging to my syslog server. Hopefully this provides some information.

    An interesting message is: "IPSEC_findSaByIP addr:75.207.183.137"

    That is the IP address of my FWA router and I know I have not entered it anywhere.

    Hopefully someone has an idea what I missed.

    Additional screenshots of the setup

    (screenshot: LMSIP)

    When I connect the AP to the local network it does register as a Remote AP; it seems to be related to the internet side. Below is a screenshot of the AP working when connected over the LAN.


    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 6.  RE: RAP issues

    Posted 30 days ago

    Update:

    I actually have it working now, finally.

    Initially I did not have the Public IP address configured in the RAPGROUP under LMS

    I also did not use the command allowlist-db rap add mac-address 90:4c:81:c0:f6:e2 ap-group RAPGROUP

    Initially these commands did not do anything. Eventually I rebooted my Verizon 5G router and that did the trick. Maybe the NAT table was saturated; unclear, but at least it works.

    Question though: is it really necessary to configure the LMS in the RAP group? Curious how that works if you have multiple Public IP addresses, because this only seems to store two at most.


    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 7.  RE: RAP issues

    Posted 30 days ago

    LMS/B-LMS configuration allows the administrator to move the device to other VPNCs as needed.

    LMS for RAP is usually best pointed at a DNS A record configured for round robin, using all of the public IP addresses for the one cluster or all of the VPNC at a single datacenter.  Utilize B-LMS if necessary to fail over to a secondary VPNC or datacenter.  Use a cluster or VRRP to provide redundancy within a single datacenter.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: RAP issues

    Posted 28 days ago

    I followed the guidelines and set up two controllers in a cluster with two separate IP addresses.

    I set the MTU on the VLAN to 1300

    I used a DNS record to point to two separate Public IP addresses

    When the IPSEC tunnel gets established, VMC1 (Spectrum Cable Internet) seems to be fine.

    VMC2 (Google Fiber) however keeps flapping

    I reviewed the configurations and could find a whole lot of differences

    The left side is the snippet from VMC1, which is working, while the right side is from VMC2, which is not working.

    When issuing show ap database the tunnel keeps flapping.

    Below is a screenshot of some of the logs that might give an indication where this is coming from. Hope someone has an idea.


    Below are the raw logs; I'd appreciate some feedback.

    Thank you



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------

    Attachment: VMC22-logs.txt (1.45 MB)


  • 9.  RE: RAP issues

    Posted 28 days ago

    Why did you change the MTU?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 10.  RE: RAP issues