Wireless Access

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you

If the AP is able to connect enough to show in the datapath and fails after that, then there should be something in the logs on why there is a failure.

https://www.arubanetworks.com/assets/so/SG_Remote-Access-Point.pdf

As far as the solution goes, I'd highly recommend implementing either IAP-VPN (managed through Central or AirWave) or an AOS 10 Microbranch solution over RAP.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Oct 07, 2024 10:04 PM
From: mvanoverbeek
Subject: RAP issues

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you

------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
------------------------------

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you

Update:

I actually have it working now finally

Initially I did not have the Public IP address configured in the RAPGROUP under LMS

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you

LMS/B-LMS configuration allows the administrator to move the device to other VPNCs as needed.

LMS for RAP is usually best pointed at a DNS A record configured for round robin, using all of the public IP addresses for the one cluster or all of the VPNC at a single datacenter.  Utilize B-LMS if necessary to fail over to a secondary VPNC or datacenter.  Use a cluster or VRRP to provide redundancy within a single datacenter.

Update:

I actually have it working now finally

Initially I did not have the Public IP address configured in the RAPGROUP under LMS

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you

I followed the guidelines and setup two controllers in a cluster with two separate IP addresses

I set the MTU on the VLAN to 1300

I used a DNS record to point to two separate Public IP addresses

When the IPSEC tunnel gets established VMC1 (Spectrum Cable Internet) seems to be fine

VMC2 (Google Fiber) however keeps flapping

I reviewed the configurations and could find a whole lot of differences

Left side is the snippet from VMC1 that is working while right side is from VMC2 that is not working. 

When issueing show ap database the tunnel keeps flapping

Below a screenshot of some of the logs that might give in indication where this is coming from. Hope anyone has an idea.

Below the raw logs, appreciate some feedback

Thank you

LMS/B-LMS configuration allows the administrator to move the device to other VPNCs as needed.

LMS for RAP is usually best pointed at a DNS A record configured for round robin, using all of the public IP addresses for the one cluster or all of the VPNC at a single datacenter.  Utilize B-LMS if necessary to fail over to a secondary VPNC or datacenter.  Use a cluster or VRRP to provide redundancy within a single datacenter.

Update:

I actually have it working now finally

Initially I did not have the Public IP address configured in the RAPGROUP under LMS

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you

Why did you change the MTU?

I followed the guidelines and setup two controllers in a cluster with two separate IP addresses

I set the MTU on the VLAN to 1300

I used a DNS record to point to two separate Public IP addresses

When the IPSEC tunnel gets established VMC1 (Spectrum Cable Internet) seems to be fine

VMC2 (Google Fiber) however keeps flapping

I reviewed the configurations and could find a whole lot of differences

Left side is the snippet from VMC1 that is working while right side is from VMC2 that is not working. 

When issueing show ap database the tunnel keeps flapping

Below a screenshot of some of the logs that might give in indication where this is coming from. Hope anyone has an idea.

Below the raw logs, appreciate some feedback

Thank you

LMS/B-LMS configuration allows the administrator to move the device to other VPNCs as needed.

LMS for RAP is usually best pointed at a DNS A record configured for round robin, using all of the public IP addresses for the one cluster or all of the VPNC at a single datacenter.  Utilize B-LMS if necessary to fail over to a secondary VPNC or datacenter.  Use a cluster or VRRP to provide redundancy within a single datacenter.

Update:

I actually have it working now finally

Initially I did not have the Public IP address configured in the RAPGROUP under LMS

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you

I thought it was a safe number, I also noticed something about fragmentation in the IKE debugging messages.

I changed it back to 1500

And see if that helps

Why did you change the MTU?

I followed the guidelines and setup two controllers in a cluster with two separate IP addresses

I set the MTU on the VLAN to 1300

I used a DNS record to point to two separate Public IP addresses

When the IPSEC tunnel gets established VMC1 (Spectrum Cable Internet) seems to be fine

VMC2 (Google Fiber) however keeps flapping

I reviewed the configurations and could find a whole lot of differences

Left side is the snippet from VMC1 that is working while right side is from VMC2 that is not working. 

When issueing show ap database the tunnel keeps flapping

Below a screenshot of some of the logs that might give in indication where this is coming from. Hope anyone has an idea.

Below the raw logs, appreciate some feedback

Thank you

LMS/B-LMS configuration allows the administrator to move the device to other VPNCs as needed.

LMS for RAP is usually best pointed at a DNS A record configured for round robin, using all of the public IP addresses for the one cluster or all of the VPNC at a single datacenter.  Utilize B-LMS if necessary to fail over to a secondary VPNC or datacenter.  Use a cluster or VRRP to provide redundancy within a single datacenter.

Update:

I actually have it working now finally

Initially I did not have the Public IP address configured in the RAPGROUP under LMS

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you

I thought it was a safe number, I also noticed something about fragmentation in the IKE debugging messages.

I changed it back to 1500

And see if that helps

Why did you change the MTU?

I followed the guidelines and setup two controllers in a cluster with two separate IP addresses

I set the MTU on the VLAN to 1300

I used a DNS record to point to two separate Public IP addresses

When the IPSEC tunnel gets established VMC1 (Spectrum Cable Internet) seems to be fine

VMC2 (Google Fiber) however keeps flapping

I reviewed the configurations and could find a whole lot of differences

Left side is the snippet from VMC1 that is working while right side is from VMC2 that is not working. 

When issueing show ap database the tunnel keeps flapping

Below a screenshot of some of the logs that might give in indication where this is coming from. Hope anyone has an idea.

Below the raw logs, appreciate some feedback

Thank you

LMS/B-LMS configuration allows the administrator to move the device to other VPNCs as needed.

LMS for RAP is usually best pointed at a DNS A record configured for round robin, using all of the public IP addresses for the one cluster or all of the VPNC at a single datacenter.  Utilize B-LMS if necessary to fail over to a secondary VPNC or datacenter.  Use a cluster or VRRP to provide redundancy within a single datacenter.

Update:

I actually have it working now finally

Initially I did not have the Public IP address configured in the RAPGROUP under LMS

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you

I set it to 1300 initially because my Verizon FWA has an MTU of 1428.

I actually did notice that by turning of my VMC1 (still with an MTU 1300) the VMC2 (MTU1500) eventually did stabilize.

When I turned on VMC1 again VMC1 started with the alternating flapping

I will change the MTU but do want to point out that it appears to be the AP that has the flags Rc2SID that flaps. 

The AP with Rc2r (VMC2) appears to be stable.

I thought it was a safe number, I also noticed something about fragmentation in the IKE debugging messages.

I changed it back to 1500

And see if that helps

Why did you change the MTU?

I followed the guidelines and setup two controllers in a cluster with two separate IP addresses

I set the MTU on the VLAN to 1300

I used a DNS record to point to two separate Public IP addresses

When the IPSEC tunnel gets established VMC1 (Spectrum Cable Internet) seems to be fine

VMC2 (Google Fiber) however keeps flapping

I reviewed the configurations and could find a whole lot of differences

Left side is the snippet from VMC1 that is working while right side is from VMC2 that is not working. 

When issueing show ap database the tunnel keeps flapping

Below a screenshot of some of the logs that might give in indication where this is coming from. Hope anyone has an idea.

Below the raw logs, appreciate some feedback

Thank you

LMS/B-LMS configuration allows the administrator to move the device to other VPNCs as needed.

LMS for RAP is usually best pointed at a DNS A record configured for round robin, using all of the public IP addresses for the one cluster or all of the VPNC at a single datacenter.  Utilize B-LMS if necessary to fail over to a secondary VPNC or datacenter.  Use a cluster or VRRP to provide redundancy within a single datacenter.

Update:

I actually have it working now finally

Initially I did not have the Public IP address configured in the RAPGROUP under LMS

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you

What also strikes me as odd is that both tunnels have the same inner IP address

Is the AP to VPNC a point-to-multipoint tunnel?

I set it to 1300 initially because my Verizon FWA has an MTU of 1428.

I actually did notice that by turning of my VMC1 (still with an MTU 1300) the VMC2 (MTU1500) eventually did stabilize.

When I turned on VMC1 again VMC1 started with the alternating flapping

I will change the MTU but do want to point out that it appears to be the AP that has the flags Rc2SID that flaps. 

The AP with Rc2r (VMC2) appears to be stable.

I thought it was a safe number, I also noticed something about fragmentation in the IKE debugging messages.

I changed it back to 1500

And see if that helps

Why did you change the MTU?

I followed the guidelines and setup two controllers in a cluster with two separate IP addresses

I set the MTU on the VLAN to 1300

I used a DNS record to point to two separate Public IP addresses

When the IPSEC tunnel gets established VMC1 (Spectrum Cable Internet) seems to be fine

VMC2 (Google Fiber) however keeps flapping

I reviewed the configurations and could find a whole lot of differences

Left side is the snippet from VMC1 that is working while right side is from VMC2 that is not working. 

When issueing show ap database the tunnel keeps flapping

Below a screenshot of some of the logs that might give in indication where this is coming from. Hope anyone has an idea.

Below the raw logs, appreciate some feedback

Thank you

LMS/B-LMS configuration allows the administrator to move the device to other VPNCs as needed.

LMS for RAP is usually best pointed at a DNS A record configured for round robin, using all of the public IP addresses for the one cluster or all of the VPNC at a single datacenter.  Utilize B-LMS if necessary to fail over to a secondary VPNC or datacenter.  Use a cluster or VRRP to provide redundancy within a single datacenter.

Update:

I actually have it working now finally

Initially I did not have the Public IP address configured in the RAPGROUP under LMS

I feel kind of stupid but despite re-reading the documentation several times and keep watching the videos I just can't the remote AP to work in my setup.

All devices run: Version 8.10.0.14 LSR

Setup consists of 2x Virtual Mobility Conductors with AP capacity, MM, MC-VA-US, PEF, and 1xVMC license

The VMC has a VLAN 201 interface that is used for Campus AP termination and MM communication

I created an additional VLAN 202 for the RAP termination. The IP address is mapped to a WAN interface

There is a default route to the next hop in vlan 202 (the RAP vlan) and a route to 10.0.0.0/8 in vlan 201.

The VMC is behind a Firewall, I created port forwarding for UDP 4500

I created a RAP-POOL

Choose the option certificate based authentication

The AP is in the allowlist

When I check with show datapath session I see the traffic coming in

I did a packet capture and saw ISAKMP traffic (IKE SA init)

It doesn't go past the first two packets it seems.

I am kind of at a loss. 

(VMC01) #show datapath session | include 4500
75.207.183.xxx    10.20.202.253   17   60487 4500   0/0     0    0   0   0/0/0       111  50         28686      FC              2
10.20.202.253     75.207.183.xxx  17   4500  60487  0/0     0    0   0   0/0/0       111  50         4400       F               2

show crypto ipsec sa does not show anything except for the Mobility Conductor.

What am I missing? Anyone have an idea what I can try next.

Thank you