Hi All,
I've got a few RAPs that I can see in the logon role but not in the ap database. This is happening with all RAPs.
(A3200) #show user
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
186.188.56.242 00:00:00:00:00:00 logon 00:00:05 VPN N/A default tunnel
186.169.76.203 00:00:00:00:00:00 logon 00:00:05 VPN N/A default tunnel
181.133.34.140 00:00:00:00:00:00 logon 00:00:05 VPN N/A default tunnel
User Entries: 3/3
I can see they've got an IPSec security association but none of them have a private IP assigned.
(A3200) #show crypto isakmp sa
ISAKMP SA Active Session Information
------------------------------------
Initiator IP Responder IP Flags Start Time Private IP
------------ ------------ ----- --------------- ----------
10.69.19.80 10.164.90.251 i-a-p Aug 8 14:37:19 - (this is the local - master sa)
186.188.56.242 10.169.119.80 r-v2-c-R Aug 8 14:36:13 -
186.169.76.203 10.169.119.80 r-v2-c-R Aug 8 14:36:13 -
181.133.34.140 10.169.119.80 r-v2-c-R Aug 8 14:36:13 -
I've set up a RAP pool of IP addresses but they're not being used.
(A3200) # show vpdn l2tp local pool
IP addresses used in pool 3200RAP_Pool
0 IPs used - 32 IPs free - 32 IPs configured
IP pool allocations / de-allocations - L2TP: 0/0 IKE: 0/0
The logon role has not been changed from defaults as far as I'm aware:
(A3200) #show rights logon
Derived Role = 'logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 1/0
Max Sessions = 65535
access-list List
----------------
Position Name Location
-------- ---- --------
1 logon-control
2 vpnlogon
3 v6-logon-control
4 captiveportal6
logon-control
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
vpnlogon
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any svc-ike permit Low 4
2 user any svc-esp permit Low 4
3 any any svc-l2tp permit Low 4
4 any any svc-pptp permit Low 4
5 any any svc-gre permit Low 4
v6-logon-control
----------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 6
2 any any svc-v6-icmp permit Low 6
3 any any svc-v6-dhcp permit Low 6
4 any any svc-dns permit Low 6
captiveportal6
--------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user controller6 svc-https captive Low 6
2 user any svc-http captive Low 6
3 user any svc-https captive Low 6
4 user any svc-http-proxy1 captive Low 6
5 user any svc-http-proxy2 captive Low 6
6 user any svc-http-proxy3 captive Low 6
Expired Policies (due to time constraints) = 0
The MAC addresses are in the RAP whitelist.
Can anyone shed some light on this please?
I'm sure I've probably overlooked something simple.
Thanks
James
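
The correlation the post does by eye (VPN entries sitting in the logon role, matched against ISAKMP SAs whose Private IP column is "-", plus the pool usage line) can be scripted against saved CLI output. This is an added example, not part of the original post: the function names and sample rows are constructed, and the column layout is assumed from the output shown above.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
AGE = re.compile(r"^\d+:\d\d:\d\d$")  # Age(d:h:m) column of "show user"
SA_ROW = re.compile(rf"^({IPV4})\s+({IPV4})\s+(\S+)\s+\w{{3}}\s+\d+\s+[\d:]+\s+(\S+)")
POOL = re.compile(r"(\d+) IPs used - (\d+) IPs free - (\d+) IPs configured")

# Constructed sample rows in the layout of the post (documentation addresses).
SHOW_USER = """\
203.0.113.10 00:00:00:00:00:00 logon 00:00:05 VPN N/A default tunnel
203.0.113.11 00:00:00:00:00:00 logon 00:00:05 VPN N/A default tunnel
203.0.113.12 00:00:00:00:00:00 rap1 ap-role 00:02:10 VPN N/A default tunnel
"""
SHOW_ISAKMP = """\
10.0.0.1 10.0.0.2 i-a-p Aug 8 14:37:19 -
203.0.113.10 10.0.0.2 r-v2-c-R Aug 8 14:36:13 -
203.0.113.11 10.0.0.2 r-v2-c-R Aug 8 14:36:13 192.168.50.5
203.0.113.12 10.0.0.2 r-v2-c-R Aug 8 14:36:13 192.168.50.6
"""

def logon_vpn_users(show_user):
    """Outer IPs of user entries whose Role is 'logon' and Auth is 'VPN'."""
    found = set()
    for line in show_user.splitlines():
        tok = line.split()
        if len(tok) < 4 or not re.fullmatch(IPV4, tok[0]):
            continue
        # Name may be empty, so locate Role and Auth relative to the Age column.
        age = next((i for i, t in enumerate(tok) if AGE.match(t)), None)
        if age and age + 1 < len(tok) and tok[age - 1] == "logon" and tok[age + 1] == "VPN":
            found.add(tok[0])
    return found

def sas_without_inner_ip(show_isakmp):
    """Initiator IPs of ISAKMP SAs whose Private IP column is '-'."""
    return {m.group(1) for m in map(SA_ROW.match, show_isakmp.splitlines())
            if m and m.group(4) == "-"}

def stuck_peers(show_user, show_isakmp):
    """Peers with an IKE SA but no inner IP that are still in the logon role."""
    return sorted(logon_vpn_users(show_user) & sas_without_inner_ip(show_isakmp))

def pool_usage(show_pool):
    """(used, free, configured) from 'show vpdn l2tp local pool', or None."""
    m = POOL.search(show_pool)
    return tuple(map(int, m.groups())) if m else None

if __name__ == "__main__":
    print(stuck_peers(SHOW_USER, SHOW_ISAKMP))
```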