Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Remote Access Point unable to connect, Auth Request

  • 1.  Remote Access Point unable to connect, Auth Request

    MVP
    Posted Dec 07, 2023 02:41 AM

    Hey everyone,

    I have an ArubaMM-VA (pri/backup) on version 8.10.0.7 LSR orchestrating two physical 7210 controllers. I am trying to get some remote APs going, but am hitting a snag and I haven't been able to find the cause. The traffic is coming from a typical home user network with a NAT to the public Internet over to the corporate Palo firewall. There are two NAT addresses configured both in the firewall and the profile for the RAP in the controller, and a corresponding policy to allow "any" traffic from the home location IP address to the two NAT addresses on the controller. The controllers have private IP addresses, but the NAT rule points to those IPs. I don't think I should have to include specific ports, but I can do that (I'm testing now with wide open settings to get it working).

    The AP is an AP-303, it's in the allow list, and I can see it connect to the controller, but it will never come all the way online. I'm unsure what I have missed, but I did see the AP go Up, then Down a few times.

    The message is:
    AP is down since 2023-12-07 02:01:02 because of the following reason: Auth Request.

    On the controller:

    show datapath session table 10.200.200.51

    Source IP or MAC  Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags           CPU ID
    ----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------
    10.200.200.51     10.29.0.101     17   8211  8515   0/0     0    0   1   local       4    0          0          FYI             11
    10.29.0.101       10.200.200.51   17   8515  8211   1/0     0    0   0   local       6    2          786        FCI             11

    I'm not sure what else to check. I'm sure I missed a step, as the RAP configuring isn't as well documented as I hoped. Where do I go next?

    Thanks!

    PH



  • 2.  RE: Remote Access Point unable to connect, Auth Request
    Best Answer

    EMPLOYEE
    Posted Dec 07, 2023 08:24 AM

    Are your controllers in a cluster? In that case you would need to configure the public IPs in your configuration as well... and there is a separate allow list for remote APs (from normal / Campus APs).

    If the controllers are not in a cluster, the NAT should be enough.

    This page seems to have a good summary... a bit down from the top there is the cluster configuration.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Remote Access Point unable to connect, Auth Request

    MVP
    Posted Dec 07, 2023 04:09 PM

    Thanks Herman! I was hoping it was something simple. I had followed that guide, but somehow missed the remote AP tab. I'll try that and see if it comes online.

    I did have the AP in the wrong list (Campus).

    I do have the LMS IP set for both controllers in the cluster here in the IP address and Backup IP address field. This is the public NAT address (which is surely working since I can see the RAP trying to connect).



    I'm not in the same area as the AP right now but I'll give it another reset this eve and see if it will come online if it doesn't before that.  




  • 4.  RE: Remote Access Point unable to connect, Auth Request

    EMPLOYEE
    Posted Dec 08, 2023 09:14 AM

    Did you set the RAP Public IP in your cluster?

    With controller clusters, most of LMS configuration is ignored and an AP will connect directly to the controller IP as configured in the cluster, or when in RAP mode to the RAP Public IP.

    The Auth Request message suggests an authentication problem, but it may be that the RAP just cannot reach its anchor or user controllers.

    If this is not your issue, it may be more effective to work with your partner or Aruba Support as there are many things to look at and verify.






  • 5.  RE: Remote Access Point unable to connect, Auth Request

    MVP
    Posted Dec 08, 2023 10:22 AM

     

    Herman,

    Thanks for checking back. Yes – I believe that's what the issue was. I had followed that guide mostly but I missed both the Remote AP (in the previous post) and the RAP IP for the cluster.

    For those following along, you cannot change the entry for the cluster, and deleting a single device and adding it back won't allow you to use the RAP IP. But you can re-create a new cluster in the GUI: under MD/Config/Services/Clusters, add a new cluster profile with the proper values, then go to the actual devices and move them to the new profile.

    Remove the existing profile, then add them to the new profile; that may or may not cause a blip on some of the connected APs. But not many people notice at 2AM.

     

    Create new profile:

    Change the profile for each controller:

     

    Now I just have to remember how to activate the ports on the 303H. Thanks for the help!

     

    Thanks,

    Phillip

     


     

    Phillip Horn

    Network and Systems Engineer

    Union College

    606-546-1650