10-10-2013 02:02 AM - edited 10-10-2013 02:13 AM
Hi,
I'm trying to convert a RAP-3WN to a RAP, but when I push the convert button the process fails in VPN setup.
The RAP-3WN is connected to a VLAN and can reach the controller IP address. I put the MAC of the AP in the whitelist and I set up a VPN pool, but something is wrong because the AP does not finish the conversion process.
The AP has an IP address in the VLAN, 10.21.16.75, because that is the only way I can manage the AP remotely.
The output of "show log security" on the controller is:
Rx message 0/67108864, length 255 from 127.0.0.1:8345
Oct 10 09:53:27 :124220: <DBUG> |authmgr| stm_message_handler : msg_type 3007
Oct 10 09:53:27 :124004: <DBUG> |authmgr| RX (sock) message of type 19, len 28
Oct 10 09:53:27 :124459: <DBUG> |authmgr| IP DN int: 10.21.16.75, ext:10.21.16.75
Oct 10 09:53:27 :124234: <DBUG> |authmgr| Tx message to Sibyte, blocking with ack, Opcode = 17, msglen = 200 action = 5
Oct 10 09:53:27 :124004: <DBUG> |authmgr| sta_del_l3: mac 00:00:00:00:00:00 ip 10.21.16.75
Oct 10 09:53:27 :124153: <DBUG> |authmgr| Free ipuser 0x0x2e63ab2c (10.21.16.75) for user 0x0x2e9d2fc4.
Oct 10 09:53:27 :124154: <DBUG> |authmgr| Free user 0x0x2e9d2fc4.
Oct 10 09:53:27 :124004: <DBUG> |authmgr| RX (sock) message of type 66, len 760
Oct 10 09:53:27 :124454: <DBUG> |authmgr| auth_user_query_raw: recvd request user:00:0b:86:8e:de:cd ip:10.21.16.75 cookie:-753431465
Oct 10 09:53:27 :124150: <DBUG> |authmgr| Create ipuser and user 00:00:00:00:00:00.
Oct 10 09:53:27 :124156: <DBUG> |authmgr| Called ip_user_new() for ip 10.21.16.75.
Oct 10 09:53:27 :124004: <DBUG> |authmgr| sta_add_l3: mac 00:00:00:00:00:00 ip 10.21.16.75
Oct 10 09:53:27 :124100: <DBUG> |authmgr| Setting auth subtype 'EAP-LEAP' for user 10.21.16.75, client VPN.
Oct 10 09:53:27 :124099: <DBUG> |authmgr| Setting auth type 'VPN' for user 10.21.16.75, client VPN.
Oct 10 09:53:27 :124098: <DBUG> |authmgr| Setting authstate 'started' for user 10.21.16.75, client VPN.
Oct 10 09:53:27 :124546: <DBUG> |authmgr| aal_authenticate user:00:0b:86:8e:de:cd vpnflags:4.
Oct 10 09:53:27 :124004: <DBUG> |authmgr| ncfg_auth_server_group_authtype ip=10.21.16.75, method=VPN vpnflags:4
Oct 10 09:53:27 :124004: <DBUG> |authmgr| ncfg_auth_server_group_authtype vpnflags:4 vpn-profile:default-iap
Oct 10 09:53:27 :124004: <DBUG> |authmgr| ip=10.21.16.75, sg=internal
Oct 10 09:53:27 :124547: <DBUG> |authmgr| aal_authenticate server_group:internal.
Oct 10 09:53:27 :124004: <DBUG> |authmgr| ncfg_auth_server_group_authtype ip=10.21.16.75, method=VPN vpnflags:4
Oct 10 09:53:27 :124004: <DBUG> |authmgr| ncfg_auth_server_group_authtype vpnflags:4 vpn-profile:default-iap
Oct 10 09:53:27 :124004: <DBUG> |authmgr| ip=10.21.16.75, sg=internal
Oct 10 09:53:27 :124004: <DBUG> |authmgr| Select server for method=VPN, user=00:0b:86:8e:de:cd, essid=<>, server-group=internal, last_srv <>
Oct 10 09:53:27 :124004: <DBUG> |authmgr| server=Internal, ena=1, ins=1 (1)
Oct 10 09:53:27 :124038: <INFO> |authmgr| Selected server Internal for method=VPN; user=00:0b:86:8e:de:cd, essid=<>, domain=<>, server-group=internal
Oct 10 09:53:27 :124230: <DBUG> |authmgr| Rx message 62/63, length 2995 from 127.0.0.1:8344
Oct 10 09:53:27 :124003: <INFO> |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=10.21.16.75
Oct 10 09:53:27 :124004: <DBUG> |authmgr| Auth server 'Internal' response=0
Oct 10 09:53:27 :124097: <DBUG> |authmgr| Setting authserver 'Internal' for user 10.21.16.75, client VPN.
Oct 10 09:53:27 :124453: <DBUG> |authmgr| auth_user_query_resp: response user:00:0b:86:8e:de:cd ip:10.21.16.75 cookie:-753431465
Oct 10 09:53:27 :124184: <DBUG> |authmgr| {L3} Authenticating Server is Internal.
Oct 10 09:53:27 :124004: <DBUG> |authmgr| Matching `internal' rules to derive role ...
Oct 10 09:53:27 :124004: <DBUG> |authmgr| Role 'value-of'
Oct 10 09:53:27 :124004: <DBUG> |authmgr| rule: set role condition Role value-of
Oct 10 09:53:27 :124004: <DBUG> |authmgr| match_rule Value Pair to match User-Name : 00:0b:86:8e:de:cd
Oct 10 09:53:27 :124004: <DBUG> |authmgr| match_rule Value Pair to match E-Mail :
Oct 10 09:53:27 :124004: <DBUG> |authmgr| match_rule Value Pair to match Role :
Oct 10 09:53:27 :124441: <DBUG> |authmgr| auth_user_query_resp: vpnflags:4
Oct 10 09:53:27 :124467: <DBUG> |authmgr| Framed IP: found 0x0x0 (mask 0x0xffffffff)
Oct 10 09:53:27 :103046: <ERRS> |ike| IKE XAuth client UP failed 10.21.16.75 (External 10.21.16.75)
For some reason the process fails and I don't know what I'm missing.
The RAP-3WN log:
#RECV 80 bytes from 10.21.8.16[4500] (2.0) (pid:14338) time:2000-01-02 21:46:44 spi={95ffeee0b90c4e2d d33aac6d1bd90855} np=E{N} exchange=IKE_AUTH msgid=1 len=76 I <-- Notify: AUTHENTICATION_FAILED (ESP spi=6660d100) InNotify AP authentication failed ike2_state.c (7737): errorCode = ERR_IKE_NOTIFY_PAYLOAD IKE SA failed reason = ERR_IKE_XAUTH_FAILED, errorcode = -8952 send_sapd_error: error:45 debug_error:0
I'm trying to convert the AP to a RAP while it is connected to a VLAN that has direct access to the controller, because this is my first time working with RAP. Once the AP has been converted to a RAP and reaches the controller, I will try to set up the RAP via the Internet by configuring a public IP address on the controller or doing NAT on a router.
I hope you can help me!
Kind Regards!
Re: Failed to convert RAP-3WN to RAP
10-10-2013 03:03 AM
Do you have a master-local setup?
Please run the following commands:
- show datapath session table <ipaddress> | include 4500
- show crypto ipsec sa
- show user-table verbose
Make sure UDP/4500 is allowed.
Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Re: Failed to convert RAP-3WN to RAP
10-10-2013 03:08 AM
Hi, thanks for the reply!
These are the outputs of the commands:
show datapath session table 10.21.16.75 | include 4500
10.21.16.75 10.155.154.41 17 40994 4500 0/0 0 0 1 local 3 0 0 FY
10.21.16.75 10.155.154.41 17 40996 4500 0/0 0 0 0 0/0/0 2 2 844 FC
10.155.154.41 10.21.16.75 17 4500 40994 0/0 0 0 1 local 3 1 108 FC
10.155.154.41 10.21.16.75 17 4500 40996 0/0 0 0 1 0/0/0 2 2 513 F
#show crypto ipsec sa
% No active IPSEC SA
show user-table verbose | include 10.21.16.75
10.21.16.75 00:00:00:00:00:00 logon 00:00:00 VPN N/A tunnel 1
Thanks!
Re: Failed to convert RAP-3WN to RAP
10-10-2013 03:29 AM
Do you have a master-local setup?
Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Re: Failed to convert RAP-3WN to RAP
10-10-2013 03:41 AM
The controller is Master.
But I don't know if I have to set some parameters in IPsec:
Thank you very much!
Re: Failed to convert RAP-3WN to RAP
10-10-2013 04:54 AM
Are you using AOS 6.2?
Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Re: Failed to convert RAP-3WN to RAP
10-10-2013 04:58 AM
Yes.
show version
Version 6.2.0.0
Re: Failed to convert RAP-3WN to RAP
10-10-2013 05:38 AM
JuanCarlos,
Did you set up a VPN pool for your IAP?
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Re: Failed to convert RAP-3WN to RAP
10-10-2013 06:24 AM
Yes, I've set up a VPN pool for only one RAP.
Start IP address 10.21.16.75, end IP address 10.21.16.75.
But the RAP-3WN already has this IP address, because it is connected to a VLAN in this range and that is the only way to manage the AP. Should I configure another, different pool?
As I said, I want to try converting the AP to a RAP first; afterwards, when the RAP works, I will use another VPN pool and configure NAT on the router with a public address pointing to the controller in order to use the RAP across the Internet.
But at the moment I'm not able to convert the AP to a RAP and register the AP with the controller due to the VPN setup failure.
I don't know if I have to configure IPsec parameters on the controller or if it is possible to do what I want with the AP directly connected to the VLAN. I think a RAP can be used across the Internet, but that isn't mandatory.
Regards!
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
10-10-2013 06:32 AM
For the VPN pool, you should use a non-routable address like 8.8.8.1 to 8.8.8.8. Include more than one IP address for troubleshooting.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
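A way to triage this thread's symptom from the controller log, as an added example that is not part of any post and not Aruba's own tooling: it flags a client whose VPN authentication succeeded but whose XAuth client UP then failed, and reports whether the configured VPN pool contains the AP's outer address and how many addresses it holds. The function name and finding fields are hypothetical, and treating a pool that overlaps the AP's own address as the suspect is an assumption drawn from the last reply; the log lines are copied from the first post.

```python
import ipaddress
import re

# Constructed sample: three lines copied from the controller log in the first post.
SAMPLE_LOG = """\
Oct 10 09:53:27 :124003: <INFO> |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=10.21.16.75
Oct 10 09:53:27 :124467: <DBUG> |authmgr| Framed IP: found 0x0x0 (mask 0x0xffffffff)
Oct 10 09:53:27 :103046: <ERRS> |ike| IKE XAuth client UP failed 10.21.16.75 (External 10.21.16.75)
"""

AUTH_OK = re.compile(
    r"\|authmgr\| Authentication result=Authentication Successful\(0\), "
    r"method=VPN, server=[^,]+, user=(\S+)"
)
XAUTH_FAIL = re.compile(
    r"\|ike\| IKE XAuth client UP failed (\S+) \(External (\S+)\)"
)


def diagnose(log_text, pool_start, pool_end):
    """Return one finding per 'XAuth client UP failed' line (hypothetical helper)."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    authed = set()   # clients the internal server already accepted
    findings = []
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            authed.add(m.group(1))
            continue
        m = XAUTH_FAIL.search(line)
        if not m:
            continue
        client, external = m.groups()
        findings.append({
            "client": client,
            # True means whitelist/credentials passed; look at address assignment.
            "auth_ok_before_failure": client in authed,
            # Assumption: the inner-address pool should not hold the AP's outer IP.
            "pool_contains_outer_ip": start <= ipaddress.ip_address(external) <= end,
            "pool_size": int(end) - int(start) + 1,
        })
    return findings


if __name__ == "__main__":
    # Pool as configured by the original poster: a single address equal to the AP's own.
    for finding in diagnose(SAMPLE_LOG, "10.21.16.75", "10.21.16.75"):
        print(finding)
```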