Environment Information

Network Setup: Standalone Master with three RAP-3WNP. All three RAPs are connected to the Linksys router.

Controller >> Firewall >> ISP >> Linksys Router >> RAP-3WNP

AOS: 6.4.2.3
Symptoms

The RAP-3WNP comes up as a CAP when it is provisioned as a certificate-based RAP. In the "show ap database" output we can see that the RAP received an inner IP address and then went down.

#show ap database
Fri Jan 16 14:58:35.144 2015

AP Database
-----------
Name           Group       AP Type   IP Address  Status  Flags  Switch IP    Standby IP
----           -----       -------   ----------  ------  -----  ---------    ----------
Kraton_RAP_03  Kraton_RAP  RAP-3WNP  1.1.1.2     Down    Rc2    10.208.4.38  0.0.0.0     ====================> RAP got inner IP address and rebooted.

show crypto isakmp sa peer 204.57.67.86
Fri Jan 16 14:56:52.404 2015
Initiator IP: 204.57.67.86
Responder IP: 10.208.4.38
Initiator: No
Initiator cookie: e03b0e59f9343018
Responder cookie: ff7b09bf1c440712
SA Creation Date: Fri Jan 16 14:56:47 2015
Life secs: 28800
Initiator Phase1 ID: CN=BF0099183::00:0b:86:bb:4f:6e
Responder Phase1 ID: CN=CR0001928::00:0b:86:b4:e7:77 L=SW
Exchange Type: IKE_SA (IKEV2)
Phase1 Transform: EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:2
Authentication Method: RSA Digital Signature 2048-bits
CFG Inner-IP 1.1.1.2
IPSEC SA Rekey Number: 0
Aruba AP

(Kraton_Aruba_7030) #show crypto ipsec sa peer 204.57.67.86
Fri Jan 16 14:57:05.014 2015
Initiator IP: 204.57.67.86
Responder IP: 10.208.4.38
Initiator: No
SA Creation Date: Fri Jan 16 14:56:48 2015
Life secs: 7200
Exchange Type: IKE_SA (IKEV2)
Phase2 Transform: Encryption Alg: AES 256  Authentication Alg: SHA1
Encapsulation Mode Tunnel
PFS: no
IN SPI: 70689000, OUT SPI: CB231800
CFG Inner-IP 1.1.1.2
Responder IP: 10.208.4.38

In the user-table output we can see that the RAP is placed in the ap-role once it receives a valid inner IP address.

(Kraton_Aruba_7030) #show user-table verbose
Fri Jan 16 14:57:13.122 2015

Users
-----
IP  MAC  Name  Role  Age(d:h:m)  Auth  VPN link  AP name  Roaming  Essid/Bssid/Phy  Profile  Forward mode  Type  Host Name  Server  Vlan  Bwm  UaStr:ParseDisable/Flag/ShortIndex
----------  ------------  ------  ----  ----------  ----  --------  -------  -------  ---------------  -------  ------------  ----  ---------  ------  ----  ---  ----------------------------------
204.57.67.86   00:00:00:00:00:00                     logon          00:00:03  VPN                 N/A                tunnel                               0 (0)    OFF/0/0
1.1.1.2        00:00:00:00:00:00  00:0b:86:bb:4f:6e  ap-role        00:00:00  VPN     204.57.67.86  N/A  default-rap  tunnel  Internal                    0 (0)    OFF/0/0
10.208.28.21   f8:16:54:90:d7:b0  KRATON\juknotts    authenticated  00:00:08  802.1x  Kraton_RAP_02  Wireless  WMS2/18:64:72:7a:a4:a1/g  Kraton_802.1x  tunnel  Win 7  10.208.9.77  29 (29)  OFF/0/14
172.31.98.163  f8:16:54:90:d7:b0  KRATON\juknotts    authenticated  00:00:02  802.1x  Kraton_RAP_02  Wireless  WMS2/18:64:72:7a:a4:a1/g  Kraton_802.1x  tunnel  Win 7  10.208.9.77  29 (29)  OFF/0/14

User Entries: 4/4
Curr/Cum Alloc:3/4 Free:0/1 Dyn:3 AllocErr:0 FreeErr:0

In the security logs we see that the IPSEC SA is deleted after the peer's IKE cookies are reported as invalid.

Jan 16 14:56:47 :103078: <INFO> |ike| IKEv2 CHILD_SA successful for peer 204.57.67.86:49154
Jan 16 14:57:14 :103063: <DBUG> |ike| 204.57.67.86:49154-> message_recv: invalid cookie(s) e03b0e59f9343018 ff7b09bf1c440712
Jan 16 14:57:14 :103060: <DBUG> |ike| 204.57.67.86:49154-> message.c:message_drop:2886 Message drop from 204.57.67.86 port -16382 due to notification type INVALID_COOKIE
Jan 16 14:57:58 :103063: <DBUG> |ike| IPSEC_deleteSaByInnerIPExtIP delete IPSEC SA 204.57.67.86:(inner:1.1.1.2)
Jan 16 14:57:58 :103101: <INFO> |ike| IPSEC SA deleted for peer 204.57.67.86

Once the RAP reboots, it comes up as a CAP.
#show ap database
Fri Jan 16 14:40:03.521 2015

AP Database
-----------
Name           Group       AP Type   IP Address    Status         Flags  Switch IP    Standby IP
----           -----       -------   ----------    ------         -----  ---------    ----------
Kraton_RAP_03  Kraton_RAP  RAP-3WNP  204.57.67.86  Up 1h:38m:10s         10.208.4.38  0.0.0.0     ==============> After reboot the RAP came up as CAP.
Cause

In the ap-group the provisioning profile is set to "default", but no configuration had been done in the default provisioning profile.

ap-group "Kraton_RAP"
   virtual-ap "Kra_Home"
   virtual-ap "WMS2"
   enet1-port-profile "wport_prof-mac33"
   enet2-port-profile "wport_prof-qfo99"
   enet3-port-profile "wport_prof-xsp49"
   enet4-port-profile "wport_prof-jgf16"
   ap-system-profile "apsys_prof-jxu94"
   voip-cac-profile "Kraton_RAP_VoIP_Call_Admission_Control"
   provisioning-profile "default"   ================================================> unconfigured default profile

As a result, authmgr reports the inner IP as down and IKE deletes the IKE/IPSEC SAs:

Jan 16 14:57:58 authmgr[3535]: <124220> <DBUG> |authmgr| stm_message_handler : msg_type 3099
Jan 16 14:57:58 isakmpd[3399]: <103060> <DBUG> |ike| ipc.c:ipc_rcvcb:1846 Auth ip down message. ip=1.1.1.2
Jan 16 14:57:58 isakmpd[3399]: <103063> <DBUG> |ike| IPSEC_deleteSaByInnerIPExtIP delete IPSEC SA 204.57.67.86:(inner:1.1.1.2)
Jan 16 14:57:58 isakmpd[3399]: <103101> <INFO> |ike| IPSEC SA deleted for peer 204.57.67.86
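As an added triage aid (not part of this article or of AOS), the Python below parses samples shaped like the "show ap database" table and the |ike| log lines shown in the Symptoms and Cause sections, and flags two things: RAP-model APs that are Up without the R (Remote AP) flag in the Flags column, i.e. running as CAP, and peers whose IPSEC SA was deleted within two minutes of a successful CHILD_SA, noting whether an INVALID_COOKIE drop was seen in between. The AP rows and log lines are constructed for the example, reusing the AP names and addresses from this article; the reading of the R flag follows the flags legend printed under "show ap database".

```python
import re
from datetime import datetime

# Constructed samples modelled on the outputs quoted in this article; not copied from it.
AP_DB = """\
Name           Group       AP Type   IP Address    Status         Flags  Switch IP    Standby IP
----           -----       -------   ----------    ------         -----  ---------    ----------
Kraton_RAP_01  Kraton_RAP  RAP-3WNP  204.57.67.86  Up 1h:38m:10s         10.208.4.38  0.0.0.0
Kraton_RAP_03  Kraton_RAP  RAP-3WNP  1.1.1.3       Up 4m:30s      Rc2    10.208.4.38  0.0.0.0
"""
IKE_LOG = """\
Jan 16 14:56:47 :103078: <INFO> |ike| IKEv2 CHILD_SA successful for peer 204.57.67.86:49154
Jan 16 14:57:14 :103060: <DBUG> |ike| 204.57.67.86:49154-> message.c:message_drop:2886 Message drop from 204.57.67.86 port -16382 due to notification type INVALID_COOKIE
Jan 16 14:57:58 :103101: <INFO> |ike| IPSEC SA deleted for peer 204.57.67.86
Jan 16 15:02:10 :103078: <INFO> |ike| IKEv2 CHILD_SA successful for peer 10.208.6.113:4500
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# One 'show ap database' row: Status is 'Down' or 'Up <uptime>'; Flags may be empty.
ROW = re.compile(r"^(?P<name>\S+)\s+(?P<group>\S+)\s+(?P<type>\S+)\s+(?P<ip>" + IP + r")\s+"
                 r"(?P<status>Up \S+|Down)\s+(?:(?P<flags>[A-Za-z]\w*)\s+)?(?P<switch>" + IP + r")")
LOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?\|ike\| (?P<msg>.*)$")

def raps_up_as_cap(ap_db):
    """Names of RAP-model APs that are Up without the R (Remote AP) flag, i.e. running as CAP."""
    return [m["name"] for m in map(ROW.match, ap_db.splitlines())
            if m and m["type"].startswith("RAP") and m["status"].startswith("Up")
            and "R" not in (m["flags"] or "")]

def tunnel_teardowns(ike_log, window_s=120):
    """Return {peer: (seconds the tunnel lived, INVALID_COOKIE seen)} for SAs deleted within window_s of coming up."""
    up, cookie, out = {}, set(), {}
    for line in ike_log.splitlines():
        m = LOG.match(line)
        peer = m and re.search(IP, m["msg"])          # first address in the message is the peer
        if not peer:
            continue
        peer, msg = peer.group(1), m["msg"]
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog lines carry no year
        if "CHILD_SA successful" in msg:
            up[peer] = ts
        elif "INVALID_COOKIE" in msg:
            cookie.add(peer)
        elif "IPSEC SA deleted" in msg and peer in up:
            lived = (ts - up.pop(peer)).total_seconds()
            if lived <= window_s:
                out[peer] = (lived, peer in cookie)
    return out
```

Run against real output, a RAP reported by raps_up_as_cap together with a peer returned by tunnel_teardowns is the pattern this article describes and points at the AP's provisioning profile rather than at the IPsec configuration.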
Resolution

After removing the provisioning profile and re-provisioning the AP as a RAP, it came up correctly.

AP Database
-----------
Name           Group       AP Type   IP Address    Status     Flags  Switch IP    Standby IP
----           -----       -------   ----------    ------     -----  ---------    ----------
Kraton_RAP_01  Kraton_RAP  RAP-3WNP  204.57.67.86  Down              10.208.4.38  0.0.0.0
Kraton_RAP_02  Kraton_RAP  RAP-3WNP  10.208.6.113  Up 39m:2s         10.208.4.38  0.0.0.0
Kraton_RAP_03  Kraton_RAP  RAP-3WNP  1.1.1.3       Up 4m:30s  Rc2    10.208.4.38  0.0.0.0     ==================> After re-provisioning it came up as RAP.
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.