Controller Based WLANs



RAP-3WNP is coming up as CAP though it's provisioned as Cert-based RAP.

Apr 06, 2015 02:13 AM

Environment Information- Network Setup:

Standalone Master with three RAP-3WNPs.
All three RAPs are connected to a Linksys router.

Controller >> Firewall >> ISP >> Linksys Router >> RAP3WNP
AOS: 6.4.2.3

Symptoms- 

RAP-3WNP is coming up as CAP when it's provisioned as Cert-based RAP.

In the show ap database output we can see that the RAP got an inner IP address and then went down.

#show ap database 

Fri Jan 16 14:58:35.144 2015


AP Database
-----------
Name           Group       AP Type   IP Address    Status     Flags  Switch IP    Standby IP
----           -----       -------   ----------    ------     -----  ---------    ----------

Kraton_RAP_03  Kraton_RAP  RAP-3WNP  1.1.1.2       Down       Rc2    10.208.4.38  0.0.0.0   ====================> RAP got inner IP address and rebooted.

show crypto isakmp sa peer 204.57.67.86

Fri Jan 16 14:56:52.404 2015


 Initiator IP: 204.57.67.86
 Responder IP: 10.208.4.38
 Initiator: No
 Initiator cookie:e03b0e59f9343018 Responder cookie:ff7b09bf1c440712
 SA Creation Date: Fri Jan 16 14:56:47 2015
 Life secs: 28800
 Initiator Phase1 ID: CN=BF0099183::00:0b:86:bb:4f:6e
 Responder Phase1 ID: CN=CR0001928::00:0b:86:b4:e7:77 L=SW
 Exchange Type: IKE_SA (IKEV2) 
 Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:2 
 Authentication Method: RSA Digital Signature 2048-bits
 CFG Inner-IP 1.1.1.2
 IPSEC SA Rekey Number: 0
 Aruba AP
 

(Kraton_Aruba_7030) #show crypto  ipsec sa peer 204.57.67.86

Fri Jan 16 14:57:05.014 2015


 Initiator IP: 204.57.67.86
 Responder IP: 10.208.4.38
 Initiator: No
 SA Creation Date: Fri Jan 16 14:56:48 2015
 Life secs: 7200
 Exchange Type: IKE_SA (IKEV2) 
 Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1 
 Encapsulation Mode Tunnel
 PFS: no
 IN SPI: 70689000, OUT SPI: CB231800
 CFG Inner-IP 1.1.1.2
 Responder IP: 10.208.4.38
 
In the user-table output we can see that the RAP falls into the ap-role once it gets a valid inner IP address.

(Kraton_Aruba_7030) #show user-table verbose 

Fri Jan 16 14:57:13.122 2015


Users
-----
    IP              MAC            Name              Role           Age(d:h:m)  Auth    VPN link      AP name        Roaming   Essid/Bssid/Phy           Profile        Forward mode  Type   Host Name  Server       Vlan     Bwm  UaStr:ParseDisable/Flag/ShortIndex
----------     ------------       ------             ----           ----------  ----    --------      -------        -------   ---------------           -------        ------------  ----   ---------  ------       ----     ---  ----------------------------------
204.57.67.86   00:00:00:00:00:00                     logon          00:00:03    VPN                   N/A                                                               tunnel                                       0 (0)         OFF/0/0
1.1.1.2        00:00:00:00:00:00  00:0b:86:bb:4f:6e  ap-role        00:00:00    VPN     204.57.67.86  N/A                                                default-rap    tunnel                          Internal     0 (0)         OFF/0/0
10.208.28.21   f8:16:54:90:d7:b0  KRATON\juknotts    authenticated  00:00:08    802.1x                Kraton_RAP_02  Wireless  WMS2/18:64:72:7a:a4:a1/g  Kraton_802.1x  tunnel        Win 7             10.208.9.77  29 (29)       OFF/0/14
172.31.98.163  f8:16:54:90:d7:b0  KRATON\juknotts    authenticated  00:00:02    802.1x                Kraton_RAP_02  Wireless  WMS2/18:64:72:7a:a4:a1/g  Kraton_802.1x  tunnel        Win 7             10.208.9.77  29 (29)       OFF/0/14

User Entries: 4/4
 Curr/Cum Alloc:3/4 Free:0/1 Dyn:3 AllocErr:0 FreeErr:0

In the security logs we see that the IPSEC SA is deleted due to invalid cookies.

Jan 16 14:56:47 :103078:  <INFO> |ike|  IKEv2 CHILD_SA successful for peer 204.57.67.86:49154
Jan 16 14:57:14 :103063:  <DBUG> |ike|  204.57.67.86:49154-> message_recv: invalid cookie(s) e03b0e59f9343018 ff7b09bf1c440712
Jan 16 14:57:14 :103060:  <DBUG> |ike|  204.57.67.86:49154-> message.c:message_drop:2886 Message drop from 204.57.67.86 port -16382 due to notification type INVALID_COOKIE
Jan 16 14:57:58 :103063:  <DBUG> |ike|   IPSEC_deleteSaByInnerIPExtIP delete IPSEC SA 204.57.67.86:(inner:1.1.1.2)
Jan 16 14:57:58 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 204.57.67.86

Once the RAP rebooted, it came up as a CAP.

#show ap database

Fri Jan 16 14:40:03.521 2015

AP Database
-----------
Name           Group       AP Type   IP Address    Status         Flags  Switch IP    Standby IP
----           -----       -------   ----------    ------         -----  ---------    ----------

Kraton_RAP_03  Kraton_RAP  RAP-3WNP  204.57.67.86  Up 1h:38m:10s         10.208.4.38  0.0.0.0 ==============> After reboot the RAP came up as CAP.

Cause- In the ap-group the provisioning-profile is set to "default"; however, no configuration had been done in the default provisioning-profile.

ap-group "Kraton_RAP"
   virtual-ap "Kra_Home"
   virtual-ap "WMS2"
   enet1-port-profile "wport_prof-mac33"
   enet2-port-profile "wport_prof-qfo99"
   enet3-port-profile "wport_prof-xsp49"
   enet4-port-profile "wport_prof-jgf16"
   ap-system-profile "apsys_prof-jxu94"
   voip-cac-profile "Kraton_RAP_VoIP_Call_Admission_Control"
   provisioning-profile "default"  ================================================>

IKE deletes the IKE/IPSEC SAs.

Jan 16 14:57:58  authmgr[3535]: <124220> <DBUG> |authmgr|  stm_message_handler : msg_type 3099
Jan 16 14:57:58  isakmpd[3399]: <103060> <DBUG> |ike|   ipc.c:ipc_rcvcb:1846 Auth ip down message.  ip=1.1.1.2
Jan 16 14:57:58  isakmpd[3399]: <103063> <DBUG> |ike|   IPSEC_deleteSaByInnerIPExtIP delete IPSEC SA 204.57.67.86:(inner:1.1.1.2)
Jan 16 14:57:58  isakmpd[3399]: <103101> <INFO> |ike|  IPSEC SA deleted for peer 204.57.67.86

Resolution- After removing the provisioning profile from the ap-group and re-provisioning the AP as a RAP, it came up fine.

AP Database
-----------
Name           Group       AP Type   IP Address    Status     Flags  Switch IP    Standby IP
----           -----       -------   ----------    ------     -----  ---------    ----------
Kraton_RAP_01  Kraton_RAP  RAP-3WNP  204.57.67.86  Down              10.208.4.38  0.0.0.0
Kraton_RAP_02  Kraton_RAP  RAP-3WNP  10.208.6.113  Up 39m:2s         10.208.4.38  0.0.0.0
Kraton_RAP_03  Kraton_RAP  RAP-3WNP  1.1.1.3       Up     4m:30s  Rc2    10.208.4.38  0.0.0.0  ==================> After re-provisioning it came up as RAP.
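As an added diagnostic (not from the original post or from Aruba), the script below parses the fixed-width show ap database output shown above and flags the two bad states seen in this case: RAP hardware that came up without the R (Remote AP) flag, i.e. as a CAP, and a RAP that obtained an inner IP but is Down. The sample table is constructed from the page's entries plus an invented Kraton_RAP_04 row.

```python
import re

# Constructed sample modelled on the page's `show ap database` tables; Kraton_RAP_04 is
# an invented row reproducing the "inner IP but Down" state the page shows for RAP_03.
SAMPLE_AP_DB = """\
AP Database
-----------
Name           Group       AP Type   IP Address    Status     Flags  Switch IP    Standby IP
----           -----       -------   ----------    ------     -----  ---------    ----------

Kraton_RAP_01  Kraton_RAP  RAP-3WNP  204.57.67.86  Down              10.208.4.38  0.0.0.0
Kraton_RAP_02  Kraton_RAP  RAP-3WNP  10.208.6.113  Up 39m:2s         10.208.4.38  0.0.0.0
Kraton_RAP_03  Kraton_RAP  RAP-3WNP  1.1.1.3       Up 4m:30s  Rc2    10.208.4.38  0.0.0.0
Kraton_RAP_04  Kraton_RAP  RAP-3WNP  1.1.1.2       Down       Rc2    10.208.4.38  0.0.0.0
"""


def parse_ap_database(text):
    """Split fixed-width `show ap database` output into dicts keyed by column header.

    Column boundaries come from the dash ruler under the header, so a Status value
    containing spaces ("Up 39m:2s") or an empty Flags cell still parses correctly.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    for i, line in enumerate(lines):
        # The ruler is the first dashes-and-spaces line with 2+ dash runs; the single
        # "-----------" under the "AP Database" title is skipped.
        if i and re.fullmatch(r"[- ]+", line) and len(re.findall(r"-+", line)) > 1:
            header, ruler, rows = lines[i - 1], line, lines[i + 1:]
            break
    else:
        raise ValueError("no column ruler found in AP database output")
    starts = [m.start() for m in re.finditer(r"-+", ruler)]
    spans = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in spans]
    return [dict(zip(names, (row[s:e].strip() for s, e in spans))) for row in rows]


def audit_rap_entries(records):
    """Return (name, finding) pairs for RAP hardware that is not behaving as a RAP.

    In the AOS flag legend 'R' marks a Remote AP; RAP-model hardware without it has
    come up as a campus AP. A RAP holding an inner IP but Down lost its IPsec tunnel.
    """
    findings = []
    for r in records:
        rap_hardware = r["AP Type"].upper().startswith("RAP")
        has_rap_flag = "R" in r["Flags"]
        if rap_hardware and not has_rap_flag:
            findings.append((r["Name"], "no 'R' flag: came up as CAP, check provisioning-profile"))
        elif has_rap_flag and r["Status"].startswith("Down"):
            findings.append((r["Name"], f"inner IP {r['IP Address']} but Down: tunnel torn down"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rap_entries(parse_ap_database(SAMPLE_AP_DB)):
        print(f"{name}: {finding}")
```

Paste the live command output into SAMPLE_AP_DB's place to run it against a real controller; the ruler-based slicing also copes with the wider Status column seen in the second table above.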
