Controllerless Networks

last person joined: 2 days ago 

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
Back to discussions
Expand all | Collapse all

Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

This thread has been viewed 3 times

  • 1.  Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Nov 17, 2014 10:46 AM

    I am not able to convert Rap-155 to remote AP on 3200 controller.

     

    They are both on the most current release of firmware, attached is the convert error log from the rap-155

     

    Thanks!

     

     



  • 2.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Nov 17, 2014 10:50 AM
    - Do you add the MAC address to whitelist ?
    - created a VPN pool ?
    - are you allowing port 4500/Udp on your firewall ?


  • 3.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Nov 17, 2014 10:52 AM

    Yes, to all of the above questions



  • 4.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Nov 17, 2014 10:51 AM 
    Target : 00:0b:86:9e:11:7d


show vpn status


profile name:default
--------------------------------------------------
current using tunnel                            :unselected tunnel
ipsec is preempt status                         :disable
ipsec is fast failover status                   :disable
ipsec hold on period                            :600
ipsec tunnel monitor frequency (seconds/packet) :5
ipsec tunnel monitor timeout by lost packet cnt :2

ipsec     primary tunnel crypto type            :Cert
ipsec     primary tunnel peer address           :192.168.22.15
ipsec     primary tunnel peer tunnel ip         :0.0.0.0
ipsec     primary tunnel ap tunnel ip           :0.0.0.0
ipsec     primary tunnel current sm status      :Retrying
ipsec     primary tunnel tunnel status          :Down
ipsec     primary tunnel tunnel retry times     :110
ipsec     primary tunnel tunnel uptime          :0

ipsec      backup tunnel crypto type            :Cert
ipsec      backup tunnel peer address           :N/A
ipsec      backup tunnel peer tunnel ip         :N/A
ipsec      backup tunnel ap tunnel ip           :N/A
ipsec      backup tunnel current sm status      :Init
ipsec      backup tunnel tunnel status          :Down
ipsec      backup tunnel tunnel retry times     :0
ipsec      backup tunnel tunnel uptime          :0
end of show vpn status
========================================================

show upgrade info

Image Upgrade Progress
----------------------
Mac                IP Address      AP Class  Status    Image Info  Error Detail
---                ----------      --------  ------    ----------  ------------
00:0b:86:9e:11:7d  192.168.12.145  Aries     image-ok  image file  none
Auto reboot           :enable
Use external URL      :enable
end of show upgrade info
========================================================

show log upgrade
----------Download log start----------
download log not available
----------Download log end------------
Download status: incomplete
----------Upgrade log start----------
upgrade log not available
----------Upgrade log end------------
Upgrade status: upgrade status not available
end of show log upgrade
========================================================

show log rapper
Nov 17, 15:01:00: IKE_CUSTOM_getVersion(peerAddr:c0a8160f): ikeVersion:2
Timer ID: 1 Initialized 
Nov 17, 15:01:00: IKE2_newSa(peerAddr:c0a8160f): IKE_SA-lifetime:28000
  I -->
Nov 17, 15:01:00: OutSa(v2-peerAddr:0 pxSa->dwPeerAddr:c0a8160f): Entered
     ENCR_AES 256-BITS
     PRF_HMAC_SHA1
     AUTH_HMAC_SHA1_96
     DH_2
   NAT_D (us): fd aa 7d c0 f4 e5 c6 73 bd a6 53 29 e6 73 86 e6 
ae c5 65 f5 
   NAT_D (peer): e7 b7 05 50 bf ad b6 ee 7a bb 60 be 6a 91 27 8f 
51 1f 90 7a 
Nov 17, 15:01:00: RAPPER_ERROR_FILE exists 

Nov 17, 15:01:00: AP err cookie retval 9 cookie:4618a4f63cdb4536 err 2b

Nov 17, 15:01:00: RAPPER_ERROR_FILE exists 

Nov 17, 15:01:00: AP err cookie retval 9 cookie:4618a4f63cdb4536 err 2b

Nov 17, 15:01:00: RAPPER_ERROR_FILE exists 

Nov 17, 15:01:00: AP err cookie retval 9 cookie:4618a4f63cdb4536 err 2b

Nov 17, 15:01:00: RAPPER_ERROR_FILE exists 

Nov 17, 15:01:00: AP err cookie retval 9 cookie:4618a4f63cdb4536 err 2b

Nov 17, 15:01:00: RAPPER_ERROR_FILE exists 

Nov 17, 15:01:00: AP err cookie retval 9 cookie:4618a4f63cdb4536 err 2b

 spi={6defde9680a2b8fa 0000000000000000} np=SA
 exchange=IKE_SA_INIT msgid=0 len=380
#SEND 384 bytes to 192.168.22.15[4500] (0.0)(pid:14882)  time:2014-11-17 15:01:00

Nov 17, 15:01:00: IKE_SAMPLE_ikeXchgSend Successfully setsockopt UDP_ENCAP port 65059

IKE_EXAMPLE: IKE_keyConnect() started, id = 0xNov 17, 15:01:00: IKE_EXAMPLE: IKE_keyConnect() started, id = 0x on device br0
e9afcb16...
Nov 17, 15:01:00: papi:15200

#RECV 60 bytes from 192.168.22.15[4500] (0.0)(pid:14882)  time:2014-11-17 15:01:00

 spi={6defde9680a2b8fa 0000000000000000} np=N
 exchange=IKE_SA_INIT msgid=0 len=56
  I <--
   Notify: COOKIE
 spi={6defde9680a2b8fa 0000000000000000} np=N
 exchange=IKE_SA_INIT msgid=0 len=408
#SEND 412 bytes to 192.168.22.15[4500] (0.0)(pid:14882)  time:2014-11-17 15:01:00


#RECV 417 bytes from 192.168.22.15[4500] (0.0)(pid:14882)  time:2014-11-17 15:01:00

 spi={6defde9680a2b8fa 910d03d3eef556f5} np=SA
 exchange=IKE_SA_INIT msgid=0 len=413
  I <--
    Proposal #1: IKE[4]
     ENCR_AES 256-BITS
     PRF_HMAC_SHA1
     AUTH_HMAC_SHA1_96
     DH_2
   Notify: NAT_DETECTION_SOURCE_IP
   Notify: NAT_DETECTION_DESTINATION_IP
   NAT_D (us/NAT): f5 c4 97 91 6f 34 cf d1 69 04 e3 60 0c 4a 72 c0 
8f 91 fc b3 
   VID: 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 
Nov 17, 15:01:00: Fragmentation is enabled
  I -->
   Notify: INITIAL_CONTACT
Nov 17, 15:01:00: OutCert: adding leaf Cert of Len:1574
Nov 17, 15:01:00: RAPPER priority old: -19, set to -20

 (0.0)(pid:14882)  time:2014-11-17 15:01:00

   HASH_i bc 1f fa 74 0b 6b 37 f9 d5 fc 00 16 98 da 2f dd 
bd da 3f f0 
Nov 17, 15:01:00: OutAuth TPM sign api failed with return-code:-1
 (0.0)(pid:14882)  time:2014-11-17 15:01:00

Nov 17, 15:01:00: IKE_SAMPLE_ikeStatHdlr(CHILD_SA): dwPeerAddr:c0a8160f index:0 mPeerType:0
Nov 17, 15:01:00: IKE SA failed reason = ERR_TPM_SIGN_FAIL, errorcode = -90001 ikeVer 2
Nov 17, 15:01:00: send_sapd_error: InnerIP:0  error:43 debug_error:-90001


  • 5.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    EMPLOYEE
    Posted Nov 17, 2014 10:51 AM

    Factory reset the AP.



  • 6.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Nov 17, 2014 10:53 AM

    I have factory reset the AP twice manually, I will try doing it from the web interface now.



  • 7.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Nov 17, 2014 11:54 AM

    I have tried factory resetting the device, it still won't convert, same error. Any other assistance would be greatly appreciated! Thanks! 



  • 8.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Nov 17, 2014 12:19 PM
    Is your controller on AOS 6.3?


  • 9.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Nov 17, 2014 12:33 PM
    @victorfabian wrote:
    Is your controller on AOS 6.3?

    Yes



  • 10.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Nov 17, 2014 01:30 PM

    Is there any other information I can provide for you guys?



  • 11.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Nov 17, 2014 04:18 PM

    bump



  • 12.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    EMPLOYEE
    Posted Nov 17, 2014 04:23 PM

    Keithlamar,

     

    What is the exact version of Code on the Controller and what is the version of Instant code on the 155?

     

     



  • 13.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    EMPLOYEE
    Posted Nov 18, 2014 02:33 PM

    keithlamar,

     

    Please open a TAC case for this AP and PM me the ticket number.



  • 14.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Dec 02, 2016 03:18 PM

    I am currently having this problem, and have opened a TAC case. Did you ever come to a resolution?



  • 15.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Dec 02, 2016 03:28 PM

    here is some output from the RAP


    9c:1c:12:cb:1d:46# show log rapper-brief
    2016-12-02 20:24:04 RECV: f8b9dfe909f34859 : 6565f5b360972420 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:04 RECV: f8b9dfe909f34859 : 6565f5b360972420 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:04 RECV: f8b9dfe909f34859 : 6565f5b360972420 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:04 RECV: f8b9dfe909f34859 : 6565f5b360972420 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:04 RECV: f8b9dfe909f34859 : 6565f5b360972420 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:04 RECV: f8b9dfe909f34859 : 6565f5b360972420 , np=46, EXHG: IKE_AUTH
    2016-12-02 20:24:04IKE FAILED err: RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 20:24:33 ConnectTo: 192.168.42.23
    2016-12-02 20:24:34 SEND: 2bf3b68674e44305 : 0000000000000000 , np=33, EXHG: IKE_SA_INIT
    2016-12-02 20:24:34 RECV: 2bf3b68674e44305 : 0000000000000000 , np=41, EXHG: IKE_SA_INIT
    2016-12-02 20:24:34 SEND: 2bf3b68674e44305 : 0000000000000000 , np=41, EXHG: IKE_SA_INIT
    2016-12-02 20:24:34 RECV: 2bf3b68674e44305 : 4d88d91f31988476 , np=33, EXHG: IKE_SA_INIT
    2016-12-02 20:24:35 SEND: 2bf3b68674e44305 : 4d88d91f31988476 , np=46, EXHG: IKE_AUTH
    2016-12-02 20:24:35 RECV: 2bf3b68674e44305 : 4d88d91f31988476 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:35 RECV: 2bf3b68674e44305 : 4d88d91f31988476 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:35 RECV: 2bf3b68674e44305 : 4d88d91f31988476 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:35 RECV: 2bf3b68674e44305 : 4d88d91f31988476 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:35 RECV: 2bf3b68674e44305 : 4d88d91f31988476 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:35 RECV: 2bf3b68674e44305 : 4d88d91f31988476 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:35 RECV: 2bf3b68674e44305 : 4d88d91f31988476 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:35 RECV: 2bf3b68674e44305 : 4d88d91f31988476 , np=132, EXHG: IKE_AUTH
    2016-12-02 20:24:35 RECV: 2bf3b68674e44305 : 4d88d91f31988476 , np=46, EXHG: IKE_AUTH
    2016-12-02 20:24:35IKE FAILED err: RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED

     

    9c:1c:12:cb:1d:46# show log rapper-counter
    AP Mac: 9c:1c:12:cb:1d:46
    TIME PEER IP COOKIES SPI EXCH ERR
    ---- ------- ------- --- ---- ---
    2016-12-02 19:32:07 | 192.168.42.23 | {532c22eec2ab52ba : 7c7caf046f336fec} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 19:32:39 | 192.168.42.23 | {0ed614d0d9d9675e : 99bb4109970daf53} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 19:33:12 | 192.168.42.23 | {da5e48e211681fe4 : 558b9efd480072f8} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 19:33:43 | 192.168.42.23 | {57d77fd1ef2e3aac : 0d821bc24a0af796} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 19:34:14 | 192.168.42.23 | {731c8e24567e59c9 : 2ac113a2bd8774fe} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 19:34:46 | 192.168.42.23 | {99553d6b53a5a9ff : 9e576b7bf7ad252b} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 19:35:17 | 192.168.42.23 | {5a26dfae4fb000a9 : 741fa1f630cd6c2e} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 19:35:48 | 192.168.42.23 | {85b0caa71caca589 : 004fe1c992e5d5e1} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 19:36:20 | 192.168.42.23 | {d8756817998e8694 : 9e44b054df311094} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 19:36:52 | 192.168.42.23 | {c28b01d5bbf51ede : c3abecfbe2ce3c28} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 19:37:25 | 192.168.42.23 | {fa2c92481156eea0 : 4f9c5a834cd3373c} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 19:37:57 | 192.168.42.23 | {f9aebe387c718915 : 1fe8a44cca438c3d} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2016-12-02 19:38:28 | 192.168.42.23 | {85ebf9a4e9fc92d3 : 3d47e36846626bcd} | {0x00000000 : 0x00000000} | IKE_AUTH | RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED

     



  • 16.  RE: Cannot convert rap-155 IKE SA failed reason ERR_TPM_SIGN_FAIL

    Posted Dec 02, 2016 03:21 PM

    I have come across what seems to be the same issue. Did you ever come to a resolution?