Controllerless Networks

Occasional Contributor II

Convert IAP to RAP error (AOS8 + Mobility Master)

I have an issue with RAP in a new deployment with two VMMs and 1x 7210 Mobility Controller (for now; then I'll add two controllers).

 

The problem is when I try to convert an IAP to RAP: the Mobility Controller (MD) is behind a NAT that is configured for the Mobility Controller DMZ IP address <PUBLIC_IPADDR: 4500> -> <DMZ_IPADDR_MC: 4500>. The firewall can reach the Mobility Controller DMZ IP address.

 

I already configured VPN-POOL, enabled NAT-T, configured “Shared Secret”, RAP Whitelist and also created a local user with an AP-ROLE, but it still doesn't work.

 

I see the 4500 UDP port on the Mobility Controller with the command “show datapath session | include 4500”

 

datapath.png

But when I run the command “show crypto ipsec sa” I see only the Mobility Device session with the Virtual Mobility Master.

 

ipsec.png

I find the output below strange; it appeared when I ran the command “show log security all”.


Feb 23 17:53:39 :103063: <3600> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-local-master-ipsecmap

 

I already have a tunnel established with Virtual Mobility Master, can this be a problem?

 

Has anyone experienced this problem?


I have some environments working with RAP; the only difference in this new scenario is the VMMs.

Network Engineer | ACMP | ACSP | ACEP | ACCX#1231
Occasional Contributor II

Re: Convert IAP to RAP error (AOS8 + Mobility Master)

Could you post the output of the following commands:

 

show vpdn l2tp local pool

show crypto isakmp sa
show log system 
show user-table verbose

Occasional Contributor II

Re: Convert IAP to RAP error (AOS8 + Mobility Master)

Hi Ankyt, thanks for replying.

In addition to the logs you requested, I also posted:

 

sh log security all

IAP to RAP convert log error

 

Thanks.

Network Engineer | ACMP | ACSP | ACEP | ACCX#1231
Occasional Contributor II

Re: Convert IAP to RAP error (AOS8 + Mobility Master)

I went through the logs and found some error messages in system logs.

It seems your controller is in disaster recovery mode and there is a config sync issue. Please find the logs for the same below:

 

Feb 24 12:12:43 cfgm[3524]: <399814> <3524> <DBUG> |cfgm| handle_read: State(READY:CONFIG DISASTER RECOVERY:CFGID-88:PEND-88:INITCFGID:64) FD=33:Ignoring config sync as LC is in Disaster Recovery Mode, masterid=88 myid=88.

 

Validate the config sync issue by running the command #show switches.

 

Please disable the disaster recovery mode if it is enabled. Once it is disabled, check the controller status again by running the command #show switches.

 

Could you please validate the license as well by running the command #show ap license-usage?

 

Please let me know the OS version of the controller and IAP.
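An added example (my code, not from the thread or from Aruba): a small Python triage script that parses ArubaOS log lines in the format quoted in this thread and flags the two conditions raised so far, the cfgm "Ignoring config sync ... Disaster Recovery Mode" message and the IKE "duplicate mapname" message. The line-format regex, the field names and the third "healthy" sample line are my assumptions; the first two sample lines are the ones quoted in the thread.

```python
"""Triage ArubaOS log lines for the two conditions discussed in this thread."""
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the lines pasted in the thread (ArubaOS "show log system" / "show log security"):
#   Feb 24 12:12:43 cfgm[3524]: <399814> <3524> <DBUG> |cfgm| handle_read: ...
#   Feb 23 17:53:39 :103063: <3600> <DBUG> |ike| exchange_start_ikev2 ...
# The regex below is an assumption derived from those two lines, not an official grammar.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<proc>[\w-]+)\[\d+\]: )?"                 # optional "cfgm[3524]: "
    r"(?:<(?P<msgid_a>\d+)> |:(?P<msgid_b>\d+): )?"   # message id, either notation
    r"<(?P<pid>\d+)> <(?P<sev>[A-Z]+)> "
    r"\|(?P<mod>[\w-]+)\| (?P<msg>.*)$"
)

# Config sync skipped because the managed device is in Disaster Recovery mode.
DR_RE = re.compile(r"Disaster Recovery Mode, masterid=(?P<master>\d+) myid=(?P<my>\d+)")
# IKEv2 pre-connect check hit an IPsec map name that is already in use.
DUP_MAP_RE = re.compile(r"duplicate mapname:(?P<map>\S+)")


@dataclass
class LogEntry:
    ts: str
    proc: Optional[str]
    msgid: Optional[str]
    sev: str
    mod: str
    msg: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Split one ArubaOS log line into fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return LogEntry(
        ts=m["ts"],
        proc=m["proc"],
        msgid=m["msgid_a"] or m["msgid_b"],
        sev=m["sev"],
        mod=m["mod"],
        msg=m["msg"],
    )


def classify(entry: LogEntry) -> Optional[dict]:
    """Return a finding dict for the conditions we care about, else None."""
    if entry.mod == "cfgm":
        m = DR_RE.search(entry.msg)
        if m:
            return {
                "ts": entry.ts,
                "kind": "config_sync_ignored_disaster_recovery",
                "masterid": int(m["master"]),
                "myid": int(m["my"]),
            }
    if entry.mod == "ike":
        m = DUP_MAP_RE.search(entry.msg)
        if m:
            return {"ts": entry.ts, "kind": "ike_duplicate_ipsec_map", "mapname": m["map"]}
    return None


def triage(lines):
    """Parse every line, keep only the findings, in input order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not an ArubaOS log line (or a format we did not model)
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


# Sample input: the two lines quoted in the thread plus one constructed line that
# looks healthy (UPDATE SUCCESSFUL state) and must produce no finding.
SAMPLE_LINES = [
    "Feb 23 17:53:39 :103063: <3600> <DBUG> |ike| exchange_start_ikev2 pre-connect check "
    "duplicate mapname:default-local-master-ipsecmap",
    "Feb 24 12:12:43 cfgm[3524]: <399814> <3524> <DBUG> |cfgm| handle_read: "
    "State(READY:CONFIG DISASTER RECOVERY:CFGID-88:PEND-88:INITCFGID:64) FD=33:"
    "Ignoring config sync as LC is in Disaster Recovery Mode, masterid=88 myid=88.",
    # constructed line, not from the thread
    "Feb 24 12:13:01 cfgm[3524]: <399814> <3524> <DBUG> |cfgm| handle_read: "
    "State(READY:UPDATE SUCCESSFUL:CFGID-89:PEND-0:INITCFGID:64) FD=33:"
    "Applying config, masterid=89 myid=89.",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f)
```

Feed it the saved output of "show log system" and "show log security all" (one line per entry); a Disaster Recovery finding tells you config sync is being skipped, which is what the poster above is pointing at, and the IKE duplicate-mapname finding records which IPsec map collided so it can be compared against "show crypto isakmp sa".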

 

Super Contributor I

Re: Convert IAP to RAP error (AOS8 + Mobility Master)

Have you tried disabling the NAT-T setting and testing again? You shouldn't need to enable that if you're already allowing UDP 4500 and you have the translation set up on your upstream device.

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX#509 | ACCP | ACSA | ACDA | ACEA | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!

Re: Convert IAP to RAP error (AOS8 + Mobility Master)

Hi 

 

Please keep in mind that when you work with a cluster you need to have a different config for the RAPs than without a cluster. I am assuming you are creating a cluster out of the two 7210s.

 

Where did you create the VPN pool? At what level?

 

 

Cheers, Frank
AirHeads MVP |AMFX#22| ACCX#613| ACMX#733| ACDX#744

If you like my posts, kudo's are welcome. If it solves your problem, please click 'Accept as Solution'
Occasional Contributor II

Re: Convert IAP to RAP error (AOS8 + Mobility Master)

Hi,

The Controller was in Disaster Recovery mode, but at the time of the logs it was already in Update Successful status.

 

#show ap license-usage

Annotation 2020-02-24 215853.png

 

Mobility Controller Version: 8.6.0.2_73853

IAP Version: 8.6.0.2 (build 73853)

 

Thanks,

Network Engineer | ACMP | ACSP | ACEP | ACCX#1231
Occasional Contributor II

Re: Convert IAP to RAP error (AOS8 + Mobility Master)

Hi Dustin-Burns,

 

I hadn't tried to disable NAT-T before.

 

Next Thursday I will disable NAT-T on the Controller and analyze the traffic on the customer's firewall.

 

I'll update you.

Network Engineer | ACMP | ACSP | ACEP | ACCX#1231
Occasional Contributor II

Re: Convert IAP to RAP error (AOS8 + Mobility Master)

Hi mrtwentytwo,

 

Yes, I understand that in the cluster I need to create the VPN pool at the MM level,

 

Annotation 2020-02-24 222716.png

But at the moment I have only 1x 7210 and I haven't configured a cluster, I will configure the cluster only when the second controller arrives at the customer.

 

As I don't have a cluster configured, I configured the RAP VPN pool at the "Managed Device" level.

 

Annotation 2020-02-24 223501.png

 

Thanks,

 

 

Network Engineer | ACMP | ACSP | ACEP | ACCX#1231
Guru Elite

Re: Convert IAP to RAP error (AOS8 + Mobility Master)

Nothing you have configured looks wrong, so far.

 

Two suggestions:

- Try to convert an IAP from "inside" your network first (yes it will work).

- Open an Aruba Technical Support case in parallel to this post.  http://www.arubanetworks.com/support-services/support-program/contact-support


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide