Controllerless Networks

New Contributor

IAP to Controller via IPSEC ?

Hello all,

 

I'm a newbie on Aruba. I have two 7010 controllers as a cluster (ArubaOS 8.2.2.3). I'm using all APs normally in HQ. But I located 2 IAPs at my remote location, which we connected via IPSEC VPN (via firewalls). But I cannot provision my remote IAPs. I'm sharing the logs with you. Can you please help me with the configuration I need? Thanks.

 

#show log system 10 | include 192.168.50
Nov 8 10:34:20 :311020: <ERRS> |AP b0:b8:67:c9:21:2c@192.168.50.111 sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4530 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKEV2_TIMEOUT. Ipsec not successful after reboot.
Nov 8 10:34:44 :305049: <3801> <WARN> |stm| Unsecure AP "b0:b8:67:c9:21:2c" (MAC b0:b8:67:c9:21:2c, IP 192.168.50.111) has been denied access because Control Plane Security is enabled and the AP is not approved.
Nov 8 10:35:29 :305049: <3801> <WARN> |stm| Unsecure AP "b0:b8:67:c9:21:2c" (MAC b0:b8:67:c9:21:2c, IP 192.168.50.111) has been denied access because Control Plane Security is enabled and the AP is not approved.
Nov 8 10:36:31 :311002: <WARN> |AP b0:b8:67:c9:21:2c@192.168.50.111 sapd| Rebooting: SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
Nov 8 10:36:33 :303086: <ERRS> |AP b0:b8:67:c9:21:2c@192.168.50.111 nanny| Process Manager (nanny) shutting down - AP will reboot!
Nov 8 10:37:34 :303022: <WARN> |AP b0:b8:67:c9:21:2c@192.168.50.111 nanny| Reboot Reason: AP rebooted Fri Nov 8 10:36:33 +03 2019; SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
Nov 8 10:49:05 :311020: <ERRS> |AP b0:b8:67:c9:22:18@192.168.50.55 sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4525 error redun_retry_tunnel: Ipsec not successful to saved lms. Error:RC_ERROR_IKEV2_TIMEOUT. rebooting.
Nov 8 10:49:06 :311002: <WARN> |AP b0:b8:67:c9:22:18@192.168.50.55 sapd| Rebooting: Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_IKEV2_TIMEOUT
Nov 8 10:49:06 :303086: <ERRS> |AP b0:b8:67:c9:22:18@192.168.50.55 nanny| Process Manager (nanny) shutting down - AP will reboot!
Nov 8 10:50:07 :303022: <WARN> |AP b0:b8:67:c9:22:18@192.168.50.55 nanny| Reboot Reason: AP rebooted Wed Dec 31 16:24:13 PST 1969; Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_IKEV2_TIMEOUT

Guru Elite

Re: IAP to Controller via IPSEC ?

It looks like your access points are connecting as Campus APs but are not in the CPSEC whitelist.  What model numbers are these access points, and do you have auto cert provisioning enabled in your CPSEC whitelist?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
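
The log excerpt from the question, grouped per AP so the failure sequence described in the reply above is visible at a glance. This is an added example, not part of any post in this thread and not Aruba tooling; the names triage, SIGNS and SAMPLE are made up for the illustration, and the match strings are taken from the messages in the excerpt.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# AP-originated lines carry "|AP <mac>@<ip> <process>|"; controller-side stm
# lines carry "(MAC <mac>, IP <ip>)" instead.
AP_TAG = re.compile(rf"\|AP ({MAC})@([\d.]+) \w+\|", re.I)
STM_TAG = re.compile(rf"\(MAC ({MAC}), IP ([\d.]+)\)", re.I)
# Substrings from the messages in the excerpt, mapped to short labels.
SIGNS = {
    "RC_ERROR_IKEV2_TIMEOUT": "ikev2_timeout",
    "Switching to clear": "fell_back_to_clear",
    "Control Plane Security is enabled and the AP is not approved": "cpsec_denied",
    "AP will reboot": "reboot",
}

# Lines copied from the question's excerpt; the file/function preamble of the
# two sapd messages is cut to "..." to keep the sample short.
SAMPLE = """\
Nov 8 10:34:20 :311020: <ERRS> |AP b0:b8:67:c9:21:2c@192.168.50.111 sapd| ... redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKEV2_TIMEOUT. Ipsec not successful after reboot.
Nov 8 10:34:44 :305049: <3801> <WARN> |stm| Unsecure AP "b0:b8:67:c9:21:2c" (MAC b0:b8:67:c9:21:2c, IP 192.168.50.111) has been denied access because Control Plane Security is enabled and the AP is not approved.
Nov 8 10:36:33 :303086: <ERRS> |AP b0:b8:67:c9:21:2c@192.168.50.111 nanny| Process Manager (nanny) shutting down - AP will reboot!
Nov 8 10:49:05 :311020: <ERRS> |AP b0:b8:67:c9:22:18@192.168.50.55 sapd| ... Ipsec not successful to saved lms. Error:RC_ERROR_IKEV2_TIMEOUT. rebooting.
Nov 8 10:49:06 :303086: <ERRS> |AP b0:b8:67:c9:22:18@192.168.50.55 nanny| Process Manager (nanny) shutting down - AP will reboot!
""".splitlines()

def triage(lines):
    """Return {mac: {"ip": str, "events": {label: count}}} for every AP seen."""
    aps = defaultdict(lambda: {"ip": None, "events": defaultdict(int)})
    for line in lines:
        m = AP_TAG.search(line) or STM_TAG.search(line)
        if not m:
            continue  # line cannot be attributed to a single AP
        mac, ip = m.group(1).lower(), m.group(2)
        aps[mac]["ip"] = ip
        for needle, label in SIGNS.items():
            if needle in line:
                aps[mac]["events"][label] += 1
    return {mac: {"ip": d["ip"], "events": dict(d["events"])} for mac, d in aps.items()}

if __name__ == "__main__":
    for mac, info in triage(SAMPLE).items():
        print(mac, info["ip"], info["events"])
```
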
New Contributor

Re: IAP to Controller via IPSEC ?

The AP model is 305. The working APs appear in the CampusAPs section. Actually, I'm not sure what CPSEC is. But I attached a CPSEC screenshot as an attachment.

Guru Elite

Re: IAP to Controller via IPSEC ?

Did you say that there was a firewall between the remote location and the controller?


New Contributor

Re: IAP to Controller via IPSEC ?

Absolutely yes. The firewalls provide the IPSEC VPN. But all ports and services are allowed for the APs' and the AP controller's IPs. I attached a detailed network diagram.

MVP Guru

Re: IAP to Controller via IPSEC ?

Did you add the AP's MAC address to the RAP-Whitelist?

Are you attempting to use IAP-VPN or as a RAP?

Is this the MAC address of the AP? b0:b8:67:c9:21:2c

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor

Re: IAP to Controller via IPSEC ?

Actually, I have no idea what IAP-VPN and RAP are. I think I need a detailed guide for setup. Also, I added a screenshot; methinks it's the RAP WhiteList.

Thanks.
