Controllerless Networks

Hi i have a Aruba controller setup and i try to provisiong my first RAP i have done this at other customers Aruba controllers.

But on my i get the follwoing in the log, anyone have any clue what is going on ?

CERT_ComputeCertificateHash: status :0
CERT_VerifyCertificatePolicies: CN is BG0025375::00:0b:86:6e:65:58
ismacaddress string 00:0b:86:6e:65:58  len:17
CERT_verifyRSACertSignature: decryptRSASignature failed
ike2_state.c (5572): errorCode = ERR_RSA_DECRYPTION
IKE SA failed reason = ERR_RSA_DECRYPTION, errorcode = -7702
send_sapd_error: error:50 debug_error:0

IKE_SA [v2 I] (id=0xa6cd73ac) flags 0x41000015 failed reason = ERR_RSA_DECRYPTION, errorcode = -7702

Switching output streamget_ike_version: Use IKE Version 2

papi_init papifd:12  ack:24

Regards

Peter Andersén

 

 

A couple of questions:

 

- What type of RAP are using ?

- What AOS you have installed ?

- How are trying to configure it ? RAP Whitelist or username/password ?

- Have you configured the RAP ip pool ?

Im running version 6.2.1.3

The RAP is in Whitelist

yes i have an IP Pool setup for the RAP.

 

Are the necessary ports open to allow IPSEC traffic through? UDP 4500?

The controller has a license I assume since you say the RAP is in the whitelist.

Hi

Yes, it has all ports open an i have 16 AP licenses and only using two.

I have 16 PEFNG license and also 16 RF protect so it is fully licensed.

I think there is a problem between the 6.2.1.3 code on the controller.

 

I have done a similar installation at a customer they are running 6.1.4 and it worked like charmed.

So i think this has to do with my version and the 5 version that RAP get shipped with ?

 

Or do you have any other ideeas.

 

regards

Peter

 

---

@peterandersen wrote:

Hi

Yes, it has all ports open an i have 16 AP licenses and only using two.

I have 16 PEFNG license and also 16 RF protect so it is fully licensed.

I think there is a problem between the 6.2.1.3 code on the controller.

 

I have done a similar installation at a customer they are running 6.1.4 and it worked like charmed.

So i think this has to do with my version and the 5 version that RAP get shipped with ?

 

Or do you have any other ideeas.

 

regards

Peter

 

---

What model of  remote access points?

 

Hi

RAP-2 is the model i have tested, but i did earlier test with RAP-3 before i did a factory reset and did a setup from scratch.

Since i tought i got some strange config in the controller that i could not find.

So i did a straight setup the same i have on one of my customers that works but they are running 6.1.4.

 

Regards

Peter

---

@peterandersen wrote:

Hi

RAP-2 is the model i have tested, but i did earlier test with RAP-3 before i did a factory reset and did a setup from scratch.

Since i tought i got some strange config in the controller that i could not find.

So i did a straight setup the same i have on one of my customers that works but they are running 6.1.4.

 

Regards

Peter

---

Okay.  The RAP3 requires 6.2.x and above, otherwise it will not work.

 

The question is, did RAP ever work with this particular setup or is this one new?

 

Did you do "show datapath session table | include 4500" to see the traffic when the RAP is trying to setup?

Did you do "show crypto ipsec sa" to see if the security association has been setup ?

Is this RAP on the public internet?  If so, is there a firewall in front of it doing a 1:1 NAT or does the controller have a public address?

Have you tried to terminate a RAP using the internal ip address of the controller, with a RAP internally?

The error messages in your post do not point to anything specific.

 

Hi

I tried to do a inner termination experinced the same problem SA error.

So that why i think there is some compatibility issues with the 6.2.1.3 relaese with the RAP.

Yes NAt is setup this is where i changed my conf before i had a public IP on the Aruba mobility controller and got the same error.

 

regards

Peter

---

@peterandersen wrote:

Hi

I tried to do a inner termination experinced the same problem SA error.

So that why i think there is some compatibility issues with the 6.2.1.3 relaese with the RAP.

Yes NAt is setup this is where i changed my conf before i had a public IP on the Aruba mobility controller and got the same error.

 

regards

Peter

---

We have controllers that work with that release with RAPs terminating, so it could be specific to your setup.  You probably want to open up a TAC case so that they can take a detailed look at your security logs and your configuration in parallel.

I have open a tac case, so i will see aht they say, it must be something that differs from the other realese since i had it running with to other customer straight out of the box.

 

Regards

peter A

 

---

@peterandersen wrote:

I have open a tac case, so i will see aht they say, it must be something that differs from the other realese since i had it running with to other customer straight out of the box.

 

Regards

peter A

 

---

Anything is possible.   On the forum here, we would only be guessing and that could prove frustrating for you.