Issues converting an IAP205 to a RAP over VPN

  • 1.  Issues converting an IAP205 to a RAP over VPN

    Posted Oct 25, 2016 12:32 PM

    We are attempting to convert an IAP205 to a RAP for home office use. 

    Input the public facing IP of the firewall and the NAT rules are set up to route to the Master Controller at HQ. Port 4500 is also open.

    Have also tried to statically set the IP address that the AP will get from the HQ network but no method has worked. The FW also is not seeing any hits to the table.

     

    Have worked with TAC for 5 hours on this so far, but no resolution.


    Help anyone? Thank you in advance



  • 2.  RE: Issues converting an IAP205 to a RAP over VPN

    Posted Oct 25, 2016 01:21 PM

    We need more information on your setup. You say you are trying to convert to a RAP "over VPN". Do you mean that the location where the RAP is has an existing VPN connection to the corporate location, or do you simply mean "RAP over VPN"?

     

    Some things to check:

    - Does your firewall see any incoming requests from the IAP's external IP?

    - If so, confirm you have UDP 4500 open and not TCP 4500

    - On the IAP, have you looked at "show log convert" to see if you have any details in there?

    - If the answer to my first question is that the RAP is at a site with an existing VPN connection back to the controller site, try to see if you can convert using the internal IP of the controller. Some firewalls do not like the traversal from internal to external IPs and then back in.

     



  • 3.  RE: Issues converting an IAP205 to a RAP over VPN

    Posted Oct 25, 2016 01:38 PM

    Hey thanks for replying........

     

    So to answer your questions:

     

    - it first was an attempt to RAP over VPN, failure to set up VPN

     

    - we did convert it to a RAP connected directly to the controller, and then brought it to a remote location with DHCP handoff from an ISP router, was not able to reach the controller through VPN again

     

    - not seeing any hits on the FW when we attempt to start the VPN connection

     

    - UDP 4500 is open



  • 4.  RE: Issues converting an IAP205 to a RAP over VPN

    Posted Oct 25, 2016 02:53 PM

    Can you confirm the ISP router is not blocking anything; specifically allowing NAT-T (UDP 4500)?

     

    If you can convert it locally; but when remote you do not see any hits on your firewall; it is likely an issue at the remote site or ISP blocking something.

     

    Do you have the ability to try another site/location?  Perhaps your home?



  • 5.  RE: Issues converting an IAP205 to a RAP over VPN

    Posted Oct 26, 2016 11:57 AM

    TAC tried to replicate the request from their lab but got no response from the FW, they wiresharked the test and sent the results, no reply from the FW. Checked with the office ISP just in case any ports are being blocked, but no. 

     

    I never thought this would be so problematic. I'm still trying to ascertain who needs to take the lead to resolve the issue; my network engineers or TAC. 



  • 6.  RE: Issues converting an IAP205 to a RAP over VPN

    Posted Oct 28, 2016 08:48 AM

    If TAC tried to connect to your controller with their own RAP and you still got no hit on the firewall, then this is something on your end (or the ISP).

     

    If possible, position the RAP right outside the firewall interface and try. This would rule out any ISP issue and focus on the firewall.
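
Added example, not part of the thread: a small probe for the "UDP 4500, not TCP 4500" and "does the firewall see any hits" checks discussed above. It sends one datagram framed the way RFC 3948 frames IKE on UDP 4500, so the firewall log should show the hit, and it labels whatever comes back or appears in a capture. The bare IKEv2-style header is an assumption chosen for illustration, not what the AP itself sends, and a healthy gateway may stay silent on it.

```python
import os
import socket
import struct
import sys

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: precedes IKE on UDP 4500
IKE_HEADER_LEN = 28

def build_ike_probe(initiator_spi=None):
    """Non-ESP marker + bare IKEv2 header (IKE_SA_INIT, no payloads)."""
    spi = initiator_spi or os.urandom(8)
    header = struct.pack("!8s8sBBBBII",
                         spi, b"\x00" * 8,  # initiator / responder SPI
                         0,                 # next payload: none
                         0x20,              # version 2.0
                         34,                # exchange type IKE_SA_INIT
                         0x08,              # flags: initiator bit
                         0,                 # message ID
                         IKE_HEADER_LEN)    # total length: header only
    return NON_ESP_MARKER + header

def classify_4500(payload):
    """Label a UDP 4500 payload (e.g. copied from a capture) by its framing."""
    if payload == b"\xff":
        return "nat-keepalive"              # single 0xFF byte
    if payload[:4] == NON_ESP_MARKER:
        return "ike" if len(payload) >= 4 + IKE_HEADER_LEN else "unknown"
    if len(payload) > 4:
        return "esp-in-udp"                 # non-zero SPI comes first
    return "unknown"

def probe(host, port=4500, timeout=3.0):
    """Send one probe over UDP; return the reply's label, or None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ike_probe(), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except OSError:                     # timeout or ICMP unreachable
            return None
        return classify_4500(data)

if __name__ == "__main__":
    # Usage: python probe.py <public IP of your own firewall>
    result = probe(sys.argv[1])
    print("reply:", result if result else "none (check the firewall log for the hit)")
```

Run it from outside the firewall while watching the firewall's log: a logged hit with no reply points past the NAT rule, and no logged hit points at the path before the firewall.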