Frequent Contributor II

Come and help: the laughable Aruba Beijing 400-810-6618 female support rep answers questions she knows nothing about; also, can any expert take a look at where the IPsec fault lies

The details of the joke with the Aruba 400 support rep in Beijing are at the link below. After testing and consulting the documentation, here is the definite answer for everyone:

1. When a RAP connects to the controller in Bridge or Tunnel mode, only an AP license is needed; PEF is not required.

2. If the RAP connects to the controller in Split-Tunnel mode, a PEF license is required.

https://community.arubanetworks.com/t5/%E4%B8%AD%E6%96%87%E8%AE%A8%E8%AE%BA%E5%8C%BA/%E5%BC%BA%E7%83%88%E9%84%99%E8%A7%86%E8%B0%B4%E8%B4%A3%E4%B8%AD%E5%9B%BD%E5%8C%97%E4%BA%ACAruba-400-8106618%E7%9A%84%E5%A5%B3%E5%AE%A2%E6%88%B7%E6%94%AF%E6%8C%81%E4%...

Frequent Contributor II

Re: Come and help: the laughable Aruba Beijing 400-810-6618 female support rep answers questions she knows nothing about; also, can any expert take a look at where the IPsec fault lies

[Image attachment: 托管环境.jpg (hosted-environment topology)]

At present I have the test environment shown above.

1. The VMC running AOS 8.3 is a controller hosted on the public Internet. The controller's external IP is 47.104.193.111; this is a 1:1 NAT from the public firewall to the VMC's VLAN 1 IP, 172.31.4.51. Here is the VMC command output:

(AOS83) [mynode] #show ip interface bri

Interface IP Address / IP Netmask Admin Protocol VRRP-IP
vlan 1 172.31.4.51 / 255.255.240.0 up up
loopback 172.31.4.52 / 255.255.255.255 up up

2. The RAP side is just an ordinary home router Internet connection; the internal subnet is 192.168.100.xx.

The router's LAN interface IP is 192.168.100.222. The RAP obtains its IP from the home router automatically and gets online. The home router's WAN IP is also assigned by the ISP via DHCP; after the ISP's NAT, the IP that finally appears on the public Internet is 47.104.193.111. Because there are multiple layers of NAT in the path, NAT-T is enabled on the VMC.

3. The RAP connects to the VMC with a pre-shared key. Here is the VMC command output:

[Screenshot attachment: QQ截图20180628112358.png]

Here is the RAP's routing table, checked after it has booted:
~ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
47.104.193.111 192.168.100.222 255.255.255.255 UGH -3 0 0 br0
172.31.4.52 0.0.0.0 255.255.255.255 UH 0 0 0 tun0   <- this IP is the VMC's loopback interface
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 br0   <- this IP was obtained via DHCP from the home router
192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 br0   <- where this IP comes from is explained below
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 tun0
0.0.0.0 192.168.100.222 0.0.0.0 UG -3 0 0 br0
~ # ping 192.168.11.1   (we are not sure where this IP lives, but we know it is assigned by DHCP from the VMC)
PING 192.168.11.1 (192.168.11.1): 56 data bytes
64 bytes from 192.168.11.1: icmp_seq=0 ttl=64 time=0.1 ms
64 bytes from 192.168.11.1: icmp_seq=1 ttl=64 time=0.1 ms

--- 192.168.11.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.1 ms

~ # ping 47.104.193.111
PING 47.104.193.111 (47.104.193.111): 56 data bytes
64 bytes from 47.104.193.111: icmp_seq=0 ttl=50 time=13.2 ms
64 bytes from 47.104.193.111: icmp_seq=1 ttl=50 time=13.1 ms

--- 47.104.193.111 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 13.1/13.1/13.2 ms

~ # ping 172.31.4.52   (this IP is the VMC controller IP on the loopback)
PING 172.31.4.52 (172.31.4.52): 56 data bytes

--- 172.31.4.52 ping statistics ---
11 packets transmitted, 0 packets received, 100% packet loss

The following information was obtained from our public VMC.

The commands below were run on the VMC. They show where the 192.168.11.x IP on the RAP comes from, but testing shows only the 11.1 address answers ping; none of the others exist.

(AOS83) [mynode] #show ap system-profile default

AP system profile "default"
---------------------------
Parameter Value
--------- -----
RF Band g
Recovery Mode auto
RF Band for AM mode scanning all
Native VLAN ID 1
Tunnel Heartbeat Interval 1
Session ACL ap-uplink-acl
Corporate DNS Domain N/A
SNMP sysContact N/A
LED operating mode (11n/11ac APs only) normal
LED override Disabled
Driver log level warnings
Console log level emergencies
SAP MTU N/A
RAP MTU 1200 bytes
LMS IP N/A
Backup LMS IP N/A
LMS IPv6 N/A
Backup LMS IPv6 N/A
LMS Preemption Disabled
LMS Hold-down Period 600 sec
LMS ping interval 20
Remote-AP DHCP Server VLAN N/A
Remote-AP DHCP Server Id 192.168.11.1
Remote-AP DHCP Default Router 192.168.11.1
Remote-AP DHCP DNS Server N/A
Remote-AP DHCP Pool Start 192.168.11.2
Remote-AP DHCP Pool End 192.168.11.254
Remote-AP DHCP Pool Netmask 255.255.255.0
Remote-AP DHCP Lease Time 0 days
Remote-AP uplink total bandwidth 0 kbps
Remote-AP bw reservation 1 N/A
Remote-AP bw reservation 2 N/A
Remote-AP bw reservation 3 N/A
Remote-AP Local Network Access Disabled
Flex Radio Mode 2.4GHz-and-5GHz
Dual 5GHz Mode Automatic
IPM activation Disabled
IPM power reduction steps with priorities N/A
IPM Steps delete all No
Bootstrap threshold 8
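
An added example, not code from the post or from Aruba: a small Python parser for the RAP's `route -n` table quoted above, with a longest-prefix-match lookup that answers which interface and next hop a given destination leaves on. The table is embedded as a constructed sample copied from the post with the inline remarks removed; `parse_route_n`, `lookup`, `describe` and `duplicate_prefixes` are my own names. It assumes `route -n` lists routes in the kernel's preference order, so among equal-length prefixes the first one listed wins.

```python
"""Longest-prefix-match lookups over a BusyBox/Linux `route -n` table.

Added example, not code from the post or from Aruba. SAMPLE_ROUTE_N is the
RAP's routing table as quoted in the thread, with the inline remarks removed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the table printed by the RAP in the thread.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
47.104.193.111  192.168.100.222 255.255.255.255 UGH   -3     0        0 br0
172.31.4.52     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
0.0.0.0         192.168.100.222 0.0.0.0         UG    -3     0        0 br0
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected
    flags: str
    metric: int
    iface: str


def parse_route_n(text: str) -> List[Route]:
    """Parse `route -n` output. Anything after the 8th column (such as a
    hand-written remark) is ignored, so annotated lines parse too."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # title and header lines
        dest, gw, mask, flags, metric, _ref, _use, iface = parts[:8]
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, flags, int(metric), iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins. Among equal prefixes the first listed wins,
    assuming `route -n` prints routes in the kernel's preference order
    (min() returns the first of equal keys, so table order is the tie-break)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: -r.network.prefixlen)


def describe(route: Optional[Route]) -> str:
    """Human-readable one-liner for a lookup result."""
    if route is None:
        return "no route"
    via = f"via {route.gateway}" if route.gateway else "directly connected"
    return f"{route.iface} ({via}, {route.network}, metric {route.metric})"


def duplicate_prefixes(routes: List[Route]) -> Dict[str, List[str]]:
    """Prefixes present more than once, mapped to the interfaces they use,
    in table order. Two default routes on different interfaces show up here."""
    seen: Dict[str, List[str]] = {}
    for r in routes:
        seen.setdefault(str(r.network), []).append(r.iface)
    return {p: ifs for p, ifs in seen.items() if len(ifs) > 1}


if __name__ == "__main__":
    table = parse_route_n(SAMPLE_ROUTE_N)
    for dst in ("47.104.193.111", "172.31.4.52", "192.168.11.1", "8.8.8.8"):
        print(f"{dst:>15} -> {describe(lookup(table, dst))}")
    print("duplicate prefixes:", duplicate_prefixes(table))
```

Run as a script it prints the four lookups. The thing to notice in the RAP's table is that the /32 host route for the controller's public address pins that traffic to br0 and the home router, while the default route sends everything else into tun0; `duplicate_prefixes` also flags that two default routes exist on different interfaces, which is worth knowing before reasoning about where any given packet from the RAP goes.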

Frequent Contributor II

Re: Come and help: the laughable Aruba Beijing 400-810-6618 female support rep answers questions she knows nothing about; also, can any expert take a look at where the IPsec fault lies

OK, now here is the problem. I have a PC on the same subnet as the RAP, with IP 192.168.100.xx,

which gets online through the home router. From this PC I can access the VMC by SSH or the web via the public IP 47.104.193.111 (which is ultimately mapped to the VMC's VLAN 1 IP, 172.31.4.51). Now the strangest part: when I boot the RAP and it has come all the way up, both the PC and the RAP can still ping 47.104.193.111, but the PC can no longer reach 47.104.193.111 over the web or SSH, and access only returns once you power off the RAP!

What is the cause of this?

We also have one PC in the same network as our RAP.

If we do not power on the RAP, we can access the VMC public IP 47.104.193.111 by WEB and SSH (1:1 NAT to 172.31.4.51).

But if we power up our RAP and it finishes booting, we find we can still ping 47.104.193.111 OK, but we CAN NOT access it by WEB and SSH!!!
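
An added example, not from the thread or from Aruba: a Python script that repeats the check the poster did by hand in one run, an ICMP ping plus TCP connects to the management ports, and tells a connect that times out (nothing came back) apart from one that is refused (the host answered with a reset). That distinction is what separates "something on the path is dropping TCP while passing ICMP" from "the host is up but the port is closed". `classify` is the pure part; the function names, the verdict labels and the default target are mine, and the port list assumes SSH on 22, HTTPS on 443 and the ArubaOS WebUI on its default port 4343.

```python
"""Repeat the thread's reachability test: does the host answer ping, and do
TCP connects to the management ports complete, time out, or get refused?
Added example, not code from the thread or from Aruba."""
import socket
import subprocess
import sys

# Ports to probe: SSH, HTTPS, and 4343 (ArubaOS WebUI default).
MGMT_PORTS = (22, 443, 4343)


def icmp_reachable(host: str, count: int = 2, timeout_s: int = 2) -> bool:
    """Shell out to the system ping (iputils/BusyBox flags) so no raw
    socket privilege is needed."""
    cmd = ["ping", "-c", str(count), "-W", str(timeout_s), host]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, check=False)
    except FileNotFoundError:  # no ping binary on this box
        return False
    return done.returncode == 0


def tcp_probe(host: str, port: int, timeout_s: float = 3.0) -> str:
    """'open' if the handshake completes, 'refused' if a RST came back,
    'timeout' if nothing came back within timeout_s, else 'error:<errno>'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout_s)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError as exc:
            return f"error:{exc.errno}"


def classify(icmp_ok: bool, tcp_results: dict) -> str:
    """Reduce the probe results to one verdict.
    tcp-ok       at least one management port completed the handshake
    tcp-refused  a RST came back: the L3 path works, the port is closed
    icmp-only    ping answers but every TCP SYN goes unanswered: the path
                 drops or mistranslates TCP while passing ICMP (the symptom
                 described in the thread)
    unreachable  nothing answered at all
    """
    results = list(tcp_results.values())
    if "open" in results:
        return "tcp-ok"
    if "refused" in results:
        return "tcp-refused"
    if icmp_ok:
        return "icmp-only"
    return "unreachable"


def run_check(host: str, ports=MGMT_PORTS) -> dict:
    """Probe one host and return the raw results plus the verdict."""
    icmp_ok = icmp_reachable(host)
    tcp = {p: tcp_probe(host, p) for p in ports}
    return {"host": host, "icmp": icmp_ok, "tcp": tcp,
            "verdict": classify(icmp_ok, tcp)}


if __name__ == "__main__":
    # Default target is the VMC public IP from the thread; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "47.104.193.111"
    report = run_check(target)
    print(f"{report['host']}: icmp={'ok' if report['icmp'] else 'no'}")
    for port, result in report["tcp"].items():
        print(f"  tcp/{port}: {result}")
    print(f"verdict: {report['verdict']}")
```

Run it from the PC before the RAP is powered on and again after it has booted; a change from `tcp-ok` to `icmp-only` with ping still succeeding is the thread's symptom expressed as data, and a `refused` result would instead point at the controller itself rather than at the path.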

Frequent Contributor II

Re: Come and help: the laughable Aruba Beijing 400-810-6618 female support rep answers questions she knows nothing about; also, can any expert take a look at where the IPsec fault lies

I checked some of the IPsec state on the VMC, shown below. Everything is in place, it just doesn't pass traffic. Fine, if it doesn't work it doesn't work, but remote web and SSH access stops working too, and only after disconnecting the RAP can web and SSH access work again, while ICMP ping is fine the whole time.

(AOS83) [mynode] #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP Responder IP Flags Start Time Private IP
------------ ------------ ----- --------------- ----------
111.37.21.67 172.31.4.51 r-m-p-x-R Jun 28 11:01:24 172.16.200.20

Flags: i = Initiator; r = Responder
m = Main Mode; a = Agressive Mode; v2 = IKEv2
p = Pre-shared key; c = Certificate/RSA Signature; e = ECDSA Signature
x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
3 = 3rd party AP; C = Campus AP; R = RAP; Ru = Custom Certificate RAP; I = IAP
V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1
(AOS83) [mynode] #show crypto ipsec sa

IPSEC SA Active Session Information
-----------------------------------
Initiator IP Responder IP InitiatorID ResponderID Flags Start Time Inner IP
------------ ------------ ----------- ----------- ----- --------------- --------
111.37.21.67 172.31.4.51 172.16.200.20/32 0.0.0.0/0 UT Jun 28 11:01:24 172.16.200.20

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 1
(AOS83) [mynode] #show user role logon
This operation can take a while depending on number of users. Please be patient ....

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
36.110.67.20 00:00:00:00:00:00 logon 00:00:02 VPN N/A tunnel WIRELESS
111.37.21.67 00:00:00:00:00:00 logon 00:00:00 N/A tunnel WIRELESS

User Entries: 2/2
Curr/Cum Alloc:3/4 Free:0/1 Dyn:3 AllocErr:0 FreeErr:0
(AOS83) [mynode] #show datapath session table | include 4500
172.31.4.51 36.110.67.20 17 4500 4062 0/0 0 0 0 local 39 53 13374 FC 7
36.110.67.20 172.31.4.51 17 4062 4500 0/0 0 0 3 local 39 0 0 FY 7
