Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ArubaGRE between IAP and Controller

  • 1.  ArubaGRE between IAP and Controller

    Posted Apr 03, 2017 10:04 AM

    I have an IAP-315 that is managed through Central and am trying to create an L2 GRE tunnel to an Aruba 7005 controller, to tunnel a Guest network to the remote AP.

     

    I want to continue using Central to manage the APs and only use the controller to terminate GRE tunnels from remote IAP clusters.

     

    Currently in my lab I only have this single IAP and a controller:

    IAP IP: 192.168.100.111/23

    IAP VC IP: 192.168.101.250/23

    Controller IP: 192.168.52.251

     

    Routing between AP and Controller is through a Palo Alto firewall that is allowing GRE and UDP/4500 bidirectionally, and I don't see anything blocked.

     

    I've successfully managed to configure a Manual GRE tunnel to achieve what I want, but I'm now trying to get ArubaGRE/Automatic GRE working and am not being very successful.

     

    On the controller I've configured:

     

     

    interface gigabitethernet 0/0/1
       description "GuestWiFi"
       trusted
       trusted vlan 1-4094
       switchport access vlan 114
    
    whitelist-db rap add mac-address 34:fc:b9:c6:6a:22 ap-group default
    iap trusted-branch-db allow-all
    ip local pool "rapng" 172.16.1.100 172.16.1.200

     

    Licenses:

    Access Points: 1

    Next Generation Policy Enforcement Firewall Module: 1

     

    Controller Version:  6.4.3.8

    IAP Version: 6.5.1.0-4.3.1.1

     

    (ArubaCTL) #show user
    
    Users
    -----
        IP                MAC            Name              Role              Age(d:h:m)  Auth  VPN link         AP name  Roaming  Essid/Bssid/Phy  Profile      Forward mode  Type  Host Name
    ----------       ------------       ------             ----              ----------  ----  --------         -------  -------  ---------------  -------      ------------  ----  ---------
    192.168.100.111  00:00:00:00:00:00                     logon             00:01:49    VPN                    N/A                                             tunnel              
    172.16.1.107     00:00:00:00:00:00  34:fc:b9:c6:6a:22  default-vpn-role  00:00:00    VPN   192.168.100.111  N/A                                default-iap  tunnel              
    
    User Entries: 2/2
     Curr/Cum Alloc:2/211 Free:0/209 Dyn:2 AllocErr:0 FreeErr:0
     
     (ArubaCTL) #show iap table 
    
    Trusted Branch Validation: Disabled
    IAP Branch Table
    ----------------
    Name  VC MAC Address  Status  Inner IP  Assigned Subnet  Assigned Vlan
    ----  --------------  ------  --------  ---------------  -------------
    
    Total No of UP Branches   : 0
    Total No of DOWN Branches : 0
    Total No of Branches      : 0
    
    (ArubaCTL) #show packet-capture controlpath-pcap 
    
    14:14:30.685389 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: parent_sa ikev2_init[I]
    14:14:30.685670 IP 192.168.52.251.4500 > 192.168.100.111.64604: NONESP-encap: isakmp: parent_sa ikev2_init[R]
    14:14:30.687886 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: parent_sa ikev2_init[I]
    14:14:30.689738 IP 192.168.52.251.4500 > 192.168.100.111.64604: NONESP-encap: isakmp: parent_sa ikev2_init[R]
    14:14:31.155025 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
    14:14:31.155122 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
    14:14:31.155175 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
    14:14:31.155227 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
    14:14:31.155281 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
    
    (ArubaCTL) #show log security  50 | include INFO
    Apr 3 15:47:35 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=34:fc:b9:c6:6a:22 
    Apr 3 06:47:35 :103082:  <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.1.108 (External 192.168.100.111) for default-vpn-role
    Apr 3 06:47:35 :103077:  <INFO> |ike|  IKEv2 IKE_SA succeeded for peer 192.168.100.111:53201
    Apr 3 06:47:35 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53201
    Apr 3 06:47:35 :103078:  <INFO> |ike|  IKEv2 CHILD_SA successful for peer 192.168.100.111:53201
    Apr 3 06:48:06 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 192.168.100.111
    Apr 3 06:48:06 :103102:  <INFO> |ike|  IKE SA deleted for peer 192.168.100.111
    Apr 3 15:48:06 :124038:  <INFO> |authmgr|  Reused server Internal for method=VPN; user=34:fc:b9:c6:6a:22,  essid=<>, domain=<>, server-group=default
    Apr 3 06:48:06 :133005:  <INFO> |localdb|  User 34:fc:b9:c6:6a:22  Successfully Authenticated
    Apr 3 15:48:06 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=34:fc:b9:c6:6a:22 
    Apr 3 06:48:06 :103082:  <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.1.109 (External 192.168.100.111) for default-vpn-role
    Apr 3 06:48:06 :103077:  <INFO> |ike|  IKEv2 IKE_SA succeeded for peer 192.168.100.111:53203
    Apr 3 06:48:06 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53203
    Apr 3 06:48:06 :103078:  <INFO> |ike|  IKEv2 CHILD_SA successful for peer 192.168.100.111:53203
    Apr 3 06:48:36 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 192.168.100.111
    Apr 3 06:48:36 :103102:  <INFO> |ike|  IKE SA deleted for peer 192.168.100.111
    Apr 3 15:48:36 :124038:  <INFO> |authmgr|  Reused server Internal for method=VPN; user=34:fc:b9:c6:6a:22,  essid=<>, domain=<>, server-group=default
    Apr 3 06:48:36 :133005:  <INFO> |localdb|  User 34:fc:b9:c6:6a:22  Successfully Authenticated
    Apr 3 15:48:36 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=34:fc:b9:c6:6a:22 
    Apr 3 06:48:36 :103082:  <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.1.110 (External 192.168.100.111) for default-vpn-role
    Apr 3 06:48:36 :103077:  <INFO> |ike|  IKEv2 IKE_SA succeeded for peer 192.168.100.111:53205
    Apr 3 06:48:36 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53205
    Apr 3 06:48:36 :103078:  <INFO> |ike|  IKEv2 CHILD_SA successful for peer 192.168.100.111:53205
    Apr 3 06:49:06 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 192.168.100.111
    Apr 3 06:49:06 :103102:  <INFO> |ike|  IKE SA deleted for peer 192.168.100.111

    From the IAP I never see the VPN getting established though:

    34:fc:b9:c6:6a:22# show vpn status
    
    
    profile name:default
    --------------------------------------------------
    current using tunnel                            :unselected tunnel
    current tunnel using time                       :0
    ipsec is preempt status                         :disable
    ipsec is fast failover status                   :disable
    ipsec hold on period                            :600s
    ipsec tunnel monitor frequency (seconds/packet) :5
    ipsec tunnel monitor timeout by lost packet cnt :6
    
    ipsec     primary tunnel crypto type            :Cert
    ipsec     primary tunnel peer address           :192.168.52.251
    ipsec     primary tunnel peer tunnel ip         :0.0.0.0
    ipsec     primary tunnel ap tunnel ip           :0.0.0.0
    ipsec     primary tunnel using interface        :
    ipsec     primary tunnel using MTU              :0
    ipsec     primary tunnel current sm status      :Retrying
    ipsec     primary tunnel tunnel status          :Down
    ipsec     primary tunnel tunnel retry times     :101
    ipsec     primary tunnel tunnel uptime          :0
    
    ipsec      backup tunnel crypto type            :Cert
    ipsec      backup tunnel peer address           :N/A
    ipsec      backup tunnel peer tunnel ip         :N/A
    ipsec      backup tunnel ap tunnel ip           :N/A
    ipsec      backup tunnel using interface        :N/A
    ipsec      backup tunnel using MTU              :N/A
    ipsec      backup tunnel current sm status      :Init
    ipsec      backup tunnel tunnel status          :Down
    ipsec      backup tunnel tunnel retry times     :0
    ipsec      backup tunnel tunnel uptime          :0
    
    34:fc:b9:c6:6a:22# show log vpn-tunnel 30
    
    2017-04-03 16:00:13 [primary tunnel] tunnel_start_up_timer(786): tunnel primary tunnel start up timer
    2017-04-03 16:00:13 [primary tunnel] tunnel_stop_up_timer(651): stop up timer.
    2017-04-03 16:00:14 [primary tunnel] cli_proc_rapper_msg(864): Receive rapper msg from 59168 port.
    2017-04-03 16:00:14 [primary tunnel] Error!!!: Received RC_OPCODE_ERROR lms 192.168.52.251 tunnel 0.0.0.0 RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2017-04-03 16:00:14 tunnel_err_msg_recv 1624: Cause tunnel down by ipsec error, index primary tunnel
    2017-04-03 16:00:43 [primary tunnel] tunnel_up_timeout(723): tunnel primary tunnel up timeout.
    2017-04-03 16:00:43 [primary tunnel] tunnel_up_timeout(769): primary tunnel tunnel is not up by retry 105 times, the max retry times on one tunnel is 2.  try itself
    2017-04-03 16:00:43 [primary tunnel] State TUNNEL_STATE_RETRY Event TUNNEL_EVENT_TUNNEL_RETRY Next state TUNNEL_STATE_RETRY
    2017-04-03 16:00:43 [primary tunnel] tunnel_retry(201): tunnel primary tunnel, type ipsec tunnel, peer public address 192.168.52.251
    2017-04-03 16:00:43 [primary tunnel] tunnel_retry(222): setting up tunnel to primary tunnel, retry=106
    2017-04-03 16:00:43 [primary tunnel] ipsec_tunnel_connect(1384): connect to primary tunnel, peer address 192.168.52.251. 
    2017-04-03 16:00:43 [primary tunnel] ipsec_tunnel_connect(1390): stop primary tunnel first before connect to it
    2017-04-03 16:00:43 [primary tunnel] stop_rapper: client->pid=29638, tunnel public ip 0.0.0.0, peer tunnel ip 0.0.0.0, tunnel ip 0.0.0.0, port 8423
    2017-04-03 16:00:43 [primary tunnel] stop_rapper(1324): Kill client->pid=29638.
    2017-04-03 16:00:43 [primary tunnel] stop_rapper(1345): Waiting until the client 29638 is killed 
    2017-04-03 16:00:43 [primary tunnel] stop_rapper(1357): result of wait4 29638 for pid (client->pid) 29638
    2017-04-03 16:00:43 [primary tunnel] ipsec_tunnel_connect(1410): primary tunnel, cli_local_ip 192.168.100.111 netmask 255.255.254.0
    2017-04-03 16:00:43 addroute(490):Dst fb34a8c0 mask 0 gw fe64a8c0
    2017-04-03 16:00:43 set_route_af: ioctl (SIOCADDRT) failed error no(17)
    2017-04-03 16:00:43 [primary tunnel] ipsec_tunnel_connect(1431): add route table destination 192.168.52.251, gw 192.168.100.254, interface br0.
    2017-04-03 16:00:43 [primary tunnel] Starting rapper with lifetime p1 = 28000 p2 = 7200
    2017-04-03 16:00:43 [primary tunnel] Starting IAP rapper 0 to 192.168.52.251:8423 attmpt 0
    2017-04-03 16:00:43 [primary tunnel] lauch rapper command: rapper -c 192.168.52.251 -b 1 -i br0 -x -G 0 -r 8423 -l 28000 -L 7200 -w 1 -o /tmp/rapper.txt
    2017-04-03 16:00:43 [primary tunnel] Eth - Populate the PID 29936 in file /tmp/rapper_pid_1
    2017-04-03 16:00:43 [primary tunnel] tunnel_retry(277): setting up tunnel to primary tunnel, success.
    2017-04-03 16:00:43 [primary tunnel] tunnel_start_up_timer(786): tunnel primary tunnel start up timer
    2017-04-03 16:00:43 [primary tunnel] tunnel_stop_up_timer(651): stop up timer.
    2017-04-03 16:00:44 [primary tunnel] cli_proc_rapper_msg(864): Receive rapper msg from 59168 port.
    2017-04-03 16:00:44 [primary tunnel] Error!!!: Received RC_OPCODE_ERROR lms 192.168.52.251 tunnel 0.0.0.0 RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    2017-04-03 16:00:44 tunnel_err_msg_recv 1624: Cause tunnel down by ipsec error, index primary tunnel
    
    
    34:fc:b9:c6:6a:22# show log rapper
    
    Insert Timer  type 1 Sec 70 uSec 0 
    Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
    Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
    
    #RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14
    
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
     exchange=IKE_AUTH msgid=1 len=896
    ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
    Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-90023
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
     exchange=IKE_AUTH msgid=1 len=896
    Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
    Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
    
    #RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14
    
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
     exchange=IKE_AUTH msgid=1 len=896
    ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
    Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-90023
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
     exchange=IKE_AUTH msgid=1 len=896
    Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
    Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
    
    #RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14
    
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
     exchange=IKE_AUTH msgid=1 len=896
    ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
    Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-90023
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
     exchange=IKE_AUTH msgid=1 len=896
    Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
    Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
    
    #RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14
    
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
     exchange=IKE_AUTH msgid=1 len=896
    ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
    Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-90023
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
     exchange=IKE_AUTH msgid=1 len=896
    Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
    Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
    
    #RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14
    
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
     exchange=IKE_AUTH msgid=1 len=896
    ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
    Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-90023
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
     exchange=IKE_AUTH msgid=1 len=896
    Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
    Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
    
    #RECV 816 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14
    
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
     exchange=IKE_AUTH msgid=1 len=812
    ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
    Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-90023
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
     exchange=IKE_AUTH msgid=1 len=812
    Apr 03, 16:00:14: IKE2_fragRecv Rcvd all 7 fragments
    
    Delete Timer Type 1 
    Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
    
    #RECV 5968 bytes from 192.168.52.251[4500] (0.0)(pid:29638)  time:2017-04-03 16:00:14
    
     spi={d80a77acff556c34 3b0bcd03eaf5d009} np=E{IDr}
     exchange=IKE_AUTH msgid=1 len=5964
      I <--
    Apr 03, 16:00:14: InId: cert_DN in ID Payload:CN=CP0016110::00:0b:86:bf:77:70 wIdLen=54
    Apr 03, 16:00:14: InId:6974 ERROR: failed to read /tmp/is_cert_rap
    Apr 03, 16:00:14: |ocsp| check_rap = 0
    Apr 03, 16:00:14: |ocsp| check_rap = 0
    Apr 03, 16:00:14: |ocsp| check_rap = 0
    Apr 03, 16:00:14: |ocsp| check_rap = 0
    Apr 03, 16:00:14: sort_certificate_chain: Size of certificate chain to be sorted: 4
    Apr 03, 16:00:14: sort_certificate_chain: Current cert index being considered: 0
    Apr 03, 16:00:14: sort_certificate_chain: Cert at index 1 is an issuer cert for cert at  index 0
    Apr 03, 16:00:14: sort_certificate_chain: Current cert index being considered: 1
    Apr 03, 16:00:14: sort_certificate_chain: Cert at index 0 is not an issuer cert for cert at  index 1
    Apr 03, 16:00:14: sort_certificate_chain: Cert at index 2 is an issuer cert for cert at  index 1
    Apr 03, 16:00:14: sort_certificate_chain: Current cert index being considered: 2
    Apr 03, 16:00:14: sort_certificate_chain: Cert at index 0 is not an issuer cert for cert at  index 2
    Apr 03, 16:00:14: sort_certificate_chain: Cert at index 1 is not an issuer cert for cert at  index 2
    Apr 03, 16:00:14: sort_certificate_chain: Cert at index 3 is an issuer cert for cert at  index 2
    Apr 03, 16:00:14: sort_certificate_chain: Current cert index being considered: 3
    Apr 03, 16:00:14: sort_certificate_chain: Cert at index 0 is not an issuer cert for cert at  index 3
    Apr 03, 16:00:14: sort_certificate_chain: Cert at index 1 is not an issuer cert for cert at  index 3
    Apr 03, 16:00:14: sort_certificate_chain: Cert at index 2 is not an issuer cert for cert at  index 3
    Apr 03, 16:00:14: sort_certificate_chain: Last cert has n parent in chain
    Apr 03, 16:00:14: CERT_ComputeCertificateHash: status :0
    Apr 03, 16:00:14: CERT_verifyRSACertSignature: comparison result 0
    Apr 03, 16:00:14: CERT_ComputeCertificateHash: status :0
    Apr 03, 16:00:14: CERT_verifyRSACertSignature: comparison result 0
    Apr 03, 16:00:14: CERT_ComputeCertificateHash: status :0
    Apr 03, 16:00:14: CERT_verifyRSACertSignature: comparison result 0
    Apr 03, 16:00:14: IKE_certGetKey(peer:c0a834fb): isCSS:0 Check in ArubaTrustedCaCerts, numCaCerts:2
    Apr 03, 16:00:14: IKE_certGetKey(): Cert trying ArubaTrustedCaCerts[0]
    Apr 03, 16:00:14: IKE_certGetKey(): verify the validity
    Apr 03, 16:00:14: IKE_certGetKey(): Cert trying ArubaTrustedCaCerts[1]
    Apr 03, 16:00:14: IKE_certGetKey(): verify the validity
    Apr 03, 16:00:14: CERT_ComputeCertificateHash: status :0
    Apr 03, 16:00:14: CERT_verifyRSACertSignature: comparison result 0
    Apr 03, 16:00:14: IKE_certGetKey(): iset the key value 0x1fdf6a4
    ike2_state.c (5861): errorCode = ERR_RSA_DECRYPTION
    Apr 03, 16:00:14: IKE_SAMPLE_ikeStatHdlr(CHILD_SA): dwPeerAddr:c0a834fb index:0 mPeerType:0
    Apr 03, 16:00:14: IKE SA failed reason = ERR_RSA_DECRYPTION, errorcode = -7702 ikeVer 2
    Apr 03, 16:00:14: send_sapd_error: InnerIP:0  error:50 debug_error:0
    
    Apr 03, 16:00:14: send_sapd_error: error:50 debug_error:0
    
    Apr 03, 16:00:14: rapper_log_error: buf = d8 0a 77 ac ff 55 6c 34 32
    
    
    Apr 03, 16:00:14: |ocsp| IKE2_delSa: 1008
    Apr 03, 16:00:14: IKE_SAMPLE_ikeStatHdlr(SA): dwPeerAddr:c0a834fb index:0 mPeerType:0
    Apr 03, 16:00:14: IKE_SA [v2 I] (id=0x9bd8093a) flags 0x41000015 failed reason = ERR_RSA_DECRYPTION, errorcode = -7702
    Apr 03, 16:00:14: IKE_SAMPLE_ikeStatHdlr(IST_FAIL): g_ikeversion:2
    Apr 03, 16:00:14: |ocsp| IKE2_delSa: 1090
    Apr 03, 16:00:14: |ocsp| ap_remove_certmgr_packet: start
    Timer ID: 1 Deleted 
    Apr 03, 16:00:14: IKE2_xchgIn:1148  bResponse=1 status=-7702
    Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
    Apr 03, 16:00:14: |ocsp| cleanup_context_data:1984
    Apr 03, 16:00:14: IKE2_msgRecv:1561 status=-7702
    Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
    Apr 03, 16:00:14: |ocsp| cleanup_context_data:1984
    rapperSendStatusCB

    Any suggestions on how to further troubleshoot the issue?
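Added example (this is not code from the post or from Aruba): a small decoder for the IKEv2 header as carried over NAT-T on UDP/4500 (what the controller pcap prints as NONESP-encap) and a tracker for RFC 7383 Encrypted Fragment (SKF) payloads, the mechanism behind the np=FGMT and "Rcvd all 7 fragments" lines in the rapper log. The SPIs, exchange type and message id in demo() are the ones from the log; the fragment contents are constructed dummy bytes, and nothing is decrypted.

```python
import struct
from dataclasses import dataclass

# Added example, not code from the post or from Aruba: decode IKEv2 headers as carried
# over NAT-T (UDP/4500, "NONESP-encap" in the controller pcap) and track RFC 7383
# Encrypted Fragment (SKF) payloads per message. SPIs, exchange and msgid in demo()
# are taken from the rapper log; the fragment bodies are constructed dummy bytes.

NON_ESP_MARKER = b"\x00\x00\x00\x00"        # 4 zero bytes in front of IKE on UDP/4500
IKE_HDR_FMT = "!8s8sBBBBII"                 # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
IKE_HDR_LEN = struct.calcsize(IKE_HDR_FMT)  # 28 bytes
PAYLOAD_SKF = 53                            # Encrypted and Authenticated Fragment payload type
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_RESPONSE = 0x20


@dataclass(frozen=True)
class IkeHeader:
    spi_i: str
    spi_r: str
    next_payload: int
    exchange: str
    is_response: bool
    msg_id: int
    length: int


def strip_natt(udp_payload: bytes) -> bytes:
    """Remove the NAT-T non-ESP marker if present."""
    return udp_payload[4:] if udp_payload[:4] == NON_ESP_MARKER else udp_payload


def parse_ike_header(udp_payload: bytes) -> IkeHeader:
    data = strip_natt(udp_payload)
    if len(data) < IKE_HDR_LEN:
        raise ValueError("datagram shorter than an IKE header")
    spi_i, spi_r, np_, ver, xchg, flags, msg_id, length = struct.unpack(IKE_HDR_FMT, data[:IKE_HDR_LEN])
    if ver >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {ver >> 4})")
    if length != len(data):
        # Typical cause: the datagram was truncated or IP-fragmented and only partly delivered.
        raise ValueError(f"IKE length field {length} != {len(data)} bytes received")
    return IkeHeader(spi_i.hex(), spi_r.hex(), np_, EXCHANGES.get(xchg, str(xchg)),
                     bool(flags & FLAG_RESPONSE), msg_id, length)


def parse_skf(udp_payload: bytes) -> tuple[int, int, bytes]:
    """Return (fragment number, total fragments, encrypted body) when the first payload is SKF."""
    if parse_ike_header(udp_payload).next_payload != PAYLOAD_SKF:
        raise ValueError("first payload is not SKF")
    body = strip_natt(udp_payload)[IKE_HDR_LEN:]
    _next, _crit, plen, frag_no, total = struct.unpack("!BBHHH", body[:8])
    if plen != len(body) or not 1 <= frag_no <= total:
        raise ValueError("malformed SKF payload")
    return frag_no, total, body[8:]


class FragmentTracker:
    """Collect SKF fragments per (SPIs, msg id, direction) until the whole message has arrived."""

    def __init__(self) -> None:
        self._pending: dict[tuple, dict[int, bytes]] = {}

    def feed(self, udp_payload: bytes):
        hdr = parse_ike_header(udp_payload)
        if hdr.next_payload != PAYLOAD_SKF:
            return "complete", [strip_natt(udp_payload)[IKE_HDR_LEN:]]   # not fragmented
        frag_no, total, body = parse_skf(udp_payload)
        key = (hdr.spi_i, hdr.spi_r, hdr.msg_id, hdr.is_response)
        bucket = self._pending.setdefault(key, {})
        bucket[frag_no] = body
        if len(bucket) < total:
            # The state the rapper log prints as ERR_FRAGMENTATION_REQUIRED after each piece: keep waiting.
            return "waiting", (len(bucket), total)
        del self._pending[key]
        # RFC 7383: every fragment is decrypted and integrity-checked on its own, then the
        # plaintexts are concatenated. Only the ordered ciphertext pieces are returned here.
        return "complete", [bucket[i] for i in range(1, total + 1)]


def build_skf(spi_i: bytes, spi_r: bytes, msg_id: int, frag_no: int, total: int,
              body: bytes, response: bool = True) -> bytes:
    """Constructed test vector: one SKF fragment of an IKE_AUTH message, with the NAT-T marker."""
    skf = struct.pack("!BBHHH", 0, 0, 8 + len(body), frag_no, total) + body
    hdr = struct.pack(IKE_HDR_FMT, spi_i, spi_r, PAYLOAD_SKF, 0x20, 35,
                      FLAG_RESPONSE if response else 0, msg_id, IKE_HDR_LEN + len(skf))
    return NON_ESP_MARKER + hdr + skf


def demo() -> list:
    """Replay a 7-fragment IKE_AUTH response like the one the IAP reassembled in the log."""
    spi_i, spi_r = bytes.fromhex("d80a77acff556c34"), bytes.fromhex("3b0bcd03eaf5d009")
    tracker = FragmentTracker()
    return [tracker.feed(build_skf(spi_i, spi_r, 1, n, 7, bytes([n]) * 100)) for n in range(1, 8)]
```

demo() returns "waiting" for the first six fragments and "complete" with seven ordered pieces for the seventh. The length check in parse_ike_header is the first thing to run against a capture when a middlebox is suspected of mangling IKE_AUTH: a four-certificate chain like the one in the log arrives as 5968 bytes in seven fragments, and a single truncated fragment is enough to keep the exchange in the waiting state.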

     



  • 2.  RE: ArubaGRE between IAP and Controller

    Posted Apr 03, 2017 10:17 AM

    I should add that I had to perform a factory reset of the controller. After that it complains on every login:

    Ancillary files are not present
    *********************************************************************
    * WARNING:  An additional image upgrade is required to complete the *
    * installation of the AP and WebUI files. Please upgrade the boot   *
    * partition again and reload the controller.                        *
    *********************************************************************

    Could this be the root cause of my problems? I'm currently struggling with getting the product registered properly so I can download the firmware, as Google says to replay the firmware twice to resolve that issue :)



  • 3.  RE: ArubaGRE between IAP and Controller

    Posted Apr 03, 2017 11:33 AM

    Hi,

     

    This could very well be related to the error that you are seeing about missing files.

     

    Can you please check the output for :

    "show tpm cert-info"

     

    It could be related to tpm cert corruption on the controller side.



  • 4.  RE: ArubaGRE between IAP and Controller

    Posted Apr 03, 2017 03:43 PM

    I've now upgraded the controller to 6.5.1.4 and no longer have the error message about missing files. Same status on the VPN though.

     

    (ArubaCTL) #show tpm cert-info
    =====================================
    TPM manufacturing factory certificate
    =====================================
    subject= /CN=CP0016110::00:0b:86:bf:77:70
    issuer= /DC=com/DC=arubanetworks/DC=dc-device-ca5/CN=device-ca5
    serial=2C1C909700000083A306
    notBefore=Aug  8 16:28:05 2016 GMT
    notAfter=Sep 14 03:21:14 2032 GMT
    =====================================
    Generated Factory certificate
    =====================================
    subject= /CN=CP0016110::00:0b:86:bf:77:70/L=SW
    issuer= /CN=CP0016110::00:0b:86:bf:77:70
    serial=2C1C909700000083A306
    notBefore=Aug  8 16:28:05 2016 GMT
    notAfter=Sep 14 03:21:14 2032 GMT

    But I think you're on the right track with the certificates, as the IAP complains about RSA DECRYPTION:

    2017-04-03 21:39:01 [primary tunnel] Error!!!: Received RC_OPCODE_ERROR lms 192.168.52.251 tunnel 0.0.0.0 RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED

    Do I have to enable Auto Cert Provisioning on the Controller?

     

    (ArubaCTL) #show control-plane-security
    
    Control Plane Security Profile
    ------------------------------
    Parameter                    Value
    ---------                    -----
    Control Plane Security       Enabled
    Auto Cert Provisioning       Disabled
    Auto Cert Allow All          Enabled
    Auto Cert Allowed Addresses  N/A

    I tried to disable CPsec in a hope for certificates not to be needed at all, but the IAP logs shows the same errors anyway.
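Added example, not code from the post or from Aruba: parse the `show tpm cert-info` output above, work out which certificate in the set issued which (the same subject/issuer matching that sort_certificate_chain performs in the rapper log of the first post), check validity, and compare the subject CN with the cert_DN the IAP received in the ID payload (CN=CP0016110::00:0b:86:bf:77:70). The inputs are copied from the thread; the as-of date 2017-04-03 is an assumption (the day of the post).

```python
import re
from datetime import datetime, timezone

# Added example, not from the post or from Aruba: read the "show tpm cert-info" output
# above, link each certificate to its issuer, check validity, and compare the subject CN
# with the IDr the IAP logged in "show log rapper". Inputs are copied from the thread;
# the as-of date (2017-04-03, the day of the post) is an assumption.

TPM_CERT_INFO = """\
=====================================
TPM manufacturing factory certificate
=====================================
subject= /CN=CP0016110::00:0b:86:bf:77:70
issuer= /DC=com/DC=arubanetworks/DC=dc-device-ca5/CN=device-ca5
serial=2C1C909700000083A306
notBefore=Aug  8 16:28:05 2016 GMT
notAfter=Sep 14 03:21:14 2032 GMT
=====================================
Generated Factory certificate
=====================================
subject= /CN=CP0016110::00:0b:86:bf:77:70/L=SW
issuer= /CN=CP0016110::00:0b:86:bf:77:70
serial=2C1C909700000083A306
notBefore=Aug  8 16:28:05 2016 GMT
notAfter=Sep 14 03:21:14 2032 GMT
"""

# The ID payload line from the IAP's rapper log in the first post.
RAPPER_IDR_LINE = "Apr 03, 16:00:14: InId: cert_DN in ID Payload:CN=CP0016110::00:0b:86:bf:77:70 wIdLen=54"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """'/CN=a/L=b' -> [('CN', 'a'), ('L', 'b')]; kept as a list because DC repeats."""
    return [tuple(part.split("=", 1)) for part in dn.strip().split("/") if part]


def parse_cert_info(text: str) -> list[dict]:
    """Split the CLI output into one dict per certificate block."""
    certs, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("====="):
            continue
        if "=" not in line:                  # title row between two separator rows
            current = {"title": line.strip()}
            certs.append(current)
        elif current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return certs


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_chain(certs: list[dict], idr_line: str, as_of: str = "2017-04-03") -> list[dict]:
    """For each cert: issuer within the set (or external), validity at as_of, CN == IKE IDr CN."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    idr_cn = re.search(r"ID Payload:CN=(\S+)", idr_line).group(1)
    by_subject = {c["subject"]: c["title"] for c in certs}
    report = []
    for c in certs:
        cn = next(v for k, v in parse_dn(c["subject"]) if k == "CN")
        report.append({
            "title": c["title"],
            "cn": cn,
            # Same step sort_certificate_chain logs: find the cert whose subject equals this issuer.
            "issued_by": by_subject.get(c["issuer"], "external: " + c["issuer"]),
            "valid_now": parse_time(c["notBefore"]) <= now <= parse_time(c["notAfter"]),
            "matches_idr": cn == idr_cn,
        })
    return report
```

On this data both certificates are inside their validity period and their CN equals the IDr the IAP logged, so the failure is not a plain identity or expiry mismatch; the Generated Factory certificate is issued by the TPM manufacturing certificate, which in turn names the external device-ca5 as its issuer.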



  • 5.  RE: ArubaGRE between IAP and Controller

    Posted Apr 03, 2017 04:27 PM

    From the controller side everything looks good as far as I can see. Both IPsec P1 and P2 seem to establish successfully, but the IAP never seems to be happy and keeps restarting the tunnel, requesting a new "Inner IP" each time:

     

     

    (ArubaCTL) #show crypto ipsec sa
    
    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
    ------------     ------------     ----------------   ----- ---------------   --------
    192.168.20.103   192.168.52.251   4a9d4800/edda1c00  UT2   Apr  3 22:18:18   172.16.1.172
    
    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
    
    Total IPSEC SAs: 1
    
    (ArubaCTL) #show crypto isakmp sa
    
    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP     Responder IP   Flags       Start Time      Private IP
    ------------     ------------   -----     ---------------   ----------
    192.168.20.103   192.168.52.251 r-v2-c-I  Apr  3 22:18:18   172.16.1.172
    
    
    (ArubaCTL) #show crypto ipsec sa
    
    
    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
    ------------     ------------     ----------------   ----- ---------------   --------
    192.168.20.103   192.168.52.251   e29cbf00/a924db00  UT2   Apr  3 22:18:48   172.16.1.173
    
    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
    
    Total IPSEC SAs: 1
    
    (ArubaCTL) #show crypto isakmp sa
    
    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP     Responder IP   Flags       Start Time      Private IP
    ------------     ------------   -----     ---------------   ----------
    192.168.20.103   192.168.52.251 r-v2-c-I  Apr  3 22:18:48   172.16.1.173
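Added example, not code from the post or from Aruba: a detector for the churn visible both in the `show log security` output of the first post and in the `show crypto ipsec sa` snapshots above, where an IPsec SA for the same peer is created, deleted about thirty seconds later and rebuilt with the next inner IP from the pool. The sample lines are copied from the first post's log; the year (2017), the minimum cycle count (3) and the lifetime threshold (120 s) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the post or from Aruba: flag IKEv2/IPsec tunnels that are
# repeatedly built and torn down for the same peer. Sample lines are copied from the
# "show log security" output in the first post; the year is an assumption (the log
# carries none), as are the cycle-count and lifetime thresholds.

SAMPLE_LOG = """\
Apr 3 06:47:35 :103082:  <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.1.108 (External 192.168.100.111) for default-vpn-role
Apr 3 06:47:35 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53201
Apr 3 06:48:06 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:48:06 :103082:  <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.1.109 (External 192.168.100.111) for default-vpn-role
Apr 3 06:48:06 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53203
Apr 3 06:48:36 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:48:36 :103082:  <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.1.110 (External 192.168.100.111) for default-vpn-role
Apr 3 06:48:36 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53205
Apr 3 06:49:06 :103101:  <INFO> |ike|  IPSEC SA deleted for peer 192.168.100.111
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) :(?P<msgid>\d+): +<\w+> \|(?P<proc>\w+)\| +(?P<text>.*)$")
AUTH_RE = re.compile(r"Client-Authentication succeeded for (?P<inner>[\d.]+) \(External (?P<peer>[\d.]+)\)")
CREATED_RE = re.compile(r"IPSEC Tunnel created for peer (?P<peer>[\d.]+):(?P<port>\d+)")
DELETED_RE = re.compile(r"IPSEC SA deleted for peer (?P<peer>[\d.]+)")


def parse_ts(ts: str, year: int) -> datetime:
    """ArubaOS log stamps carry no year; the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(log_text: str, year: int = 2017, min_cycles: int = 3, max_lifetime_s: float = 120.0) -> dict:
    """Per-peer tunnel create/delete statistics plus the list of peers that look like they flap."""
    open_tunnels: dict[str, datetime] = {}
    last_inner: dict[str, str] = {}
    stats = defaultdict(lambda: {"cycles": 0, "lifetimes_s": [], "inner_ips": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != "ike":
            continue   # only the ike module's lines are used; authmgr lines in the same log carry other stamps
        when, text = parse_ts(m["ts"], year), m["text"]
        if a := AUTH_RE.search(text):
            last_inner[a["peer"]] = a["inner"]          # inner IP handed out for the SA about to be built
        elif c := CREATED_RE.search(text):
            open_tunnels[c["peer"]] = when
            stats[c["peer"]]["inner_ips"].append(last_inner.get(c["peer"], "?"))
        elif d := DELETED_RE.search(text):
            started = open_tunnels.pop(d["peer"], None)
            if started is not None:
                s = stats[d["peer"]]
                s["cycles"] += 1
                s["lifetimes_s"].append((when - started).total_seconds())
    flapping = [peer for peer, s in stats.items()
                if s["cycles"] >= min_cycles and max(s["lifetimes_s"]) <= max_lifetime_s]
    return {"stats": dict(stats), "flapping": flapping}
```

analyze(SAMPLE_LOG) reports three cycles of 31, 30 and 30 seconds for 192.168.100.111 with three distinct inner IPs (172.16.1.108 to .110) and lists the peer as flapping; a log with a single long-lived SA produces an empty list. Distinct inner IPs on every rebuild are worth watching against the size of the `ip local pool`, since each failed attempt takes the next address.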

     



  • 6.  RE: ArubaGRE between IAP and Controller

    Posted Apr 04, 2017 12:45 AM

    If possible (given it is a lab setup), please try converting the IAP into a RAP and see if it comes up.

     

    As you have said, manual GRE works fine. Issue is only seen with AutoGRE.

     

    The main difference between manual and Auto-GRE is the use of IPsec traffic in Auto-GRE.

     

    RAP also makes use of IPsec.

     

     



  • 7.  RE: ArubaGRE between IAP and Controller

    Posted Apr 04, 2017 01:18 AM

    Thanks, I'll try to find some time today to test that. First I'll test putting the IAP on the same subnet as the controller to bypass the firewall, just to make sure it's not messing with the traffic, as I do see references to packets being fragmented, but afaics this option is not enabled in their firewall:

     

    https://live.paloaltonetworks.com/t5/Management-Articles/VPN-session-does-not-come-up-when-passing-through-a-Palo-Alto/ta-p/66025

     

    Another question: most guides say I need to create a new user-profile and apply it to default-iap, so I've created:

     

    ip access-list session iaprole
       any any any permit
    user-role iaprole
        session-acl iaprole

    However when I try to apply this to aaa authentication vpn default-iap, there is no knob called default-role:

     

    (ArubaCTL) (config) #aaa authentication vpn default-iap
    (ArubaCTL) (VPN Authentication Profile "default-iap") #server-group default
    (ArubaCTL) (VPN Authentication Profile "default-iap") #default-role iaprole
                                                                        ^
    % Invalid input detected at '^' marker.
    
    
    (ArubaCTL) (VPN Authentication Profile "default-iap") #?
    cert-cn-lookup          Check certificate common name against AAA server.
                            Default is enabled.
    clone                   Copy data from another VPN Authentication Profile
    export-route            Whether to export server-returned VPN ip address as
                            a route to external world.  Default is enabled.
    max-authentication-fa.. Maximum auth failures before user is blacklisted.
                            Range: 1-10. Default: 0.
    no                      Delete Command
    pan-integration         Require IP mapping at Palo Alto Networks firewalls
    radius-accounting       Configure server group for radius accounting
    server-group            Name of server group
    user-idle-timeout       User idle timeout value. Valid range is 30-15300
                            seconds in multiples of 30 seconds

    Is this step no longer needed, or do you know why I don't have this knob?



  • 8.  RE: ArubaGRE between IAP and Controller

    Posted Apr 04, 2017 05:11 AM

    I've now tested deploying a new IAP-315 on the same IP subnet as the controller, so the firewall is not involved, but it shows the exact same symptoms.



  • 9.  RE: ArubaGRE between IAP and Controller

    Posted Apr 04, 2017 05:43 AM

    I've tried to convert one IAP-315 to RAP with:

    convert-aos-ap RAP 192.168.52.251

    But it fails to create the VPN tunnel to the controller:

    Apr  4 11:35:22  cli[24405]: <341101> <WARN> |AP 34:fc:b9:c6:6a:22@192.168.100.111 cli|  Execute command-convert-aos-ap RAP 192.168.52.251.
    Apr  4 11:35:22  cli[3407]: <341098> <WARN> |AP 34:fc:b9:c6:6a:22@192.168.100.111 cli|  recv_convert_ap: Convert AP url-, mode-1, master-192.168.52.251.
    Apr  4 11:35:22  cli[3407]: <341182> <WARN> |AP 34:fc:b9:c6:6a:22@192.168.100.111 cli|  Setup vpn for rap conversion - 192.168.52.251.
    Apr  4 11:36:24  cli[3407]: <341184> <WARN> |AP 34:fc:b9:c6:6a:22@192.168.100.111 cli|  Downloading rap image via vpn timeout - count 21.


  • 10.  RE: ArubaGRE between IAP and Controller

    Posted Apr 04, 2017 02:14 PM

    I've spent 3h on the phone with the Aruba TAC today, but they couldn't find the issue either, so they will now try to reproduce the problem in their lab.

     

    Is there anyone here on the forum successfully using ArubaGRE? Mind sharing your config/setup?



  • 11.  RE: ArubaGRE between IAP and Controller

    Posted Apr 04, 2017 10:45 PM

    Hi,

     

    I have a 7030 and an IAP-225 in my lab setup on which Aruba GRE works fine.

     

    The config on the controller is exactly the same as the one you had listed earlier.

     

    I am running 6.5.0.4 on the controller & 4.2.4.3 version on the IAP.

     

    It will be better to wait for the lab replication results from the TAC engineer.

     

    I am still suspecting some kind of cert corruption on the controller as even the RAP conversion failed.



  • 12.  RE: ArubaGRE between IAP and Controller

    Posted Apr 05, 2017 04:42 PM

    I found the following in the release notes for 6.5.0.0-4.3.0.0 -> 6.5.0.3-4.3.0.3:

     

    [image attachment: aruba_gre.png]

     

    Sounds quite related to my problem. I don't find anything in the release notes for the 6.5.1.x-4.3.1.x releases about it being either fixed or still a known issue, though.

     

    I tried to downgrade to 4.2.4.3, but it just says it's not supported on my IAP (from Central).



  • 13.  RE: ArubaGRE between IAP and Controller

    Posted Apr 05, 2017 05:00 PM

    Nitesh, do you have any IAP with a 4.3.x.x release you could test it with? Unfortunately I only have IAP-305 and IAP-315, so nothing that supports 4.2.x.x to test with.

     

    Thanks a lot for your support so far. Still awaiting an update from the TAC. Running with ManualGRE meanwhile, which works fine.



  • 14.  RE: ArubaGRE between IAP and Controller

    Posted Apr 11, 2017 01:16 AM

    Hi,

     

    Sorry for the late reply.

     

    My IAP is running on 4.3.1.2 version & is able to form Auto GRE without any issues.



  • 15.  RE: ArubaGRE between IAP and Controller

    Posted Aug 10, 2017 01:38 PM

    Just curious if this was ever resolved



  • 16.  RE: ArubaGRE between IAP and Controller

    Posted Aug 11, 2017 02:28 AM

    No, it took a little too long before I got any feedback from the TAC, so the customer had already moved to a Manual GRE solution in production and didn't want to mess with the setup any more, so I've been unable to further diagnose the problem.



  • 17.  RE: ArubaGRE between IAP and Controller

    Posted Aug 11, 2017 08:25 AM

    Too bad.

    We've had similar issues, and it happened yesterday, but a reboot of the DSL modem fixed our tunnel issue. I have to confirm whether it's ArubaGRE or manual GRE.