Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

CPSec issue?

  • 1.  CPSec issue?

    Posted May 26, 2015 06:50 AM

    Hi All,

     

    Scenario...

    Controller running 6.4.2.5.

    CPsec enabled - auto cert provisioning on

     

    AP connect to the controller but the status in cpsec is certified-hold-factory-cert. When changing the status to certified-factory-cert the AP reboots and the status changes back to certified-hold-factory-cert!

     

    Here's what the controller says:

    May 26 11:46:49 <sapd 311020> <ERRS> |AP 94:b4:0f:c8:da:c0@xxx.xxx.xxx.xxx sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4461 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. Ipsec not successful after reboot.
    May 26 11:48:14 <nanny 303086> <ERRS> |AP 94:b4:0f:c8:da:c0@xxx.xxx.xxx.xxx nanny| Process Manager (nanny) shutting down - AP will reboot!
    May 26 11:49:42 <sapd 311020> <ERRS> |AP 94:b4:0f:c8:da:c0@xxx.xxx.xxx.xxx sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4456 error redun_retry_tunnel: Ipsec not successful to saved lms. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. rebooting.
    May 26 11:49:44 <nanny 303086> <ERRS> |AP 94:b4:0f:c8:da:c0@xxx.xxx.xxx.xxx nanny| Process Manager (nanny) shutting down - AP will reboot!
    May 26 11:51:13 <sapd 311020> <ERRS> |AP 94:b4:0f:c8:da:c0@xxx.xxx.xxx.xxx sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4461 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. Ipsec not successful after reboot.
    May 26 11:52:38 <nanny 303086> <ERRS> |AP 94:b4:0f:c8:da:c0@xxx.xxx.xxx.xxx nanny| Process Manager (nanny) shutting down - AP will reboot!

     

    Can anyone shed light on this?

     

    Cheers

    James



  • 2.  RE: CPSec issue?

    Posted May 26, 2015 06:55 AM

    Have also tried deleting the AP entry and rebooting the AP; the same thing occurs.



  • 3.  RE: CPSec issue?

    EMPLOYEE
    Posted May 26, 2015 07:27 AM

    JrWhitehead,

     

    What model of access point is this?

     



  • 4.  RE: CPSec issue?

    Posted May 26, 2015 07:29 AM

    It's an AP225.



  • 5.  RE: CPSec issue?

    EMPLOYEE
    Posted May 26, 2015 07:32 AM

    JrWhitehead,

     

    If CPSEC never worked previously with this access point, it is looking like there is a problem with the built-in certificate on this AP.



  • 6.  RE: CPSec issue?

    Posted May 26, 2015 08:01 AM

    I got the same result from 2 different AP225s. Hope they're both not broken. :(



  • 7.  RE: CPSec issue?

    EMPLOYEE
    Posted May 26, 2015 08:02 AM

    How many access points do you already have connected to the controller successfully with CPSEC?

    Do you have a redundant configuration?

     

    Please execute "show whitelist-db cpsec-status"

     



  • 8.  RE: CPSec issue?

    Posted May 26, 2015 08:05 AM

    None. CPSec is disabled.

     

    We have 2 controllers in a master-standby configuration.



  • 9.  RE: CPSec issue?

    EMPLOYEE
    Posted May 26, 2015 08:10 AM

    So, to be clear, you are trying to enable CPSEC with no access points connected to the controller(s), and then connecting the AP225s?

     



  • 10.  RE: CPSec issue?

    Posted May 26, 2015 09:18 AM

    Yes that's correct.



  • 11.  RE: CPSec issue?

    Posted Nov 09, 2015 04:17 AM

    Any update with this problem? I have the same issue.

     

    Two AP 225s are working fine, and if I try to enable CPSec there is no way for the AP to connect to the controller.

     

    Regards,



  • 12.  RE: CPSec issue?

    MVP EXPERT
    Posted Nov 09, 2015 04:29 AM

    Hi,


    Are you able to paste the output of the below command?

     

    #show control-plane-security

     

    You'll need to check if the AP is in the whitelist and if the certificate has been approved or not. I believe the controller will approve the certificate after a few minutes, which will then cause the AP to reboot.

     

    What version of code are you running?



  • 13.  RE: CPSec issue?

    Posted Nov 09, 2015 09:48 AM

    Hi,

     

    (Aruba7210) (config) #show control-plane-security

    Control Plane Security Profile
    ------------------------------
    Parameter Value
    --------- -----
    Control Plane Security Enabled
    Auto Cert Provisioning Enabled
    Auto Cert Allow All Enabled
    Auto Cert Allowed Addresses N/A

     

    AP is in the whitelist but in "hold" state. I have tried to set the approved state manually but I still have the same error.

     

    Regards



  • 14.  RE: CPSec issue?

    Posted Nov 09, 2015 09:49 AM

    Forgot to say, code version: 6.4.2.13

     

    Regards



  • 15.  RE: CPSec issue?

    Posted Nov 18, 2015 11:19 AM

    Any update on this?

     

    I have the same issue. 90 APs out of 100 were shown as hold in the whitelist. Rebooting APs didn't help. Manually changed APs to factory certified state, still not up. APs are 104 and 135. Controller is 6.1.3.6.

     

    Then upgraded controller to 6.4.2.12. Same. Deleting AP entry in the whitelist and rebooting AP, same issue. Controller keeps saying:

     

    Nov 18 17:48:10 stm[2366]: <305048> <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 192.168.17.253 (MAC address 6c:f3:7f:c2:a6:16)

     

    Nov 18 17:47:52 sapd[832]: <311020> <ERRS> |AP TMPB01WA02@192.168.17.253 sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 3233 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKEP1. Ipsec not successful after reboot.
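As an added example (not from the thread or from HPE Aruba), a small Python triage script over the controller log format quoted in posts 1 and 15: it groups the sapd IPsec failures and nanny reboots per AP and lists the APs whose unencrypted control messages the controller dropped, which is what the CPSec hold/reboot cycle described here looks like in the syslog. The sample lines are constructed copies of the thread's format, with the redacted addresses replaced by placeholder IPs.

```python
import re
from collections import defaultdict

# Constructed sample, in the format of the ArubaOS syslog excerpts quoted in the thread.
SAMPLE_LOG = """\
May 26 11:46:49 <sapd 311020> <ERRS> |AP 94:b4:0f:c8:da:c0@10.0.0.5 sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4461 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. Ipsec not successful after reboot.
May 26 11:48:14 <nanny 303086> <ERRS> |AP 94:b4:0f:c8:da:c0@10.0.0.5 nanny| Process Manager (nanny) shutting down - AP will reboot!
May 26 11:49:42 <sapd 311020> <ERRS> |AP 94:b4:0f:c8:da:c0@10.0.0.5 sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4456 error redun_retry_tunnel: Ipsec not successful to saved lms. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. rebooting.
May 26 11:49:44 <nanny 303086> <ERRS> |AP 94:b4:0f:c8:da:c0@10.0.0.5 nanny| Process Manager (nanny) shutting down - AP will reboot!
Nov 18 17:48:10 stm[2366]: <305048> <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 192.168.17.253 (MAC address 6c:f3:7f:c2:a6:16)
Nov 18 17:47:52 sapd[832]: <311020> <ERRS> |AP TMPB01WA02@192.168.17.253 sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 3233 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKEP1. Ipsec not successful after reboot.
"""

# The AP identity is "|AP <name-or-mac>@<ip> <process>|"; the IPsec failure reason follows "Error:".
AP_RE = re.compile(r"\|AP (?P<ap>\S+)@(?P<ip>\S+) (?P<proc>\w+)\|")
ERR_RE = re.compile(r"Error:(?P<code>RC_[A-Z0-9_]+)\.")
DROP_RE = re.compile(r"Dropping unsecure AP message code \d+ from AP at (?P<ip>\S+) "
                     r"\(MAC address (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\)")


def summarize(log_text):
    """Per AP: count sapd IPsec tunnel failures and nanny reboots, collect error codes.
    Also return the (mac, ip) pairs whose cleartext messages stm dropped."""
    aps = defaultdict(lambda: {"ip": None, "ipsec_failures": 0, "reboots": 0, "codes": set()})
    dropped = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            dropped.append((m["mac"], m["ip"]))
            continue
        m = AP_RE.search(line)
        if not m:
            continue
        entry = aps[m["ap"]]
        entry["ip"] = m["ip"]
        if m["proc"] == "sapd" and "redun_retry_tunnel" in line:
            entry["ipsec_failures"] += 1
            e = ERR_RE.search(line)
            if e:
                entry["codes"].add(e["code"])
        elif m["proc"] == "nanny" and "AP will reboot" in line:
            entry["reboots"] += 1
    return aps, dropped


def flag_loops(aps, min_failures=2):
    """APs that repeatedly fail IPsec and then reboot: the hold/reboot cycle from the thread."""
    return sorted(ap for ap, v in aps.items()
                  if v["ipsec_failures"] >= min_failures and v["reboots"] >= 1)
```

Running `summarize(SAMPLE_LOG)` and `flag_loops` on the result singles out the AP225 from post 1 as looping, while the post 15 AP shows one IKE failure plus a dropped cleartext message.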

     

     



  • 16.  RE: CPSec issue?

    EMPLOYEE
    Posted Nov 18, 2015 11:21 AM

    @pydiao wrote:

    Any update on this?

     

    I have the same issue. 90 APs out of 100 were shown as hold in the whitelist. Rebooting APs didn't help. Manually changed APs to factory certified state, still not up. APs are 104 and 135. Controller is 6.1.3.6.

     

    Then upgraded controller to 6.4.2.12. Same. Deleting AP entry in the whitelist and rebooting AP, same issue. Controller keeps saying:

     

    Nov 18 17:48:10 stm[2366]: <305048> <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 192.168.17.253 (MAC address 6c:f3:7f:c2:a6:16)

     

    Nov 18 17:47:52 sapd[832]: <311020> <ERRS> |AP TMPB01WA02@192.168.17.253 sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 3233 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKEP1. Ipsec not successful after reboot.

     

     


    How many controllers do you have? At a maintenance window, you should try turning off control plane security, or opening a TAC case.

     



  • 17.  RE: CPSec issue?

    Posted Nov 18, 2015 11:25 AM

    Only one controller. M3.

     

    I tried disabling CPSEC. However, from the wired packet capture from AP port, it still shows the AP sending ISAKMP to the controller. The controller doesn't reply at all. And AP still shown as down.

     

    Just a question: does the AP keep the CPSEC config even after reboot? What's the AP startup procedure? Say it was CPSEC to controller before, then always CPSEC? I think this is not right.

     



  • 18.  RE: CPSec issue?

    EMPLOYEE
    Posted Nov 18, 2015 11:50 AM

    When the AP comes out of the box, it tries to connect without CPSEC. The controller will tell it to use CPSEC, and then it will have to accept a certificate and then use CPSEC. This process takes about 15 minutes. When you turn off CPSEC, the APs will continue to try with CPSEC, and then fall back to unencrypted. Please give it 15 minutes for this to complete. CPSEC is really only needed if you want to bridge AP traffic using Campus APs. If all of your traffic is tunneled, you do not need CPSEC. Give it 15 or 20 minutes until all of your APs come up without CPSEC, and you could sidestep whatever issue you are having.

     

     

     



  • 19.  RE: CPSec issue?

    Posted Nov 18, 2015 11:56 AM

    Thanks.

     

    Sounds more logical. After disabling CPSEC, it's been hours and the down APs couldn't be up. Then I did the wire capture and found the AP still used ISAKMP. (I didn't clear the APs from the whitelist)

     

    Maybe should do this: 1) disable CPSEC; 2) clear all AP entries in whitelist; 3) reboot the APs? 4) wait for 15 mins?



  • 20.  RE: CPSec issue?

    EMPLOYEE
    Posted Nov 18, 2015 12:21 PM

    Yes. If that doesn't work, you should contact TAC.



  • 21.  RE: CPSec issue?

    Posted Nov 19, 2015 03:53 AM

    Hi.

     

    In my case Aruba support had to connect to my controller and reinstall the default controller certificate. The default certificate was corrupt, so IPSEC couldn't get established.

     

    Regards,