Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

CPSec issue

  • 1.  CPSec issue

    Posted Feb 17, 2017 01:19 PM

    On a controller I have the following issue. The AP is in a rebooting loop with the certificate in the Hold state. Modifying the cert to approved switch-cert or factory-cert during provisioning gives no result.

    In show log system I get the following messages constantly, in a loop:

    Feb 17 19:08:47 :311020:  <ERRS> |AP 9c:1c:12@10.10.10.6 sapd|  An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4555 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. Ipsec not successful after reboot.
    Feb 17 19:09:56 :311002:  <WARN> |AP 9c:1c:12@10.10.10.6 sapd|  Rebooting: SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
    Feb 17 19:09:56 :303086:  <ERRS> |AP 9c:1c:12@10.10.10.6 nanny| Process Manager (nanny) shutting down - AP will reboot!
    Feb 17 19:11:12 :303022:  <WARN> |AP 9c:1c:12@10.10.10.6 nanny|  Reboot Reason: AP rebooted Fri Feb 17 19:09:56 CET 2017; SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
    Feb 17 19:12:30 :311020:  <ERRS> |AP 9c:1c:12@10.10.10.6 sapd|  An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4550 error redun_retry_tunnel: Ipsec not successful to saved lms. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. rebooting.
    Feb 17 19:12:31 :311002:  <WARN> |AP 9c:1c:12@10.10.10.6 sapd|  Rebooting: Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
    Feb 17 19:12:31 :303086:  <ERRS> |AP 9c:1c:12@10.10.10.6 nanny| Process Manager (nanny) shutting down - AP will reboot!
    Feb 17 19:13:47 :303022:  <WARN> |AP 9c:1c:12@10.10.10.6 nanny|  Reboot Reason: AP rebooted Fri Dec 31 16:02:06 PST 1999; Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED

    This IAP103 (converted, controller managed) used to work fine with this controller on 6.5.0.3. After resetting the controller to factory defaults, this issue came up.

    Is it possible that the controller cert is somehow damaged? How can I verify this? Is there a way to fix this cert by a software upgrade?
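As an added example (not part of the original post), here is a small Python triage script for log lines of the shape quoted above. It parses the sapd/nanny messages, counts reboots per AP, tallies the IKE/IPsec error codes, measures the interval between consecutive reboots, and flags an AP whose "Reboot Reason" carries a pre-2010 timestamp (the last line above reports a reboot on 31 Dec 1999, i.e. the AP had no valid clock at that moment). The sample input is the post's own lines plus one constructed line for a second AP; the loop threshold of two reboots and the 2010 clock cutoff are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample input: the sapd/nanny lines quoted in the post, plus one constructed
# line for a second AP (aa:bb:cc) that reboots once and is not in a loop.
SAMPLE_LOG = """\
Feb 17 19:08:47 :311020:  <ERRS> |AP 9c:1c:12@10.10.10.6 sapd|  An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4555 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. Ipsec not successful after reboot.
Feb 17 19:09:56 :311002:  <WARN> |AP 9c:1c:12@10.10.10.6 sapd|  Rebooting: SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
Feb 17 19:09:56 :303086:  <ERRS> |AP 9c:1c:12@10.10.10.6 nanny| Process Manager (nanny) shutting down - AP will reboot!
Feb 17 19:11:12 :303022:  <WARN> |AP 9c:1c:12@10.10.10.6 nanny|  Reboot Reason: AP rebooted Fri Feb 17 19:09:56 CET 2017; SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
Feb 17 19:12:30 :311020:  <ERRS> |AP 9c:1c:12@10.10.10.6 sapd|  An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4550 error redun_retry_tunnel: Ipsec not successful to saved lms. Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED. rebooting.
Feb 17 19:12:31 :311002:  <WARN> |AP 9c:1c:12@10.10.10.6 sapd|  Rebooting: Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
Feb 17 19:12:31 :303086:  <ERRS> |AP 9c:1c:12@10.10.10.6 nanny| Process Manager (nanny) shutting down - AP will reboot!
Feb 17 19:13:47 :303022:  <WARN> |AP 9c:1c:12@10.10.10.6 nanny|  Reboot Reason: AP rebooted Fri Dec 31 16:02:06 PST 1999; Unable to set up IPSec tunnel to saved lms, Error:RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
Feb 17 19:14:02 :311002:  <WARN> |AP aa:bb:cc@10.10.10.7 sapd|  Rebooting: SAPD: Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)
"""

# "<Mon> <day> <time> :<msgid>:  <SEV> |AP <mac>@<ip> <process>| <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) :(?P<msgid>\d+): +<(?P<sev>\w+)> "
    r"\|AP (?P<ap>[0-9a-f:]+)@(?P<ip>[\d.]+) (?P<proc>\w+)\| +(?P<msg>.*)$"
)
ERROR_RE = re.compile(r"Error:(?P<code>RC_ERROR_[A-Z0-9_]+)")
REBOOT_YEAR_RE = re.compile(r"AP rebooted .*?(?P<year>\d{4});")

MSG_REBOOTING = "311002"      # sapd: "Rebooting: ..." (AP is about to reboot)
MSG_REBOOT_REASON = "303022"  # nanny: "Reboot Reason: AP rebooted <time>; ..."
STALE_CLOCK_BEFORE = 2010     # assumption: a reboot time before this means no valid clock


def parse_line(line, year=2017):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The syslog timestamp carries no year; the caller supplies it.
    rec["time"] = datetime.strptime(f"{rec['ts']} {year}", "%b %d %H:%M:%S %Y")
    return rec


def triage(text, year=2017, loop_threshold=2):
    """Summarise reboots, error codes and clock state per AP."""
    aps = defaultdict(lambda: {"ip": None, "reboots": 0, "errors": Counter(),
                               "stale_clock": False, "reboot_times": []})
    for line in text.splitlines():
        rec = parse_line(line, year)
        if rec is None:
            continue
        ap = aps[rec["ap"]]
        ap["ip"] = rec["ip"]
        err = ERROR_RE.search(rec["msg"])
        if err:
            ap["errors"][err.group("code")] += 1
        if rec["msgid"] == MSG_REBOOTING:
            ap["reboots"] += 1
            ap["reboot_times"].append(rec["time"])
        elif rec["msgid"] == MSG_REBOOT_REASON:
            y = REBOOT_YEAR_RE.search(rec["msg"])
            if y and int(y.group("year")) < STALE_CLOCK_BEFORE:
                ap["stale_clock"] = True

    report = {}
    for mac, ap in aps.items():
        times = sorted(ap["reboot_times"])
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[mac] = {
            "ip": ap["ip"],
            "reboots": ap["reboots"],
            "loop": ap["reboots"] >= loop_threshold,
            "errors": dict(ap["errors"]),
            "stale_clock": ap["stale_clock"],
            "min_reboot_interval_s": min(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for mac, info in triage(SAMPLE_LOG).items():
        flag = "REBOOT LOOP" if info["loop"] else "ok"
        print(f"AP {mac}@{info['ip']}: {flag}, reboots={info['reboots']}, "
              f"min interval={info['min_reboot_interval_s']}s, "
              f"errors={info['errors']}, stale_clock={info['stale_clock']}")
```

Run it as a script to print one summary line per AP; feed it the output of show log system for a larger capture. A reboot interval of a couple of minutes with the same RC_ERROR code on every attempt is the pattern to look for, and a stale reboot timestamp is worth noting because certificate validity checks depend on the AP having a sane clock.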




  • 2.  RE: CPSec issue

    Posted Feb 20, 2017 03:31 AM

    Based on the logs, you have an IKE phase 1 issue.

    I would re-check the setup in case something got changed in the upgrade.


    Check the IAP MAC is still in the whitelist.

    Check the VPN pool; make sure it is a non-routable IP range.

    Check default-vpn-role:

    show references user-role default-vpn-role

    References to User Role "default-vpn-role"
    ------------------------------------------
    aaa authentication vpn "default" default-role
    aaa authentication vpn "default-iap" default-role
    aaa authentication vpn "default-rap" default-role


    Run the following commands if you still have the issue:

    - show datapath session table <ipaddress> | include 4500
    - show crypto ipsec sa
    - show user-table verbose

    Make sure UDP/4500 is allowed.
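As an added example (not from the reply above or from HPE Aruba), the "non-routable IP range" check on the VPN pool can be done offline with Python's ipaddress module: give it the pool's start and end address and the subnets the controller already routes, and it reports whether the pool is private addressing and whether any of its CIDR blocks collide with an existing subnet. The pool range and the second local subnet are constructed sample values; the AP subnet 10.10.10.0/24 is taken from the log lines in the question.

```python
import ipaddress

# Constructed sample values, not taken from the thread: a VPN pool given as a
# start and end address, and the subnets the controller already routes
# (the AP's own 10.10.10.0/24 from the post and one made-up management subnet).
POOL_START, POOL_END = "192.168.200.1", "192.168.200.254"
LOCAL_SUBNETS = ["10.10.10.0/24", "192.168.1.0/24"]


def pool_networks(start, end):
    """Collapse a start-end address range into the CIDR blocks it spans."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first.version != last.version or first > last:
        raise ValueError(f"invalid pool range {start}-{end}")
    return list(ipaddress.summarize_address_range(first, last))


def check_vpn_pool(start, end, local_subnets):
    """Verdict on a pool: private (RFC 1918 style) addressing and no overlap
    with subnets the controller already uses for APs or management."""
    nets = pool_networks(start, end)
    local = [ipaddress.ip_network(s, strict=False) for s in local_subnets]
    findings = []
    private = all(n.is_private for n in nets)
    if not private:
        findings.append("pool contains publicly routable addresses")
    for n in nets:
        for sub in local:
            if n.overlaps(sub):
                findings.append(f"pool block {n} overlaps local subnet {sub}")
    return {
        "size": sum(n.num_addresses for n in nets),
        "private": private,
        "findings": findings,
        "ok": not findings,
    }


if __name__ == "__main__":
    verdict = check_vpn_pool(POOL_START, POOL_END, LOCAL_SUBNETS)
    print(f"pool {POOL_START}-{POOL_END}: {verdict['size']} addresses, "
          f"private={verdict['private']}, ok={verdict['ok']}")
    for f in verdict["findings"]:
        print("  -", f)
```

A pool that overlaps the subnet the APs sit on is a common cause of tunnels that come up and then fail to pass traffic, so the overlap check is worth keeping alongside the private-range check.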




  • 3.  RE: CPSec issue

    Posted Feb 22, 2017 10:45 PM
    - Are all APs affected?
    - This could be due to the cert.
    - Is this a master controller?

    Collect the output of the commands below:

    show tpm cert-info
    show tpm error