Wireless Access

How to check if RAP turns on NAT traversal?

  • 1.  How to check if RAP turns on NAT traversal?

    Posted Jul 01, 2018 08:56 PM

    How to check if RAP turns on NAT traversal? We built the following network, and we entered "show datapath session table | include 4500" and got the following information. Can anybody tell us what FC and FY mean? And can we know whether the RAP turns NAT-T on or off, and how to know this?

     

    [Attachments: 10.png, 托管环境.jpg]



  • 2.  RE: How to check if RAP turns on NAT traversal?

    MVP EXPERT
    Posted Jul 02, 2018 01:46 AM
    A Y flag means that the 3-way handshake is not occurring, so the IPsec tunnel isn't established. Provision the RAP so that it is pointing to your 47.x.x.x address.

    Do you have UDP 4500 permitted via all firewalls? Is this just affecting a single RAP or all RAPs?


  • 3.  RE: How to check if RAP turns on NAT traversal?

    Posted Jul 02, 2018 02:05 AM

    Dear Mr Zalion

     

    1. You can see all of the details here:

    http://community.arubanetworks.com/t5/Wireless-Access/Aruba-RAP-contact-to-public-IP-VMC-AOS8-3-problem-need-help/td-p/438204

     

    2. All of the RAPs have the same problem.

     

    3. We have opened UDP 4500 and the GRE protocol on all of the firewalls we can control.

     

    4. Please check if you can access 47.104.193.111 by web or SSH; if yes, we can give you the password to check it. This VMC is for test, so please do not worry; you can make any change inside, because we can reset it to default in a few minutes.

     



  • 4.  RE: How to check if RAP turns on NAT traversal?

    EMPLOYEE
    Posted Jul 02, 2018 03:43 AM

    If you see port 4500 used, the RAP is using NAT Traversal. As far as I know, RAPs always use NAT Traversal.

     

    If you see IKE (udp/500) and AH (ip proto 51) then there is no NAT-T.

     

    For RAP, just udp/4500 should be ok.

     

    Also in general, there are only a few things that can go wrong with RAP. What I have seen: firewalls that open the udp/4500 IPsec session (disable DPI on VPN traffic for your RAPs), RAP not whitelisted (show log system all returns authentication errors for the MAC of the RAP), no IP VPN pool (RAP should be able to get an IP), or authentication issues (rarely with TPM certificate authentication; more with PSK wrong passwords).

     

    Do you have access to an Aruba partner, and/or Aruba Support? Please work with them as interactive troubleshooting will likely get a result much faster than asking through this forum.
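    The rule given in this reply (udp/4500 present means NAT-T; udp/500 plus IP protocol 51 means IKE/AH without NAT-T; a Y flag on the session means the tunnel never came up) can be applied to the datapath session table mechanically. The script below is an added example, not from the original thread or from Aruba; the sample rows are constructed, and the column layout (Source IP, Destination IP, Prot, SPort, DPort, ..., Flags last) is an assumption about the "show datapath session table" format.

```python
from collections import defaultdict

# Constructed sample lines in the assumed "show datapath session table" layout:
# SrcIP DstIP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
SAMPLE = """\
192.168.10.21   47.104.193.111  17   4500  4500   0/0  0  0  1  tunnel 10  1a  120  33600  FC
47.104.193.111  192.168.10.21   17   4500  4500   0/0  0  0  1  local      1a  118  33040  F
192.168.10.22   47.104.193.111  17   4500  4500   0/0  0  0  5  tunnel 11  2c  4    592    FCY
192.168.10.30   47.104.193.111  17   500   500    0/0  0  0  2  local      1f  6    1100   F
192.168.10.30   47.104.193.111  51   0     0      0/0  0  0  2  local      1f  9    1500   F
"""

UDP, AH_PROTO, IKE_PORT, NATT_PORT = 17, 51, 500, 4500

def parse_sessions(text):
    """Parse session rows into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or not f[2].isdigit():
            continue
        rows.append({"src": f[0], "dst": f[1], "proto": int(f[2]),
                     "sport": int(f[3]), "dport": int(f[4]), "flags": f[-1]})
    return rows

def classify_peers(rows, controller):
    """For each remote peer talking to the controller, report whether it uses
    NAT-T (udp/4500), plain IKE/AH (udp/500 + proto 51), and whether the
    udp/4500 session carries the Y flag (tunnel not established)."""
    peers = defaultdict(lambda: {"natt": False, "ike": False, "ah": False, "y": False})
    for r in rows:
        if r["dst"] != controller:
            continue  # only RAP -> controller direction is classified
        p = peers[r["src"]]
        if r["proto"] == UDP and r["dport"] == NATT_PORT:
            p["natt"] = True
            p["y"] = p["y"] or "Y" in r["flags"]
        elif r["proto"] == UDP and r["dport"] == IKE_PORT:
            p["ike"] = True
        elif r["proto"] == AH_PROTO:
            p["ah"] = True
    verdict = {}
    for peer, p in peers.items():
        if p["natt"]:
            verdict[peer] = "NAT-T, not established" if p["y"] else "NAT-T"
        elif p["ike"] and p["ah"]:
            verdict[peer] = "IKE/AH without NAT-T"
        else:
            verdict[peer] = "unknown"
    return verdict

if __name__ == "__main__":
    for peer, state in classify_peers(parse_sessions(SAMPLE), "47.104.193.111").items():
        print(peer, state)
```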



  • 5.  RE: How to check if RAP turns on NAT traversal?

    Posted Jul 02, 2018 03:50 AM

    Finally we found the way to test the VMC and firewall, but we still do not know if the RAP runs on UDP 4500?

     

    [Attachment: Snap22.jpg]



  • 6.  RE: How to check if RAP turns on NAT traversal?

    Posted Jul 02, 2018 04:08 AM

    (AOS83) [mynode] #show ap database

    AP Database
    -----------
    Name Group AP Type IP Address Status Flags Switch IP Standby IP
    ---- ----- ------- ---------- ------ ----- --------- ----------

    Flags: 1 = 802.1x authenticated AP use EAP-PEAP; 1+ = 802.1x use EST; 1- = 802.1x use factory cert; 2 = Using IKE version 2

    (AOS83) [mynode] #show ap-group
    default
    NoAuthApGroup
    rap
    <profile-name> Profile name
    | Output Modifiers
    <cr>

    (AOS83) [mynode] #show ap-group rap

    AP group "rap"
    --------------
    Parameter Value
    --------- -----
    Virtual AP ArubaRAP
    802.11a radio profile default
    802.11g radio profile default
    Ethernet interface 0 port configuration default
    Ethernet interface 1 port configuration default
    Ethernet interface 2 port configuration shutdown
    Ethernet interface 3 port configuration shutdown
    Ethernet interface 4 port configuration shutdown
    AP system profile default
    AP multizone profile default
    802.11a Traffic Management profile N/A
    802.11g Traffic Management profile N/A
    Regulatory Domain profile default
    RF Optimization profile default
    RF Event Thresholds profile default
    IDS profile default
    Mesh Radio profile default
    Mesh Cluster profile N/A
    Provisioning profile N/A
    AP authorization profile N/A

     


    (AOS83) [mynode] #show wlan virtual-ap
    ArubaRAP
    default
    <profile-name> Profile name
    | Output Modifiers
    <cr>

    (AOS83) [mynode] #show wlan virtual-ap arubaRAP

    Virtual AP profile "ArubaRAP"
    -----------------------------
    Parameter Value
    --------- -----
    AAA Profile ArubaRAP
    802.11K Profile default
    Hotspot 2.0 Profile N/A
    Virtual AP enable Enabled
    VLAN 1
    Forward mode tunnel
    SSID Profile ArubaRAP
    Allowed band all
    Band Steering Disabled
    Cellular handoff assist Disabled
    Openflow Enable Enabled
    Steering Mode prefer-5ghz
    Dynamic Multicast Optimization (DMO) Disabled
    Dynamic Multicast Optimization (DMO) Threshold 6
    Drop Broadcast and Multicast Disabled
    Convert Broadcast ARP requests to unicast Enabled
    Authentication Failure Blacklist Time 3600 sec
    Blacklist Time 3600 sec
    Deny inter user traffic Disabled
    Deny time range N/A
    DoS Prevention Disabled
    HA Discovery on-association Enabled
    Mobile IP Enabled
    Preserve Client VLAN Disabled
    Remote-AP Operation standard
    Station Blacklisting Enabled
    Strict Compliance Disabled
    VLAN Mobility Disabled
    WAN Operation mode always
    FDB Update on Assoc Disabled
    WMM Traffic Management Profile N/A
    Anyspot profile N/A

     

    (AOS83) [mynode] #show aaa profile
    ArubaRAP
    default
    default-dot1x
    default-dot1x-psk
    default-iap-aaa-profile
    default-mac-auth
    default-open
    default-tunneled-user
    default-xml-api
    NoAuthAAAProfile
    <profile-name> Profile name
    | Output Modifiers
    <cr>

    (AOS83) [mynode] #show aaa profile arubaRAP

    AAA Profile "ArubaRAP"
    ----------------------
    Parameter Value
    --------- -----
    Initial role authenticated
    MAC Authentication Profile N/A
    MAC Authentication Default Role guest
    MAC Authentication Server Group default
    802.1X Authentication Profile N/A
    802.1X Authentication Default Role guest
    802.1X Authentication Server Group N/A
    Download Role from CPPM Disabled
    Set username from dhcp option 12 Disabled
    L2 Authentication Fail Through Disabled
    Multiple Server Accounting Disabled
    User idle timeout N/A
    Max IPv4 for wireless user 2
    RADIUS Accounting Server Group N/A
    RADIUS Roaming Accounting Disabled
    RADIUS Interim Accounting Disabled
    RADIUS Acct-Session-Id In Access-Request Disabled
    XML API server N/A
    RFC 3576 server N/A
    User derivation rules N/A
    Wired to Wireless Roaming Enabled
    Reauthenticate wired user on VLAN change Disabled
    Device Type Classification Enabled
    Enforce DHCP Disabled
    PAN Firewall Integration Disabled
    Open SSID radius accounting Disabled

     

    (AOS83) [mynode] #show wlan ssid-profile
    ArubaRAP
    default
    <profile-name> Profile name
    | Output Modifiers
    <cr>

    (AOS83) [mynode] #show wlan ssid-profile arubaRAP

    SSID Profile "ArubaRAP"
    -----------------------
    Parameter Value
    --------- -----
    SSID enable Enabled
    ESSID ArubaRAP
    WPA Passphrase N/A
    Encryption opensystem
    Enable Management Frame Protection Disabled
    Require Management Frame Protection Disabled
    DTIM Interval 1 beacon periods
    802.11a Basic Rates 6 12 24
    802.11a Transmit Rates 6 9 12 18 24 36 48 54
    802.11g Basic Rates 1 2
    802.11g Transmit Rates 1 2 5 6 9 11 12 18 24 36 48 54
    Station Ageout Time 1000 sec
    Max Transmit Attempts 8
    RTS Threshold 2333 bytes
    Short Preamble Enabled
    Max Associations 64
    Wireless Multimedia (WMM) Disabled
    Wireless Multimedia U-APSD (WMM-UAPSD) Powersave Enabled
    WMM TSPEC Min Inactivity Interval 0 msec
    DSCP mapping for WMM voice AC (0-63) N/A
    DSCP mapping for WMM video AC (0-63) N/A
    DSCP mapping for WMM best-effort AC (0-63) N/A
    DSCP mapping for WMM background AC (0-63) N/A
    WMM Access Class of EAP traffic default
    Multiple Tx Replay Counters Enabled
    Hide SSID Disabled
    Deny_Broadcast Probes Disabled
    Local Probe Request Threshold (dB) 0
    Auth Request Threshold (dB) 0
    Disable Probe Retry Enabled
    Battery Boost Disabled
    WEP Key 1 N/A
    WEP Key 2 N/A
    WEP Key 3 N/A
    WEP Key 4 N/A
    WEP Transmit Key Index 1
    WPA Hexkey N/A
    Maximum Transmit Failures 0
    EDCA Parameters Station profile N/A
    EDCA Parameters AP profile N/A
    BC/MC Rate Optimization Disabled
    Rate Optimization for delivering EAPOL frames Enabled
    Strict Spectralink Voice Protocol (SVP) Disabled
    High-throughput SSID Profile default
    802.11g Beacon Rate default
    802.11a Beacon Rate default
    Video Multicast Rate Optimization default
    Advertise QBSS Load IE Disabled
    Advertise Location Info Disabled
    Advertise AP Name Disabled
    Traffic steering from WLAN to cellular Disabled
    802.11r Profile N/A
    Enforce user vlan for open stations Disabled
    Enable OKC Enabled

     

    In fact, we used the role logon first, and changed to authenticated, because we thought there might be some limits for logon?

     

    (AOS83) [mynode] #show rights authenticated

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'authenticated'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = rap_pool1
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 0
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 79/0
    Openflow: Enabled
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name Type
    ---- ----

    Application BW-Contract List
    ----------------------------
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 global-sacl session
    2 apprf-authenticated-sacl session
    3 ra-guard session
    4 allowall session
    5 v6-allowall session

    global-sacl
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    apprf-authenticated-sacl
    ------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    ra-guard
    --------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user any icmpv6 rtr-adv deny Low 6
    allowall
    --------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 any any any permit Low 4
    2 any any any-v6 permit Low 6
    v6-allowall
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------