Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

IAP-105 - provisioned as RAP - status Rc2ID

  • 1.  IAP-105 - provisioned as RAP - status Rc2ID

    Posted May 21, 2014 04:51 PM

    Hi,


    I am looking for an idea how to solve the problem.

     

    I am provisioning an IAP-105 as a RAP to a 650 controller.
    When the AP connects to the controller I get the flag Rc2ID.
    The same AP as a RAP connected to the 6000 controller works without a problem.
    Reconnecting to the 650 gives the flag Rc2ID again (both controllers run the same version, 6.3.1.6).

    any idea how to solve this problem?



  • 2.  RE: IAP-105 - provisioned as RAP - status Rc2ID

    Posted May 21, 2014 06:08 PM

    R = remote
    c = certificate based
    2 = IKE version
    I = Inactive
    D = dirty

    Validate whether you have AP licenses installed or enough AP licenses left.

    show license
    show license-usage ap

     

    Also check whether the group it is associated to is the proper one.



  • 3.  RE: IAP-105 - provisioned as RAP - status Rc2ID

    Posted May 22, 2014 02:34 AM



    Hi,

     
    I checked what Rc2ID means before sending this email.

    Installed Licenses:
    Access Points: 8 + 1
    Next Generation Policy Enforcement Firewall Module: 8 +1

    show license-usage ap

    AP Licenses
    -----------
    Type Number
    ----------
    AP Licenses 9
    PEF Licenses 9
    Overall AP License Limit 9

    AP Usage
    --------
    Type Count
    ---------
    Active CAPs 0
    Standby CAPs 0
    RAPs 2
    Remote-node APs 0
    Tunneled nodes 0
    Total APs 2

    Remaining Capacity AP
    ---------------------
    Type Number
    ----------
    CAPs 7
    RAPs 7

    So it seems that the licensing is all right.



  • 4.  RE: IAP-105 - provisioned as RAP - status Rc2ID

    Posted May 21, 2014 10:54 PM

    The D (dirty) flag could be for a variety of reasons. On the controller that is having a problem, run the following to see if there are any profile errors that may be affecting its functionality on the 650 vs. the M3.

     

    show profile-errors



  • 5.  RE: IAP-105 - provisioned as RAP - status Rc2ID

    Posted May 22, 2014 03:22 AM

    Hi,


    @clembo wrote:

    The D (dirty) flag could be for a variety of reasons. On the controller that is having a problem, run the following to see if there are any profile errors that may be affecting its functionality on the 650 vs. the M3.

     

    show profile-errors


    show profile-errors

    Invalid Profiles
    ----------------
    Profile  Error
    -------  -----

    There are no errors and it does not work.

    I checked the logs, and this is what I found.
    On the 650 controller:

    show log user all | include VPN

    May 22 08:45:14 :522018:  <WARN> |authmgr|  MAC=00:00:00:00:00:00 IP=?? Derived unknown role 'N/A' from server rules: server-group=default, authentication=VPN

     

    but on the 6000:

    May 22 08:47:40 :522038:  <INFO> |authmgr|  username=9c:1c:12:c9:65:61 MAC=9c:1c:12:c9:65:61 IP=79.187.221.239 Authentication result=Authentication Successful method=VPN server=Internal
    May 22 08:47:40 :522017:  <INFO> |authmgr|  MAC=00:00:00:00:00:00 IP=?? Derived role 'N/A' from server rules: server-group=default, authentication=VPN
    May 22 08:47:40 :522018:  <WARN> |authmgr|  MAC=00:00:00:00:00:00 IP=?? Derived unknown role 'N/A' from server rules: server-group=default, authentication=VPN
    May 22 08:47:40 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=9c:1c:12:c9:65:61 MAC=00:00:00:00:00:00 IP=10.1.1.40 role=ap-role VLAN=0 AP=N/A SSID=N/A AAA profile=default-rap auth method=VPN auth server=Internal
    May 22 08:47:40 :522050:  <INFO> |authmgr|  MAC=00:00:00:00:00:00,IP=10.1.1.40 User data downloaded to datapath, new Role=ap-role/4, bw Contract=0/0, reason= IP up for non VPN transport, idle-timeout=300
    May 22 08:47:40 :522050:  <INFO> |authmgr|  MAC=00:00:00:00:00:00,IP=79.187.221.239 User data downloaded to datapath, new Role=logon/1, bw Contract=0/0, reason=IP up for non VPN transport for external user, idle-timeout=300
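
Added example (not part of the original posts): a small Python triage helper that parses the authmgr lines quoted in post 5 and reports which VPN authentication stages each controller actually logged. The function names `summarize` and `triage` are hypothetical, and the sample input is the log text copied from the thread.

```python
import re

# authmgr lines copied from post 5 of this thread (650 first, then 6000).
LOG_650 = """May 22 08:45:14 :522018:  <WARN> |authmgr|  MAC=00:00:00:00:00:00 IP=?? Derived unknown role 'N/A' from server rules: server-group=default, authentication=VPN"""
LOG_6000 = """May 22 08:47:40 :522038:  <INFO> |authmgr|  username=9c:1c:12:c9:65:61 MAC=9c:1c:12:c9:65:61 IP=79.187.221.239 Authentication result=Authentication Successful method=VPN server=Internal
May 22 08:47:40 :522017:  <INFO> |authmgr|  MAC=00:00:00:00:00:00 IP=?? Derived role 'N/A' from server rules: server-group=default, authentication=VPN
May 22 08:47:40 :522018:  <WARN> |authmgr|  MAC=00:00:00:00:00:00 IP=?? Derived unknown role 'N/A' from server rules: server-group=default, authentication=VPN
May 22 08:47:40 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=9c:1c:12:c9:65:61 MAC=00:00:00:00:00:00 IP=10.1.1.40 role=ap-role VLAN=0 AP=N/A SSID=N/A AAA profile=default-rap auth method=VPN auth server=Internal
May 22 08:47:40 :522050:  <INFO> |authmgr|  MAC=00:00:00:00:00:00,IP=10.1.1.40 User data downloaded to datapath, new Role=ap-role/4, bw Contract=0/0, reason= IP up for non VPN transport, idle-timeout=300
May 22 08:47:40 :522050:  <INFO> |authmgr|  MAC=00:00:00:00:00:00,IP=79.187.221.239 User data downloaded to datapath, new Role=logon/1, bw Contract=0/0, reason=IP up for non VPN transport for external user, idle-timeout=300"""

# timestamp :msgid: <SEVERITY> |process| message
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} :(?P<id>\d+):\s+<(?P<sev>\w+)>"
                  r"\s+\|(?P<proc>\w+)\|\s+(?P<msg>.*)$")

def summarize(text):
    """Collect the authentication stages visible in authmgr output."""
    s = {"auth_success": False, "assigned_roles": [],
         "datapath_roles": [], "unknown_role_warnings": 0}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["proc"] != "authmgr":
            continue  # skip blank lines and other processes
        msg = m["msg"]
        if "User Authentication Successful" in msg:
            s["auth_success"] = True
            role = re.search(r"\brole=(\S+)", msg)
            if role:
                s["assigned_roles"].append(role.group(1))
        elif "User data downloaded to datapath" in msg:
            role = re.search(r"new Role=([^,/\s]+)", msg)
            if role:
                s["datapath_roles"].append(role.group(1))
        elif "Derived unknown role" in msg:
            s["unknown_role_warnings"] += 1
    return s

def triage(s):
    """One-line verdict: did the VPN user ever get a role?"""
    if s["auth_success"]:
        return "auth completed, role(s): " + ", ".join(s["assigned_roles"])
    if s["unknown_role_warnings"]:
        return "no successful VPN authentication logged, only unknown-role warnings"
    return "no authmgr VPN events found"

if __name__ == "__main__":
    for name, log in (("650", LOG_650), ("6000", LOG_6000)):
        print(name, "->", triage(summarize(log)))
```

The unknown-role warning appears on both controllers, so on its own it does not separate the working case from the failing one; the difference is that only the 6000 logs the successful authentication and the `ap-role` download to the datapath.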



  • 6.  RE: IAP-105 - provisioned as RAP - status Rc2ID

    EMPLOYEE
    Posted May 22, 2014 05:04 AM

    In the ap system profile of that ap-group, do you have an LMS-ip?  If you do, is it a private ip address?  If yes, please remove the LMS-IP and try again.  It looks like you are making a connection, but your RAP could be redirected to an unreachable private ip address.



  • 7.  RE: IAP-105 - provisioned as RAP - status Rc2ID

    Posted May 23, 2014 05:20 AM

    @cjoseph wrote:

    In the ap system profile of that ap-group, do you have an LMS-ip?  If you do, is it a private ip address?  If yes, please remove the LMS-IP and try again.  It looks like you are making a connection, but your RAP could be redirected to an unreachable private ip address.


    Hi,

    I do not set the LMS-IP.
    The VPN tunnel is connected: when I connect to the AP via console cable I can ping the local address of the controller (I left it at the default, 172.16.0.254).

     

     

    ====

    #show crypto ipsec sa


    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
    ------------     ------------     ----------------   ----- ---------------   --------
    81.18.220.1      213.241.33.58    7cbc6500/8e6dfe00  UT2   May 23 10:22:08   192.168.202.2

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

    Total IPSEC SAs: 1

    #show crypto isakmp sa

    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP     Responder IP   Flags       Start Time      Private IP
    ------------     ------------   -----     ---------------   ----------
    81.18.220.1      213.241.33.58  r-v2-c-R  May 23 10:22:07   192.168.202.2

    Flags: i = Initiator; r = Responder
           m = Main Mode; a = Agressive Mode v2 = IKEv2
           p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
           x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
           3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP
           V = VIA; S = VIA over TCP

    Total ISAKMP SAs: 1


    #show datapath session table | include 4500
    213.241.33.58   81.18.220.1     17   4500  64247  0/0     0 0   18  1/5         c8f  0         0          F
    81.18.220.1     213.241.33.58   17   64247 4500   0/0     0 0   0   1/5         c8f  0         0          FC
    ====

     

    LG

     



  • 8.  RE: IAP-105 - provisioned as RAP - status Rc2ID

    EMPLOYEE
    Posted May 23, 2014 06:04 AM

    This might be a difficult one if you don't open a support case. The #1 reason for dirty in RAPs is the LMS-IP, the #2 being licensing, and #3 is a profile error like Clembo says. #4 is usually that we are not allowing the correct firewall ports (which you are), or you have modified the logon or default-rap role so that it is blocking some traffic.



  • 9.  RE: IAP-105 - provisioned as RAP - status Rc2ID

    Posted May 23, 2014 07:21 AM

    @cjoseph wrote:

    This might be a difficult one if you don't open a support case. The #1 reason for dirty in RAPs is the LMS-IP, the #2 being licensing, and #3 is a profile error like Clembo says. #4 is usually that we are not allowing the correct firewall ports (which you are), or you have modified the logon or default-rap role so that it is blocking some traffic.


    Thanks,

     

    I will open a support case and tell you later where the problem was.

     

    LG



  • 10.  RE: IAP-105 - provisioned as RAP - status Rc2ID

    Posted May 25, 2014 12:49 AM

    Do you have IP NAT inside enabled on the controller's management VLAN?