Hi,
I'm experiencing this problem:
------
Continual Changes to the L2TP IP address
If you use the show user-table command or show crypto ipsec sa command several times and see
a different L2TP IP address in each instance of command output for the same peer, this may indicate
IPsec tunnel flapping.
-------
And the APs don't become active.
The network design is the following:
Controller<-->Firewall<-->Private WAN<-->Branch offices with AP-105s working as RAPs.
Only one of the branch offices is having the problem. This branch office was provisioned and working fine before. The firewall is managing all the branches with a /16 network, so they all have the same firewall policy applied.
The Virtual Branch Networks VRD guide indicates that the problem could be possible packet loss on the path. We are checking the WAN, but I am not sure that it will be the problem.
The IPsec tunnel is established but is deleted automatically.
Mar 25 17:02:59 :103063: <DBUG> |ike| ipc_mocana_setup_ipsec_dp_sa sa src=[controller ip]:4500,dst=[ap ip address]:49196,srcnet:0.0.0.0/0.0.0.0 dstnet:0.0.0.0/0.0.0.0
Mar 25 17:02:59 :103063: <DBUG> |ike| ipc_mocana_setup_ipsec_dp_sa innerip:192.168.124.117
Mar 25 17:02:59 :103063: <DBUG> |ike| ipc_mocana_setup_ipsec_dp_sa: out:0 natt:1 mode:1 proto:1 cipher:4 auth:2 spi:f1858700 oppspi:1eaac200 esrc:a3cbb05 edst:ac13000a dstnet:0 dstmask:0 nattport:49196 trust:0 dpd:0
Mar 25 17:02:59 :103063: <DBUG> |ike| Setup the IPSEC SA --- DONE !!
Mar 25 17:02:59 :103063: <DBUG> |ike| IKE_deleteSaByInnerIPExtIP delete IKE SA [ap ip address]:(inner:192.168.124.117)
Mar 25 17:02:59 :103063: <DBUG> |ike| IKE2_delSa sa:0x1027bcb4 peer:[ap ip address]:49196 id:2395091297 err:-90035 saflags:51 arflags
Mar 25 17:02:59 :103063: <DBUG> |ike| IKE2_delSa before IKE2_delXchg
Mar 25 17:02:59 :103063: <DBUG> |ike| IKE2_delSa before send-info-delete
Mar 25 17:02:59 :103063: <DBUG> |ike| IKE2_newXchg oExchange:37 bReq:1 dwMsgId:0
Mar 25 17:02:59 :103063: <DBUG> |ike| I --> Deleted: 1 IKE_ SA
Mar 25 17:02:59 :103063: <DBUG> |ike| IKE2_delSa(peer=[ap ip address] cookies={4dd3806355a42b0d 8b673f041231a876})
Mar 25 17:02:59 :103063: <DBUG> |ike| spi={4dd3806355a42b0d 8b673f041231a876} np=E{D}
Mar 25 17:02:59 :103063: <DBUG> |ike| exchange=INFORMATIONAL msgid=0 len=76
Mar 25 17:02:59 :103063: <DBUG> |ike| #SEND 80 bytes to [ap ip address](49196) (966281.195)
Mar 25 17:02:59 :103040: <INFO> |ike| IKE XAuth idle timeout for 192.168.124.117 (External [ap ip address])
(CONTROLLER) # show crypto ipsec sa peer [ap ip address]
Initiator IP: [ap ip address]
Responder IP: [controller ip]
Initiator: No
SA Creation Date: Mon Mar 25 18:02:47 2013
Life secs: 7200
Exchange Type: IKE_SA (IKEV2)
Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1
Encapsulation Mode Tunnel
PFS: no
IN SPI: C4D97C00, OUT SPI: A6F6A100
CFG Inner-IP 192.168.124.150
Responder IP: [controller ip]
(CONTROLLER) #show crypto isakmp sa peer [ap ip address]
Initiator IP: [ap ip address]
Responder IP: [controller ip]
Initiator: No
Initiator cookie:f2fd63d2447a327a Responder cookie:53b6f205a6625f45
SA Creation Date: Mon Mar 25 18:03:52 2013
Life secs: 28800
Initiator Phase1 ID: CN=BE0313093::d8:c7:c8:c6:c9:03
Responder Phase1 ID: CN=A00012152::00:0b:86:14:9e:80 L=SW
Exchange Type: IKE_SA (IKEV2)
Phase1 Transform:EncrAlg:AES HashAlg:HMAC_SHA1_96 DHGroup:2
Authentication Method: RSA Digital Signature 2048-bits
CFG Inner-IP 192.168.124.168
IPSEC SA Rekey Number: 0
Aruba AP
The D flag appears in the datapath session.
(CONTROLLER) #show datapath session table [ap ip address]
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
u - User Index
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- ------ ------ -----
[ap ip address] [controller ip] 17 49352 4500 0/0 0 0 0 pc0 10 10e 1f4d FC
0/0 0 0 149 pc0 FYC
[controller ip] [ap ip address] 17 4500 49352 0/0 0 0 1 pc0 10 ce ce F
0/0 0 0 0 pc0 FY
[controller ip] [ap ip address] 17 4500 49174 0/0 0 0 0 local 6 ce ce FDYC
0/0 0 0 149 local FDYC
Any ideas about what could be the cause of the problem? The only test we haven't done is to purge or factory reset the AP.
Thanks
Jose
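The quoted VRD text gives a manual test for flapping (run `show crypto ipsec sa` several times and watch the L2TP/inner IP change), and the IKE debug log above shows the same thing from the other side: an IPsec SA that is set up and torn down within the same second. The script below automates both checks. It is an added example, not code from the original post or from Aruba; the field names (`CFG Inner-IP`, `Setup the IPSEC SA --- DONE`, `IKE2_delSa ... err:`) are taken from the output shown in the post, while the sample captures, the 203.0.113.7/192.0.2.1 addresses, and the 60-second "short-lived" threshold are constructed assumptions.

```python
"""Flap detector for an Aruba RAP IPsec/IKEv2 peer (added example, not from the post).

Two inputs an operator already has:
  1. repeated captures of `show crypto ipsec sa peer <ip>` or `show crypto isakmp sa
     peer <ip>`: a different CFG Inner-IP in each capture is the flapping symptom
     the VRD describes;
  2. `|ike|` debug log lines: an IPsec SA whose "Setup ... DONE" is followed by an
     IKE2_delSa a few seconds later is the same symptom seen from IKE.
The sample text below is constructed to mirror the post; addresses are documentation IPs.
"""
import re
from datetime import datetime

# Field patterns taken from the output shown in the post.
INNER_IP_RE = re.compile(r"CFG Inner-IP\s+(\d{1,3}(?:\.\d{1,3}){3})")
LOG_TS_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)")
SETUP_DONE_RE = re.compile(r"Setup the IPSEC SA --- DONE")
DELSA_RE = re.compile(r"IKE2_delSa sa:\S+ peer:(\S+) id:\d+ err:(-?\d+)")


def inner_ips(samples):
    """CFG Inner-IP from each captured 'show crypto ... sa peer' sample (None if absent)."""
    found = []
    for text in samples:
        m = INNER_IP_RE.search(text)
        found.append(m.group(1) if m else None)
    return found


def inner_ip_flaps(samples):
    """True when successive captures for the same peer show different inner IPs."""
    return len(set(inner_ips(samples))) > 1


def _ts(line):
    """Syslog-style timestamp without a year; only differences between lines are used."""
    m = LOG_TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def sa_lifetimes(log_lines):
    """Pair each 'Setup the IPSEC SA --- DONE' with the next IKE2_delSa.

    Returns (peer, seconds_alive, err) tuples so the err code can be quoted to TAC."""
    events, pending = [], None
    for line in log_lines:
        if SETUP_DONE_RE.search(line):
            pending = _ts(line)
            continue
        m = DELSA_RE.search(line)
        if m and pending is not None:
            alive = (_ts(line) - pending).total_seconds()
            events.append((m.group(1), alive, int(m.group(2))))
            pending = None
    return events


def short_lived(events, max_seconds=60):
    """Events whose SA was deleted faster than max_seconds (assumed flap threshold)."""
    return [e for e in events if e[1] < max_seconds]


# Constructed: three captures of 'show crypto ipsec sa peer 203.0.113.7' a minute apart.
SAMPLES = [
    "Initiator IP: 203.0.113.7\nResponder IP: 192.0.2.1\nCFG Inner-IP 192.168.124.117\n",
    "Initiator IP: 203.0.113.7\nResponder IP: 192.0.2.1\nCFG Inner-IP 192.168.124.150\n",
    "Initiator IP: 203.0.113.7\nResponder IP: 192.0.2.1\nCFG Inner-IP 192.168.124.168\n",
]

# Constructed IKE debug lines modelled on the post (AP address replaced by 203.0.113.7).
IKE_LOG = [
    "Mar 25 17:02:59 :103063: <DBUG> |ike| Setup the IPSEC SA --- DONE !!",
    "Mar 25 17:02:59 :103063: <DBUG> |ike| IKE2_delSa sa:0x1027bcb4 peer:203.0.113.7:49196 id:2395091297 err:-90035 saflags:51 arflags",
    "Mar 25 17:02:59 :103040: <INFO> |ike| IKE XAuth idle timeout for 192.168.124.117 (External 203.0.113.7)",
    "Mar 25 17:04:11 :103063: <DBUG> |ike| Setup the IPSEC SA --- DONE !!",
    "Mar 25 17:04:13 :103063: <DBUG> |ike| IKE2_delSa sa:0x1027bd10 peer:203.0.113.7:49352 id:2395091298 err:-90035 saflags:51 arflags",
]

if __name__ == "__main__":
    print("inner-IP flap:", inner_ip_flaps(SAMPLES), inner_ips(SAMPLES))
    for peer, alive, err in short_lived(sa_lifetimes(IKE_LOG)):
        print(f"{peer}: SA lived {alive:.0f}s before delete, err={err}")
```

Feed `inner_ip_flaps()` the output of the same `show crypto ipsec sa peer` command captured a few times a minute apart; for the IKE side, paste the `|ike|` lines from `show log security` after enabling IKE debugging for the peer. A run where the inner IP keeps changing and every SA is deleted within seconds of setup supports the VRD's flapping reading; a stable inner IP with a single long-lived SA points elsewhere.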