Hi,
We are currently setting up a new greenfield Aruba deployment with a 7205 controller terminating both RAPs and CAPs.
We have an active open case with TAC for days now and still trying to troubleshoot why the APs are not coming up correctly.
There is a firewall in the path at the datacentre where the controller has been deployed, between the CAPs at the branches and the RAPs, but the policy is currently an IP any to and from the controller (to eliminate the FW being the problem). We do not see any denies and do see an active session in the session table.
The IPSEC tunnel seems to be flapping constantly. Trawling through the logs I'm seeing the below for the CAPs.
Sep 7 21:54:13 :103063: <3960> <DBUG> |ike| 192.168.2.88:4500-> ikev2_same_sa:
Sep 7 21:54:13 :103063: <3960> <DBUG> |ike| 192.168.2.88:4500-> Cookies : Initiator cookie:dbb0bcbf2b4a345c new sa Initiator cookie:668ed1df46d25865
Sep 7 21:54:13 :103063: <3960> <DBUG> |ike| 192.168.2.88:4500-> ikev2_same_sa: compareResult not equal for Initiator cookies
The RAPs connecting to the controller look to go through IPSEC phase 1 and phase 2, get an IP address from the vpdn pool and then fall over.
show datapath session | include 4500
220.244.129.186 10.160.0.20 17 36079 4500 0/0 0 0 0 pc0 32 11 1504 FC
220.244.129.186 10.160.0.20 17 31270 4500 1/0 0 0 0 pc0 1 8 3480 FC
10.160.0.20 220.244.129.186 17 4500 36079 0/0 0 0 1 pc0 32 0 0 F
10.160.0.20 220.244.129.186 17 4500 31270 0/0 0 0 0 pc0 1 9 6557 F
show crypto ipsec sa peer 220.244.129.186
Initiator IP: 220.244.129.186
Responder IP: 10.160.0.20
Initiator: No
SA Creation Date: Thu Sep 7 23:02:47 2017
Life secs: 7200
Exchange Type: IKE_SA (IKEV2)
Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1
Encapsulation Mode Tunnel
IP Compression Disabled
PFS: no
IN SPI: 3AE17800, OUT SPI: 98729000
CFG Inner-IP 10.160.17.110
Responder IP: 10.160.0.20
show crypto ipsec sa peer 220.244.129.186
Initiator IP: 220.244.129.186
Responder IP: 10.160.0.20
Initiator: No
SA Creation Date: Thu Sep 7 23:04:16 2017
Life secs: 7200
Exchange Type: IKE_SA (IKEV2)
Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1
Encapsulation Mode Tunnel
IP Compression Disabled
PFS: no
IN SPI: 5B81F700, OUT SPI: DBC800
CFG Inner-IP 10.160.17.111
Responder IP: 10.160.0.20
Notice that due to the IPSEC flapping I can never ping the inner IP of the RAP, and they rotate through the RAP pool addressing (notice the Inner-IP change above).
Does anyone have any ideas? I have followed the following to no avail...
http://community.arubanetworks.com/t5/Controller-Based-WLANs/Understanding-and-Troubleshooting-IPSec-issues/ta-p/240527
http://www.arubanetworks.com/techdocs/ArubaOS_65x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Firewall_Port_Info/Communication_Between__D.htm
http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-troubleshoot-RAP-in-ArubaOS/ta-p/178634
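As an added example, not part of the original post or of any Aruba tooling: a small parser for the "show crypto ipsec sa peer" output quoted above that flags a peer whose SA keeps being rebuilt long before its 7200-second lifetime expires (fresh SPIs, and usually a fresh inner IP from the pool), which is exactly the rotation described. The sample text is constructed from the two snapshots in the post.

```python
import re
from datetime import datetime

# Constructed sample: two successive snapshots for one RAP, in the same
# layout the controller prints (only the fields the parser needs are kept).
SAMPLE = """Initiator IP: 220.244.129.186
Responder IP: 10.160.0.20
SA Creation Date: Thu Sep 7 23:02:47 2017
Life secs: 7200
IN SPI: 3AE17800, OUT SPI: 98729000
CFG Inner-IP 10.160.17.110
Initiator IP: 220.244.129.186
Responder IP: 10.160.0.20
SA Creation Date: Thu Sep 7 23:04:16 2017
Life secs: 7200
IN SPI: 5B81F700, OUT SPI: DBC800
CFG Inner-IP 10.160.17.111
"""

def parse_sas(text):
    """Split the command output into one dict per SA record."""
    sas, cur = [], {}
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise spacing
        if line.startswith("Initiator IP:"):
            if cur:
                sas.append(cur)
            cur = {"peer": line.split(":", 1)[1].strip()}
        elif line.startswith("SA Creation Date:"):
            stamp = line.split(":", 1)[1].strip()
            cur["created"] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        elif line.startswith("Life secs:"):
            cur["life"] = int(line.split(":", 1)[1])
        elif line.startswith("IN SPI:"):
            cur["in_spi"], cur["out_spi"] = re.match(
                r"IN SPI: (\w+), OUT SPI: (\w+)", line).groups()
        elif line.startswith("CFG Inner-IP"):
            cur["inner_ip"] = line.split()[-1]
    if cur:
        sas.append(cur)
    return sas

def flapping_peers(sas, window_secs=600):
    """Report peers whose SA was replaced (new IN SPI) within window_secs of
    the previous one, i.e. well inside the configured lifetime."""
    by_peer = {}
    for sa in sas:
        by_peer.setdefault(sa["peer"], []).append(sa)
    findings = {}
    for peer, recs in by_peer.items():
        recs.sort(key=lambda r: r["created"])
        for prev, nxt in zip(recs, recs[1:]):
            gap = (nxt["created"] - prev["created"]).total_seconds()
            if gap < min(window_secs, prev["life"]) and nxt["in_spi"] != prev["in_spi"]:
                findings.setdefault(peer, []).append(
                    {"gap_secs": gap,
                     "inner_ip_changed": nxt["inner_ip"] != prev["inner_ip"]})
    return findings
```

Feed it several snapshots taken a few minutes apart; a peer that appears in the findings with a short gap and a changing inner IP is re-keying from scratch rather than renewing its SA.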