Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP-155 unable to download image Error: fail to retrieve image

  • 1.  RAP-155 unable to download image Error: fail to retrieve image

    Posted Apr 14, 2016 11:01 PM

    I am running a 3400 controller with 6.4.3.6-FIPS software.

    I am attempting to connect a remote office to my campus.

    Nat-t is working through the firewall to the controller

     

    I can see ipsec and l2tp tunnels establish successfully, but the image then fails to download and forces the AP to recycle repeatedly with the same error.

     

    Any suggestions?

     

    Regards

    mark



  • 2.  RE: RAP-155 unable to download image Error: fail to retrieve image

    EMPLOYEE
    Posted Apr 14, 2016 11:04 PM
    What error? How are you provisioning that RAP?


  • 3.  RE: RAP-155 unable to download image Error: fail to retrieve image

    Posted Apr 14, 2016 11:17 PM

    Zero touch provisioning

    From the controller I can see the below isakmp sa info and ipsec sa info:

     

     

    (NINBURWIRCN01) # show crypto isakmp sa

    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP     Responder IP   Flags       Start Time      Private IP
    ------------     ------------   -----     ---------------   ----------
    125.236.200.158  172.18.145.3   r-v2-c-I  Apr 15 15:12:00   8.8.8.6

    Flags: i = Initiator; r = Responder
           m = Main Mode; a = Agressive Mode v2 = IKEv2
           p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
           x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
           3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP
           V = VIA; S = VIA over TCP

    Total ISAKMP SAs: 1

    (NINBURWIRCN01) # show crypto ipsec sa


    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
    ------------     ------------     ----------------   ----- ---------------   --------
    125.236.200.158  172.18.145.3     87144400/c1da2d00  UT2   Apr 15 15:12:43   8.8.8.8

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

    Total IPSEC SAs: 1

     

     

    After that it fails to retrieve the image

     

    Not sure what to look for now. I can cut a debug log if you are able to assist.

    Mark
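
Added example (not part of the original posts, and not Aruba code): a small Python parser that builds the flag legend from the `show crypto isakmp sa` output itself and decodes the Flags column, so `r-v2-c-I` reads as responder, IKEv2, certificate authentication, IAP. The function names are hypothetical; the sample text is copied from the post above.

```python
import re

# ISAKMP SA output copied from the post above (header, one row, legend).
SAMPLE = """\
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
125.236.200.158  172.18.145.3   r-v2-c-I  Apr 15 15:12:00   8.8.8.6

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1
"""

# initiator, responder, flags, start time ("Apr 15 15:12:00"), private/inner IP
ROW = re.compile(r"^\s*(\d\S+)\s+(\d\S+)\s+(\S+)\s+(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)\s*$")

def parse_legend(text):
    """Build {flag: meaning} from the 'Flags:' block printed under the table."""
    block = []
    for line in text.splitlines():
        if line.lstrip().startswith("Flags:"):
            block.append(line.split("Flags:", 1)[1])
        elif block and line.strip():
            block.append(line)
        elif block:
            break  # the blank line after the legend ends it
    blob = " ".join(block)
    # Locate every "key = " and take the text up to the next key, so the
    # "a = Agressive Mode v2 = IKEv2" line (no ';' separator) still splits.
    keys = list(re.finditer(r"(\S+)\s+=\s+", blob))
    ends = [m.start() for m in keys[1:]] + [len(blob)]
    return {m.group(1): blob[m.end():e].strip(" ;") for m, e in zip(keys, ends)}

def parse_sessions(text):
    """Return one dict per SA row, with the hyphen-separated Flags decoded."""
    legend = parse_legend(text)
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            initiator, responder, flags, start, inner = m.groups()
            decoded = [legend.get(t, "unknown flag " + t) for t in flags.split("-")]
            sessions.append({"initiator": initiator, "responder": responder,
                             "flags": decoded, "start": start, "inner_ip": inner})
    return sessions

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["initiator"], "->", s["responder"], "|", ", ".join(s["flags"]))
```
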

     

     



  • 4.  RE: RAP-155 unable to download image Error: fail to retrieve image

    EMPLOYEE
    Posted Apr 15, 2016 06:36 AM

    You should type "show log system 50" to see if anything is happening.  Is there a specific reason that you are using FIPS software?  That could be part of your issue.

     



  • 5.  RE: RAP-155 unable to download image Error: fail to retrieve image

    Posted Apr 17, 2016 03:32 PM

    Thanks again

    Have run: show log system 50

    The only entry in the log not related to existing campus APs is below:

     

     <ERRS> |fpapps| |configuration| Configuration error: Unable to find the ipsec map for tunnel down event. ip 134744070 in procIkeIpsecMsg, arubaIpsecRouteUtils.c:241.

     

    Have also disabled FIPS mode but still has the same entry repeating



  • 6.  RE: RAP-155 unable to download image Error: fail to retrieve image

    EMPLOYEE
    Posted Apr 17, 2016 06:48 PM
    Did the rap-155 start off as an IAP? What regulatory domain did you set?


  • 7.  RE: RAP-155 unable to download image Error: fail to retrieve image

    Posted Apr 17, 2016 10:00 PM

    Yes, started off as an IAP, country code NZ

    Selected Maintenance > Convert > Remote APs managed by a mobility controller

    Pointed at the controllers external IP address and clicked convert now

     

    IAP log shows :

    Executing '/aruba/bin/download_image_swarm ac-ftp://172.18.145.3/armv5te.ari'

    fetching ('/usr/sbin/wget -T 120 -t 3 ftp://sap:x@172.18.145.3/armv5te.ari')

    Error: failed to retrieve image

    cleaning up

    done

     

    Controller at my end sees it as below:

     

    (NINBURWIRCN01) #show crypto ipsec sa


    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
    ------------     ------------     ----------------   ----- ---------------   --------
    125.236.###.###  172.18.145.3     5f8f3800/caba5900  UT2   Apr 18 12:39:46   8.8.8.4

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

    Total IPSEC SAs: 1

    (NINBURWIRCN01) #show crypto isakmp sa

    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP     Responder IP   Flags       Start Time      Private IP
    ------------     ------------   -----     ---------------   ----------
    125.236.###.###  172.18.145.3   r-v2-c-I  Apr 18 12:39:47   8.8.8.4

    Flags: i = Initiator; r = Responder
           m = Main Mode; a = Agressive Mode v2 = IKEv2
           p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
           x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
           3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP
           V = VIA; S = VIA over TCP

    Total ISAKMP SAs: 1

    (NINBURWIRCN01) #show datapath session | include 4500
    125.236.###.### 172.18.145.3    17   58660 4500   1/0     0    0   0   1/1         6    0          0          FC
    172.18.145.3    125.236.###.### 17   4500  58660  0/0     0    0   0   1/1         6    0          0          F

    (NINBURWIRCN01) #



  • 8.  RE: RAP-155 unable to download image Error: fail to retrieve image

    EMPLOYEE
    Posted Apr 17, 2016 10:35 PM

    What is the output of "show rights sys-ap-role"?

     



  • 9.  RE: RAP-155 unable to download image Error: fail to retrieve image

    Posted Apr 17, 2016 10:40 PM

    (NINBURWIRCN01) #show rights sys-ap-role

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'sys-ap-role'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 0
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     ACL Number = 10/0
     Max Sessions = 65535

     Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------
    Position  Name         Type     Location
    --------  ----         ----     --------
    1         sys-control  session
    2         sys-ap-acl   session

    sys-control
    -----------
    Priority  Source  Destination  Service               Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------               -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          sys-svc-icmp                       permit                           Low                                                           4
    2         any     any          sys-svc-dns                        permit                           Low                                                           4
    3         any     any          sys-svc-papi                       permit                           Low                                                           4
    4         any     any          sys-svc-sec-papi                   permit                           Low                                                           4
    5         any     any          sys-svc-cfgm-tcp                   permit                           Low                                                           4
    6         any     any          sys-svc-adp                        permit                           Low                                                           4
    7         any     any          sys-svc-tftp                       permit                           Low                                                           4
    8         any     any          sys-svc-dhcp                       permit                           Low                                                           4
    9         any     any          sys-svc-natt                       permit                           Low                                                           4
    10        any     any          sys-svc-openflow-tcp               permit                           Low                                                           4
    sys-ap-acl
    ----------
    Priority  Source  Destination  Service               Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------               -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          sys-svc-gre                        permit                           Low                                                           4
    2         any     any          sys-svc-syslog                     permit                           Low                                                           4
    3         any     any          sys-svc-snmp                       permit                           Low                                                           4
    4         any     any          sys-svc-http                       permit                           Low                                                           4
    5         user    any          sys-svc-kerberos-tcp               permit                           Low                                                           4
    6         user    any          sys-svc-smb-tcp                    permit                           Low                                                           4
    7         any     any          sys-svc-snmp-trap                  permit                           Low                                                           4
    8         any     any          sys-svc-ntp                        permit                           Low                                                           4
    9         user    any          sys-svc-ftp                        permit                           Low                                                           4
    10        any     user         sys-svc-telnet                     deny                             Low                                                           4

    Expired Policies (due to time constraints) = 0



  • 10.  RE: RAP-155 unable to download image Error: fail to retrieve image

    EMPLOYEE
    Posted Apr 17, 2016 10:44 PM

    Please execute "show firewall | include FTP"    

                                                             

     



  • 11.  RE: RAP-155 unable to download image Error: fail to retrieve image

    Posted Apr 17, 2016 10:51 PM

    no output



  • 12.  RE: RAP-155 unable to download image Error: fail to retrieve image

    EMPLOYEE
    Posted Apr 17, 2016 11:06 PM

    Just "show firewall"



  • 13.  RE: RAP-155 unable to download image Error: fail to retrieve image

    Posted Apr 17, 2016 11:08 PM

     

    (NINBURWIRCN01) # show firewall

    Global firewall policies
    ------------------------
    Policy                                       Action                                            Rate       Port
    ------                                       ------                                            ----       ----
    Enforce TCP handshake before allowing data   Disabled
    Prohibit RST replay attack                   Disabled
    Deny all IP fragments                        Disabled
    Prohibit IP Spoofing                         Enabled
    Monitor ping attack                          Disabled
    Monitor TCP SYN attack                       Disabled
    Monitor IP sessions attack                   Disabled
    Deny inter user bridging                     Disabled
    Log all received ICMP errors                 Disabled
    Per-packet logging                           Disabled
    Blacklist Grat ARP attack client             Disabled
    Stateful SIP Processing                      Enabled
    Allow tri-session with DNAT                  Disabled
    Disable FTP server                           No
    Blacklist ARP attack client                  Disabled
    Monitor ARP attack                           Disabled
    Monitor Gratuitous ARP attack                Enabled                                           50/30sec
    GRE call id processing                       Disabled
    Session Idle Timeout                         Disabled
    WMM content enforcement                      Disabled
    Session VOIP Timeout                         Disabled
    Stateful H.323 Processing                    Enabled
    Stateful SCCP Processing                     Enabled
    Only allow local subnets in user table       Disabled
    Monitor/police CP attacks                    Disabled
    Rate limit CP untrusted ucast traffic        Enabled                                           9765 pps
    Rate limit CP untrusted mcast traffic        Enabled                                           1953 pps
    Rate limit CP trusted ucast traffic          Enabled                                           65535 pps
    Rate limit CP trusted mcast traffic          Enabled                                           1953 pps
    Rate limit CP route traffic                  Enabled                                           976 pps
    Rate limit CP session mirror traffic         Enabled                                           976 pps
    Rate limit CP auth process traffic           Enabled                                           976 pps
    Rate limit CP vrrp traffic                   Enabled                                           512 pps
    Rate limit CP ARP traffic                    Enabled                                           976 pps
    Rate limit CP L2 protocol/other traffic      Enabled                                           976 pps
    Deny inter user traffic                      Disabled
    Prohibit ARP Spoofing                        Disabled
    Stateful VOCERA Processing                   Enabled
    Stateful UA Processing                       Enabled
    Enforce bw contracts for broadcast traffic   Disabled
    Multicast automatic shaping                  Disabled
    Stall Detection                              Enabled
    Enforce TCP Sequence numbers                 Disabled
    AMSDU Rx                                     Enabled
    Jumbo Frames                                 Disabled
    Session-tunnel FIB                           Enabled
    Prevent DHCP exhaustion                      Disabled
    Stateful SIPS Processing                     Enabled
    Deny source routing                          Disabled
    Immediate Freeback                           Disabled
    DPI Classification                           Disabled [Cfg: disabled, PEF license: installed]
    STUN Based Traversal                         Enabled
    Web Content Classification                   Disabled
    Web Content Cache Miss Drop                  Disabled
    Stateful ICMP Processing                     Disabled
    Optimize Duplicate Address Detection frames  Enabled
    Mcast RED                                    Disabled
    Deny reserved IP frames                      Disabled
    Log all received IP errors                   Disabled

     



  • 14.  RE: RAP-155 unable to download image Error: fail to retrieve image

    EMPLOYEE
    Posted Apr 17, 2016 11:20 PM

    I don't see anything on the surface that could cause you a problem.  The image should be on the controller.  You should probably open a case with TAC so that they can look at your configuration.



  • 15.  RE: RAP-155 unable to download image Error: fail to retrieve image

    Posted Apr 17, 2016 11:35 PM

    What is the process for raising a case with TAC?

    Thanks for your help

    Mark



  • 16.  RE: RAP-155 unable to download image Error: fail to retrieve image

    EMPLOYEE
    Posted Apr 18, 2016 06:05 AM

    Please send an email to support@arubanetworks.com



  • 17.  RE: RAP-155 unable to download image Error: fail to retrieve image

    Posted Apr 18, 2016 03:16 PM

    Is there any way of confirming the image is on the controller? armv5te.ari?

    Or pull the image locally and then deploy?

    Mark



  • 18.  RE: RAP-155 unable to download image Error: fail to retrieve image
    Best Answer

    Posted Apr 20, 2016 07:08 PM

    Run this on TMG; requires a restart.

     

    netsh tmg set global name=BlockSecuredInDefaultState value=0 persistent

     

    Set the value to 1 to reverse.

     

     

    I am not 100% sure of the details behind the command; however, I do know it resolved an unrelated VPN/L2TP issue behind TMG.