RAP 8.5 over double nat'ted address

Under ArubaOS 6.5 I can connect a RAP-109 from a double nat'ted private address. Under 8.5 this is failing. Using certificate config on RAP doesn't work at all. Using username/pw on RAP I get multiple short tunnels. What changed? Is there a workaround? Using VMM, hardware 7220, RAP-109. RAP coming from 208.69.x.x address. Log from controller:

Feb 13 09:18:02 isakmpd[3846]: <103103> <3846> <WARN> |ike| IPSec SA Deletion: IPSEC_delSa SPI:eefd7b00 OppSPI:29c17e00 Dst:208.69.211.228 Src:129.82.168.24 flags:1001 dstPort:0 srcPort:0


# show crypto ipsec sa

208.69.211.228 129.82.168.24 192.168.193.33/32 0.0.0.0/0 UT Feb 14 07:18:08 192.168.193.33
208.69.211.228 129.82.168.24 192.168.193.60/32 0.0.0.0/0 UT Feb 14 08:12:44 192.168.193.60
208.69.211.228 129.82.168.24 192.168.193.57/32 0.0.0.0/0 UT Feb 14 08:06:42 192.168.193.57
208.69.211.228 129.82.168.24 192.168.193.53/32 0.0.0.0/0 UT Feb 14 07:58:40 192.168.193.53
208.69.211.228 129.82.168.24 192.168.193.28/32 0.0.0.0/0 UT Feb 14 07:08:05 192.168.193.28

IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP
------------ ------------ ---------------- ----- --------------- --------
10.82.168.24 10.82.168.10 a2eba300/c763e700 UT2 Feb 14 09:02:37 -

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
l = uplink load-balance

Total IPSEC SAs: 60


Thank you!
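The symptom in the post above (one RAP public address holding a stack of IPsec SAs with a fresh inner IP every few minutes) is easy to miss in a long `show crypto ipsec sa` listing. The script below is an added example, not part of the original post or of ArubaOS: it parses the nine-column IKEv1 rows of that output, groups SAs by initiator/responder pair, and reports any peer that has accumulated several tunnels with distinct inner IPs, which is the signature of a RAP that keeps rebuilding its tunnel rather than holding one. The sample input embeds the five rows quoted above plus one constructed healthy RAP (10.20.30.40); the year is not present in the output, so it is supplied as an assumed parameter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the five IKEv1 rows quoted in the post, plus one
# constructed well-behaved RAP (10.20.30.40) that holds a single tunnel.
SAMPLE_SA_OUTPUT = """\
208.69.211.228 129.82.168.24 192.168.193.33/32 0.0.0.0/0 UT Feb 14 07:18:08 192.168.193.33
208.69.211.228 129.82.168.24 192.168.193.60/32 0.0.0.0/0 UT Feb 14 08:12:44 192.168.193.60
208.69.211.228 129.82.168.24 192.168.193.57/32 0.0.0.0/0 UT Feb 14 08:06:42 192.168.193.57
208.69.211.228 129.82.168.24 192.168.193.53/32 0.0.0.0/0 UT Feb 14 07:58:40 192.168.193.53
208.69.211.228 129.82.168.24 192.168.193.28/32 0.0.0.0/0 UT Feb 14 07:08:05 192.168.193.28
10.20.30.40 129.82.168.24 192.168.193.70/32 0.0.0.0/0 UT Feb 14 06:00:00 192.168.193.70
"""

# One IKEv1 row: initiator, responder, src net, dst net, flags, start time
# (month day hh:mm:ss), inner IP.  Header lines, dashes and the eight-column
# IKEv2 rows do not match and are skipped.
SA_ROW = re.compile(
    r"^(?P<initiator>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<responder>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<src_net>\S+)\s+(?P<dst_net>\S+)\s+"
    r"(?P<flags>[A-Za-z0-9]+)\s+"
    r"(?P<start>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<inner>\S+)$"
)


def parse_sa_rows(text, year=2020):
    """Return a list of dicts, one per IKEv1 SA row.

    `year` is an assumption: the controller output carries no year, so the
    caller supplies one to make the timestamps comparable.
    """
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["start_time"] = datetime.strptime(
            f"{year} {row['start']}", "%Y %b %d %H:%M:%S"
        )
        rows.append(row)
    return rows


def find_churning_peers(rows, min_sas=3):
    """Group SAs by (initiator, responder) and flag peers holding too many.

    A single RAP should hold one tunnel; several SAs from the same public
    address, each with a different inner IP and a start time minutes apart,
    means the tunnel is being torn down and rebuilt repeatedly.
    """
    by_peer = defaultdict(list)
    for row in rows:
        by_peer[(row["initiator"], row["responder"])].append(row)

    report = {}
    for peer, sas in by_peer.items():
        if len(sas) < min_sas:
            continue
        sas.sort(key=lambda r: r["start_time"])
        span = (sas[-1]["start_time"] - sas[0]["start_time"]).total_seconds()
        report[peer] = {
            "sa_count": len(sas),
            "distinct_inner_ips": len({r["inner"] for r in sas}),
            "span_seconds": int(span),
            "first_start": sas[0]["start"],
            "last_start": sas[-1]["start"],
        }
    return report


if __name__ == "__main__":
    for peer, info in find_churning_peers(parse_sa_rows(SAMPLE_SA_OUTPUT)).items():
        print(
            f"{peer[0]} -> {peer[1]}: {info['sa_count']} SAs, "
            f"{info['distinct_inner_ips']} inner IPs, "
            f"{info['span_seconds']} s between {info['first_start']} "
            f"and {info['last_start']}"
        )
```

Feeding the whole `show crypto ipsec sa` output into `parse_sa_rows` is fine; the regex drops headers and the IKEv2 section. Raise `min_sas` if the controller legitimately terminates several tunnels from one NAT address (several RAPs behind one public IP), since in that case the count alone is ambiguous and the repeating inner-IP churn over a short span is the better signal.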


Re: RAP 8.5 over double nat'ted address

Adding my own solution to this after opening a TAC case. It seems the APs were never connecting to the point of upgrading from 6.5 to 8.5 code, even though I could see ISAKMP associations and IPsec associations and even broadcast SSIDs from the RAPs for about 60 seconds. Turns out the problem was twofold:

When clusters are in place, the RAPs use the RAP Pool from the MM -- Services -- Clusters -- Controller Cluster RAP Pool. If there is no cluster, then the RAPs use the pool created under the controller VPN pool. Under the cluster setup Cluster -- Services -- Clusters -- Cluster Profile the Controller entry needs to have a RAP Public IP address set for each controller. NAT works fine now. If this was in the Aruba documentation I missed it completely. I hope this might help someone else getting this working. -- Jim
