Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP not working, VPN setup failed. All APs do not connect, what am I missing?

  • 1.  RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 16, 2020 10:12 AM

    Hi all,

    I really need help with this because I have been trying to make this work for 3 days with no hope; no AP is turning into a RAP.

    The setup is very simple:

    1 virtual controller, same region as the APs, version 8.6

    2 AP models, 305 and 303H, both from the same region; tested multiple OS versions lower than the controller, nothing; now testing on 8.3 and 8.6

    I do not see anything useful in the logs; they keep changing. Sometimes XAUTH failed, sometimes it is not there. The log shows the tunnel being formed and IPs being set, then the tunnel is deleted.

    Nothing comes up from show crypto isakmp sa or any show crypto sub-commands.

    Connectivity is fine, data flow is OK and tested. There is one firewall in the middle, but I enabled all traffic between the subnets; all ports are open and traffic is passing fine (both can even ping each other).

    The controller is using a direct IP and is reachable, not behind a router.

    The VPN pool is made standard.

    Added the remote APs to the whitelist with their MACs.

    Attached the log from the AP and the controller debugging the state.

    I need to know what am I missing here?? Why do I see the tunnel forming OK and then deleted?

    The only thing I see now is something called "no mac for user xxxxxx", if it means anything.

    Attachment(s): aplog.txt (70 KB), controller.txt (11 KB)


  • 2.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 16, 2020 10:17 AM

    Added note, if it matters:

    The controller is on an EVAL license; active AP and PEF counts are 1024, all available, not expired.

    Control-plane security: I disabled it.

    L3 authentication for the VPN profile checked; tried all: default, internal, and even a custom one.

    APs are whitelisted in remote APs by MAC address only, no name or any other data entered (tried multiple options, did not work).

    If someone is willing to work remotely with me on this case, I would be really grateful.

    Also, if more info is needed I can easily provide it.



  • 3.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    MVP GURU
    Posted Apr 16, 2020 10:22 AM

    Were the RAPs preprovisioned, or are you converting/configuring them to reach the controller via Activate or IAP conversion?



  • 4.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 16, 2020 10:38 AM

    No, they were not provisioned by the controller before. Started from factory, connected to the internet, updated, clicked on convert to remote, entered the controller's reachable IP, VPN setup failed.

    The reason is that the client will receive newly boxed APs shipped directly to him; then, as we understand it, we only need to provide him with our controller IP (and whitelist the APs' MACs).



  • 5.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    MVP GURU
    Posted Apr 16, 2020 10:40 AM

    Have you tried upgrading the RAP to a newer version and trying again? I have run into issues on certain images before that showed similar results.



  • 6.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 16, 2020 10:49 AM

    The controller is 8.6; I did not test on older images because this would require reinstalling the controller.

    Images tested on APs:

    6.4

    8.3

    8.6

    All the same; something is wrong with either the tunnel process or adding the AP to the provisioning process.

    How can I debug the authentication and VPN process step by step?

    Do I need a special AP group? I just added the APs to the default or a new group.



  • 7.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 16, 2020 10:47 AM
    Where did you configure the RAP pool?


  • 8.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 16, 2020 10:57 AM

    The RAP pool I set under Services/VPN/General VPN.

    Is there a different pool for RAPs? I also see the AP taking an IP from the pool in the log provided from the controller side.

    Attachment: pool.jpg



  • 9.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    MVP GURU
    Posted Apr 16, 2020 11:00 AM

    Is this a standalone VMC, or is it MM/VMC? If MM/VMC, is the RAP configuration at the MM level or the MD level?



  • 10.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 16, 2020 11:17 AM

    It's a standalone controller; I applied the settings to both the main controller tree and the controller subtree, no change.



  • 11.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 16, 2020 11:19 AM

    I need to know if this line means anything useful:

    Apr 16 09:15:47 :124155: <5508> <DBUG> |authmgr| No macuser for ip 1.1.1.22, mac 00:00:00:00:00:00

    Also, do these lines mean anything?

    Apr 16 09:17:18 :103061: <5482> <ERRS> |ike| IKE_CUSTOM_useCert: can't find Server-Cert
    Apr 16 09:17:18 :124004: <5508> <DBUG> |authmgr| user_download 3952 called
    Apr 16 09:17:18 :124004: <5508> <DBUG> |authmgr| user_download: User 192.168.248.7 Router Acl(0)
    Apr 16 09:17:18 :124163: <5508> <DBUG> |authmgr| download-L3: ip=192.168.248.7 acl=2/0 role=logon, Ubwm=0, Dbwm=0 tunl=0x0, PA=0, HA=1, RO=0, VPN=1, MAC=00:00:00:00:00:00.



  • 12.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 16, 2020 11:53 AM

    Maybe this is not a VPN issue. How can I debug the AP joining the controller process?

    I have a feeling that the tunnel comes up then goes down; maybe the AP is rejected by the controller?

    How can I verify this?



  • 13.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 16, 2020 11:57 AM

    OK, I found these lines on the controller at the same time the VPN tunnel starts.

    I see XAuth client failed and can't find Server-Cert.

    Where do I go from here?

    Apr 16 06:35:06 <isakmpd 103061> <5482> <ERRS> |ike| IKE_CUSTOM_useCert: can't find Server-Cert
    Apr 16 06:35:37 <isakmpd 103061> <5482> <ERRS> |ike| IKE_CUSTOM_useCert: can't find Server-Cert
    Apr 16 06:37:07 <isakmpd 103061> <5482> <ERRS> |ike| IKE_CUSTOM_useCert: can't find Server-Cert
    Apr 16 06:38:08 <isakmpd 103061> <5482> <ERRS> |ike| IKE_CUSTOM_useCert: can't find Server-Cert
    Apr 16 06:39:08 <isakmpd 103046> <5482> <ERRS> |ike| IKE XAuth client UP failed 192.168.248.7 (External 192.168.248.7)
    Apr 16 06:39:39 <isakmpd 103046> <5482> <ERRS> |ike| IKE XAuth client UP failed 192.168.248.7 (External 192.168.248.7)
    Apr 16 06:41:10 <isakmpd 103046> <5482> <ERRS> |ike| IKE XAuth client UP failed 192.168.248.7 (External 192.168.248.7)
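
For anyone triaging the same symptom from the controller log, here is an added example (mine, not from the thread or from HPE Aruba Networking) that parses both log layouts quoted in this thread, keeps only the ike ERRS lines, and flags the pair seen here: Server-Cert not found together with XAuth client UP failed. The sample lines are copied from the posts above; the authmgr DBUG "No macuser" line is included to show it is parsed but not counted as a fault signal.

```python
import re
from collections import Counter

# Two ArubaOS log layouts appear in the thread: "<process msgid>" and ":msgid:".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:<(?P<proc>\w+) (?P<msgid>\d+)>|:(?P<msgid2>\d+):) "
    r"<(?P<pid>\d+)> <(?P<sev>\w+)> \|(?P<module>\w+)\| (?P<msg>.*)$"
)
# Message signatures taken from the ERRS lines posted in the thread.
SIGNATURES = {
    "server_cert_missing": re.compile(r"IKE_CUSTOM_useCert: can't find Server-Cert"),
    "xauth_failed": re.compile(r"IKE XAuth client UP failed (?P<ip>\d+\.\d+\.\d+\.\d+)"),
}

def parse_line(line):
    """Split one ArubaOS log line into fields; None if the layout is not recognised."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["msgid"] = rec["msgid"] or rec["msgid2"]  # normalise the two msgid layouts
    return rec

def triage(lines):
    """Count each signature in ike ERRS lines and collect peers that failed XAuth."""
    counts, peers = Counter(), set()
    for line in lines:
        rec = parse_line(line)
        # authmgr DBUG chatter such as "No macuser" is not the fault signal; skip it.
        if rec is None or rec["module"] != "ike" or rec["sev"] != "ERRS":
            continue
        for name, pat in SIGNATURES.items():
            hit = pat.search(rec["msg"])
            if hit:
                counts[name] += 1
                if name == "xauth_failed":
                    peers.add(hit.group("ip"))
    return counts, peers

def rap_trust_problem(counts):
    """True when the cert-not-found and XAuth-failed signatures appear together."""
    return counts["server_cert_missing"] > 0 and counts["xauth_failed"] > 0

# Constructed sample: lines copied from the thread plus one DBUG line that must be ignored.
SAMPLE = """Apr 16 06:35:06 <isakmpd 103061> <5482> <ERRS> |ike| IKE_CUSTOM_useCert: can't find Server-Cert
Apr 16 09:17:18 :103061: <5482> <ERRS> |ike| IKE_CUSTOM_useCert: can't find Server-Cert
Apr 16 06:39:08 <isakmpd 103046> <5482> <ERRS> |ike| IKE XAuth client UP failed 192.168.248.7 (External 192.168.248.7)
Apr 16 09:15:47 :124155: <5508> <DBUG> |authmgr| No macuser for ip 1.1.1.22, mac 00:00:00:00:00:00
""".strip().splitlines()
```

Calling triage(SAMPLE) returns the counts {'server_cert_missing': 2, 'xauth_failed': 1} and the failing peer 192.168.248.7, and rap_trust_problem on those counts is True.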



  • 14.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?
    Best Answer

    EMPLOYEE
    Posted Apr 16, 2020 03:00 PM

    If you are using a virtual controller (VMC), the VMC has a self-signed cert and an AP cannot connect to it as a RAP with cert-based authentication.

    Therefore, the first step is to connect the AP as a campus AP to the VMC with CPSec enabled, which will let the AP get the VMC self-signed cert and use it as a trust anchor.

    Once the AP is up on the VMC, go ahead and provision it as a RAP.

    From there, the RAP will connect fine to the VMC.



  • 15.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 16, 2020 03:21 PM

    Hey there,

    Your answer seems logical given what I see,

    but this makes me wonder, because the APs in this solution will be shipped directly to the client, "multiple different remote locations acting as health care mobile units in different areas, not in my city".

    The APs will not come to our office. Is there a way to bypass this or let the APs accept a self-signed cert?

    Another idea: can we export the self-signed cert and mail it to the client so at least we can import them later?

    Are there different types of auth instead of cert? Like a shared password instead?

    I will check your solution for sure and provide feedback, but I just need to know if there are alternatives.



  • 16.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    EMPLOYEE
    Posted Apr 17, 2020 03:56 AM

    I'm not aware of a zero-touch provisioning of Remote-AP in combination with a VMC because of the lack of a TPM and a trusted certificate in the VMC for the trust root.

    For this scenario, you would need a hardware controller, as far as my understanding is correct.



  • 17.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 17, 2020 04:20 AM

    Is it possible to import the self-signed cert from the VMC to the APs and make them trusted?



  • 18.  RE: RAP not working, VPN setup failed. All APs do not connect, what am I missing?

    Posted Apr 17, 2020 04:25 AM

    Just feedback for anyone who might experience the same issue:

    The APs successfully became RAPs, but after provisioning them first locally one time as campus APs, then converting to RAP.

    I will check to see if it is possible to import the self-signed cert to a new AP and see if this works, and update this post.