Wireless Access

Occasional Contributor II

RAP not working, VPN setup failed. All APs do not connect, what am I missing?

Hi all,

I really need help with this because I have been trying to make this work for 3 days with no hope; no AP is turning into a RAP.

The setup is very simple:

1 virtual controller of the same region as the APs, version 8.6

2 AP models, 305 and 303H, both from the same region; tested multiple OS versions lower than the controller, nothing; now testing on 8.3 and 8.6

I do not see anything useful in the logs; they keep changing. Sometimes XAUTH failed, sometimes it is not there. The log shows the tunnel being formed and IPs being set, then the tunnel is deleted.

Nothing comes up from show crypto isakmp sa or any of the show crypto subcommands.

Connectivity is fine, data flow is OK and tested. There is one firewall in the middle, but I enabled all traffic between the subnets; all ports are open and traffic is passing fine (both can even ping each other).

The controller is using a direct IP and is reachable, not behind a router.

The VPN pool is made standard.

Added the remote APs to the whitelist with their MACs.

Attached the log from the AP and the controller debugging the state.

I need to know what I am missing here. Why do I see the tunnel forming OK and then deleted?

The only thing I see now is something called "no mac for user xxxxxx", if it means anything.


Accepted Solutions
Aruba Employee

If you are using a virtual controller (VMC), the VMC has a self-signed cert and an AP cannot connect to it as a RAP with cert-based authentication.

Therefore, the first step is to connect the AP as a campus AP to the VMC with CPSec enabled, which will let the AP get the VMC self-signed cert and use it as a trust anchor.

Once the AP is up on the VMC, go ahead and provision it as a RAP.

From there, the RAP will connect fine to the VMC.


All Replies
Occasional Contributor II

Added note, if it matters:

The controller is on an EVAL license; active AP and PEF counts are at 1024, all available, not expired.

Control-plane security: I disabled it.

L3 authentication for the VPN profile is checked; tried all of them: default, internal, and even a custom one.

APs are whitelisted in remote APs by MAC address only, no name or any other data entered (tried multiple options, did not work).

If someone is willing to work remotely with me on this case, I would be really grateful.

Also, if info is needed, I can easily provide it.

Super Contributor II

Were the RAPs preprovisioned, or are you converting/configuring them to reach the controller via Activate or IAP conversion? 

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSA | ACDA | ACEA | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!

Occasional Contributor II

No, they were not provisioned by the controller before. Started from factory, connected to the internet, updated, clicked on convert to remote, entered the controller's reachable IP, VPN setup failed.

The reason is that the client will receive newly boxed APs shipped directly to him; then, as we understand, we only need to provide him with our controller IP (and whitelist the APs' MACs).

Super Contributor II

Have you tried upgrading the RAP to a newer version and trying again? I have run into issues on certain images before that showed similar results.

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSA | ACDA | ACEA | CCNP | CCDP | CCNA Wireless


MVP Expert

Where did you configure the RAP pool?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Occasional Contributor II

The controller is 8.6; I did not test on older images because this would require reinstalling the controller.

Images tested on APs: 6.4, 8.3, 8.6

All the same; something is wrong with either the tunnel process or the process of adding the AP to provision.

How can I debug the authentication and VPN process step by step?

Do I need a special AP group? I just added the APs to the default or a new group.

Occasional Contributor II

I set the RAP pool under services/vpn/general vpn.

Is there a different pool for RAPs? I also see the AP takes an IP from the pool in the log provided from the controller side.

pool.jpg

Super Contributor II

Is this a standalone VMC, or is it MM/VMC? If MM/VMC, is the RAP configuration under the MM level, or the MD level?

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSA | ACDA | ACEA | CCNP | CCDP | CCNA Wireless


Occasional Contributor II

It's a standalone controller; I applied the settings to both the main controller tree and the controller sub-tree, no change.
