Contributor II

[RAP] Troubleshooting

Hi,

Recently I converted an AP at a remote location from IAP to RAP mode, but it fails to set up a tunnel.

It has ping to the controller, it succeeded in setting up the VPN and downloading the firmware from the controller (8.6.0.5-FIPS), but it fails to set up a tunnel after booting into RAP mode.

What troubleshooting can I do? What am I missing?

It fails to set up a tunnel even if I put it on the same L2/L3 segment (over a p2p link), so I suspect the issue is in the RAP <> controller interaction.


The error the rapconsole shows is:

 IP [] using Ethernet Aborted: HELLO-TIMEOUT. Bringing tunnel down
Contributor II

Re: [RAP] Troubleshooting

Our problem sounds a bit similar to this issue:

https://community.arubanetworks.com/t5/Wireless-Access/IPSEC-tunnel-flapping/td-p/69200


The weird thing is that before switching to FIPS we were not having these issues; none of the underlying network design has changed, only the firmware type.

MVP Guru

Re: [RAP] Troubleshooting

Do you have the logs from the controller when the issue is occurring? If you check the datapath session do you see the IPSEC traffic?

#show datapath session table | include 4500
#show crypto isakmp sa
#show crypto ipsec sa
#show user ip x.x.x.x (ip address of rap user)


*EDIT* - I might be asking the obvious, but you have created an RAP IP Pool and whitelisted the RAP accordingly?

ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Contributor II

Re: [RAP] Troubleshooting

At the moment I switched the AP to campus mode (by allowing our AP vlan to run over the p2p link to the other location, not an ideal situation) so that the people at the office can work.


I'll try to run these commands a bit later.


We have a RAP IP pool under VPN (in the APIPA range) and the RAP is whitelisted under Remote APs (as far as I understand, it would not be able to switch from Instant to remote if it were not whitelisted).

Contributor II

Re: [RAP] Troubleshooting

#show datapath session table | include 4500
[ap-ip]        [controller-ip]      17   59744 4500   0/0     0    0   0   pc1         6a   103        44624      FC              6
#show crypto isakmp sa
Initiator IP   Responder IP   Flags     Start Time   Private IP   Peer ID
------------   ------------   -----     ----------   ----------   -------------
[ap-ip]       [controller-ip] r-v2-c-R  Oct  7 18:06:16   169.254.1.23                            CN=[serial]::[mac]
IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP   Responder IP   SPI(IN/OUT)   Flags Start Time   Inner IP   Ipsec-map
------------   ------------   ----------------   ----- ---------------   --------   ---------
[ap-ip]   [controller-ip]   [hex]/[hex]  UT2   Oct  7 18:10:12   169.254.1.24
#show user ip [ap-ip]
This operation can take a while depending on number of users. Please be patient ....


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       u - Upstream Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop, h - High Value
       A - Application Firewall Inspect
       J - SDWAN Default Probe stats used as fallback
       B - Permanent, O - Openflow
       L - Log, o - Openflow config revision mismatched

Source IP or MAC  Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags           CPU ID
----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------


Name: , IP: [ap-ip], MAC: 00:00:00:00:00:00, Age: 00:00:14
Role: logon (how: ROLE_DERIVATION_NONE), ACL: 2/0
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: ROLE_DERIVATION_NONE
VLAN Derivation: Unknown
Idle timeout (global): 300 seconds, Age: 00:00:00
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=1, trusted_ap=0, l3auth=0, mba=0, vpnflags=2, u_stm_ageout=0
Flags: innerip=0, outerip=1, vpn_outer_ind:0, download=1, wispr=0
IP User termcause: 0
phy_type: b-, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 4
Vlan default: 0, Assigned: 0, Current: 0 vlan-how: 0 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
SlotPort=0x0, Port=0x0 (vlan 0)
Essid: , Bssid: 00:00:00:00:00:00 AP name/group: N/A/default Phy-type: b- Forward Mode: tunnel
RadAcct sessionID:n/a
RadAcct Traffic In 604/291680 Out 40/27045 (0:604/0:0:4:29536,0:40/0:0:0:27045)
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Profiles AAA:, dot1x:, mac: CP:n/a def-role:'logon' via-auth-profile:''
ncfg flags udr 0, mac 0, dot1x 0, RADIUS interim accounting 0
IP Born: 1602082930 (Wed Oct  7 18:02:10 2020)
Core User Born: 1602082930 (Wed Oct  7 18:02:10 2020)
Upstream AP ID: 0, Downstream AP ID: 0
User Agent String:
L3-Auth Session Timeout from RADIUS: 0
Mac-Auth Session Timeout Value from RADIUS: 0
Dot1x Session Timeout Value from RADIUS: 0
Dot1x Session Term-Action Value from RADIUS: N/A
CaptivePortal Login-Page URL from RADIUS: N/A
Reauth-interval from role: 0
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
mac auth server: N/A, dot1x auth server: N/A
Address is from DHCP: no
ipuser_notify_action:NoAction/NoAction
Per-user-log pointer 0x23e19bc (id 3722), num logs 0
RTTS disabled: rtts_throughput 0 rtts_discard 0 rtts_reest 0 rtts_keepalive 0
User added to cluster bucket-map: No

The phy column shows client's operational capabilities for current association

Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, M: Mu beam formee, R: 802.11R client, W: WMM client, w: 802.11w client, V: 802.11v BSS trans capable, P: Punctured preamble, U: HE UL Mu-mimo, O: OWE client, S: SAE client, E: Enterprise client, m: Agile Multiband client, C: Cellular Data Capable - network available, c: Cellular Data Capable - network unavailable, p: Pending GSM activation, T: Individual TWT client, t: Broadcast TWT client

PHY Details: HT   : High throughput;      20: 20MHz;  40: 40MHz; t: turbo-rates (256-QAM)
             VHT  : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
             HE   : High Efficiency;       80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
             <n>ss: <n> spatial streams

Association Table
-----------------
Name  bssid  mac  auth  assoc  aid  l-int  essid  vlan-id  tunnel-id  phy  assoc. time  num assoc  Flags  Band steer moves (T/S)  phy_cap
----  -----  ---  ----  -----  ---  -----  -----  -------  ---------  ---  -----------  ---------  -----  ----------------------  -------
