Wireless Access


RAP does not connect to the controller

Hello community,

 

We have an Aruba 651 controller (6.2.1.3) with some APs in our company.

Now we want to use some RAPs.

At the moment we have 3 RAPs 2WG and 1 RAP 3WN.

We have a company internet connection and an extra internet connection for the RAPs (the controller does PPPoE). Both have a static IP address.

In the LAN the RAP can connect to the controller; from outside it does not work.

I think the RAP connects to the controller over the company internet connection to the controller's internet connection.

Why does it not work from outside?

I configured it like the example IAW RAP 6.1 configuration guide...

 


datapath.JPG

 

LMS.JPG

 

RAP-pr.JPG

 

 

I put the controller config in the attachment.

Maybe anybody can help me...

 

 

Thanks a lot.

 

 


Accepted Solutions
Aruba

Re: RAP does not connect to the controller

The output still shows "Gateway of last resort is 10.10.1.x" and 192.168.x.x listed.

 

Can you share the routing section of your config file:

show run | begin "ip default-gateway"

 


Also, for your clients, what is their default gateway, the controller? If so, they'd route out the default route of the controller (PPPoE in this case). If you don't want that, then I suggest you use something on your LAN to be the default route for the clients, which will then pass them through your corporate Internet connection based on the routing policies of that device.

 

 

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Aruba

Re: RAP does not connect to the controller

  • If the default gateway of clients is the core, then the default gateway of the controller should not affect their ability to access the Internet (assuming you are not NAT'ing that VLAN).
  • If you have a controller that has a direct connection to the Internet and another to the LAN and you need RAPs to connect to it, you need the default-gateway of the controller to be that network interface.
  • You then need to add static routes to any internal networks that the controller needs to route to: wired VLANs, AP VLANs, etc.

 

Remove old gateways:

no ip default-gateway 10.10.10.254
no ip default-gateway 192.168.25.254

 

Add PPPoE as gateway:

ip default-gateway import

 

Add static routes to internal networks:

ip route <IP network> <mask> <next hop>

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX
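
The routing logic behind this fix, as an added example that is not part of the original post and not Aruba code: a longest-prefix-match lookup showing which interface the controller's replies to a RAP leave on before and after the change. Only the gateway 10.10.10.254 and the 192.168.25.x network come from the thread; the /24 masks, the RAP address, the PPPoE next hop and the 10.20.0.0/16 internal network are constructed assumptions.

```python
import ipaddress

# All addresses except the LAN gateway 10.10.10.254 are constructed.
RAP_PUBLIC = "203.0.113.50"      # constructed: RAP's public source address
PPPOE_GW = "198.51.100.1"        # constructed: next hop learned over PPPoE
INTERNAL_HOST = "10.20.5.9"      # constructed: host on a routed internal VLAN

# (prefix, next hop, egress interface); the /24 masks are assumed.
CONNECTED = [
    ("10.10.10.0/24", "connected", "lan"),
    ("192.168.25.0/24", "connected", "lan"),
]
# Before: the default gateway points into the LAN, as in the thread.
BEFORE = CONNECTED + [("0.0.0.0/0", "10.10.10.254", "lan")]
# Default moved to PPPoE, but no static routes for internal networks yet.
AFTER_NO_STATIC = CONNECTED + [("0.0.0.0/0", PPPOE_GW, "pppoe")]
# After: default via PPPoE plus a static route back to the internal network.
AFTER = AFTER_NO_STATIC + [("10.20.0.0/16", "10.10.10.254", "lan")]


def lookup(routes, dst):
    """Longest-prefix match; returns the winning route tuple or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)


def egress(routes, dst):
    """Interface a packet to dst leaves on."""
    hit = lookup(routes, dst)
    return hit[2] if hit else "unreachable"


def rap_reply_is_symmetric(routes, arrival_if="pppoe"):
    """True when replies to the RAP leave on the interface it arrived on."""
    return egress(routes, RAP_PUBLIC) == arrival_if


if __name__ == "__main__":
    for name, table in [("before", BEFORE), ("no static", AFTER_NO_STATIC),
                        ("after", AFTER)]:
        print(f"{name:10} RAP reply -> {egress(table, RAP_PUBLIC):6} "
              f"internal -> {egress(table, INTERNAL_HOST)}")
```

The middle table shows why the static routes are the second half of the fix: once the default route points at PPPoE, any internal network that is not directly connected would otherwise be sent to the Internet link.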



All Replies

Re: RAP does not connect to the controller

Hey Leon,

 

Is there a firewall between the controller and the internet connection used for the RAPs?

 

If so you'll need to NAT UDP port 4500 from the firewall to the controller.

 

Also when you're testing the RAP you could try the following commands in addition to the datapath session one you used:

 

#show crypto isakmp sa

This will show you any IKE security associations. This is IKE Phase 1 or you might have heard this as just Phase 1 of the VPN connection.

 

#show crypto ipsec sa

This will show you any IPSEC security associations. This is the VPN tunnel that's created by IKE Phase1. Once this is established you're usually good to go.

 

Also it's worth checking the security log as many IKE errors will pop up there. 

 

Another thing to do is enable debugging, then try to connect the RAP and see what turns up.

 

#conf t

#logging level debugging ap-debug <macaddress of AP>

#show log ap-debug 30

 

or you could debug IKE, but usually I find this isn't necessary

 

#logging level debugging security subcat ike

#show log security 30

 

I hope this has given you something to go on.


Post back with any finding. :smileyhappy:

 

Cheers

James


----------------------------------------------------------------------
--------------------------@whereisjrw--------------------------
---------------------------------blog-------------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
----------------------------------------------------------------------
----------------------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.

Re: RAP does not connect to the controller

Hello jrwhitehead,

 

There is no firewall between the controller and the internet.

There is an extra internet connection for the RAPs where the controller does PPPoE.

In the local LAN the RAP works and sends its SSIDs...

 

At the moment the RAP is on the local LAN:

#show crypto isakmp sa

Capture.JPG

 

#show crypto ipsec sa

 

2.JPG

 

OK, I set up logging and later I'll test it outside the LAN.

 

Thanks

 

 


Re: RAP does not connect to the controller

Hello,

 

When I put the RAP outside the LAN, there is nothing in the log.

It looks like there is no connection to the controller.

3.JPG

And there is nothing in the log either.

The controller's interface with the PPPoE connection is up, and the IP address this interface gets is the right public IP.

4.JPG

I don't know what's wrong, maybe a policy?

But I would have to see this in the log, right?

 

 


Re: RAP does not connect to the controller

Hi Leon,

 

I would have a look at the datapath session table for the external IP of where the RAP is coming from to see if any traffic is getting to the controller from the RAP.

 

Can you confirm that UDP port 4500 is allowed outbound from where the RAP is?

 

Cheers

James



Re: RAP does not connect to the controller

Ok,

 

here is the

show datapath session table | include 4500:

1.JPG

 

Can you confirm that UDP port 4500 is allowed outbound from where the RAP is? yes!

 

 


Re: RAP does not connect to the controller

 

 


@Leon123 wrote:

Ok,

 

here is the

show datapath session table | include 4500:

1.JPG

 

Can you confirm that UDP port 4500 is allowed outbound from where the RAP is? yes!

 

 



Is there anything in the security log?


Cheers
James

Re: RAP does not connect to the controller

There is nothing in the log.


Re: RAP does not connect to the controller

You could try the following:

 

#conf t

#logging level debugging ap-debug <macaddress of AP>

#show log ap-debug 30

 

or you could debug IKE

 

#logging level debugging security subcat ike

#show log security 30

 

 


Cheers
James

Re: RAP does not connect to the controller

OK, there is nothing in:

 

#show log ap-debug 30

 

2.JPG

 

#show log security 30

 

3.JPG

 
