Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP error "RC_ERROR_IKEP1_PKT5"

  • 1.  RAP error "RC_ERROR_IKEP1_PKT5"

    Posted Sep 24, 2015 08:25 AM

    Dear all,

    I've tried to configure a RAP on an OAW-4604 controller running AOS-W 6.4.3.2 with an AP-135. I've provisioned the AP with an IKE shared secret and a username/password combination.

    But when I connect the AP in the remote network, it is not detected by the controller.

    I've logged into the RAP console and browsed to the Connectivity tab; I can see the RAP is able to communicate with its configured default gateway, but it says "Disconnect from Switch".

    RAP-console-connectivity-page.png

    But I am able to ping the controller from the Diagnostic tab.

    RAP-console-Dignostic.png

    From the "sapd_debug_log" in the RAP console, I can see the following errors when the RAP is attempting to connect to the console.


    [1055]1999-12-31 16:00:20 Starting PSK RAP rapper 0 to 10.10.200.10:8423 attempt 1
    [1055]1999-12-31 16:00:20 start_rapper:1546 rapper_pid is 1198
    [1055]1999-12-31 16:00:20 start_rapper:1596 Rapper is running over ethernet interface
    [1055]1999-12-31 16:00:20 Populate the PID 1198 in file /tmp/rapper_pid_1
    [1055]1999-12-31 16:00:20 start_tunnel_up_timer: sapd_cur_lms=0
    [1055]1999-12-31 16:00:20 sapd_bk_init_vap_cfg[343]
    [1055]1999-12-31 16:00:20 sapd_bk_init_vap_cfg[365]
    [1055]1999-12-31 16:00:20 sapd_bk_init_vap_cfg[365]
    [1055]1999-12-31 16:00:20 sapd_bk_init_vap_cfg[384]
    [1055]1999-12-31 16:00:20 sapd_bk_radio_init[1483]:radios number is 2
    [1055]1999-12-31 16:00:20 sapd_bk_radio_init[1490]: begin init radio
    [1055]1999-12-31 16:00:20 sapd_bk_create_radio[1282]: START
    [1055]1999-12-31 16:00:20 sapd_bk_create_radio: Radio 0: Programmed
    [1055]1999-12-31 16:00:20 sapd_bk_radio_init: Radio 0: interface up
    [1055]1999-12-31 16:00:20 sapd_bk_radio_init[1490]: begin init radio
    [1055]1999-12-31 16:00:20 sapd_bk_create_radio[1282]: START
    [1055]1999-12-31 16:00:20 sapd_bk_create_radio: Radio 1: Programmed
    [1055]1999-12-31 16:00:20 sapd_bk_radio_init: Radio 1: interface up
    [1055]1999-12-31 16:00:20 sapd_bk_radio_init[1507]:radios init finished
    [1055]1999-12-31 16:00:40 Error: Received RC_OPCODE_ERROR lms 10.10.200.10 tunnel 0.0.0.0 RC_ERROR_IKEP1_PKT5
    [1055]1999-12-31 16:00:40 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_TUNNEL_DOWN Next state REDUN_STATE_TUNNEL_MASTER
    [1055]1999-12-31 16:00:40 redun_tunnel_down: Call stop_child() for clients[0]
    [1055]1999-12-31 16:00:40 stop_child: Kill child->pid=1198.
    [1055]1999-12-31 16:00:40 stop_child:Waiting until the child 1198 is killed
    [1055]1999-12-31 16:00:40 stop_child:result of wait4 1198 for pid (child->pid) 1198
    [1055]1999-12-31 16:00:40 stop_child: child->pid=1198 is reset now
    [1055]1999-12-31 16:00:40 redun_tunnel_down: killed the child
    [1055]1999-12-31 16:00:40 Tunnel 0 down. data(0|Port)=8423
    [1055]1999-12-31 16:00:40 stop_child: child->pid=0 is reset now
    [1055]1999-12-31 16:00:40 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_RETRY Next state REDUN_STATE_TUNNEL_MASTER
    [1055]1999-12-31 16:00:40 redun_retry_tunnel: setting up tunnel to 0, retry=1 curr-dhcp-retry:0 total-dhcp-retry:0
    [1055]1999-12-31 16:00:40 redun_retry_tunnel: ETHERNET Link state is 1
    [1055]1999-12-31 16:00:40 redun_retry_tunnel: Using uplink ETHERNET
    [1055]1999-12-31 16:00:40 sapd_check_rap_dhcp_pool: Subnets of LMS:a0ac800 and RAP-DHCP-Server:c0a80b00
    [1055]1999-12-31 16:00:40 setup_ipsec: sapd_num_lms=1 sapd_cur_lms=0 ip=10.10.200.10, client=0
    [1055]1999-12-31 16:00:40 setup_ipsec: Call stop_child() clients[0]
    [1055]1999-12-31 16:00:40 stop_child: child->pid=0 is reset now
    [1055]1999-12-31 16:00:40 setup_ipsec: sapd_local_ip 192.168.25.6 netmask 255.255.255.0
    [1055]1999-12-31 16:00:40 setup_ipsec: adding route ip 10.10.200.10 mask 255.255.255.255 gw 192.168.25.254 interface br0
    [1055]1999-12-31 16:00:40 Starting rapper with lifetime p1 = 28000 p2 = 7200

    In the controller I've not enabled control plane security:


    (WLC-01) #show control-plane-security

    Control Plane Security Profile
    ------------------------------
    Parameter Value
    --------- -----
    Control Plane Security Disabled
    Auto Cert Provisioning Disabled
    Auto Cert Allow All Enabled
    Auto Cert Allowed Addresses N/A

    (WLC-01) #

    The output of "show datapath session table | include 4500" is shown below, but the "Bytes" field doesn't grow significantly over time:


    (WLC-01) #show datapath session table | include 4500
    10.10.200.10 192.168.25.6 17 4500 61832 0/0 0 0 2 1/3 13 0 0 F
    192.168.25.6 10.10.200.10 17 61832 4500 0/0 0 0 1 1/3 13 2 312 FC

    (WLC-01) #show datapath session table | include 4500
    10.10.200.10 192.168.25.6 17 4500 61832 0/0 0 0 2 1/3 15 0 0 F
    10.10.200.10 192.168.25.6 17 4500 61834 0/0 0 0 0 1/3 1 2 536 F
    192.168.25.6 10.10.200.10 17 61832 4500 0/0 0 0 1 1/3 15 2 312 FC
    192.168.25.6 10.10.200.10 17 61834 4500 1/0 0 0 0 1/3 1 3 991 FC

    (WLC-01) #show datapath session table | include 4500
    10.10.200.10 192.168.25.6 17 4500 61832 0/0 0 0 2 1/3 16 0 0 F
    10.10.200.10 192.168.25.6 17 4500 61834 0/0 0 0 0 1/3 2 2 536 F
    192.168.25.6 10.10.200.10 17 61832 4500 0/0 0 0 1 1/3 16 2 312 FC
    192.168.25.6 10.10.200.10 17 61834 4500 1/0 0 0 0 1/3 2 3 991 FC

    (WLC-01) #show datapath session table | include 4500
    10.10.200.10 192.168.25.6 17 4500 61832 0/0 0 0 2 1/3 17 2 536 F
    10.10.200.10 192.168.25.6 17 4500 61834 0/0 0 0 0 1/3 3 0 0 F
    192.168.25.6 10.10.200.10 17 61832 4500 0/0 0 0 1 1/3 17 4 1147 FC
    192.168.25.6 10.10.200.10 17 61834 4500 1/0 0 0 0 1/3 3 0 0 FC

    (WLC-01) #show datapath session table | include 4500
    10.10.200.10 192.168.25.6 17 4500 61832 0/0 0 0 2 1/3 19 2 536 F
    10.10.200.10 192.168.25.6 17 4500 61834 0/0 0 0 0 1/3 5 0 0 F
    192.168.25.6 10.10.200.10 17 61832 4500 0/0 0 0 1 1/3 19 4 1147 FC
    192.168.25.6 10.10.200.10 17 61834 4500 1/0 0 0 0 1/3 5 1 156 FC

    (WLC-01) #show datapath session table | include 4500
    10.10.200.10 192.168.25.6 17 4500 61832 0/0 0 0 2 1/3 1c 2 536 F
    10.10.200.10 192.168.25.6 17 4500 61834 0/0 0 0 0 1/3 8 0 0 F
    192.168.25.6 10.10.200.10 17 61832 4500 0/0 0 0 1 1/3 1c 4 1147 FC
    192.168.25.6 10.10.200.10 17 61834 4500 1/0 0 0 0 1/3 8 1 156 FC

    The console output for "show crypto isakmp sa" also returns empty output:


    (WLC-01) #show crypto isakmp sa peer 192.168.25.6

    % No active ISAKMP SA for 192.168.25.6

    (WLC-01) #
    (WLC-01) #show crypto isakmp sa

    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP Responder IP Flags Start Time Private IP
    ------------ ------------ ----- --------------- ----------

    (WLC-01) #

    When I check the "ACL white list" tab on the "Stateful Firewall" page in the controller, I can see that UDP port 4500 is allowed in the controller, with about 2400 hits.

    stateful-firewall-acl-white-list.png

    There is no firewall between the RAP and the controller, so I'm not sure which portion is blocking the RAP association to the controller.

    I've also attached the "rapper" log from the RAP console and the controller output of the "show crypto isakmp policy" command herewith.

    Does any of you have an idea about what went wrong? Is there any other setting that I have to allow from the controller firewall?

    Thank you

    Buddhike

    Attachment: rapper.txt (5 KB)
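As an added illustration (not part of the original post, and not an ArubaOS tool), the following Python script reads the two artefacts this post is built on, the RAP's `sapd_debug_log` and repeated captures of `show datapath session table | include 4500`, and flags the two symptoms described: an `RC_OPCODE_ERROR` line naming an `RC_ERROR_*` code, and UDP/4500 sessions whose byte counters do not move between captures. The sample lines are constructed to match the shape of the output quoted above; the column positions (packets and bytes as the second- and third-last fields, flags last) are assumed from that output, and the reading of a zero-byte controller-sourced row as "the controller never answered" is an interpretation, not a documented semantic.

```python
"""Added example: parse a RAP sapd_debug_log and controller datapath session
captures for the symptoms discussed in the thread (constructed sample data)."""
import re

# Constructed sample, same format as the RAP's sapd_debug_log in the post.
SAPD_LOG = """\
[1055]1999-12-31 16:00:20 Starting PSK RAP rapper 0 to 10.10.200.10:8423 attempt 1
[1055]1999-12-31 16:00:40 Error: Received RC_OPCODE_ERROR lms 10.10.200.10 tunnel 0.0.0.0 RC_ERROR_IKEP1_PKT5
[1055]1999-12-31 16:00:40 setup_ipsec: sapd_local_ip 192.168.25.6 netmask 255.255.255.0
[1055]1999-12-31 16:00:40 Starting rapper with lifetime p1 = 28000 p2 = 7200
"""

ERROR_RE = re.compile(r"Received RC_OPCODE_ERROR lms (\S+) tunnel (\S+) (RC_ERROR_\w+)")


def find_opcode_errors(log_text):
    """Return (lms_ip, error_code) for every RC_OPCODE_ERROR line in the log."""
    return [(m.group(1), m.group(3)) for m in ERROR_RE.finditer(log_text)]


# Two constructed snapshots of 'show datapath session table | include 4500',
# taken a few seconds apart. Assumed column order (from the post's output):
# src dst proto sport dport cntr prio tos age dest tage packets bytes flags
DATAPATH_SNAPSHOTS = [
    """10.10.200.10 192.168.25.6 17 4500 61832 0/0 0 0 2 1/3 13 0 0 F
192.168.25.6 10.10.200.10 17 61832 4500 0/0 0 0 1 1/3 13 2 312 FC""",
    """10.10.200.10 192.168.25.6 17 4500 61832 0/0 0 0 2 1/3 1c 0 0 F
192.168.25.6 10.10.200.10 17 61832 4500 0/0 0 0 1 1/3 1c 2 312 FC""",
]


def parse_datapath(snapshot):
    """Map (src, dst, sport, dport) -> (packets, bytes) for UDP (proto 17) rows."""
    flows = {}
    for line in snapshot.splitlines():
        t = line.split()
        if len(t) < 14 or t[2] != "17":
            continue  # skip headers, blank lines and non-UDP rows
        key = (t[0], t[1], int(t[3]), int(t[4]))
        flows[key] = (int(t[-3]), int(t[-2]))
    return flows


def stalled_flows(snapshots):
    """UDP/4500 flows whose byte counter is identical in every snapshot."""
    parsed = [parse_datapath(s) for s in snapshots]
    stalled = []
    for key, (_, first_bytes) in parsed[0].items():
        if 4500 not in (key[2], key[3]):
            continue
        if all(key in p and p[key][1] == first_bytes for p in parsed[1:]):
            stalled.append(key)
    return stalled


def unanswered_from_controller(snapshots, controller_ip):
    """Controller-sourced UDP/4500 rows that never carried a byte: the RAP's
    IKE packets arrived, but (on this reading) nothing went back to it."""
    last = parse_datapath(snapshots[-1])
    return [k for k, (_, nbytes) in last.items()
            if k[0] == controller_ip and k[2] == 4500 and nbytes == 0]


if __name__ == "__main__":
    print("opcode errors:", find_opcode_errors(SAPD_LOG))
    print("stalled flows:", stalled_flows(DATAPATH_SNAPSHOTS))
    print("unanswered:", unanswered_from_controller(DATAPATH_SNAPSHOTS, "10.10.200.10"))
```

Run it against real captures by replacing the constructed strings with file contents; a non-empty result from `unanswered_from_controller` together with an `RC_ERROR_IKEP1_PKT5` hit narrows the problem to the controller side of the IKE exchange rather than to path connectivity, which is the direction the replies below take.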


  • 2.  RE: RAP error "RC_ERROR_IKEP1_PKT5"

    EMPLOYEE
    Posted Sep 24, 2015 08:32 AM

    - Control Plane Security has nothing to do with RAPs

    - Enable controller-side debugging:

    config t

    logging level debugging security subcat ike
    logging level debugging security process aaa
    logging level debugging security process authmgr
    logging level debugging security subcat l2tp
    logging level debugging security subcat vpn

    - Try to connect your RAP.

    - When it fails, type "show log security 50" and post the output



  • 3.  RE: RAP error "RC_ERROR_IKEP1_PKT5"

    Posted Sep 24, 2015 08:48 AM

    Dear Collins,

    Thank you for the fast response.

    I've added the requested configuration, rebooted the RAP, and collected the logs once the RAP came up and showed the connection status "Disconnected from switch".

    I've attached the console capture herewith.

    Thank you

    Buddhike

    Attachment: console-output.txt (6 KB)


  • 4.  RE: RAP error "RC_ERROR_IKEP1_PKT5"

    EMPLOYEE
    Posted Sep 24, 2015 08:57 AM

    Your logs do not show the problem while it is happening. Please try to connect the RAP, and when it fails, immediately get the output of "show log security 100".

    RC_ERROR_IKEP1_PKT5 means that the 5th IPsec packet was not answered, which could mean that you do not have the MAC address in the RAP whitelist or your IKE preshared key is incorrect.



  • 5.  RE: RAP error "RC_ERROR_IKEP1_PKT5"

    Posted Sep 24, 2015 09:32 AM

    Dear Colin,


    I started rebooting the RAP at "Thu Sep 24 21:09:29" controller time,

    and the RAP finished booting at "Thu Sep 24 21:10:43" controller time.

    I've attached the "show log security 500" output herewith.

    I haven't manually added any RAP MAC addresses to the whitelist.

    rap-whitelist.png

    I remember I used the same IKE key when configuring the controller and when provisioning the AP.

    Thank you

    Buddhike

    Attachment: console-output2.txt (57 KB)


  • 6.  RE: RAP error "RC_ERROR_IKEP1_PKT5"

    EMPLOYEE
    Posted Sep 24, 2015 09:52 AM

    You should probably open a TAC case. They can probably go through your configuration and your topology and determine what the problem is. There is nothing obvious about what is happening here.



  • 7.  RE: RAP error "RC_ERROR_IKEP1_PKT5"

    Posted Sep 24, 2015 09:55 AM

    Dear Colin,

    Thank you very much for the effort. I will open a TAC case for this issue then.

    Regards,

    Buddhike



  • 8.  RE: RAP error "RC_ERROR_IKEP1_PKT5"
    Best Answer

    Posted Sep 25, 2015 01:01 PM

    Dear All,

    We have factory reset the RAP and configured it from scratch; now the controller is able to detect the RAP successfully.

    In the previous attempt, when we configured the RAP address pool, we used the same IP address range as the remote AP subnet (i.e. previously we used 192.168.25.1 - 192.168.25.10 for the RAP pool). When we configured the RAP the second time, we used 1.1.1.1 to 1.1.1.100 for the RAP pool.

    Could that be the reason for the RAP not being detected by the controller?

    Anyway, thank you for the support provided when we were in need of it.


    Regards,

    Buddhike
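The best answer above points at the RAP address pool overlapping the subnet the RAP itself sits on. As an added example (my own sanity check, not part of the thread and not an ArubaOS feature), the Python below does two things a practitioner would want when reviewing such a configuration: it decodes the hex subnet values that `sapd_check_rap_dhcp_pool` prints in the RAP log (the `a0ac800` / `c0a80b00` words from the first post, which are IPv4 addresses in hex with leading zeros dropped), and it checks a proposed pool range against the RAP's uplink subnet and the LMS address, using the values quoted in this thread as constructed input. The additional RFC 1918 check is my own addition: the second pool in the answer (1.1.1.1 to 1.1.1.100) is publicly routed address space, so the check reports it even though the poster found that configuration worked.

```python
"""Added example: decode sapd_check_rap_dhcp_pool hex subnets and check a RAP
address pool for collisions with the RAP's uplink subnet and the LMS."""
import ipaddress
import re

POOL_LOG_RE = re.compile(r"Subnets of LMS:([0-9a-f]+) and RAP-DHCP-Server:([0-9a-f]+)")


def decode_hex_ipv4(hex_word):
    """'a0ac800' -> IPv4Address('10.10.200.0'). The log drops leading zeros,
    so the word is parsed as an integer rather than byte by byte."""
    return ipaddress.IPv4Address(int(hex_word, 16))


def decode_pool_log_line(line):
    """Return (lms_subnet, rap_dhcp_subnet) from a sapd_check_rap_dhcp_pool line,
    or None if the line is something else."""
    m = POOL_LOG_RE.search(line)
    if not m:
        return None
    return decode_hex_ipv4(m.group(1)), decode_hex_ipv4(m.group(2))


def pool_conflicts(pool_start, pool_end, local_ip, local_mask, lms_ip):
    """List human-readable conflicts between a RAP inner address pool and the
    addresses the RAP must reach over its uplink (assumed check, not ArubaOS)."""
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")
    uplink = ipaddress.IPv4Interface(f"{local_ip}/{local_mask}").network
    lms = ipaddress.IPv4Address(lms_ip)
    conflicts = []
    # Range overlap: pool and uplink subnet share at least one address.
    if start <= uplink.broadcast_address and end >= uplink.network_address:
        conflicts.append(f"pool {start}-{end} overlaps RAP uplink subnet {uplink}")
    if start <= lms <= end:
        conflicts.append(f"pool {start}-{end} contains LMS address {lms}")
    # Inner addresses should come from private space; a public range will
    # shadow real Internet destinations for clients behind the RAP.
    for net in ipaddress.summarize_address_range(start, end):
        if not net.is_private:
            conflicts.append(f"pool range {net} is not RFC 1918 private space")
            break
    return conflicts


if __name__ == "__main__":
    # Constructed log line copied in shape from the first post.
    line = "[1055]1999-12-31 16:00:40 sapd_check_rap_dhcp_pool: Subnets of LMS:a0ac800 and RAP-DHCP-Server:c0a80b00"
    print("decoded:", decode_pool_log_line(line))
    # First attempt in the thread: pool inside the RAP's own 192.168.25.0/24.
    print(pool_conflicts("192.168.25.1", "192.168.25.10", "192.168.25.6", "255.255.255.0", "10.10.200.10"))
    # Second attempt: no overlap, but not private address space.
    print(pool_conflicts("1.1.1.1", "1.1.1.100", "192.168.25.6", "255.255.255.0", "10.10.200.10"))
```

The uplink subnet and LMS address come straight from the `setup_ipsec` lines in the RAP log (`sapd_local_ip 192.168.25.6 netmask 255.255.255.0`, LMS `10.10.200.10`), so the same values can be pulled from a real log with a small extension of the regex.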