Wireless Access

Contributor I

RAP not connecting to cluster after provisioning

Hi Airheads,

 

I am standing up a PoC for a client and am having trouble getting the RAP to connect. Environment is below:

 

Hardware MM

2 x 7210 MC, clustered

1 x 505 CAP

1 x 305 CAP

1 x 305 that I flick between CAP and RAP to test

Software is 8.6.0.3

 

MCs are behind a firewall, bi-directionally NAT'd. Cluster is formed and each MC knows its public IP address:

 

lc-cluster group-profile "MC-CLUSTER"
controller 10.11.101.12 priority 128 mcast-vlan 0 vrrp-ip 10.11.101.112 vrrp-vlan 101 group 1 rap-public-ip x.x.x.x
controller 10.11.101.13 priority 128 mcast-vlan 0 vrrp-ip 10.11.101.113 vrrp-vlan 101 group 1 rap-public-ip x.x.x.y
active-client-rebalance-threshold 50
standby-client-rebalance-threshold 75
heartbeat-threshold 0

 

RAP Cluster pool is defined at the MM level:

(MM-01) [mynode] #show running-config | include lc-rap
lc-rap-pool rap-pool 172.17.0.1 172.17.2.254

 

(MM-01) [mynode] #show lc-rap-pool

IP addresses used in pool rap-pool
172.17.0.1

Total:-
1 IPs used - 765 IPs free - 766 IPs configured
LC RAP Pool Total Allocs/Deallocs/Reserves : 5/1/0
LC RAP Pool Allocs/Deallocs/Reserves(succ/fail) : 3/1/(0/0)

 

 

When provisioned as a CAP all works fine: SSIDs broadcast, can connect. When reprovisioning as a RAP pointed at either the public IP or private IP, I can see errors on the controller such as:

 

Peer:AUTH_HMAC_SHA1_96 Peer:ESN_0 <-- R Notify: INTERNAL_ADDRESS_FAILURE

 

Doing some searching I came across this link which had the same error: https://www.booches.nl/2019/05/migrate-rap-from-aos-6-x-to-aos-8-x/

 

Cluster pool is definitely set and looks to be allocating an IP by the looks of it. I can't seem to find the rap pool command in the config making its way from the MM to the MCs (maybe by design???).

 

AP is showing as whitelisted on the MM but not on the MC's

 

I am working with a local SE on the issue but hoping others have had something similar and have a solution.

 

Cheers

 

---------------------------
ACCP, ACMA, ACMP, ACDX

Accepted Solutions
Moderator

Re: RAP not connecting to cluster after provisioning

It is not that the inner IP is not making it; it is that the MD is authenticating the RAP in an odd way, such that it never tries to query the MM.

 

The clue appears to be the log about skipping the cert CN check

 

Apr 5 21:30:11 :124004:  <3650> <DBUG> |authmgr|  RX (sock) message of type 66, len 1036
Apr 5 21:30:11 :124454:  <3650> <DBUG> |authmgr|  auth_user_query_raw: recvd request user:xx:xx:xx:xx:xx:xx ip:192.168.15.131 cookie:-2058597249
Apr 5 21:30:11 :132218:  <3650> <INFO> |authmgr|  Skipping certificate common name check for username= MAC=00:00:00:00:00:00
Apr 5 21:30:11 :124453:  <3650> <DBUG> |authmgr|  auth_user_query_resp: response user:xx:xx:xx:xx:xx:xx ip:192.168.15.131 cookie:-2058597249
Apr 5 21:30:11 :124198:  <3650> <ERRS> |authmgr|  {00:00:00:00:00:00-??} Missing server in attribute list, auth=VPN, utype=L3.
Apr 5 21:30:11 :124441:  <3650> <DBUG> |authmgr|  auth_user_query_resp: vpnflags:2
Apr 5 21:30:11 :124004:  <3650> <DBUG> |authmgr|  ip=192.168.15.131, sg=internal

 

which you can see is not in the working debug I posted before. I checked into the auth code and it would appear that if the VPN profile has "Check certificate common name against AAA server" disabled, then it circumvents this whole process of querying the local DB (and then the MM).

 

I also see that your RAP has picked up "aaa server-group internal" (sg=internal), which is also different from the default setting, which would have been "aaa server-group default".

 

So... please check if any of the following have been modified from their defaults, and/or add them here for discussion.

> show aaa server-group internal
> show aaa server-group default
> show aaa authentication vpn default-rap
> show aaa authentication vpn default


If you find that "Check certificate common name against AAA server" has been set to "disabled", especially in "aaa authentication vpn default-rap", please try changing it back to enabled.

All Replies
Super Contributor I

Re: RAP not connecting to cluster after provisioning

In your cluster configuration, have you defined a RAP public IP for each member? See attached screenshot. When terminating RAPs to a cluster you should define this IP.

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX#509 | ACCP | ACSA | ACDA | ACEA | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!
Super Contributor I

Re: RAP not connecting to cluster after provisioning

Also your RAP pool should be configured under your Managed Network level, not the MM Level.

Dustin Burns
Contributor I

Re: RAP not connecting to cluster after provisioning

Yep, public IPs are defined (see original post config snippet).

 

All documentation 8.4 onwards also says to define the RAP pool at the MM level under "Cluster RAP Pool" settings so that is what has been done. SE also confirmed this to be accurate.

 

Cheers

Super Contributor I

Re: RAP not connecting to cluster after provisioning

That never worked for me. MD is where I got it to work.

 

 

 

Dustin Burns
Guru Elite

Re: RAP not connecting to cluster after provisioning

See if your RAP MAC is whitelisted on the MD:

show crypto isakmp clusterMac

 

See if your RAP was assigned an ip address from the pool on the MD:

show crypto isakmp clusterIP

 

 

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Contributor I

Re: RAP not connecting to cluster after provisioning

show crypto isakmp clusterMAC

Cluster RAPMAC Table Entries:

Total RAPMAC Entries: 0

 

show crypto isakmp clusterIP

Cluster RAPIP Table Entries:

Total RAPIP Entries: 0

 

Same on both controllers.

 

On the MM, show whitelist-db rap shows:


AP-entry Details
----------------
Name:             xxxxxxxxxxxx
AP-Group:         RAP-TEST
AP-Name:          xxxx-305
Full-Name:        (empty)
Authen-Username:  (empty)
Revoke-Text:      (empty)
AP_Authenticated: Provisioned
Description:      (empty)
Date-Added:       Thu Apr 2 11:43:39 2020
Enabled:          Yes
Remote-IP:        0.0.0.0
Remote-IPv6:      ::
Cluster-InnerIP:  172.17.0.1
Cert-type:        NA

Guru Elite

Re: RAP not connecting to cluster after provisioning

When you go to configuration> access points> whitelist> Remote AP whitelist do you see your whitelisted RAPs at the highest /MD level? What about if you navigate down to the MD level?


Moderator

Re: RAP not connecting to cluster after provisioning


@brettbrown wrote:

Cluster pool is definitely set and looks to be allocating an IP by the looks of it. I cant seem to find the rap pool command in the config making its way from the MM to the MC's (maybe by design???).


 

With cluster RAP, the pool itself does not get pushed to MDs, as opposed to the way things work when not using cluster with RAPs. The pool is used (by the MM) to assign an IP (from the pool) to the RAP when it's put into the whitelist database; which essentially becomes a static IP. That IP is then consistent across the MDs within the cluster that it terminates in (indeed across all clusters of the MM).

 

When the RAP arrives in the MD, it will use the auth-server "internal" to try to authenticate; in a cluster this should be pointing to the MM virtual IP. Please confirm it using "show aaa authentication-server internal"; it should show the IP of the MM VIP (or MM primary if you don't have a backup MM).

 

If someone has previously set the MD internal auth server to "use-local-switch" then this could easily cause the problem you're seeing.

 

Here is how the security debug should look (warning: don't run log level debugging security in a live RAP network for any extended amount of time). In the below debug, a RAP (9c:8c:d8:09:05:0c) connects to MD (192.168.1.144) from NAT source IP 172.35.0.10, via a RAP cluster public IP (does not appear in debug).


The RAP whitelist entry is not found on the MD so the MD will query the MM VIP (192.168.1.142) and finds a result which has internal IP 168430082 (0xa0a0a02 == 10.10.10.2).

 

 

Apr 5 15:40:30 :124004:  <3368> <DBUG> |authmgr|  RX (sock) message of type 66, len 1028 
Apr 5 15:40:30 :124454:  <3368> <DBUG> |authmgr|  auth_user_query_raw: recvd request user:9c:8c:d8:09:50:0c ip:172.35.0.10 cookie:-2145524411 
Apr 5 15:40:30 :124098:  <3368> <DBUG> |authmgr|  Setting authstate 'started' for user 172.35.0.10, client VPN.
Apr 5 15:40:30 :124099:  <3368> <DBUG> |authmgr|  Setting auth type 'VPN' for user 172.35.0.10, client VPN.
Apr 5 15:40:30 :124004:  <3368> <DBUG> |authmgr|  ncfg_auth_server_group_authtype ip=172.35.0.10, method=VPN vpnflags:2
Apr 5 15:40:30 :124004:  <3368> <DBUG> |authmgr|  ncfg_auth_server_group_authtype vpnflags:2 vpn-profile:default-rap
Apr 5 15:40:30 :124004:  <3368> <DBUG> |authmgr|  ip=172.35.0.10, sg=default
Apr 5 15:40:30 :124004:  <3368> <DBUG> |authmgr|  aal_authenticate aal 0x2b9cc94 username 9c:8c:d8:09:05:0c
Apr 5 15:40:30 :124547:  <3368> <DBUG> |authmgr|  aal_authenticate server_group:default.
Apr 5 15:40:30 :124004:  <3368> <DBUG> |authmgr|  Select server for method=VPN, user=9c:8c:d8:09:05:0c, essid=<>, server-group=default, last_srv <>
Apr 5 15:40:30 :124038:  <3368> <INFO> |authmgr|  Reused server Internal for method=VPN; user=9c:8c:d8:09:05:0c,  essid=<>, domain=<>, server-group=default
Apr 5 15:40:30 :133028:  <3426> <DBUG> |localdb|  executeUSERDBMethod(127.0.0.1:8214 ==> 127.0.0.1:8344 PktType:0x402 SeqNum:37117 MsgCode:62): Received udb_msg with msgtype:62 id:178 reqtype:6 dbtype:13
Apr 5 15:40:30 :133108:  <3426> <DBUG> |localdb|  executeUSERDBMethod: Query for mac:9c:8c:d8:09:05:0c not successful locally with msgtype:62 id:178 reqtype:6 dbtype:13
Apr 5 15:40:30 :133032:  <3426> <DBUG> |localdb|  localdb_send_db_fetch_req: Sending Fetch-Req on WL-entry for mac 9c:8c:d8:09:05:0c to 192.168.1.142:8344 with msgtype:62 id:178 reqtype:9 dbtype:13
Apr 5 15:40:30 :133028:  <3426> <DBUG> |localdb|  executeUSERDBMethod(192.168.1.142:8344 ==> 192.168.1.144:8344 PktType:0x2002 SeqNum:8267 MsgCode:62): Received udb_msg with msgtype:79 id:178 reqtype:10 dbtype:13
Apr 5 15:40:30 :133108:  <3426> <DBUG> |localdb|  executeUSERDBMethod: Received FETCH-RSP for mac:9c:8c:d8:09:05:0c with msgtype:79 id:178 reqtype:10 dbtype:13
Apr 5 15:40:30 :133005:  <3426> <INFO> |localdb|  User 9c:8c:d8:09:05:0c  Successfully Authenticated
Apr 5 15:40:30 :124004:  <3368> <DBUG> |authmgr|  udb_gen_whitelist_avpairs: Added avpair name Remote-IP value 0 
Apr 5 15:40:30 :124004:  <3368> <DBUG> |authmgr|  udb_gen_whitelist_avpairs: Added avpair name Remote-IPv6 value :: 
Apr 5 15:40:30 :124004:  <3368> <DBUG> |authmgr|  udb_gen_whitelist_avpairs: Added avpair name Inner-IP value 168430082  (0xa0a0a02 == 10.10.10.2)
Apr 5 15:40:30 :124004:  <3368> <DBUG> |authmgr|  udb_gen_whitelist_avpairs: Added avpair name Cert_type value 1 
Apr 5 15:40:30 :124003:  <3368> <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=9c:8c:d8:09:05:0c 
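Added example, not code from the thread or from Aruba: a small Python triage script that applies the two checks the moderator describes, the failing signature in the accepted solution (CN check skipped, sg=internal, "Missing server in attribute list") and the working signature in the debug above (Fetch-Req to the MM VIP, Inner-IP avpair decoded from its decimal form), to constructed log lines modelled on the posted output. MAC addresses in the samples are placeholders; the regexes assume the message formats exactly as posted.

```python
import re, ipaddress

# Constructed sample lines modelled on the authmgr/localdb debug in this thread (MACs
# are placeholders); FAILING mirrors the accepted solution, WORKING the reference debug.
FAILING = """\
Apr 5 21:30:11 :124454:  <3650> <DBUG> |authmgr|  auth_user_query_raw: recvd request user:aa:bb:cc:dd:ee:ff ip:192.168.15.131 cookie:-2058597249
Apr 5 21:30:11 :132218:  <3650> <INFO> |authmgr|  Skipping certificate common name check for username= MAC=00:00:00:00:00:00
Apr 5 21:30:11 :124198:  <3650> <ERRS> |authmgr|  {00:00:00:00:00:00-??} Missing server in attribute list, auth=VPN, utype=L3.
Apr 5 21:30:11 :124004:  <3650> <DBUG> |authmgr|  ip=192.168.15.131, sg=internal
"""
WORKING = """\
Apr 5 15:40:30 :124004:  <3368> <DBUG> |authmgr|  ip=172.35.0.10, sg=default
Apr 5 15:40:30 :133032:  <3426> <DBUG> |localdb|  localdb_send_db_fetch_req: Sending Fetch-Req on WL-entry for mac aa:bb:cc:dd:ee:ff to 192.168.1.142:8344 with msgtype:62 id:178 reqtype:9 dbtype:13
Apr 5 15:40:30 :124004:  <3368> <DBUG> |authmgr|  udb_gen_whitelist_avpairs: Added avpair name Inner-IP value 168430082
Apr 5 15:40:30 :124003:  <3368> <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=aa:bb:cc:dd:ee:ff
"""
SG_RE = re.compile(r"\bsg=(\S+)")                       # server group picked for the RAP
FETCH_RE = re.compile(r"Sending Fetch-Req on WL-entry .* to (\d+\.\d+\.\d+\.\d+):\d+")
INNER_IP_RE = re.compile(r"Inner-IP value (\d+)")        # decimal form of the cluster inner IP

def inner_ip(value):
    """Decode the decimal Inner-IP avpair (e.g. 168430082) into dotted-quad form."""
    return str(ipaddress.IPv4Address(int(value)))

def triage(log_text):
    """Pull out the fields the thread's diagnosis hinges on from one IKE attempt's debug."""
    f = {"server_group": None, "cn_check_skipped": False, "missing_server": False,
         "mm_queried": None, "inner_ip": None, "authenticated": False}
    for line in log_text.splitlines():
        if m := SG_RE.search(line):
            f["server_group"] = m.group(1).rstrip(",")
        if "Skipping certificate common name check" in line:
            f["cn_check_skipped"] = True
        if "Missing server in attribute list" in line:
            f["missing_server"] = True
        if m := FETCH_RE.search(line):
            f["mm_queried"] = m.group(1)              # MM VIP the MD asked for the whitelist entry
        if m := INNER_IP_RE.search(line):
            f["inner_ip"] = inner_ip(m.group(1))
        if "Authentication Successful" in line:
            f["authenticated"] = True
    return f

def verdict(f):
    """Map the findings onto the two outcomes discussed in the thread."""
    if f["authenticated"] and f["mm_queried"] and f["inner_ip"]:
        return "ok: MD fetched whitelist entry from %s, inner IP %s" % (f["mm_queried"], f["inner_ip"])
    if f["cn_check_skipped"] or f["server_group"] == "internal" or f["missing_server"]:
        return "suspect: vpn profile/server group bypasses the local DB -> MM whitelist lookup"
    return "inconclusive"
```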

 

 

MVP Guru

Re: RAP not connecting to cluster after provisioning

Can you post the output of 'show ap database'? Are there any associated flags next to the AP? What about any errors in your config, 'show profile-errors'? Do you also have LMS/BLMS in the AP System Profile?


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)