Contributor I

Re: RAP not connecting to cluster after provisioning

Thanks for all the replies.

show aaa authentication-server internal

Internal Server
---------------
Host      IP addr       Retries  Timeout  Status
----      -------       -------  -------  ------
Internal  10.11.101.11  3        5        Enabled

10.11.101.11 is the MM, so that part looks OK.

LMS/BLMS is not set. My understanding is that once provisioned (pointing at either the public IP or the private IP), the RAP should pull down the node list and be able to work out how it connects; is this not correct? I don't have them set in the ap-group I was using for them in CAP mode, and they connect OK to both controllers and fail over.

show profile-errors shows nothing invalid on the MM or MCs.

Cheers

---------------------------
ACCP, ACMA, ACMP, ACDX
Moderator

Re: RAP not connecting to cluster after provisioning

Yes, you're correct: LMS/BLMS should not be configured for this to work, and the AP will learn about the RAP public IPs as it comes up on the cluster.

Please enable "logging security level debugging" for the MD in question, try to connect your RAP, and either compare it to what I posted before or post it here.

In essence, the RAP connects to the public IP configured as its master IP (via DNS or whatever), gets port-forwarded to one of the MDs, starts processing, and is not found in the MD whitelist DB; the MD then queries the MM, which should return success together with the internal IP, and then the MD adds it to its local whitelist DB and proceeds to do normal RAP bring-up.

The security debug on the MD that the master IP maps to should tell us 95% of what is wrong.

Contributor I

Re: RAP not connecting to cluster after provisioning

1000 lines attached; this is with the RAP connecting via the internal private IP.

Inner IP doesn't appear to be making it down to the MD:

Apr 5 21:30:18 :103063:  <3593> <DBUG> |ike|   ipc_ikev2_auth_recv_vpn_packet cookie:2236370049 innerip 0.0.0.0 inneripv6
Apr 5 21:30:18 :103063:  <3593> <DBUG> |ike|   ipc_ikev2_auth_recv_vpn_packet removing ctx 206bbe4 from auth-list. auth-cookie 2236370049
Apr 5 21:30:18 :103063:  <3593> <DBUG> |ike|   *** ipc_auth_recv_packet user=xx:xx:xx:xx:xx:xx, pass=******, result=0   ctx:0x206bbe4, ctx-innerip::: l2tp_pool:default-l2tp-pool
Apr 5 21:30:18 :103063:  <3593> <DBUG> |ike|   ipc_ikev2_auth_recv_vpn_packet rsp.cluster_rap_innerip 0.0.0.0 rsp.inner_ip 0.0.0.0
Apr 5 21:30:18 :103063:  <3593> <DBUG> |ike|    Peer:AUTH_HMAC_SHA1_96 Peer:ESN_0  <-- R   Notify: INTERNAL_ADDRESS_FAILURE (ESP spi=2fe2a400)#
Apr 5 21:30:18 :103063:  <3593> <DBUG> |ike|   SEND 80 bytes to 192.168.15.131(57906) (427784.469)
---------------------------
ACCP, ACMA, ACMP, ACDX
Moderator

Re: RAP not connecting to cluster after provisioning

It is not that the inner IP is not making it; it is that the MD is authenticating the RAP in an odd way, such that it never tries to query the MM.

The clue appears to be the log about skipping the cert CN check:

Apr 5 21:30:11 :124004:  <3650> <DBUG> |authmgr|  RX (sock) message of type 66, len 1036
Apr 5 21:30:11 :124454:  <3650> <DBUG> |authmgr|  auth_user_query_raw: recvd request user:xx:xx:xx:xx:xx:xx ip:192.168.15.131 cookie:-2058597249
Apr 5 21:30:11 :132218:  <3650> <INFO> |authmgr|  Skipping certificate common name check for username= MAC=00:00:00:00:00:00
Apr 5 21:30:11 :124453:  <3650> <DBUG> |authmgr|  auth_user_query_resp: response user:xx:xx:xx:xx:xx:xx ip:192.168.15.131 cookie:-2058597249
Apr 5 21:30:11 :124198:  <3650> <ERRS> |authmgr|  {00:00:00:00:00:00-??} Missing server in attribute list, auth=VPN, utype=L3.
Apr 5 21:30:11 :124441:  <3650> <DBUG> |authmgr|  auth_user_query_resp: vpnflags:2
Apr 5 21:30:11 :124004:  <3650> <DBUG> |authmgr|  ip=192.168.15.131, sg=internal

which you can see is not in the working debug I posted before. I checked into the auth code and it would appear that if the VPN profile has "Check certificate common name against AAA server" disabled, then it circumvents this whole process of querying the local DB (and then the MM).

I also see that your RAP has picked up "aaa server-group internal" (sg=internal), which is also different from the default setting, which would have been "aaa server-group default".

So... please check if any of the following have been modified from their defaults, and/or add them here for discussion.

> show aaa server-group internal
> show aaa server-group default
> show aaa authentication vpn default-rap
> show aaa authentication vpn default
If you find that "Check certificate common name against AAA server" has been set to "disabled", especially in "aaa authentication vpn default-rap", please try changing it back to enabled.
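The signature described in this post (CN check skipped, no server in the attribute list, sg=internal, and the IKE side finishing with a zero inner IP and INTERNAL_ADDRESS_FAILURE) can be picked out of a "logging security level debugging" capture mechanically. The following is an added example, not Aruba code or anything posted in the thread; the sample lines are the ones quoted in the thread (MACs already masked by the poster), and the regexes are assumptions based only on those lines, so other message IDs or wording in a real capture would need their own patterns.

```python
"""Triage Aruba security-debug output for the RAP whitelist-bypass signature.

Added example, not Aruba code. The patterns below are derived only from
the log lines quoted in this thread and are an assumption for any other
output."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity msg line")

# Patterns taken from the thread's authmgr / ike debug lines (assumed format).
CN_SKIP   = re.compile(r"\|authmgr\|.*Skipping certificate common name check")
NO_SERVER = re.compile(r"\|authmgr\|.*Missing server in attribute list, auth=VPN")
SG        = re.compile(r"\|authmgr\|\s+ip=(\S+), sg=(\S+)")
INNER_IP  = re.compile(r"\|ike\|.*rsp\.cluster_rap_innerip (\S+) rsp\.inner_ip (\S+)")
ADDR_FAIL = re.compile(r"\|ike\|.*Notify: INTERNAL_ADDRESS_FAILURE")


def triage(lines):
    """Scan debug lines and return the findings relevant to RAP bring-up."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if CN_SKIP.search(line):
            findings.append(Finding("warn",
                "cn_skipped: VPN profile is not checking the cert CN against AAA, "
                "so the local whitelist / MM query is bypassed", line))
        elif NO_SERVER.search(line):
            findings.append(Finding("error",
                "no_server: authmgr had no server to query for this RAP", line))
            continue
        m = SG.search(line)
        if m and m.group(2) != "default":
            findings.append(Finding("warn",
                f"server_group: RAP {m.group(1)} used server-group "
                f"'{m.group(2)}' (default profile uses 'default')", line))
            continue
        m = INNER_IP.search(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            findings.append(Finding("error",
                "no_inner_ip: no inner IP returned to IKE, RAP pool lookup failed", line))
            continue
        if ADDR_FAIL.search(line):
            findings.append(Finding("error",
                "addr_failure: IKEv2 INTERNAL_ADDRESS_FAILURE sent to the RAP", line))
    return findings


def verdict(findings):
    """Collapse findings into one of: cn_check_bypass, rap_auth_failure, ok."""
    msgs = [f.msg for f in findings]
    if any(m.startswith("cn_skipped") for m in msgs) and any(m.startswith("no_server") for m in msgs):
        return "cn_check_bypass"
    if any(f.severity == "error" for f in findings):
        return "rap_auth_failure"
    return "ok"


# Sample capture: the lines quoted in this thread, in time order.
SAMPLE_LOG = """\
Apr 5 21:30:11 :124004:  <3650> <DBUG> |authmgr|  RX (sock) message of type 66, len 1036
Apr 5 21:30:11 :124454:  <3650> <DBUG> |authmgr|  auth_user_query_raw: recvd request user:xx:xx:xx:xx:xx:xx ip:192.168.15.131 cookie:-2058597249
Apr 5 21:30:11 :132218:  <3650> <INFO> |authmgr|  Skipping certificate common name check for username= MAC=00:00:00:00:00:00
Apr 5 21:30:11 :124453:  <3650> <DBUG> |authmgr|  auth_user_query_resp: response user:xx:xx:xx:xx:xx:xx ip:192.168.15.131 cookie:-2058597249
Apr 5 21:30:11 :124198:  <3650> <ERRS> |authmgr|  {00:00:00:00:00:00-??} Missing server in attribute list, auth=VPN, utype=L3.
Apr 5 21:30:11 :124441:  <3650> <DBUG> |authmgr|  auth_user_query_resp: vpnflags:2
Apr 5 21:30:11 :124004:  <3650> <DBUG> |authmgr|  ip=192.168.15.131, sg=internal
Apr 5 21:30:18 :103063:  <3593> <DBUG> |ike|   ipc_ikev2_auth_recv_vpn_packet rsp.cluster_rap_innerip 0.0.0.0 rsp.inner_ip 0.0.0.0
Apr 5 21:30:18 :103063:  <3593> <DBUG> |ike|    Peer:AUTH_HMAC_SHA1_96 Peer:ESN_0  <-- R   Notify: INTERNAL_ADDRESS_FAILURE (ESP spi=2fe2a400)#
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"[{f.severity}] {f.msg}")
    print("verdict:", verdict(found))
```

Running it on the thread's lines gives two warnings (CN check skipped, sg=internal) and three errors, and the verdict `cn_check_bypass`, which points at the VPN authentication profile rather than at the IKE exchange where the failure is first visible.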
Aruba Employee

Re: RAP not connecting to cluster after provisioning

In the case of a cluster, the RAP pool should be configured on the Mobility Master. In AOS 8.6.x.x, the RAP pool can only be configured under the 'Mobility Master' in the hierarchy, which is equivalent to /mm in the CLI.

Leave the LMS/BKUP-LMS empty.

Please validate in the WebUI that the RAP pool is configured as per the above. From the CLI, validate it by running the command:

'show configuration committed /mm | include lc-rap-pool'

Contributor I

Re: RAP not connecting to cluster after provisioning

Commands below. I should note that these were all factory default and have been set up from scratch with a fairly minimal setup, just what was required to get them clustered and a few SSIDs set up. CAP mode works fine.

show aaa server-group internal

Fail Through:No
Load Balance:No

Auth Servers
------------
Name      Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
----      -----------  ---------  ----------  --------  ---------
Internal  Internal     No

Role/VLAN derivation rules
---------------------------
Priority  Attribute  Operation  Operand  Type    Action    Value  Validated
--------  ---------  ---------  -------  ----    ------    -----  ---------
1         Role       value-of            String  set role         No

show aaa server-group default

Fail Through:No
Load Balance:No

Auth Servers
------------
Name      Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
----      -----------  ---------  ----------  --------  ---------
Internal  Internal     No

Role/VLAN derivation rules
---------------------------
Priority  Attribute  Operation  Operand  Type    Action    Value  Validated
--------  ---------  ---------  -------  ----    ------    -----  -------

show aaa authentication vpn default-rap

VPN Authentication Profile "default-rap" (Predefined (changed))
---------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Default Role                                      default-vpn-role
Server Group                                      internal
RADIUS Accounting Server Group                    N/A
Max Authentication failures                       0
Check certificate common name against AAA server  Disabled
Export VPN IP address as a route                  Enabled
User idle timeout                                 N/A
PAN Firewall Integration                          Disabled

show aaa authentication vpn default

VPN Authentication Profile "default"
------------------------------------
Parameter                                         Value
---------                                         -----
Default Role                                      default-vpn-role
Server Group                                      default
RADIUS Accounting Server Group                    N/A
Max Authentication failures                       0
Check certificate common name against AAA server  Enabled
Export VPN IP address as a route                  Enabled
User idle timeout                                 N/A
PAN Firewall Integration                          Disabled
---------------------------
ACCP, ACMA, ACMP, ACDX
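The two profile dumps above can be compared against the defaults the moderator named (server group "default", CN check Enabled) without reading the tables by eye, which is useful when several MDs or profiles need checking. This is an added example, not Aruba code and not something the posters used; it parses the "Parameter / Value" layout exactly as shown in the thread (two or more spaces between columns is an assumption about that layout), and the sample outputs are the ones posted above.

```python
"""Audit 'show aaa authentication vpn <profile>' output against the
defaults identified in this thread.

Added example, not Aruba code. The column layout (parameter, two or more
spaces, value) and the '(Predefined (changed))' tag are assumed from the
output posted in the thread."""
import re

PROFILE_RE = re.compile(r'VPN Authentication Profile "([^"]+)"(.*)')
ROW_RE = re.compile(r"^(\S.*?)\s{2,}(\S.*?)\s*$")

# Values a factory-default profile carries, per the moderator's post.
EXPECTED = {
    "Server Group": "default",
    "Check certificate common name against AAA server": "Enabled",
}


def parse_vpn_profile(text):
    """Return (profile_name, marked_changed, {parameter: value})."""
    name, changed, params = None, False, {}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PROFILE_RE.search(line)
        if m:
            name = m.group(1)
            changed = "changed" in m.group(2)   # "(Predefined (changed))" tag
            continue
        if not line or line.startswith("-"):
            continue                            # blank or separator row
        m = ROW_RE.match(line)
        if not m or m.group(1) == "Parameter":
            continue                            # header row or unparseable line
        params[m.group(1)] = m.group(2)
    return name, changed, params


def audit_vpn_profile(text):
    """List every expected-default parameter whose value differs."""
    name, changed, params = parse_vpn_profile(text)
    deviations = [(param, params.get(param), want)
                  for param, want in EXPECTED.items()
                  if params.get(param) != want]
    return {"profile": name, "marked_changed": changed, "deviations": deviations}


# Sample outputs copied from the thread.
SAMPLE_DEFAULT_RAP = """\
VPN Authentication Profile "default-rap" (Predefined (changed))
---------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Default Role                                      default-vpn-role
Server Group                                      internal
RADIUS Accounting Server Group                    N/A
Max Authentication failures                       0
Check certificate common name against AAA server  Disabled
Export VPN IP address as a route                  Enabled
User idle timeout                                 N/A
PAN Firewall Integration                          Disabled
"""

SAMPLE_DEFAULT = """\
VPN Authentication Profile "default"
------------------------------------
Parameter                                         Value
---------                                         -----
Default Role                                      default-vpn-role
Server Group                                      default
RADIUS Accounting Server Group                    N/A
Max Authentication failures                       0
Check certificate common name against AAA server  Enabled
Export VPN IP address as a route                  Enabled
User idle timeout                                 N/A
PAN Firewall Integration                          Disabled
"""

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT_RAP, SAMPLE_DEFAULT):
        result = audit_vpn_profile(sample)
        print(result["profile"], "changed" if result["marked_changed"] else "pristine")
        for param, actual, want in result["deviations"]:
            print(f"  {param}: {actual} (expected {want})")
```

On the posted output the default-rap profile reports both deviations (Server Group internal, CN check Disabled) and is already flagged "(changed)" in its title line, while the default profile reports none; the "(changed)" tag alone is a quick first check before diffing the parameters.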
Contributor I

Re: RAP not connecting to cluster after provisioning

Re-enabling "Check certificate common name against AAA server" seems to have fixed the issue (I don't recall disabling it...).

Will re-provision to talk to the public IP and continue testing.

Thanks for your help!
---------------------------
ACCP, ACMA, ACMP, ACDX
Moderator

Re: RAP not connecting to cluster after provisioning

That's good news; if anything else crops up, let us know here.

Occasional Contributor I

Re: RAP not connecting to cluster after provisioning

@jgoff
Thank you for the detailed explanation. After recreating my cluster with public IPs I ran into some headaches with RAP provisioning. The "RAP solution Guide with Clusters" PDF that has been making its way around SE circles is a great document, but it fails to mention most of what you posted and more or less assumes one is creating things like a cluster for the first time. I was able to resolve my issues by making sure that the internal DB was referenced and that certificate checking against the AAA server was enabled.

Moderator

Re: RAP not connecting to cluster after provisioning

@FPU_RB
Glad to know it was helpful. A couple of things:

Can you send me a copy of the exact document you're referring to, either a link to it or a DM with a Dropbox link or some such?

I thought it a bit of a rare case that someone would have changed these defaults. I can potentially look to chase up the authors (if possible) of the doc you're referring to, but can you elaborate a bit on how it came to be that your system had non-default values here?

Thanks. -jeff