Contributor I

Re: RAP not connecting to controller

Thanks! Appreciate you taking the time! Will provide additional information below.

 

No recent change apart from the physical move of controller within infrastructure. The controller retained its IP-address, but is now communicating through a different firewall (MAC).

 

I had a few sample/test RAPs deployed previously, but neither is currently working.

 

The RAP is communicating through a NAT-device at its current location.

 

If by role of controller you mean master/slave, this is the master - no cluster deployment. This is the single controller in production.

 

I believe the RAP is authenticated using cert, but hope to be able to confirm. Perhaps you can judge by output from the aaa auth profile?

 

No TAC case. If this all turns out to be too big a deal I will seek some on-site assistance, but wanted to run it by the forum first :)

 

------------

VPN Authentication Profile "default-rap" (Predefined (changed))
---------------------------------------------------------------
Parameter                                         Value
---------                                         -----
Server Group                                      default
RADIUS Accounting Server Group                    N/A
Max Authentication failures                       0
Check certificate common name against AAA server  Enabled
Export VPN IP address as a route                  Enabled
User idle timeout                                 N/A
PAN Firewall Integration                          Disabled

 

-------

(Aruba3200) #show user-table verbose | include 000b8682ea64

<no output>

 

-------

 

show log security 100 | include <RAP public IP-address>

May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> #RECV 423 bytes from 78.70.34.220(34070) at 192.168.1.10 (3629731.765)
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070->  spi={30ed14eb18ddd12a 0000000000000000} np=SA
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070->  exchange=IKE_SA_INIT msgid=0 len=419
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070->   check_aruba_ap_vid: aruba ap eth0 mac address 000b8682ea64 vidLen = 26
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IKE2_checkCookie notify-cookie ip:78.70.34.220
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IPSEC_findSaByIP addr:78.70.34.220
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IPSEC_findSaByIP pxSa:(nil) status:0
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IPSEC_findSaByIP finished with pxSa:(nil) status:0
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IKE2_checkCookie finished with ipsecSa:(nil) status:0
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> delete_cp_route entered with ip:78.70.34.220
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify entered with ip:4e4622dc/ffffffff
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify after socket:35 with ip:78.70.34.220
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify socket:35 request:35084 dev:tsgw rtflags:0 with ip:78.70.34.220
May 17 08:32:48 :103060:  <DBUG> |ike|  78.70.34.220:34070-> ipc.c:controlplaneRouteModify:5187 Failed to Delete Route in Kernel: error:No such process
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify after ioctl sock:35 with ip:78.70.34.220
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify after close sock:35 with ip:78.70.34.220
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> delete_cp_route finished with ip:78.70.34.220
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> OutInfo notify-cookie
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> OutCp entered
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070->   <-- R   Notify: COOKIE#SEND 60 bytes to 78.70.34.220(34070) (3629731.772)
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> cleanup_and_free_context delete ctx memory
May 17 08:32:48 :103063:  <DBUG> |ike|  78.70.34.220:34070-> udp_encap_handle_message IKEv2 pkt status:0
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> udp_encap_handle_message ver:2 serverInst:0 pktsize:423
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IKE_EXAMPLE_IKE_msgRecv: ip:4e4622dc  port:34070  server:0   len:423  numSkts:6
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070->
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> #RECV 423 bytes from 78.70.34.220(34070) at 192.168.1.10 (3629736.765)
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070->  spi={30ed14eb18ddd12a 0000000000000000} np=SA
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070->  exchange=IKE_SA_INIT msgid=0 len=419
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070->   check_aruba_ap_vid: aruba ap eth0 mac address 000b8682ea64 vidLen = 26
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IKE2_checkCookie notify-cookie ip:78.70.34.220
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IPSEC_findSaByIP addr:78.70.34.220
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IPSEC_findSaByIP pxSa:(nil) status:0
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IPSEC_findSaByIP finished with pxSa:(nil) status:0
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IKE2_checkCookie finished with ipsecSa:(nil) status:0
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> delete_cp_route entered with ip:78.70.34.220
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify entered with ip:4e4622dc/ffffffff
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify after socket:35 with ip:78.70.34.220
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify socket:35 request:35084 dev:tsgw rtflags:0 with ip:78.70.34.220
May 17 08:32:53 :103060:  <DBUG> |ike|  78.70.34.220:34070-> ipc.c:controlplaneRouteModify:5187 Failed to Delete Route in Kernel: error:No such process
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify after ioctl sock:35 with ip:78.70.34.220
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify after close sock:35 with ip:78.70.34.220
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> delete_cp_route finished with ip:78.70.34.220
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> OutInfo notify-cookie
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> OutCp entered
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070->   <-- R   Notify: COOKIE#SEND 60 bytes to 78.70.34.220(34070) (3629736.772)
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> cleanup_and_free_context delete ctx memory
May 17 08:32:53 :103063:  <DBUG> |ike|  78.70.34.220:34070-> udp_encap_handle_message IKEv2 pkt status:0
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> udp_encap_handle_message ver:2 serverInst:0 pktsize:423
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IKE_EXAMPLE_IKE_msgRecv: ip:4e4622dc  port:34070  server:0   len:423  numSkts:6
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070->
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> #RECV 423 bytes from 78.70.34.220(34070) at 192.168.1.10 (3629741.767)
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070->  spi={30ed14eb18ddd12a 0000000000000000} np=SA
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070->  exchange=IKE_SA_INIT msgid=0 len=419
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070->   check_aruba_ap_vid: aruba ap eth0 mac address 000b8682ea64 vidLen = 26
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IKE2_checkCookie notify-cookie ip:78.70.34.220
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IPSEC_findSaByIP addr:78.70.34.220
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IPSEC_findSaByIP pxSa:(nil) status:0
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IPSEC_findSaByIP finished with pxSa:(nil) status:0
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> IKE2_checkCookie finished with ipsecSa:(nil) status:0
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> delete_cp_route entered with ip:78.70.34.220
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify entered with ip:4e4622dc/ffffffff
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify after socket:35 with ip:78.70.34.220
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify socket:35 request:35084 dev:tsgw rtflags:0 with ip:78.70.34.220
May 17 08:32:58 :103060:  <DBUG> |ike|  78.70.34.220:34070-> ipc.c:controlplaneRouteModify:5187 Failed to Delete Route in Kernel: error:No such process
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify after ioctl sock:35 with ip:78.70.34.220
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> controlplaneRouteModify after close sock:35 with ip:78.70.34.220
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> delete_cp_route finished with ip:78.70.34.220
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> OutInfo notify-cookie
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> OutCp entered
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070->   <-- R   Notify: COOKIE#SEND 60 bytes to 78.70.34.220(34070) (3629741.774)
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> cleanup_and_free_context delete ctx memory
May 17 08:32:58 :103063:  <DBUG> |ike|  78.70.34.220:34070-> udp_encap_handle_message IKEv2 pkt status:0

 

--------

 

(Aruba3200) #show tpm errorlog
Could not find any Error Logs for TPM and Certificates.

 

 

 

Aruba Employee

Re: RAP not connecting to controller

Hi,

From the logs, I don't see any auth information.

To verify the issue is not related to the firewall, can you bring up the RAP from the local intranet, avoiding any firewall?
Contributor I

Re: RAP not connecting to controller

Hi!

 

Sorry about the delay - had to fetch the RAP in order to try :) You were right in your assertion, bringing the RAP to the office and connecting to the intranet made it connect successfully! My quest continues in trying to determine what differs - apart from the obvious NAT from the controller's public to private address when the RAP is located remotely (outside intranet).

 

Best regards,

Fredrik

Aruba Employee

Re: RAP not connecting to controller

Hi,

Is there asymmetric routing?

Contributor I

Re: RAP not connecting to controller

Took some time to verify, but it turned out asymmetric routing (of sorts) was involved. The response to the RAP from the controller ended up being routed over a secondary Internet connection :( I simplified the NAT configuration (in firewall) and resolved the problem.

 

Best regards,

Fredrik
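The log posted earlier in the thread shows the same IKE_SA_INIT (same initiator SPI, `np=SA`, 423 bytes) arriving every five seconds, each answered with a COOKIE notify. An initiator that received the cookie would repeat the request with the COOKIE notification as its first payload (RFC 7296, section 2.6), so this pattern means the controller's reply is not reaching the RAP. The check below is an added example, not part of any post or of Aruba tooling; the sample lines are constructed in the log's format, and `np=N` for a cookie-bearing retry is an assumed rendering.

```python
import re
from collections import Counter

# Peer, initiator SPI, responder SPI and first payload type of a received IKE message.
SPI_RE = re.compile(r"\|ike\|\s+(\S+?)->\s+spi=\{([0-9a-f]{16}) ([0-9a-f]{16})\} np=(\w+)")
# The responder answered this peer with a stateless COOKIE notify.
COOKIE_RE = re.compile(r"\|ike\|\s+(\S+?)->.*Notify: COOKIE")

# Constructed sample in the format of the thread's "show log security" output.
# Addresses are documentation ranges; "np=N" (Notify first) is an assumed rendering.
PFX = "May 17 08:32:48 :103063:  <DBUG> |ike|  "
SAMPLE = "\n".join(PFX + s for s in [
    "203.0.113.7:34070->  spi={1111111111111111 0000000000000000} np=SA",
    "203.0.113.7:34070->   <-- R   Notify: COOKIE#SEND 60 bytes to 203.0.113.7(34070) (1.0)",
    "203.0.113.7:34070->  spi={1111111111111111 0000000000000000} np=SA",
    "203.0.113.7:34070->   <-- R   Notify: COOKIE#SEND 60 bytes to 203.0.113.7(34070) (6.0)",
    "203.0.113.7:34070->  spi={1111111111111111 0000000000000000} np=SA",
    "203.0.113.7:34070->   <-- R   Notify: COOKIE#SEND 60 bytes to 203.0.113.7(34070) (11.0)",
    "198.51.100.9:4500->  spi={2222222222222222 0000000000000000} np=SA",
    "198.51.100.9:4500->   <-- R   Notify: COOKIE#SEND 60 bytes to 198.51.100.9(4500) (2.0)",
    "198.51.100.9:4500->  spi={2222222222222222 0000000000000000} np=N",
])

def cookie_ignored_retries(log_text):
    """Return {(peer, initiator_spi): n}, where n counts IKE_SA_INIT requests that
    still start with the SA payload after a COOKIE notify was sent to that peer."""
    cookie_sent = set()   # peers already answered with a COOKIE notify
    retries = Counter()
    for line in log_text.splitlines():
        m = SPI_RE.search(line)
        if m:
            peer, i_spi, r_spi, first_payload = m.groups()
            # Zero responder SPI = still the first message of the exchange.
            if r_spi == "0" * 16 and first_payload == "SA" and peer in cookie_sent:
                retries[(peer, i_spi)] += 1
            continue
        m = COOKIE_RE.search(line)
        if m:
            cookie_sent.add(m.group(1))
    return dict(retries)

if __name__ == "__main__":
    for (peer, spi), n in cookie_ignored_retries(SAMPLE).items():
        print(f"{peer} spi={spi}: {n} retries without cookie, check the return path")
```

A count that keeps growing for one SPI points at the return path (NAT or routing) and not at authentication, which never starts until the cookie exchange completes.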

Aruba Employee

Re: RAP not connecting to controller

Thank you for sharing the solution with the community.
New Contributor

Re: RAP not connecting to controller

Hi Keya,

 

How did you find out it was related to asymmetric routing?

 

I had the same issue and similar log output. Did you find it out from any suspect log?

 

Thank you,

Manal

Occasional Contributor II

Re: RAP not connecting to controller

hi,

 

I have two 7205.

I migrated one of them to 8.5.0 with MM.

MM is connected to 7205 (UP).

 

When I want to reconnect my RAP from the 7205 (6.5) to the migrated one, the RAP is not getting UP. Logs below:

Mar 16 06:47:57 :399838:  <5787> <WARN> |fpapps|  Received non LOAD_BALANCE MAP_ADD from IKE for default-local-master-ipsecmap213.241.33.26 mapid 4621 vlanid 0 flags 0x0; ignored

Mar 16 06:47:57 :399838:  <5787> <WARN> |fpapps|  Received TUN_UP from IKE for default-local-master-ipsecmap213.241.33.26 mapid 17953, vlanid 0, ip 213.241.33.26, src_ip 62.244.133.33, peer_ip 213.241.33.26, gw 213.241.33.26, flags 0x0 uplink_prio 0

Mar 16 08:45:28 :399838:  <5787> <WARN> |fpapps|  Received MAP_ADD from IKE for default-local-master-ipsecmap213.241.33.26 (gw 213.241.33.26) mapid 4621 vlanid 0 ip 213.241.33.26 mask 255.255.255.255 src_ip 62.244.133.33 peer_ip 213.241.33.26 uplink_ip 0.0.0.0 flags 0x0

Mar 16 08:45:28 :399838:  <5787> <WARN> |fpapps|  Received non LOAD_BALANCE MAP_ADD from IKE for default-local-master-ipsecmap213.241.33.26 mapid 4621 vlanid 0 flags 0x0; ignored

Mar 16 08:45:28 :399838:  <5787> <WARN> |fpapps|  Received MAP_ADD from IKE for default-local-master-ipsecmap213.241.33.26 (gw 213.241.33.26) mapid 4621 vlanid 0 ip 213.241.33.26 mask 255.255.255.255 src_ip 62.244.133.33 peer_ip 213.241.33.26 uplink_ip 0.0.0.0 flags 0x0

Mar 16 08:45:28 :399838:  <5787> <WARN> |fpapps|  Received non LOAD_BALANCE MAP_ADD from IKE for default-local-master-ipsecmap213.241.33.26 mapid 4621 vlanid 0 flags 0x0; ig

 
