Aruba RAP detected
IKE Fragmentation
message_recv enabling early NATT since peer initiates on 4500
ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 10.10.20.33.
ike_phase_1.c:ike_phase_1_responder_recv_SA:934 Found our AP vendor ID from external IP 10.10.20.33
ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=16
ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
ike_phase_1.c:attribute_unacceptable:2889 Proposal match failed in hash algo, configured=SHA, peer using=MD5
ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=24
ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
ike_phase_1.c:attribute_unacceptable:2889 Proposal match failed in hash algo, configured=SHA, peer using=MD5
ike_phase_1.c:ike_phase_1_responder_recv_SA:1049 Ike Phase 1 received SA
ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:10.10.20.33
nat_t_exchange_check_nat_d_has_us src-port:500 dst-port:49159
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 500
nat_traversal.c:nat_t_exchange_check_nat_d_has_us:561 Did not find our matching NAT-D payload for Port:500 in their packet
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 4500
nat_traversal.c:nat_t_exchange_check_nat_d_has_us:571 Found our matching NAT-D payload for Port:4500 in their packet
ike_phase_1_send_KE_NONCE : this is Certs
exchange_find_serverCert: found Device Server-Cert for RAP
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.33 Port 49159
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 4500
nat_traversal.c:nat_t_exchange_add_nat_d:377 NAT-T added hashes for src=10.10.20.4:4500, dst=10.10.20.33:4500
ike_phase_1_send_KE_NONCE 10.10.20.33
ike_phase_1_post_exchange_KE_NONCE done 10.10.20.33
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
ike_phase_1_recv_ID_AUTH for peer:10.10.20.33
ike_phase_1.c:ike_phase_1_recv_ID:2300 received IKE ID Type 9 exchange:10.10.20.33
exchange_find_serverCert: found Device Server-Cert for RAP
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
ike_recv_id: recvd ID : asn1_dn//CN=AH0016410::00:24:6c:c2:14:ce
rsa_sig_validate_cert_id: cert-ID matches with phase-1 ID len 49
rsa_sig_validate_cert_id: cert-ID length 103 mismatched with phase-1 ID length 49
rsa_sig_validate_cert_id: cert-ID length 149 mismatched with phase-1 ID length 49
rsa_sig_decode_hash: numcerts:3 stackedcerts:2
rsa_sig_validate_cert: validating CERT againstCa /tmp/tempCertKey/ArubaTrustedCerts.pem
x509_stack_validate_with_ca: succeeded validation with CA-cert /tmp/tempCertKey/ArubaTrustedCerts.pem
rsa_sig_validate_cert: Factory Cert
rsa_sig_decode_hash: get username from Certificate
x509_cert_get_username: subjAltname type: 4
x509_cert_get_username after GENERAL_NAMES_free
x509_cert_get_username: AP MAC CN 00:24:6c:c2:14:ce
rsa_sig_decode_hash: succeeded
IKE Main Mode Phase 1 succeeded for peer 10.10.20.33
ipsec_handle_leftover_payload: received INITIAL-CONTACT
ike_phase_1_send_ID(cert): find Server Cert
exchange_find_serverCert: found Device Server-Cert for RAP
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
ike_phase_1_send_ID(cert): Server Cert is invalid
ike_main_mode.c:responder_send_ID_AUTH:203 Phase 1 failed in sending ID.
exchange_run: doi->responder (0x102effac) failed retval:-1
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
exchange_setup_p1: ID is IPv4
exchange_setup_p1: USING exchange type ID_PROT
Aruba RAP detected
IKE Fragmentation
message_recv enabling early NATT since peer initiates on 4500
ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 10.10.20.33.
ike_phase_1.c:ike_phase_1_responder_recv_SA:934 Found our AP vendor ID from external IP 10.10.20.33
ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=16
ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
ike_phase_1.c:attribute_unacceptable:2889 Proposal match failed in hash algo, configured=SHA, peer using=MD5
ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=24
ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
ike_phase_1.c:attribute_unacceptable:2889 Proposal match failed in hash algo, configured=SHA, peer using=MD5
ike_phase_1.c:ike_phase_1_responder_recv_SA:1049 Ike Phase 1 received SA
ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:10.10.20.33
nat_t_exchange_check_nat_d_has_us src-port:500 dst-port:49153
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 500
nat_traversal.c:nat_t_exchange_check_nat_d_has_us:561 Did not find our matching NAT-D payload for Port:500 in their packet
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 4500
nat_traversal.c:nat_t_exchange_check_nat_d_has_us:571 Found our matching NAT-D payload for Port:4500 in their packet
ike_phase_1_send_KE_NONCE : this is Certs
exchange_find_serverCert: found Device Server-Cert for RAP
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.33 Port 49153
nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 4500
nat_traversal.c:nat_t_exchange_add_nat_d:377 NAT-T added hashes for src=10.10.20.4:4500, dst=10.10.20.33:4500
ike_phase_1_send_KE_NONCE 10.10.20.33
ike_phase_1_post_exchange_KE_NONCE done 10.10.20.33
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
ike_phase_1_recv_ID_AUTH for peer:10.10.20.33
ike_phase_1.c:ike_phase_1_recv_ID:2300 received IKE ID Type 9 exchange:10.10.20.33
exchange_find_serverCert: found Device Server-Cert for RAP
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
ike_recv_id: recvd ID : asn1_dn//CN=AH0016410::00:24:6c:c2:14:ce
rsa_sig_validate_cert_id: cert-ID matches with phase-1 ID len 49
rsa_sig_validate_cert_id: cert-ID length 103 mismatched with phase-1 ID length 49
rsa_sig_validate_cert_id: cert-ID length 149 mismatched with phase-1 ID length 49
rsa_sig_decode_hash: numcerts:3 stackedcerts:2
rsa_sig_validate_cert: validating CERT againstCa /tmp/tempCertKey/ArubaTrustedCerts.pem
x509_stack_validate_with_ca: succeeded validation with CA-cert /tmp/tempCertKey/ArubaTrustedCerts.pem
rsa_sig_validate_cert: Factory Cert
rsa_sig_decode_hash: get username from Certificate
x509_cert_get_username: subjAltname type: 4
x509_cert_get_username after GENERAL_NAMES_free
x509_cert_get_username: AP MAC CN 00:24:6c:c2:14:ce
rsa_sig_decode_hash: succeeded
IKE Main Mode Phase 1 succeeded for peer 10.10.20.33
ipsec_handle_leftover_payload: received INITIAL-CONTACT
ike_phase_1_send_ID(cert): find Server Cert
exchange_find_serverCert: found Device Server-Cert for RAP
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
ike_phase_1_send_ID(cert): Server Cert is invalid
ike_main_mode.c:responder_send_ID_AUTH:203 Phase 1 failed in sending ID.
exchange_run: doi->responder (0x102effac) failed retval:-1
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
exchange_free_reassemblyList: reset exchange reassembly state
message_recv: Reassembly complete
Keep getting rc_error_ikep1_PKT5.
The controller has an interface in the same LAN. The RAP is not whitelisted. The MAC is in the InternalDB and the VPN service is active with a DHCP pool configured. There is also an IKE shared secret configured for subnet 0.0.0.0.
The VLAN is routable and the interface is trusted.
I know the A200 doesn't have a TPM.
Software version: 5.0.4.7
#AP103