Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP2 can't connect to old DEMO A200 controller

  • 1.  RAP2 can't connect to old DEMO A200 controller

    Posted Sep 05, 2012 12:34 PM

    Aruba RAP detected
    IKE Fragmentation
    message_recv enabling early NATT since peer initiates on 4500
    ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 10.10.20.33.
    ike_phase_1.c:ike_phase_1_responder_recv_SA:934 Found our AP vendor ID from external IP 10.10.20.33
    ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=16
    ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
    ike_phase_1.c:attribute_unacceptable:2889 Proposal match failed in hash algo, configured=SHA, peer using=MD5
    ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=24
    ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
    ike_phase_1.c:attribute_unacceptable:2889 Proposal match failed in hash algo, configured=SHA, peer using=MD5
    ike_phase_1.c:ike_phase_1_responder_recv_SA:1049 Ike Phase 1 received SA
    ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:10.10.20.33
    nat_t_exchange_check_nat_d_has_us src-port:500 dst-port:49159
    nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 500
    nat_traversal.c:nat_t_exchange_check_nat_d_has_us:561 Did not find our matching NAT-D payload for Port:500 in their packet
    nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 4500
    nat_traversal.c:nat_t_exchange_check_nat_d_has_us:571 Found our matching NAT-D payload for Port:4500 in their packet
    ike_phase_1_send_KE_NONCE : this is Certs
    exchange_find_serverCert: found Device Server-Cert for RAP
    exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
    nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.33 Port 49159
    nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 4500
    nat_traversal.c:nat_t_exchange_add_nat_d:377 NAT-T added hashes for src=10.10.20.4:4500, dst=10.10.20.33:4500
    ike_phase_1_send_KE_NONCE 10.10.20.33
    ike_phase_1_post_exchange_KE_NONCE done 10.10.20.33
    message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
    exchange_free_reassemblyList: reset exchange reassembly state
    message_recv: Reassembly complete
    ike_phase_1_recv_ID_AUTH for peer:10.10.20.33
    ike_phase_1.c:ike_phase_1_recv_ID:2300 received IKE ID Type 9 exchange:10.10.20.33
    exchange_find_serverCert: found Device Server-Cert for RAP
    exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
    ike_recv_id: recvd ID : asn1_dn//CN=AH0016410::00:24:6c:c2:14:ce
    rsa_sig_validate_cert_id: cert-ID matches with phase-1 ID len 49
    rsa_sig_validate_cert_id: cert-ID length 103 mismatched with phase-1 ID length 49
    rsa_sig_validate_cert_id: cert-ID length 149 mismatched with phase-1 ID length 49
    rsa_sig_decode_hash: numcerts:3 stackedcerts:2
    rsa_sig_validate_cert: validating CERT againstCa /tmp/tempCertKey/ArubaTrustedCerts.pem
    x509_stack_validate_with_ca: succeeded validation with CA-cert /tmp/tempCertKey/ArubaTrustedCerts.pem
    rsa_sig_validate_cert: Factory Cert
    rsa_sig_decode_hash: get username from Certificate
    x509_cert_get_username: subjAltname type: 4
    x509_cert_get_username after GENERAL_NAMES_free
    x509_cert_get_username: AP MAC CN 00:24:6c:c2:14:ce
    rsa_sig_decode_hash: succeeded
    IKE Main Mode Phase 1 succeeded for peer 10.10.20.33
    ipsec_handle_leftover_payload: received INITIAL-CONTACT
    ike_phase_1_send_ID(cert): find Server Cert
    exchange_find_serverCert: found Device Server-Cert for RAP
    exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
    ike_phase_1_send_ID(cert): Server Cert is invalid
    ike_main_mode.c:responder_send_ID_AUTH:203 Phase 1 failed in sending ID.
    exchange_run: doi->responder (0x102effac) failed retval:-1
    message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
    exchange_free_reassemblyList: reset exchange reassembly state
    message_recv: Reassembly complete
    message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
    exchange_free_reassemblyList: reset exchange reassembly state
    message_recv: Reassembly complete
    message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
    exchange_free_reassemblyList: reset exchange reassembly state
    message_recv: Reassembly complete
    exchange_setup_p1: ID is IPv4
    exchange_setup_p1: USING exchange type ID_PROT
    Aruba RAP detected
    IKE Fragmentation
    message_recv enabling early NATT since peer initiates on 4500
    ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 10.10.20.33.
    ike_phase_1.c:ike_phase_1_responder_recv_SA:934 Found our AP vendor ID from external IP 10.10.20.33
    ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=16
    ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
    ike_phase_1.c:attribute_unacceptable:2889 Proposal match failed in hash algo, configured=SHA, peer using=MD5
    ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=24
    ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
    ike_phase_1.c:attribute_unacceptable:2889 Proposal match failed in hash algo, configured=SHA, peer using=MD5
    ike_phase_1.c:ike_phase_1_responder_recv_SA:1049 Ike Phase 1 received SA
    ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:10.10.20.33
    nat_t_exchange_check_nat_d_has_us src-port:500 dst-port:49153
    nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 500
    nat_traversal.c:nat_t_exchange_check_nat_d_has_us:561 Did not find our matching NAT-D payload for Port:500 in their packet
    nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 4500
    nat_traversal.c:nat_t_exchange_check_nat_d_has_us:571 Found our matching NAT-D payload for Port:4500 in their packet
    ike_phase_1_send_KE_NONCE : this is Certs
    exchange_find_serverCert: found Device Server-Cert for RAP
    exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
    nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.33 Port 49153
    nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 10.10.20.4 Port 4500
    nat_traversal.c:nat_t_exchange_add_nat_d:377 NAT-T added hashes for src=10.10.20.4:4500, dst=10.10.20.33:4500
    ike_phase_1_send_KE_NONCE 10.10.20.33
    ike_phase_1_post_exchange_KE_NONCE done 10.10.20.33
    message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
    exchange_free_reassemblyList: reset exchange reassembly state
    message_recv: Reassembly complete
    ike_phase_1_recv_ID_AUTH for peer:10.10.20.33
    ike_phase_1.c:ike_phase_1_recv_ID:2300 received IKE ID Type 9 exchange:10.10.20.33
    exchange_find_serverCert: found Device Server-Cert for RAP
    exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
    ike_recv_id: recvd ID : asn1_dn//CN=AH0016410::00:24:6c:c2:14:ce
    rsa_sig_validate_cert_id: cert-ID matches with phase-1 ID len 49
    rsa_sig_validate_cert_id: cert-ID length 103 mismatched with phase-1 ID length 49
    rsa_sig_validate_cert_id: cert-ID length 149 mismatched with phase-1 ID length 49
    rsa_sig_decode_hash: numcerts:3 stackedcerts:2
    rsa_sig_validate_cert: validating CERT againstCa /tmp/tempCertKey/ArubaTrustedCerts.pem
    x509_stack_validate_with_ca: succeeded validation with CA-cert /tmp/tempCertKey/ArubaTrustedCerts.pem
    rsa_sig_validate_cert: Factory Cert
    rsa_sig_decode_hash: get username from Certificate
    x509_cert_get_username: subjAltname type: 4
    x509_cert_get_username after GENERAL_NAMES_free
    x509_cert_get_username: AP MAC CN 00:24:6c:c2:14:ce
    rsa_sig_decode_hash: succeeded
    IKE Main Mode Phase 1 succeeded for peer 10.10.20.33
    ipsec_handle_leftover_payload: received INITIAL-CONTACT
    ike_phase_1_send_ID(cert): find Server Cert
    exchange_find_serverCert: found Device Server-Cert for RAP
    exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
    ike_phase_1_send_ID(cert): Server Cert is invalid
    ike_main_mode.c:responder_send_ID_AUTH:203 Phase 1 failed in sending ID.
    exchange_run: doi->responder (0x102effac) failed retval:-1
    message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
    exchange_free_reassemblyList: reset exchange reassembly state
    message_recv: Reassembly complete
    message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
    exchange_free_reassemblyList: reset exchange reassembly state
    message_recv: Reassembly complete
    message_fragment_reassemble insert fragment ID:1 Num:1 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:2 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:3 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:4 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:5 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:6 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:7 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:8 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:9 DataLen:494 fragSize:530
    message_fragment_reassemble insert fragment ID:1 Num:10 DataLen:226 fragSize:530
    exchange_free_reassemblyList: reset exchange reassembly state
    message_recv: Reassembly complete

     

    Keep getting rc_error_ikep1_PKT5.

     

    The controller has an interface in the same LAN. The RAP is not whitelisted. The MAC is in the InternalDB and the VPN service is active with a DHCP pool configured. There is also an IKE shared secret configured for subnet 0.0.0.0.

     

    VLAN is routable and interface trusted.

    I know the A200 doesn't have a TPM.

    Software version: 5.0.4.7


    #AP103
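    As an added triage aid (my code, not the poster's or Aruba's), the script below reduces debug output like the one posted above to its decisive facts: the proposal mismatches against the pre-shared-key policy are logged but harmless because a certificate proposal was still accepted, the RAP's factory certificate validated against the trusted CA, and the attempt only died when the controller could not present its own server certificate. The embedded sample is a constructed excerpt of the posted log; the line patterns are taken from it and may not cover other AOS releases.

```python
import re

PEER_RE = re.compile(r"Phase 1 SA transform negotiation .* from IP (\d+\.\d+\.\d+\.\d+)")
MISMATCH_RE = re.compile(r"Proposal match failed in ([\w ]+), configured=(\S+), peer using=(\S+)")
MAC_RE = re.compile(r"AP MAC CN ((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")

# Constructed excerpt of the controller IKE debug output posted above (one attempt,
# values unchanged; the fragment-reassembly and NAT-T chatter is omitted).
SAMPLE_LOG = """\
ike_phase_1.c:ike_phase_1_responder_recv_SA:905 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 10.10.20.33.
ike_phase_1.c:attribute_unacceptable:2929 Proposal match failed in key length, configured=32, peer using=16
ike_phase_1.c:attribute_unacceptable:2900 Proposal match failed in auth algo, configured=PRE_SHARED, peer using=IKE_AUTH_XAUTHINIT_RSA_SIG
ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:10.10.20.33
exchange_find_serverCert(cert): Server Cert is invalid for client/cap/rap
x509_stack_validate_with_ca: succeeded validation with CA-cert /tmp/tempCertKey/ArubaTrustedCerts.pem
x509_cert_get_username: AP MAC CN 00:24:6c:c2:14:ce
IKE Main Mode Phase 1 succeeded for peer 10.10.20.33
ike_phase_1_send_ID(cert): Server Cert is invalid
ike_main_mode.c:responder_send_ID_AUTH:203 Phase 1 failed in sending ID.
"""

def triage(log_text):
    """Reduce one RAP IKE Phase 1 attempt to the facts a responder needs."""
    r = {"peer": None, "ap_mac": None, "mismatches": [], "proposal_accepted": False,
         "peer_cert_valid": False, "server_cert_invalid": False, "phase1_failed": False}
    for line in log_text.splitlines():
        if m := PEER_RE.search(line):
            r["peer"] = m.group(1)
        elif m := MISMATCH_RE.search(line):
            # Logged once per (attribute, policy) pair; harmless once some proposal is accepted.
            r["mismatches"].append((m.group(1), m.group(2), m.group(3)))
        elif m := MAC_RE.search(line):
            r["ap_mac"] = m.group(1).lower()
        elif "Accepted 1 of the Proposals" in line:
            r["proposal_accepted"] = True
        elif "succeeded validation with CA-cert" in line:
            r["peer_cert_valid"] = True      # RAP factory cert chained to the trusted CA
        elif "Server Cert is invalid" in line:
            r["server_cert_invalid"] = True  # controller's own cert unusable for RAP auth
        elif "Phase 1 failed" in line:
            r["phase1_failed"] = True
    r["verdict"] = verdict(r)
    return r

def verdict(r):
    """A failure after the peer authenticated points at the controller, not the RAP."""
    if r["phase1_failed"] and r["server_cert_invalid"] and r["peer_cert_valid"]:
        return "controller-side: RAP cert validated, controller has no valid server cert to present"
    if not r["proposal_accepted"] and r["mismatches"]:
        return "policy mismatch: " + ", ".join(f"{a} {c}!={p}" for a, c, p in r["mismatches"])
    if r["phase1_failed"]:
        return "phase 1 failed for a reason not classified here"
    return "phase 1 completed"
```

    Run `triage(SAMPLE_LOG)["verdict"]` against the sample, or feed it the full pasted log; a real policy mismatch only shows up as the verdict when no proposal was accepted at all.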


  • 2.  RE: RAP2 can't connect to old DEMO A200 controller

    EMPLOYEE
    Posted Sep 05, 2012 01:21 PM

    To make this work, you would have to:

     

    - Configure an IKE preshared key on the A200

    - Configure a username and password in the internal database on the A200

    - Provision the RAP with the shared key, username and password and point it to the A200.

     



  • 3.  RE: RAP2 can't connect to old DEMO A200 controller

    Posted Sep 05, 2012 01:27 PM
    In addition to the steps mentioned by Colin, connect the RAP on a separate VLAN from the controller.


  • 4.  RE: RAP2 can't connect to old DEMO A200 controller

    Posted Sep 05, 2012 01:28 PM

    This is done, but it still did not work, so I did the only "logical" solution: downgrade. :smileyfrustrated:

     

    The RAP came back up, so this is an AOS bug.

     

    Watch out: A200_5.0.4.7_34135 has no RAP-2 support.



  • 5.  RE: RAP2 can't connect to old DEMO A200 controller

    EMPLOYEE
    Posted Sep 05, 2012 01:40 PM

    Downgraded to what version of code?

     

    Like hthakker said, RAPs are not supposed to be able to connect to a controller when they are on the same subnet. It is an IPsec limitation.



  • 6.  RE: RAP2 can't connect to old DEMO A200 controller

    Posted Sep 05, 2012 01:54 PM

    Downgraded to 5.0.4.3

     

    I think someone has messed up something.

     

    Yep, I changed the subnet. Tried everything.

     

    Going to upgrade controller again to replicate the error.

    Also, the RAP was version 3.3 something. I wrote new firmware to the backup on one of the RAPs to see if that works when I boot the controller on the new firmware.

     

    Also, I've got a second RAP on the same firmware rev. that was messed up.

     

    I'll post back in 10.



  • 7.  RE: RAP2 can't connect to old DEMO A200 controller

    Posted Sep 05, 2012 02:12 PM

    OHH SNAP! The bug is back :smileylol:

     

    The RAP with 5.0.4.3 did not upgrade, but still the same error.

    I did not bother trying the 3.3.x.x RAP.

     

    Downgrading to firmware 5.0.4.6 to see if that's not broken too.