Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Remote AP fails to connect to ArubaOS 8.2 Cluster

  • 1.  Remote AP fails to connect to ArubaOS 8.2 Cluster

    Posted May 29, 2018 11:26 AM

    Hey Guys,

    I'm having a problem connecting an AP203RP as a remote AP to my AOS 8.2 cluster. I provisioned it as a RAP with the cluster IP as master, and also with the cluster IP as the LMS IP in the AP profile. When I provisioned the AP I chose "Deployment: Remote", "Authentication Method: Certificate" and "Trust anchor: none".

    On the rapconsole web page I can find the error "RC_ERROR_IKEP2_PKT1", but the last days of searching didn't lead to an answer.

    This is the output from the sapd_debug log (xxx.xx.xx.xx is the cluster IP). Right now the AP is connected to our local network, so I can be sure there are absolutely _no_ firewall rules in place.

    [1979]1969-12-31 16:05:38 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_RETRY Next state REDUN_STATE_TUNNEL_MASTER
    [1979]1969-12-31 16:05:38 redun_retry_tunnel: setting up tunnel to 0, retry=36 curr-dhcp-retry:0 total-dhcp-retry:0
    [1979]1969-12-31 16:05:38 sapd_setup_uplink: ETHERNET Link state is 1
    [1979]1969-12-31 16:05:38 sapd_setup_uplink: Using uplink ETHERNET
    [1979]1969-12-31 16:05:38 sapd_check_eth_connectivity: syscmd is ping -c 2 172.21.200.1
    [1979]1969-12-31 16:05:39 sapd_check_rap_dhcp_pool: Subnets of LMS:430d81 and RAP-DHCP-Server:ba8c0
    [1979]1969-12-31 16:05:39 sapd_redun_config_dnsmasq: Rewrite dnsmasq config file
    [1979]1969-12-31 16:05:39 setup_ipsec: sapd_num_lms=1 sapd_cur_lms=0 ip=xxx.xx.xx.xx, client=0
    [1979]1969-12-31 16:05:39 setup_ipsec: sapd_local_ip 172.21.203.178 netmask 255.255.248.0 
    [1979]1969-12-31 16:05:39 setup_ipsec: adding route ip xxx.xx.xx.xx mask 255.255.255.255 gw 172.21.200.1 interface br0
    [1979]1969-12-31 16:05:39 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun0
    [1979]1969-12-31 16:05:39 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun1
    [1979]1969-12-31 16:05:39 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun2
    [1979]1969-12-31 16:05:42 R>> Received RC_OPCODE_ERROR lms xxx.xx.xx.xx tunnel 0.0.0.0 srcdev br0RC_ERROR_IKEP2_PKT1 debug-error:-8947
    [1979]1969-12-31 16:05:42 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_TUNNEL_DOWN Next state REDUN_STATE_TUNNEL_MASTER
    [1979]1969-12-31 16:05:42 redun_tunnel_down: Call stop_child() for clients[0]
    [1979]1969-12-31 16:05:42 redun_tunnel_down: killed the child
    [1979]1969-12-31 16:05:42 Tunnel 0 down. data(0|lms)=xxx.xx.xx.xx
    [1979]1969-12-31 16:05:42 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_RETRY Next state REDUN_STATE_TUNNEL_MASTER
    [1979]1969-12-31 16:05:42 redun_retry_tunnel: setting up tunnel to 0, retry=37 curr-dhcp-retry:0 total-dhcp-retry:0
    [1979]1969-12-31 16:05:42 sapd_setup_uplink: ETHERNET Link state is 1
    [1979]1969-12-31 16:05:42 sapd_setup_uplink: Using uplink ETHERNET
    [1979]1969-12-31 16:05:42 sapd_check_eth_connectivity: syscmd is ping -c 2 172.21.200.1
    [1979]1969-12-31 16:05:43 sapd_check_rap_dhcp_pool: Subnets of LMS:430d81 and RAP-DHCP-Server:ba8c0
    [1979]1969-12-31 16:05:43 sapd_redun_config_dnsmasq: Rewrite dnsmasq config file
    [1979]1969-12-31 16:05:43 setup_ipsec: sapd_num_lms=1 sapd_cur_lms=0 ip=xxx.xx.xx.xx, client=0
    [1979]1969-12-31 16:05:43 setup_ipsec: sapd_local_ip 172.21.203.178 netmask 255.255.248.0 
    [1979]1969-12-31 16:05:43 setup_ipsec: adding route ip xxx.xx.xx.xx mask 255.255.255.255 gw 172.21.200.1 interface br0
    [1979]1969-12-31 16:05:43 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun0
    [1979]1969-12-31 16:05:43 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun1
    [1979]1969-12-31 16:05:43 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun2
    [1979]1969-12-31 16:05:47 R>> Received RC_OPCODE_ERROR lms xxx.xx.xx.xx tunnel 0.0.0.0 srcdev br0RC_ERROR_IKEP2_PKT1 debug-error:-8947
    [1979]1969-12-31 16:05:47 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_TUNNEL_DOWN Next state REDUN_STATE_TUNNEL_MASTER
    [1979]1969-12-31 16:05:47 redun_tunnel_down: Call stop_child() for clients[0]
    [1979]1969-12-31 16:05:47 redun_tunnel_down: killed the child
    [1979]1969-12-31 16:05:47 Tunnel 0 down. data(0|lms)=xxx.xx.xx.xx  

    This is some debug output from one of the controllers in the cluster:

    (wlc-cs-1) [MDC] #show vpdn l2tp local pool
    IP addresses used in pool rap-address-pool
    	none
    L2TP Pool statistics for all pools:
    
    IPv4/IPv6 Pool  Configured  Used    Free  
    --------------  ----------  ------  ------
    IPv4            253         0       253   
    IPv6            0           0       0     
    
    IP pool allocation/de-allocation statistics:
    IPv4/IPv6  L2TP          IKE         
    ---------  ------------  ------------
    IPv4       0/0           0/0             
    IPv6       N/A           0/0             
    
    (wlc-cs-1) [MDC] #show vpdn l2tp configuration 
    Enabled
    Hello timeout: 60 seconds
    DNS primary server: 0.0.0.0
    DNS secondary server: 0.0.0.0
    WINS primary server: 0.0.0.0
    WINS secondary server: 0.0.0.0
    PPP client authentication methods:
    	 PAP
    IP LOCAL POOLS:
    	 rap-address-pool: 10.23.42.2 - 10.23.42.254
    IPv6 LOCAL POOLS:

    The command "show crypto ipsec sa" doesn't show any sign of an IPsec session with the AP at any time on any node of the cluster. The only thing I found was:

    (wlc-cs-2) [MDC] *#show datapath session table 172.21.203.178
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           u - Upstream Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop, h - High Value
           A - Application Firewall Inspect
           B - Permanent, O - Openflow
           L - Log
    
    Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags           
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- --------------- 
    172.21.203.178  xxx.xx.xx.xy    17   58668 4500   0/0     0    0   0   pc0         3e   91         44108      FC              
                                                       
    xxx.xx.xx.xy    172.21.203.178  17   4500  58668  0/0     0    0   0   pc0         3e   39         9737       F

    Where xxx.xx.xx.xy is the IP address of the controller I ran this command on.

    Does anyone have a clue for further debugging and maybe a solution to my problem?

     

    Greetings,

    Hendrik
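The sapd_debug excerpt above is a retry loop: every `redun_retry_tunnel` attempt ends in the same `RC_OPCODE_ERROR` and a `Tunnel 0 down`. The following is an added diagnostic, not code from the thread or from HPE Aruba, that parses lines in that format and summarises which LMS addresses were tried, how the retry counter moved, which error codes came back and whether the AP is stuck on one error. The embedded log is a constructed sample modelled on the post, with the documentation address 203.0.113.10 standing in for the masked cluster IP; the field layout it assumes is exactly what the post shows.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the sapd_debug excerpt in the post above.
# 203.0.113.10 is a documentation placeholder for the cluster IP masked as xxx.xx.xx.xx.
SAMPLE_SAPD_LOG = """\
[1979]1969-12-31 16:05:38 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_RETRY Next state REDUN_STATE_TUNNEL_MASTER
[1979]1969-12-31 16:05:38 redun_retry_tunnel: setting up tunnel to 0, retry=36 curr-dhcp-retry:0 total-dhcp-retry:0
[1979]1969-12-31 16:05:39 setup_ipsec: sapd_num_lms=1 sapd_cur_lms=0 ip=203.0.113.10, client=0
[1979]1969-12-31 16:05:42 R>> Received RC_OPCODE_ERROR lms 203.0.113.10 tunnel 0.0.0.0 srcdev br0RC_ERROR_IKEP2_PKT1 debug-error:-8947
[1979]1969-12-31 16:05:42 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_TUNNEL_DOWN Next state REDUN_STATE_TUNNEL_MASTER
[1979]1969-12-31 16:05:42 Tunnel 0 down. data(0|lms)=203.0.113.10
[1979]1969-12-31 16:05:42 redun_retry_tunnel: setting up tunnel to 0, retry=37 curr-dhcp-retry:0 total-dhcp-retry:0
[1979]1969-12-31 16:05:47 R>> Received RC_OPCODE_ERROR lms 203.0.113.10 tunnel 0.0.0.0 srcdev br0RC_ERROR_IKEP2_PKT1 debug-error:-8947
[1979]1969-12-31 16:05:47 Tunnel 0 down. data(0|lms)=203.0.113.10
"""

RETRY_RE = re.compile(r"redun_retry_tunnel: setting up tunnel to (\d+), retry=(\d+)")
# The AP prints the source device and the error name run together ("br0RC_ERROR_..."),
# so the device is matched lazily up to the first "RC_ERROR_" token.
ERROR_RE = re.compile(
    r"Received RC_OPCODE_ERROR lms (\S+) tunnel (\S+) srcdev (\S+?)(RC_ERROR_\w+) debug-error:(-?\d+)"
)
DOWN_RE = re.compile(r"Tunnel (\d+) down\.")


@dataclass
class SapdSummary:
    lms_addresses: set = field(default_factory=set)
    srcdevs: set = field(default_factory=set)
    errors: Counter = field(default_factory=Counter)  # (error name, debug-error code) -> count
    retry_attempts: int = 0
    retry_min: Optional[int] = None
    retry_max: Optional[int] = None
    tunnel_down_events: int = 0


def analyze_sapd_log(text: str) -> SapdSummary:
    """Collect retry, error and tunnel-down facts from sapd_debug lines."""
    s = SapdSummary()
    for line in text.splitlines():
        m = RETRY_RE.search(line)
        if m:
            n = int(m.group(2))
            s.retry_attempts += 1
            s.retry_min = n if s.retry_min is None else min(s.retry_min, n)
            s.retry_max = n if s.retry_max is None else max(s.retry_max, n)
            continue
        m = ERROR_RE.search(line)
        if m:
            s.lms_addresses.add(m.group(1))
            s.srcdevs.add(m.group(3))
            s.errors[(m.group(4), int(m.group(5)))] += 1
            continue
        if DOWN_RE.search(line):
            s.tunnel_down_events += 1
    return s


def is_retry_loop(s: SapdSummary, min_attempts: int = 2) -> bool:
    """True when every retry produced the same single error and took the tunnel down."""
    if s.retry_attempts < min_attempts or len(s.errors) != 1:
        return False
    count = next(iter(s.errors.values()))
    return count == s.retry_attempts == s.tunnel_down_events


def describe(s: SapdSummary) -> str:
    """Human-readable summary for pasting into a ticket or a thread like this one."""
    lines = [
        f"LMS addresses tried: {', '.join(sorted(s.lms_addresses)) or 'none'}",
        f"retry attempts seen: {s.retry_attempts} (retry counter {s.retry_min}..{s.retry_max})",
        f"tunnel-down events: {s.tunnel_down_events}",
    ]
    for (name, code), n in s.errors.most_common():
        lines.append(f"error {name} (debug-error {code}) x{n}")
    if is_retry_loop(s):
        lines.append("every retry failed with the same error and no tunnel came up in between: "
                     "the AP is looping, so check controller-side reachability and NAT "
                     "before looking at radio or DHCP settings")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(analyze_sapd_log(SAMPLE_SAPD_LOG)))
```

Feed it the real log with `analyze_sapd_log(open("sapd_debug.log").read())`; a loop with a single repeating IKE error against one LMS, as here, points at the controller side rather than at the AP's uplink, which is consistent with the replies that follow.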



  • 2.  RE: Remote AP fails to connect to ArubaOS 8.2 Cluster

    EMPLOYEE
    Posted May 29, 2018 01:08 PM

    RAPs and clusters with private IPs do not work. You would need to have public IP addresses on the controllers rather than utilize NAT. It appears that your controllers are currently using 172.21.x.x addresses, correct?



  • 3.  RE: Remote AP fails to connect to ArubaOS 8.2 Cluster

    Posted May 29, 2018 01:12 PM

    No, the controller IPs and their VRRP IP are definitely public IP addresses. The only thing not involved is a NAT, as the 172.21.x.x addresses are routed internally. The AP has an IP from within 172.21.x.x.

    [[I will try to hook it up to one of our VPN test networks, which involve a home router with NAT.]]

    ***UPDATE***

    I just tested it behind a Fritzbox NAT, and I still get the same errors. The IP is definitely NATed and even in another ISP's network. Any suggestions on further debugging?



  • 4.  RE: Remote AP fails to connect to ArubaOS 8.2 Cluster

    Posted Mar 19, 2020 12:49 PM

    Hi, did you ever get this resolved? Was it a bug in 8.2? Did you find whether the 8.3, 8.4 or 8.5 releases solved the issue?



  • 5.  RE: Remote AP fails to connect to ArubaOS 8.2 Cluster

    EMPLOYEE
    Posted Mar 19, 2020 05:39 PM

    Versions of AOS prior to 8.4 did not support controller clusters for RAP connectivity when the cluster was behind a NAT. This was not a bug, but a limitation called out in AOS documentation at the time.

     

    If you are running a controller cluster terminating RAPs and the cluster is behind a NAT firewall/router, there are still measures that need to be taken to ensure operation. Please open a new thread if that's the case, as that would not fall under the original 8.2 issue described here.



  • 6.  RE: Remote AP fails to connect to ArubaOS 8.2 Cluster

    Posted Mar 20, 2020 10:41 AM

    Hi,

    As you haven't shared any config etc., I will just blurt out the first issues that come to mind.

    While running RAP on 8.2 and cluster, you need to have the public IP on the controller, because the node-list that will be shared to the RAP will be the internal IPs unless they have a public IP.

    The second part is that the RAP pool for cluster has to be defined on the MM rather than the MD.

    I would recommend upgrading to 8.4 or newer.

    After 8.4 you can run RAP through a firewall using NAT-T (udp/4500), as in the 6.5 software.

    You just need to have a public IP for each controller pointing to the internal IP of each.

    In the cluster profile you specify those public IPs and they will be handed out to the RAP as a node-list.

     

    Roar
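Roar's point about the node-list, as an added check that is not code from the thread or from HPE Aruba: a RAP is handed one address per cluster member, the configured public IP if there is one, otherwise the member's internal IP. The script below models that rule and flags members whose node-list entry is an RFC 1918 address (which a RAP on the internet cannot reach) or a public IP shared with another member (each controller needs its own). The cluster members are constructed sample data; the controller names echo the prompts in the first post, the addresses are placeholders, and 203.0.113.x is a documentation range used here in place of real public IPs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class ClusterMember:
    name: str
    internal_ip: str
    public_ip: Optional[str] = None  # the per-node public address entered in the cluster profile, if any


def is_rfc1918(addr: str) -> bool:
    """True for addresses in the three private ranges, which a remote AP cannot reach across the internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def rap_node_list(members: List[ClusterMember]) -> List[Tuple[str, str]]:
    """Address each member presents to a RAP: the public IP when configured, else the internal IP."""
    return [(m.name, m.public_ip or m.internal_ip) for m in members]


def rap_node_list_problems(members: List[ClusterMember]) -> List[str]:
    """Findings a RAP-terminating cluster should have cleared before a remote AP is sent its node-list."""
    problems = []
    seen = {}
    for name, addr in rap_node_list(members):
        if is_rfc1918(addr):
            problems.append(f"{name}: RAPs would be handed private address {addr}; "
                            f"configure a public IP for this node in the cluster profile")
        if addr in seen:
            problems.append(f"{name}: address {addr} is already used by {seen[addr]}; "
                            f"each controller needs its own public IP")
        else:
            seen[addr] = name
    return problems


# Constructed sample: one member with a public IP configured, one without.
SAMPLE_CLUSTER = [
    ClusterMember("wlc-cs-1", "172.21.200.11", public_ip="203.0.113.11"),
    ClusterMember("wlc-cs-2", "172.21.200.12"),
]

if __name__ == "__main__":
    for finding in rap_node_list_problems(SAMPLE_CLUSTER) or ["node-list looks usable by RAPs"]:
        print(finding)
```

The check says nothing about whether udp/4500 is actually forwarded to each controller; that still has to be verified on the firewall, but a node-list containing an internal address fails before NAT-T even matters.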