Hey Guys,
I'm having a problem connecting an AP203RP as a remote AP to my AOS 8.2 cluster. I provisioned it as a RAP with the cluster-ip as master, and also with the cluster-ip as the lms-ip in the ap-profile. When I provisioned the AP I chose "Deployment: Remote", "Authentication Method: Certificate" and "Trust anchor: none".
On the rapconsole webpage I can find the error "RC_ERROR_IKEP2_PKT1", but the last days of searching didn't lead to an answer.
This is the output from the sapd_debug log (xxx.xx.xx.xx is the cluster IP). Right now the AP is connected to our local network, so I can be sure there are absolutely _no_ firewall rules in place.
[1979]1969-12-31 16:05:38 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_RETRY Next state REDUN_STATE_TUNNEL_MASTER
[1979]1969-12-31 16:05:38 redun_retry_tunnel: setting up tunnel to 0, retry=36 curr-dhcp-retry:0 total-dhcp-retry:0
[1979]1969-12-31 16:05:38 sapd_setup_uplink: ETHERNET Link state is 1
[1979]1969-12-31 16:05:38 sapd_setup_uplink: Using uplink ETHERNET
[1979]1969-12-31 16:05:38 sapd_check_eth_connectivity: syscmd is ping -c 2 172.21.200.1
[1979]1969-12-31 16:05:39 sapd_check_rap_dhcp_pool: Subnets of LMS:430d81 and RAP-DHCP-Server:ba8c0
[1979]1969-12-31 16:05:39 sapd_redun_config_dnsmasq: Rewrite dnsmasq config file
[1979]1969-12-31 16:05:39 setup_ipsec: sapd_num_lms=1 sapd_cur_lms=0 ip=xxx.xx.xx.xx, client=0
[1979]1969-12-31 16:05:39 setup_ipsec: sapd_local_ip 172.21.203.178 netmask 255.255.248.0
[1979]1969-12-31 16:05:39 setup_ipsec: adding route ip xxx.xx.xx.xx mask 255.255.255.255 gw 172.21.200.1 interface br0
[1979]1969-12-31 16:05:39 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun0
[1979]1969-12-31 16:05:39 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun1
[1979]1969-12-31 16:05:39 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun2
[1979]1969-12-31 16:05:42 R>> Received RC_OPCODE_ERROR lms xxx.xx.xx.xx tunnel 0.0.0.0 srcdev br0RC_ERROR_IKEP2_PKT1 debug-error:-8947
[1979]1969-12-31 16:05:42 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_TUNNEL_DOWN Next state REDUN_STATE_TUNNEL_MASTER
[1979]1969-12-31 16:05:42 redun_tunnel_down: Call stop_child() for clients[0]
[1979]1969-12-31 16:05:42 redun_tunnel_down: killed the child
[1979]1969-12-31 16:05:42 Tunnel 0 down. data(0|lms)=xxx.xx.xx.xx
[1979]1969-12-31 16:05:42 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_RETRY Next state REDUN_STATE_TUNNEL_MASTER
[1979]1969-12-31 16:05:42 redun_retry_tunnel: setting up tunnel to 0, retry=37 curr-dhcp-retry:0 total-dhcp-retry:0
[1979]1969-12-31 16:05:42 sapd_setup_uplink: ETHERNET Link state is 1
[1979]1969-12-31 16:05:42 sapd_setup_uplink: Using uplink ETHERNET
[1979]1969-12-31 16:05:42 sapd_check_eth_connectivity: syscmd is ping -c 2 172.21.200.1
[1979]1969-12-31 16:05:43 sapd_check_rap_dhcp_pool: Subnets of LMS:430d81 and RAP-DHCP-Server:ba8c0
[1979]1969-12-31 16:05:43 sapd_redun_config_dnsmasq: Rewrite dnsmasq config file
[1979]1969-12-31 16:05:43 setup_ipsec: sapd_num_lms=1 sapd_cur_lms=0 ip=xxx.xx.xx.xx, client=0
[1979]1969-12-31 16:05:43 setup_ipsec: sapd_local_ip 172.21.203.178 netmask 255.255.248.0
[1979]1969-12-31 16:05:43 setup_ipsec: adding route ip xxx.xx.xx.xx mask 255.255.255.255 gw 172.21.200.1 interface br0
[1979]1969-12-31 16:05:43 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun0
[1979]1969-12-31 16:05:43 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun1
[1979]1969-12-31 16:05:43 setup_ipsec: deleting route to ip xxx.xx.xx.xx interface tun2
[1979]1969-12-31 16:05:47 R>> Received RC_OPCODE_ERROR lms xxx.xx.xx.xx tunnel 0.0.0.0 srcdev br0RC_ERROR_IKEP2_PKT1 debug-error:-8947
[1979]1969-12-31 16:05:47 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_TUNNEL_DOWN Next state REDUN_STATE_TUNNEL_MASTER
[1979]1969-12-31 16:05:47 redun_tunnel_down: Call stop_child() for clients[0]
[1979]1969-12-31 16:05:47 redun_tunnel_down: killed the child
[1979]1969-12-31 16:05:47 Tunnel 0 down. data(0|lms)=xxx.xx.xx.xx
This is some debug output from one of the controllers in the cluster:
(wlc-cs-1) [MDC] #show vpdn l2tp local pool
IP addresses used in pool rap-address-pool
none
L2TP Pool statistics for all pools:
IPv4/IPv6 Pool Configured Used Free
-------------- ---------- ------ ------
IPv4 253 0 253
IPv6 0 0 0
IP pool allocation/de-allocation statistics:
IPv4/IPv6 L2TP IKE
--------- ------------ ------------
IPv4 0/0 0/0
IPv6 N/A 0/0
(wlc-cs-1) [MDC] #show vpdn l2tp configuration
Enabled
Hello timeout: 60 seconds
DNS primary server: 0.0.0.0
DNS secondary server: 0.0.0.0
WINS primary server: 0.0.0.0
WINS secondary server: 0.0.0.0
PPP client authentication methods:
PAP
IP LOCAL POOLS:
rap-address-pool: 10.23.42.2 - 10.23.42.254
IPv6 LOCAL POOLS:
The command "show crypto ipsec sa" doesn't show any sign of an IPsec session with the AP at any time on any node of the cluster. The only thing I found was:
(wlc-cs-2) [MDC] *#show datapath session table 172.21.203.178
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
u - Upstream Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
r - Route Nexthop, h - High Value
A - Application Firewall Inspect
B - Permanent, O - Openflow
L - Log
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
172.21.203.178 xxx.xx.xx.xy 17 58668 4500 0/0 0 0 0 pc0 3e 91 44108 FC
xxx.xx.xx.xy 172.21.203.178 17 4500 58668 0/0 0 0 0 pc0 3e 39 9737 F
Where xxx.xx.xx.xy is the IP address of the controller I ran this command on.
Does anyone have a clue for further debugging and maybe a solution to my problem?
Greetings,
Hendrik