Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Reprovisioning Offline RAPs

  • 1.  Reprovisioning Offline RAPs

    Posted Mar 06, 2012 03:53 PM

    Hey guys,

     

    I've reprovisioned a RAP to change its AP group. I just changed the group and ignored the FQLN parameters, so I guess those were the only parameters that were changed.

     

    Anyway the RAP (AP-105) is now offline so it can't pass ipsec sa, so I think this is like an authentication issue.

     

    Here's the reprovisioned log.

     

    Mar  6 14:08:56  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<clear provisioning-ap-list > -- command executed successfully
    Mar  6 14:08:56  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap read-bootinfo ap-name "AP-QRO-01" > -- command executed successfully
    Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap copy-provisioning-params ap-name "AP-QRO-01" > -- command executed successfully
    Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap installation default > -- command executed successfully
    Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap no external-antenna > -- command executed successfully
    Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap no master > -- command executed successfully
    Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap ap-group "APG-AP-FORANEA" > -- command executed successfully
    Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap ap-name "AP-QRO-01" > -- command executed successfully
    Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap no syslocation > -- command executed successfully
    Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap remote-ap > -- command executed successfully
    Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap no fqln > -- command executed successfully
    Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap reprovision ap-name "AP-QRO-01" > -- command executed successfully
    Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<clear provisioning-ap-list > -- command executed successfully
    Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<clear provisioning-params > -- command executed successfully

     

     

    And here is the log of SAs

     

    (MXMEXWLANMASTER01) #show crypto isakmp sa

    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP     Responder IP   Flags       Start Time      Private IP      
    ------------     ------------   -----     ---------------   ----------      
    10.49.164.127    10.49.124.1    r-m-p-x-R Mar  6 09:23:24   192.168.69.4     
    10.49.124.3      10.49.124.2    r-a-p     Mar  6 11:57:22          -         

    Flags: i = Initiator; r = Responder
           m = Main Mode; a = Agressive Mode v2 = IKEv2
           p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
           x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
           3 = 3rd party AP; C = Campus AP; R = RAP
           V = VIA; S = VIA over TCP

    Total ISAKMP SAs: 2

    (MXMEXWLANMASTER01) #show crypto ipsec sa

    IPSEC SA Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP      
    ------------     ------------     -----------         -----------         -----  ---------------   --------
    10.49.124.3      10.49.124.2      10.49.124.3/32      10.49.124.2/32      T      Mar  6 14:23:08     -              

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

    Total IPSEC SAs: 1

     

    IP address 10.49.164.127 is the outer IP of the AP

     

    Is there a way to ensure the AP has all the correct parameters?

     

    Regards,



  • 2.  RE: Reprovisioning Offline RAPs

    Posted Mar 06, 2012 05:02 PM

    I'm pretty sure the only way to know is when it comes back up and connects to its controller.



  • 3.  RE: Reprovisioning Offline RAPs

    Posted Mar 06, 2012 05:21 PM
    Yeah, I guess that it hasn't the right parameters as it is not coming up.

    Is there a way to reprovision it remotely?


    I mean this is a RAP and there is nobody on site who can unmount the AP and connect a console cable to reset it.


  • 4.  RE: Reprovisioning Offline RAPs

    Posted Mar 06, 2012 05:25 PM

    Unfortunately, if it's not coming up after you changed those parameters, it's going to have to be set back to factory defaults and reprovisioned from scratch.



  • 5.  RE: Reprovisioning Offline RAPs

    Posted Mar 06, 2012 05:35 PM

    You can try power cycling the RAP to see if it is able to recover and connect successfully. The RAP could be stuck in a weird state which should be cleared when you power cycle the RAP.



  • 6.  RE: Reprovisioning Offline RAPs

    Posted Mar 06, 2012 05:41 PM

    Great! I'll try it

     

    Thanks bpudugramam.

     



  • 7.  RE: Reprovisioning Offline RAPs

    Posted Mar 06, 2012 05:49 PM

    "Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap no master > -- command executed successfully"

     

    Just curious, why did you pull the master config off the AP?



  • 8.  RE: Reprovisioning Offline RAPs

    Posted Mar 06, 2012 06:11 PM

     

    Honestly, I don't know. What I did was enter the provisioning page, change the AP group, check the remove FQLN option, and leave everything else unchanged, as I thought it would be transparent for the AP and what I really needed was to change the AP group only.

     

    And the AP was working fine previously with the old AP group:

     

    (MXMEXWLANMASTER01) #show ap active

    Active AP Table
    ---------------
    Name            Group               IP Address     11g Clients  11g Ch/EIRP/MaxEIRP  11a Clients  11a Ch/EIRP/MaxEIRP  AP Type  Flags  Uptime       Outer IP
    ----            -----               ----------     -----------  -------------------  -----------  -------------------  -------  -----  ------       --------
    AP-QRO-01       APG-RAP             192.168.69.4   0            AP:HT:11/20/20       0            AP:HT:149+/24/24     105      R      21h:18m:3s   10.49.164.127

     



  • 9.  RE: Reprovisioning Offline RAPs

    Posted Mar 07, 2012 10:35 AM

    Oh, ok, I see, this was from the provisioning page.  It looks like when you did that there was no master controller specified so there was a "no" issued on the master and that AP most likely doesn't know how to get to its master at this point.

     

    Any luck on the reboot?
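
Added example (not part of the thread and not Aruba tooling): a Python check over the controller's webui audit log that flags the situation diagnosed above, a reprovision committed for a remote AP after `no master` was staged. The log lines are the ones posted in this thread; treating `copy-provisioning-params` and `clear provisioning-params` as resetting the staged parameters is an assumption of this sketch.

```python
import re

# Audit lines as posted in the thread (source address already masked there).
SAMPLE_LOG = """\
Mar  6 14:08:56  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap read-bootinfo ap-name "AP-QRO-01" > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap copy-provisioning-params ap-name "AP-QRO-01" > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap no master > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap ap-group "APG-AP-FORANEA" > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap remote-ap > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap no fqln > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap reprovision ap-name "AP-QRO-01" > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<clear provisioning-params > -- command executed successfully
"""

CMD_RE = re.compile(r"COMMAND:<\s*(.*?)\s*>")
FINDING = "remote-ap reprovisioned with master removed"

def risky_reprovisions(log_text):
    """Return [(ap_name, finding)] for reprovisions committed without a master."""
    findings, staged, removed = [], set(), set()
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if not m:
            continue
        words = m.group(1).split()
        if words[:2] == ["clear", "provisioning-params"]:
            staged, removed = set(), set()          # staging area emptied
        elif words[:1] == ["provision-ap"] and len(words) > 1:
            args = words[1:]
            if args[0] == "copy-provisioning-params":
                staged, removed = set(), set()      # assumption: reloads AP's params
            elif args[0] == "no" and len(args) > 1:
                removed.add(args[1])                # parameter explicitly cleared
                staged.discard(args[1])
            elif args[0] == "reprovision":
                ap = args[-1].strip('"')
                if "remote-ap" in staged and "master" in removed:
                    findings.append((ap, FINDING))
            else:
                staged.add(args[0])                 # parameter set (value ignored)
                removed.discard(args[0])
    return findings

if __name__ == "__main__":
    for ap, why in risky_reprovisions(SAMPLE_LOG):
        print(f"{ap}: {why}")
```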



  • 10.  RE: Reprovisioning Offline RAPs
    Best Answer

    Posted Mar 07, 2012 11:21 AM

    That's right, I checked the AP's config and saw that there was no master and server IP. What I don't understand is why the isakmp sa could be established and the ipsec sa couldn't.

     

    I guess that, so that this won't happen again, I'll ask the customer to add the controller to their DNS server.

     

    Anyway, I had to ask somebody to reprovision the AP, and now it is working fine.

     

    Thank you very much for your help Mike

     



  • 11.  RE: Reprovisioning Offline RAPs

    Posted Mar 07, 2012 11:27 AM

    If you look at the timestamp of the phase 1 SA, it does not look to be current compared to the timestamp of the second SA of the other RAP. The best way to check to see if the RAP has made contact with the master is to see if you can see 4500 traffic coming from the Outer IP of the RAP. You can do a "show datapath session table | include <RAP's outer IP> " to check if you see 4500 traffic to/from the controller to this IP.
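
Added example (not part of the thread and not Aruba tooling): a Python sketch of the SA comparison discussed above. It lists RAP-flagged phase 1 SAs that have no phase 2 SA, with the phase 1 start time so it can be compared against the time of the reprovision. The table rows are the ones posted in this thread; matching the two tables on the initiator IP is an assumption of this sketch.

```python
import re

# Rows copied from the "show crypto isakmp sa" / "show crypto ipsec sa" output in the thread.
ISAKMP_SA = """\
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
10.49.164.127    10.49.124.1    r-m-p-x-R Mar  6 09:23:24   192.168.69.4
10.49.124.3      10.49.124.2    r-a-p     Mar  6 11:57:22          -
"""
IPSEC_SA = """\
Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP
------------     ------------     -----------         -----------         -----  ---------------   --------
10.49.124.3      10.49.124.2      10.49.124.3/32      10.49.124.2/32      T      Mar  6 14:23:08     -
"""

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def sa_rows(text):
    """Yield the whitespace-split fields of each data row (rows start with an IPv4 address)."""
    for line in text.splitlines():
        fields = line.split()
        if fields and IPV4_RE.match(fields[0]):
            yield fields

def raps_missing_phase2(isakmp_text, ipsec_text):
    """Return [(initiator_ip, phase1_start)] for RAP phase 1 SAs with no IPsec SA."""
    # Assumption: a healthy RAP shows the same initiator (outer) IP in both tables.
    phase2_peers = {fields[0] for fields in sa_rows(ipsec_text)}
    missing = []
    for fields in sa_rows(isakmp_text):
        initiator = fields[0]
        flags = fields[2].split("-")        # e.g. r-m-p-x-R -> ['r','m','p','x','R']
        start = " ".join(fields[3:6])       # month, day, time
        if "R" in flags and initiator not in phase2_peers:
            missing.append((initiator, start))
    return missing

if __name__ == "__main__":
    for ip, start in raps_missing_phase2(ISAKMP_SA, IPSEC_SA):
        print(f"RAP {ip}: phase 1 SA from {start}, no IPsec SA")
```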



  • 12.  RE: Reprovisioning Offline RAPs
    Best Answer

    Posted Mar 07, 2012 12:16 PM

    Erik - Just an FYI, if you want to just change something like an AP group in the future, you can do so by the CLI and leave nothing to chance.  Those commands you see in the log are what you use to do it.  Also, if you're using RAPs or APs that have a TPM chip, you can change an AP group from the RAP whitelist really easy.

     

    From the CLI:

     

    (Controller) # configure t
    Enter Configuration commands, one per line. End with CNTL/Z

    (Controller) (config) # provision-ap

    ####Specify the AP you want to change####

    (Controller) (AP provisioning) # read-bootinfo ap-name AP-QRO-01
    (Controller) (AP provisioning) # copy-provisioning-params ap-name AP-QRO-01

    ####Now make your changes####

    (Controller) (AP provisioning) # ap-group APG-AP-FORANEA
    (Controller) (AP provisioning) # no fqln

    ####Now commit the changes by reprovisioning the AP####

    (Controller) (AP provisioning) # reprovision ap-name AP-QRO-01