Frequent Contributor II

Trouble converting RAP to CAP

I have a RAP-155.

I have a 7210 controller with an internal ip address (in this case, 10.1.1.38)

I have a fortigate firewall that has a VIP forward of an external IP (say, w.x.y.z) to 10.1.1.38

If I web browse to w.x.y.z, I can log in to the controller.

Now, I just got my first RAP. I fire it up, connect to Instant, go through the conversion process. If I just say the controller is w.x.y.z then it says VPN failed and it says to save the log in the popup. There is no log in a popup.

I then tried https://w.x.y.z:4343 and it comes back "status unavailable"

Do I need to give an interface on the 7210 the public IP and not forward from my firewall?

Thanks!

Moderator

Re: Trouble converting RAP to CAP

Are you allowing UDP 4500 through your firewall?


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Frequent Contributor II

Re: Trouble converting RAP to CAP

No, I hadn't been - just All TCP. I just set it to allow ALL UDP as well.

Conversion... same error "VPN setup failed, please save the log in the popup window" and I don't see a popup or log anywhere

Moderator

Re: Trouble converting RAP to CAP

I misread. You're trying to convert an IAP/RAP to a Campus AP? You should point it to the inside address then. CAPs don't use an IPSec tunnel.




Frequent Contributor II

Re: Trouble converting RAP to CAP

Thanks. But then, when I take it home or some other offsite location, it won't be able to find 10.1.1.38, so I'm confused how that would work.

Oh - I guess I misspoke, I want to convert the RAP from Instant to "Remote AP managed by Mobility controller"

Sorry for the confusion

Moderator

Re: Trouble converting RAP to CAP

Oh ok.

Take a look at the RAP VRD which will show you how to configure the controller side.

http://community.arubanetworks.com/t5/Validated-Reference-Design/Remote-AP-Networks/ta-p/155140




Frequent Contributor II

Re: Trouble converting RAP to CAP

Thanks Tim.

Sigh - 213 pages. I should have figured it wouldn't be easy!

Guru Elite

Re: Trouble converting RAP to CAP

Kevets,

You would only have to set up your controller to accept remote AP traffic and put the MAC address of the IAP into the RAP whitelist on the controller and assign it to an ap-group:

Set up the RAP pool:

config t
ip local pool "rap-pool" 172.16.1.150 172.16.1.200

  • Add the RAP to the controller’s whitelist since it is using certificates for authentication:

Configuration-> WIRELESS->AP Installation->RAP Whitelist.  Add the wired MAC address of your AP, name it and assign it an ap-group.

On the IAP, go to Maintenance and Convert.  Put in the public or private address of your controller to convert:

While you are doing the convert, on the controller, type "show datapath session table <source ip address of your RAP>" to see if traffic is flowing.  If you don't see any sessions, you need to check to make sure your firewall is (1) Doing a static 1:1 NAT from your outside public address to the internal private address of your controller and (2) Allowing UDP 4500 inbound to that device.

If you do see the traffic flowing, type "show crypto ipsec sa peer <public ip address of your rap>" to see if it does have an SA, or security association.  If it does, it should upgrade the code on your IAP and you can take it from there.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
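FortiGate CLI configuration for the two firewall requirements named in the answer above (a static 1:1 NAT to the controller and inbound UDP 4500), as an added example that is not part of the original post. The object names and the interface names wan1 and internal are assumptions, and w.x.y.z stands for the public address as in the thread.

```fortios
config firewall service custom
    edit "UDP-4500"
        set comment "Constructed name: the single UDP port the answer asks for"
        set udp-portrange 4500
    next
end
config firewall vip
    edit "vip-aruba-7210"
        set comment "Constructed name: static 1:1 NAT, no port forwarding"
        set extintf "wan1"
        set extip w.x.y.z
        set mappedip "10.1.1.38"
    next
end
config firewall policy
    edit 0
        set name "rap-to-controller"
        set comments "Permits only UDP 4500 to the controller VIP; wan1 and internal are assumed interface names"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-aruba-7210"
        set service "UDP-4500"
        set schedule "always"
        set action accept
        set logtraffic all
    next
end
```

With logtraffic all set, the forward traffic log shows whether the RAP's packets match this policy and records the source address they arrive from, which is the address to use in the controller-side show commands.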
Frequent Contributor II

Re: Trouble converting RAP to CAP

Ah, thanks Colin! I'll give that a go later today.

Frequent Contributor II

Re: Trouble converting RAP to CAP

So, I tried this:

the ip local pool rap-pool in the controller with a write mem

adding the MAC of my test RAP into the whitelist.

Same results, whether I use the public (NATted) or the internal IP of the controller.

I am confused about the recommended monitoring command - I don't know what the RAP's IP address is.

I am wondering if I need to do something further for VPN configuration on the 7210?
