Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VPN issue

  • 1.  VPN issue

    Posted Apr 24, 2015 07:34 AM

    Hi,

    When I am in hotels, my Aruba RAP connection via VPN gets blocked. This is because the hotels block the ports that are required to establish the VPN connection.

     

    So I need to know how I can know that the required ports (e.g. UDP 4500) are blocked by the hotels.

    1. Is there any tool / website to check whether the port is being blocked?

    2. Is there any workaround for this before raising a request to the hotel IT team?

    How can this be avoided? Are there any methods to avoid this? Please assist me. Thanks



  • 2.  RE: VPN issue

    EMPLOYEE
    Posted Apr 24, 2015 08:35 AM

    The best way is to check on the controller to see if they can see any of your traffic from the hotel. There is very little, if any, diagnostic information on the RAP itself, because it is made for end users...



  • 3.  RE: VPN issue

    Posted Apr 25, 2015 10:00 AM

    Thanks for your reply, but as I do not have much experience in this, can you explain it in detail to make it clear to me? Thanks



  • 4.  RE: VPN issue

    EMPLOYEE
    Posted Apr 25, 2015 12:29 PM

    KarthickKumar,

     

    Do you know who set up the controller? They might be able to give you an idea of how to troubleshoot their specific setup...



  • 5.  RE: VPN issue

    EMPLOYEE
    Posted Apr 26, 2015 09:44 PM

    The tool "ike-scan" can be used as a standalone RAP test tool. Get it from www.nta-monitor.com/tools/ike-scan

     

    Example when host does not respond - here we see Google DNS 8.8.8.8 is up but doesn't talk IPSEC

    C:\aruba\tools\ike-scan-win32-1.9>ike-scan.exe --nat-t --ikev2 --sport=4501 --dport=4500 --verbose 8.8.8.8
    DEBUG: pkt len=296 bytes, bandwidth=56000 bps, int=46285 us
    Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
    ---     Pass 1 of 3 completed
    ---     Pass 2 of 3 completed
    ---     Pass 3 of 3 completed
    
    Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
    
    C:\aruba\tools\ike-scan-win32-1.9>

     

    Example of DNS resolution error

    C:\aruba\tools\ike-scan-win32-1.9>ike-scan.exe --nat-t --ikev2 --sport=4501 --dport=4500 --verbose via3.somewhere.com
    WARNING: gethostbyname failed for "via3.somewhere.com" - target ignored: Operation not permitted
    ERROR: No hosts to process.
    

     

    Example when host does respond (in this case I have hidden the IP, but via.somewhere.com needs to be either a controller on the internet or a firewall doing 4500/udp port NAT).

    C:\aruba\tools\ike-scan-win32-1.9>ike-scan.exe --nat-t --ikev2 --sport=4501 --dport=4500 --verbose via.somewhere.com
    DEBUG: pkt len=296 bytes, bandwidth=56000 bps, int=46285 us
    Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
    104.YY.XXX.ZZ   Notify message 16390 (COOKIE) HDR=(CKY-R=0000000000000000, IKEv2)
    
    Ending ike-scan 1.9: 1 hosts scanned in 0.346 seconds (2.89 hosts/sec).  0 returned handshake; 1 returned notify
    
    C:\aruba\tools\ike-scan-win32-1.9>
    
    

     If you see the last example above, where it says it got a NOTIFY, then you can assume there is a working IPSEC path on port 4500 from your machine to the controller.

     

    Note the src port is specified to be 4501 to avoid any conflict with VPN software that may be on your PC; the RAP can also use 4501 as a source IP too. You can try with --sport=4500 as a test too, but it's very rare to see someone enforcing srcip in a firewall rule for UDP.

     

    regards

    jeff
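
Added example (not part of the post above and not code from the ike-scan project): a Python helper that classifies the three ike-scan outcomes shown in that post, so the UDP 4500 check can be scripted. The function name and verdict labels are assumptions made for this example; the sample outputs are abridged from the runs quoted in the post.

```python
import re

# Closing summary line of an ike-scan run, in the format shown in the post above.
SUMMARY = re.compile(r"(\d+) returned handshake; (\d+) returned notify")
# Per-host notify line, e.g. "104.YY.XXX.ZZ   Notify message 16390 (COOKIE) ..."
NOTIFY = re.compile(r"^\s*(\S+)\s+Notify message (\d+) \((\w+)\)", re.MULTILINE)
DNS_ERRORS = ("gethostbyname failed", "No hosts to process")

def classify_ike_scan(output):
    """Return (verdict, detail) for the text of one ike-scan run (hypothetical helper)."""
    if any(marker in output for marker in DNS_ERRORS):
        return "dns-failure", "target name did not resolve; no packet was sent"
    summary = SUMMARY.search(output)
    if summary is None:
        return "incomplete", "no summary line; the run did not finish"
    handshakes, notifies = map(int, summary.groups())
    if handshakes + notifies == 0:
        # Same result whether UDP 4500 is filtered or the target has no IKE service.
        return "no-response", "UDP 4500 filtered, or target does not speak IKE"
    peers = [f"{ip} {name}({code})" for ip, code, name in NOTIFY.findall(output)]
    return "path-open", ", ".join(peers) or f"{handshakes} handshake(s) returned"

# Sample outputs below are abridged from the three runs quoted in the post above.
NO_REPLY = """Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
---     Pass 3 of 3 completed
Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
"""
DNS_FAIL = """WARNING: gethostbyname failed for "via3.somewhere.com" - target ignored: Operation not permitted
ERROR: No hosts to process.
"""
REPLY = """Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
104.YY.XXX.ZZ   Notify message 16390 (COOKIE) HDR=(CKY-R=0000000000000000, IKEv2)
Ending ike-scan 1.9: 1 hosts scanned in 0.346 seconds (2.89 hosts/sec).  0 returned handshake; 1 returned notify
"""

if __name__ == "__main__":
    for label, text in (("8.8.8.8", NO_REPLY), ("via3", DNS_FAIL), ("via", REPLY)):
        print(label, *classify_ike_scan(text))
```

A "no-response" verdict alone does not prove the hotel is filtering; as the 8.8.8.8 run shows, a host that is up but has no IKE service produces the same output, so test against a name known to terminate IPsec on UDP 4500.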



  • 6.  RE: VPN issue

    Posted Apr 27, 2015 05:29 AM

    Hi,

     

    If your RAP traffic is getting blocked and you need access back to your office and you have a controller, why not set up Via?

     

    The Via client will utilise SSL which is much more likely to be allowed than UDP 4500 traffic. :)

     

    The controller will need the PEFV license and a little configuration but I'd recommend this solution over a RAP if you spend a lot of time in hotels...

     

    Via Configuration Doc : http://community.arubanetworks.com/aruba/attachments/aruba/108/947/1/VIA-configuration-detail.pdf

     

    Cheers

    James



  • 7.  RE: VPN issue

    Posted Apr 29, 2015 03:17 PM

    @jgoff wrote:

    The tool "ike-scan" can be used as a standalone RAP test tool. Get it from www.nta-monitor.com/tools/ike-scan

     


    That is a useful tool, going into my toolbox. Thanks jgoff.