Wireless Access

im trying to add a local to a master, same ArubaOS is used and my basic trouble shooting seems to point so some issue i don't fully understand. i have set the roles correctly and PSK has been copy pasted from test file for being certain it matches.

(master) #show datapath session | include 4500

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- -----

192.168.20.189  192.168.20.190  17   4500  4500   0/0     0 0   0   1/8         16d  F
192.168.20.190  192.168.20.189  17   4500  4500   0/0     0 0   0   1/8         16d  FC
192.168.20.189  172.16.16.254   17   4500  4500   0/0     0 0   0   1/3         b    FY
172.16.16.254   192.168.20.189  17   4500  4500   0/0     0 0   1   1/3         b    FC

(local) # show datapath session | include 4500

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- -----

192.168.20.189  192.168.20.190  17   4500  4500   0/0     0 0   0   local       14e  F
192.168.20.190  192.168.20.189  17   4500  4500   0/0     0 0   0   local       14e  FC

log on local:

Mar 24 16:18:52  isakmpd[2001]: <103060> <DBUG> |ike|  ipc.c:ipc_rcvcb:1018  pubsub msg
Mar 24 16:18:52  isakmpd[2001]: <103060> <DBUG> |ike|  ipc.c:ipc_rcvcb:1191  cfgm msg
Mar 24 16:18:52  isakmpd[2001]: <103061> <ERRS> |ike|  vlan 1 is not configured yet
Mar 24 16:18:52  isakmpd[2001]: <103061> <ERRS> |ike|  vlan 1 is not configured yet
Mar 24 16:18:52  isakmpd[2001]: <103062> <INFO> |ike|   Cluster IKE Initialisation: change from None->None
Mar 24 16:18:52  isakmpd[2001]: <103063> <DBUG> |ike|  handleMasterRoleCfg: ip 192.168.20.189 role 3
Mar 24 16:18:52  isakmpd[2001]: <103066> <INFO> |ike|  Sending Cluster role change code 1 at time 622.830000
Mar 24 16:18:52  isakmpd[2001]: <399816> <ERRS> |ike|  Vlan 1 is not configured yet
Mar 24 16:18:52  isakmpd[2001]: <399816> <ERRS> |ike|  Vlan 1 is not configured yet
Mar 24 16:18:53  isakmpd[2001]: <103060> <DBUG> |ike|  ipc.c:insert_vlan_ip:5070 initialize the vlanid:1 entry ip:c0a814be
Mar 24 16:18:53  isakmpd[2001]: <103060> <DBUG> |ike|  ipc.c:ipc_rcvcb:1018  pubsub msg
Mar 24 16:18:53  isakmpd[2001]: <103060> <DBUG> |ike|  ipc.c:ipc_rcvcb:1070 Recvd SWITCH IP =192.168.20.190
Mar 24 16:18:53  isakmpd[2001]: <103060> <DBUG> |ike|  ipc.c:ipc_register_for_switch_ip:4182 Sending REQUEST for SWITCH IP
Mar 24 16:18:53  isakmpd[2001]: <103060> <DBUG> |ike|  message.c:message_drop:2707 Message drop from 192.168.20.189 port 4500 due to notification type INVALID_COOKIE
Mar 24 16:18:53  isakmpd[2001]: <103063> <DBUG> |ike|  message_recv: invalid cookie(s) 0a7789ce3ac2c081 d4af019b7db8fd2d
Mar 24 16:18:53  isakmpd[2001]: <103063> <DBUG> |ike|  virtual_bind_ipv4: 192.168.20.190 already bound
Mar 24 16:18:53  isakmpd[2001]: <103070> <INFO> |ike|  Sending Cluster role change code 1 at time 623.520000 to subscriber 8344
Mar 24 16:18:54  isakmpd[2001]: <103060> <DBUG> |ike|  ipc.c:ipc_get_cpsec_state:4226 Sending REQUEST for CPSEC STATE
Mar 24 16:18:54  isakmpd[2001]: <103060> <DBUG> |ike|  ipc.c:ipc_rcvcb:1018  pubsub msg
Mar 24 16:18:54  isakmpd[2001]: <103063> <DBUG> |ike|  ipc_rcvcb : CPSEC not ready
Mar 24 16:18:54  isakmpd[2001]: <103063> <DBUG> |ike|  ipc_rcvcb : Recvd msg 3 from CPSECd
Mar 24 16:18:54  isakmpd[2001]: <103070> <INFO> |ike|  Sending Cluster role change code 1 at time 624.520000 to subscriber 8345
Mar 24 16:18:57  isakmpd[2001]: <103060> <DBUG> |ike|  ipc.c:ipc_rcvcb:1018  pubsub msg
Mar 24 16:18:57  isakmpd[2001]: <103070> <INFO> |ike|  Sending Cluster role change code 1 at time 627.420000 to subscriber 8453
Mar 24 16:19:00  isakmpd[2001]: <103063> <DBUG> |ike|  ipc_rcvcb : CPSEC not ready
Mar 24 16:19:00  isakmpd[2001]: <103063> <DBUG> |ike|  ipc_rcvcb : Recvd msg 3 from CPSECd
Mar 24 16:19:07  isakmpd[2001]: <103018> <INFO> |ike| IKE Phase 1 hash mismatch. Most likely because IKE pre-shared key or certificate mismatch.
Mar 24 16:19:07  isakmpd[2001]: <103051> <INFO> |ike| IKE module gets local-master configuration
Mar 24 16:19:07  isakmpd[2001]: <103054> <INFO> |ike|  Dropping IKE message drop from 192.168.20.189 4500 due to notification type:INVALID_ID_INFORMATION
Mar 24 16:19:07  isakmpd[2001]: <103060> <DBUG> |ike|  exchange.c:exchange_ike_negotiate:3057 Found policy for dest-net 192.168.20.189/255.255.255.255 with peer gw 192.168.20.189
Mar 24 16:19:07  isakmpd[2001]: <103060> <DBUG> |ike|  exchange.c:exchange_negotiation_state_done:2647 Ipsec map default-local-master-ipsecmap is marked negotiation-done
Mar 24 16:19:07  isakmpd[2001]: <103060> <DBUG> |ike|  exchange.c:exchange_negotiation_state_inprog:2631 Ipsec map default-local-master-ipsecmap is marked negotiation-inprogress
Mar 24 16:19:07  isakmpd[2001]: <103060> <DBUG> |ike|  if.c:GetIPAddrByVlanId:209 vlan 0 ip 192.168.20.190
Mar 24 16:19:07  isakmpd[2001]: <103060> <DBUG> |ike|  if.c:GetIPAddrByVlanId:209 vlan 1 ip 192.168.20.190
Mar 24 16:19:07  isakmpd[2001]: <103060> <DBUG> |ike|  if.c:GetIPAddrByVlanId:209 vlan 1 ip 192.168.20.190

What version of code is this?

ArubaOS Version 6.0.1.1 build 27738 between a 620 and 3600. pretty much basic config, just some minor stuff to see how it will work, if it works.

Symptoms and error messages point to issue with inter-controller communication; i.e. key mismatch.

Mar 24 16:19:07  isakmpd[2001]: <103018> <INFO> |ike| IKE Phase 1 hash mismatch. Most likely because IKE pre-shared key or certificate mismatch.

Message drop from 192.168.20.189 port 4500 due to notification type INVALID_COOKIE

OP states he cut and pasted but the above would make me keep looking in that area.

Everytime I've had this issue, it was the key as well.

Just my $.02

tried several things, disabled control plane security, setup ntp and redid the whole key part and guess what, it works now.

im guessing it was something with the key indeed, though im 100%+ sure i did nothing different the first times then the later times.

folks,

please help with

Jul 30 13:37:08 :103018:  <INFO> |ike| IKE Phase 1 hash mismatch. Most likely because IKE pre-shared key or certificate mismatch.
Jul 30 13:37:08 :103054:  <INFO> |ike|  Dropping IKE message drop from 10.9.0.6 4500 due to notification type:INVALID_ID_INFORMATION
Jul 30 13:37:08 :103063:  <DBUG> |ike|  exchange_run: step 1 done:0 handler failed
Jul 30 13:37:08 :103060:  <DBUG> |ike|  exchange.c:exchange_negotiation_state_done:2620 Ipsec map default-local-master-ipsecmap is marked negotiation-done
Jul 30 13:37:15 :103063:  <DBUG> |ike|  message_recv: invalid cookie(s) f8f0bed97a592d94 48371524fc559546
Jul 30 13:37:15 :103060:  <DBUG> |ike|  message.c:message_drop:2691 Message drop from 10.9.0.6 port 4500 due to notification type INVALID_COOKIE
Jul 30 13:37:24 :103063:  <DBUG> |ike|  message_recv: invalid cookie(s) f8f0bed97a592d94 48371524fc559546
Jul 30 13:37:24 :103060:  <DBUG> |ike|  message.c:message_drop:2691 Message drop from 10.9.0.6 port 4500 due to notification type INVALID_COOKIE
Jul 30 13:37:29 :103060:  <DBUG> |ike|  if.c:GetIPAddrByVlanId:209 vlan 4095 ip 10.4.6.129
Jul 30 13:37:29 :103060:  <DBUG> |ike|  ipc.c:controlplaneArpModify:3592 Failed to Delete ARP  10.9.0.8 error Network is unreachable
Jul 30 13:37:29 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_initiator_send_SA:385  peer:10.9.0.6
Jul 30 13:37:29 :103063:  <DBUG> |ike|  ike_phase_1_send_KE_NONCE 10.9.0.6
Jul 30 13:37:29 :103060:  <DBUG> |ike|  if.c:GetIPAddrByVlanId:209 vlan 0 ip 10.4.6.129
Jul 30 13:37:29 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_send_ID:1975 with SwitchIP 10.4.6.129
Jul 30 13:37:29 :103063:  <DBUG> |ike|  ike_phase_1_send_ID 10.9.0.6
Jul 30 13:37:29 :103060:  <DBUG> |ike|  exchange.c:exchange_negotiation_state_inprog:2605 Ipsec map default-local-master-ipsecmap is marked negotiation-inprogress
Jul 30 13:37:29 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_initiator_recv_SA:750 ike_phase_1_initiator_recv_SA
Jul 30 13:37:29 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_recv_ID:2300 received IKE ID Type 11 exchange:10.9.0.6
Jul 30 13:37:29 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_recv_ID:2315 got IKE KEY-ID, got remote-switch-ip:10.9.0.8-mask:255.255.255.255
Jul 30 13:37:29 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_recv_ID:2364 Master-Local
Jul 30 13:37:29 :103060:  <DBUG> |ike|  ike_phase_1.c:ike_phase_1_recv_ID:2383 updating IPSec map with Master's switch-ip
Jul 30 13:37:29 :103063:  <DBUG> |ike|  ike_phase_1_post_exchange_KE_NONCE done 10.9.0.6

does it means, that there is pre-shared key mismatch between master and local controllers?

it does indicate that indeed, just try setting them again.

Thank you! I already do) But thank you very much )

Can you post the pertinent areas of your running-config? What is the VLAN they are supposed to communicate on? Is that VLAN configured in both controllers?

I mean that this advice helped me. Now i have not issue =)