Wireless


RAP AP Ports

  • 1.  RAP AP Ports

    Posted Aug 06, 2023 11:02 AM

    Please, I need support: the RAP AP works well and joins the MC if I configure the policy any to any in the MC publishing policy on the FW (Palo Alto), but when I opened only port 4500, the AP dropped and can't join the MC. So are there any other ports that must be opened from the FW side, or any configuration on the MC side related to port 4500?



  • 2.  RE: RAP AP Ports

    EMPLOYEE
    Posted Aug 07, 2023 04:23 AM

    RAP operations are covered in the AOS User Guide chapter "Remote AP support". 

    The list of firewall ports required between a RAP and an MD is covered under "Communication Between Remote APs and the Managed Device", around page 876.

    NAT-T (UDP port 4500)
    TFTP (UDP port 69)

    "TFTP is not needed for normal operation. If the remote AP loses its local image for any reason, it will use TFTP to download the latest image."

    The best diagnostic information comes from the MD (if a Mobility Conductor is used, the allowlist authorization occurs between the MD and the MC).

    show ap database long

    show allowlist rap | inc <AP MAC>

    show log all | inc <AP MAC>

    show user all | inc <AP MAC>

    show datapath session | inc <AP public IP>

    show user-table verbose | inc <AP MAC>    (or <AP public IP>)



    ------------------------------
    Shawn Adams
    ------------------------------



  • 3.  RE: RAP AP Ports

    Posted Aug 07, 2023 04:50 AM

    Thanks for your feedback.

    When I allowed only port 4500 in the policy, the RAP AP can't join/connect to the MC through the MC public IP, but when I make the policy on the firewall (Palo Alto) any to any, the RAP joins the MC. Should I check the FW policy?




  • 4.  RE: RAP AP Ports

    EMPLOYEE
    Posted Aug 07, 2023 05:44 AM

    Let me clarify one point:

    MC = Mobility Conductor

    MD = Managed Device/Controller/Branch Gateway

    The RAP will connect using IPSEC over port 4500 to the MD, it requires no direct communication to the MC.

    If the firewall allows the RAPs to reach the MD over port 4500, and the MD shows this traffic arriving and being answered, the RAP should connect and work.

    Perhaps you can elaborate on the "policy RAP AP can't join" - where exactly is this policy configured ?

    Basic RAP configuration steps:

    1. PEFNG license installed as necessary.
    2. If Control-plane security will be used - allowlist entry for RAP MAC address present and correct ?
    3. If PSK to be used, appropriately configured on MD and MC ?
    4. MD configured with IPSEC inner IP DHCP pool ? (if an MC is deployed - lc-rap-pool configured on the MC ?)
    5. ap-group with correct provisioning profile to configure Remote AP and direct the RAPs to the correct MD public IP address ?

    A few very useful public sources, in addition to the AOS User Guide: 

    https://community.arubanetworks.com/discussion/arubaos-8-setting-up-remote-access-point-rap

    https://higherlogicdownload.s3-external-1.amazonaws.com/HPE/102f4c22-7f93-44cf-b5a2-400828ccd32e_file.pdf?AWSAccessKeyId=AKIAVRDO7IEREB57R7MT&Expires=1691403496&Signature=19KRnrD3q6EDATGg0FP5oZCiS3I%3D

    https://www.flomain.de/2019/05/basic-rap-setup-with-arubaos-8/



    ------------------------------
    Shawn Adams
    ------------------------------



  • 5.  RE: RAP AP Ports

    EMPLOYEE
    Posted Aug 07, 2023 05:46 AM

    There are no other ports required than from the RAP to the controller on udp/4500. Note that you probably perform NAT/port forwarding on your firewall, and depending on the firewall you would need to allow traffic to the internal IP, the external (interface) IP of the firewall, or even both. If it works with allow any->any udp/4500, but not any->controller udp/4500, you probably have the wrong IP in the controller object for your firewall (before/after NAT).



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: RAP AP Ports

    EMPLOYEE
    Posted Aug 07, 2023 07:44 AM

    I hesitate to add more than others have done already here.  When you put the more restrictive firewall policy in place, I would filter on the source IP address and see what type of traffic is being dropped and to what destination. 



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------
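The approach in replies 5 and 6 (filter the firewall log on the RAP's source IP, see what is dropped and to which destination, and check whether the destination is the pre-NAT public IP or the post-NAT internal IP of the controller) as an added example, not code from this thread or from Aruba or Palo Alto. The CSV layout, field names, IP addresses and rule names are constructed for the example and are not real PAN-OS traffic-log output; the port list comes from reply 2.

```python
import csv
from collections import Counter
from io import StringIO

# Ports the thread lists for RAP-to-MD communication (from the AOS User Guide reference).
RAP_PORTS = {("udp", 4500): "NAT-T / IPsec (required)",
             ("udp", 69): "TFTP (image recovery only)"}

# Constructed, simplified allow/deny log in CSV form. This is NOT real PAN-OS
# traffic-log output; the field names are assumptions made for this example.
SAMPLE_LOG = """action,src_ip,dst_ip,proto,dst_port,rule
deny,203.0.113.10,198.51.100.5,udp,4500,interzone-default
deny,203.0.113.10,198.51.100.5,udp,4500,interzone-default
allow,203.0.113.10,198.51.100.5,udp,500,rap-ike
deny,203.0.113.10,198.51.100.5,udp,69,interzone-default
allow,192.0.2.77,198.51.100.5,udp,4500,rap-natt
deny,203.0.113.10,10.10.10.5,tcp,443,interzone-default
"""

def drops_for_source(log_text, src_ip):
    """Count denied flows from src_ip, keyed by (dst_ip, proto, dst_port, rule)."""
    counts = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        if row["src_ip"] == src_ip and row["action"] == "deny":
            key = (row["dst_ip"], row["proto"], int(row["dst_port"]), row["rule"])
            counts[key] += 1
    return counts

def explain_drops(drops, controller_public_ip, controller_internal_ip):
    """Label each dropped destination/port as a documented RAP port or not, and
    say whether the destination is the pre-NAT (public) or post-NAT (internal)
    controller address, which is what the security rule's object must match."""
    findings = []
    for (dst, proto, port, rule), n in sorted(drops.items()):
        role = RAP_PORTS.get((proto, port), "not a documented RAP port")
        if dst == controller_public_ip:
            side = "pre-NAT public IP"
        elif dst == controller_internal_ip:
            side = "post-NAT internal IP"
        else:
            side = "unrelated destination"
        findings.append((dst, proto, port, n, rule, role, side))
    return findings

if __name__ == "__main__":
    drops = drops_for_source(SAMPLE_LOG, "203.0.113.10")
    for finding in explain_drops(drops, "198.51.100.5", "10.10.10.5"):
        print(finding)
```

With the constructed log, the RAP's udp/4500 packets are denied by the catch-all rule while aimed at the public IP, which is the symptom reply 5 attributes to a controller object holding the wrong (before/after NAT) address.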