Controllerless Networks


VIA to 7010 not established

  • 1.  VIA to 7010 not established

    Posted Dec 12, 2022 11:40 AM
    Hi,

    I am new to AOS and have a 7010 for evaluation as a VPN GW.
    I am trying to configure a basic setup of Windows 10 VIA 4.4 connecting to a standalone 7010 controller running AOS 8.9.3, with a local user and interface.

    I used "Aruba SD-Branch from scratch - Part 6" and the user manual to configure the required settings, but VIA is not able to complete the connection.
    VIA downloads the profile but is not able to establish the connection.

    In the diagnostic log I can see IKESA_EXPIRED, with no explanation of why:
    isakmpd[3809]: <103103> <3809> <WARN> |ike| IKE SA Deletion: IKE2_delSa peer:10.201.162.101:50277 id:3957132487 errcode:ERR_IKESA_EXPIRED saflags:0xa00051 arflags:0x1 

    I enabled debug for security and see a lot of messages, but I cannot understand what the issue is.

    I hope someone can help with that.


    isakmpd[3809]: <103063> <3809> <DBUG> |ike| modp_free entered
    isakmpd[3809]: <103060> <3809> <DBUG> |ike| xlp_lib.c:process_xlp_dh2_response_ikev2:585 DH2 completed successfully
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| OutTfm_R
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| OutKe Responder grp:ike 2
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| <-- R NAT_D (us): ce 40 77 f9 d1 7b 57 6b 40 5f 84 a2 0d cf 99 b4 a9 a0 7e 27
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| NAT_D (peer): 59 e8 64 c7 3f 0a d4 bf 9b fd ee d6 8b 14 15 22 3f 48 30 3e
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| OutVid: added Fragmentation vendor-id
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| #SEND 345 bytes to 10.201.162.101(64616) (259033.332)
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| IKE_SAMPLE_ikeXchgSend: server instance 1 sktDescr 3
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| cleanup_and_free_context delete ctx memory
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| initR_in_Continued: IKE2_msgRecv_resume status:0
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| xlp_rcv_response: Nothing to be read from cryptolib fd
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> udp_encap_handle_message ver:2 serverInst:1 pktsize:496
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_EXAMPLE_IKE_msgRecv: ip:10.201.162.101 port:64616 server:1 len:496 numSkts:8
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_EXAMPLE_IKE_msgRecv:1533: IKE2_msgRecv Called
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE2_msgRecv: dwPeerAddr: ac9a265 wPeerPort: fc68
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616->
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> #RECV 496 bytes from 10.201.162.101(64616) at 10.201.161.222 (259033.439)
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> spi={bd89a25d388ad654 832fcc3f921f1381} np=E{IDi}
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> exchange=IKE_AUTH msgid=1 len=492
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE2_xchgIn:1409
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE2_newXchg oExchange:35 bReq:0 dwMsgId:1
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE2_newXchg before delXchg
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE2_delXchg Deleting exchange
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> authR_in
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InSa0: calling IKE2_newIPsecSa
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InVid
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> --> R Notify: INITIAL_CONTACT VID: 88 f0 e3 14 9b 3f a4 8b 05 aa 7f 68 5f 0b 76 6b e1 86 cc
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> b8
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> Setting CLIENT flag for VIA Client
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> Aruba VIA detected
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InVid
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> VID: 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> Aruba Fragmentation request is received
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> Enabling Fragmentation for this SA
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InVid
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> VID: ac 4a 8e 30 60 4a 34 c8 d5 82 78 8c dd a7 d4 85 64 cd 38 fc
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> Aruba VIA UDID detected
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InVid
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> VID: 56 49 41 20 41 75 74 68 20 50 72 6f 66 69 6c 65 20 3a 20 76 69 61 61 75 74 68
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> check_aruba_vid: VIA Auth Profile : viaauth
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InVid
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> VID: 56 49 41 20 53 79 73 20 49 6e 66 6f 20 3a 20 3c 4f 53 3a 20 4d 69 63 72 6f 73 6f 66 74 20
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> 57 69
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> 6e 64 6f 77 73 20 38 20 42 75 73 69 6e 65 73 73 20 45 64 69 74 69 6f 6e 2c 20 36 34 2d 62 69 74
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> 20 3e 3c 48 6f 73 74 3a 20 44 45 53 4b 54 4f 50 2d 38 4f 4c 43 4e 42 4e 3e 00
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> Aruba VIA OS detected
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InCp
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> CFG_REQUEST
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> CheckCfgAttr type:1
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> CheckCfgAttr type:2
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> CheckCfgAttr type:3
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> CheckCfgAttr type:4
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> CheckCfgAttr type:6
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> CheckCfgAttr type:13
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> CheckCfgAttr type:7
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IP4_ADDRESS IP4_NETMASK IP4_DNS IP4_NBNS IP4_DHCP IP4_SUBNET APP_VER("Aruba V
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InCp : detected VPN client
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InTs entered
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InTs # of TS:1
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InTs no:0 IPV4 addr:0.0.0.0 end:255.255.255.255
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> PN Client Version = 1.0") TSi: 0.0.0.0~255.255.255.255
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InTs responder: the remote switch ip is :: pxIPsecSa->dwIP 0.0.0.0 pxIPsecSa->dwIPEnd 255.255.255.255
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InTs entered
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InTs # of TS:1
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InTs no:1 IPV4 addr:0.0.0.0 end:255.255.255.255
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> TSr: 0.0.0.0~255.255.255.255
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> InTs responder: the remote switch ip is :: pxIPsecSa->dwIP 0.0.0.0 pxIPsecSa->dwIPEnd 255.255.255.255
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> Notify: MOBIKE_SUPPORTEDEAP_authStateTransition: Transition Session 1:NULL from State NoState
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> to AuthDisabled
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> EAP_sessionCreate: Created EAP Session = 1
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> EAP_sessionRestart: Restart EAP sessionId = 1
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> EAP_sessionRestart: Full restart EAP sessionId = 1
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> EAP_passthruProcessULTransmit: Session 1:NULL Transmit Code 1 Type 1 Method State
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> EAP_METHOD_STATE_CONTINUE
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> EAP_authStateTransition: Transition Session 1:NULL from State AuthDisabled to AuthSendRequest
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> EAP_authStateTransition: Transition Session 1:NULL from State AuthSendRequest to AuthIdle
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> DoSa2_R : detected VPN client
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> authR_out
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_useCert certchain:(nil)
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_CUSTOM_useCert group ca-cert: bits: rsa:0 ec:0
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_CUSTOM_useCert: found valid Server-Cert:Server2
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_CUSTOM_useCert: got 2 certs
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> UseCustomCert: certNum:2
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_certSetChain num:2
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_certSetChain index:0 cert-len:1023 cert:0xab4134 key:0xa26f8c keylen:2018
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_certSetChain index:1 cert-len:974 cert:0xa3c6bc key:(nil) keylen:0
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_certSetChain status:0
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> OutId: status:0 authmtd:0
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> <-- R HASH_r f1 a1 a6 c7 af ee a0 e2 fd c6 fd 00 33 08 f1 ff 6d b3 a2 3f 74 e0 e5 14 72 c6 a6
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> 71 b8 bd da 87
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> #SEND 2480 bytes to 10.201.162.101(64616) (259033.532)
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> Sending no:1 fragment out of 3 fragments size = 900
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_SAMPLE_ikeXchgSend: server instance 1 sktDescr 3
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> Sending no:2 fragment out of 3 fragments size = 900
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_SAMPLE_ikeXchgSend: server instance 1 sktDescr 3
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> Sending last fragment size = 768
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> IKE_SAMPLE_ikeXchgSend: server instance 1 sktDescr 3
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> cleanup_and_free_context delete ctx memory
    isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> udp_encap_handle_message IKEv2 pkt status:0


    Thanks 


  • 2.  RE: VIA to 7010 not established

    EMPLOYEE
    Posted Dec 12, 2022 04:45 PM
    Are you using Aruba Central to configure the VPNC?

    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: VIA to 7010 not established

    Posted Dec 13, 2022 03:38 AM
    Hi,

    I am using the web GUI to configure the standalone 7010.

    Thanks


  • 4.  RE: VIA to 7010 not established

    EMPLOYEE
    Posted Dec 13, 2022 03:41 AM
    OK, then you should use a non-SD-Branch firmware image.
    Also note that "Aruba SD-Branch from scratch - Part 6" uses an SD-Branch firmware that requires Aruba Central.




  • 5.  RE: VIA to 7010 not established

    EMPLOYEE
    Posted Dec 13, 2022 03:45 AM
    Check this guide:
    https://www.hpe.com/psnow/doc/a00098858en_us




  • 6.  RE: VIA to 7010 not established

    Posted Dec 13, 2022 06:03 AM

    Thank you for the guide.

    I will update with the result.

    Regards




  • 7.  RE: VIA to 7010 not established

    EMPLOYEE
    Posted Dec 13, 2022 08:00 AM
    When I see 'IKESA_EXPIRED', double-check that the clocks on the controller and the VIA client are synchronized. For the controller/gateway, configuring NTP is recommended.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
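
An added example, not part of the thread and not Aruba tooling: a small Python triage script for the isakmpd debug output in the original post. It extracts the IKE SA deletion with its errcode and reassembles and decodes the vendor-ID payloads that are plain ASCII, which shows that this debug output carries the client's OS string and hostname. The function names are hypothetical; the sample lines are copied from the post.

```python
import re

# Lines copied from the debug log in the original post (subset, original order).
SAMPLE = """\
isakmpd[3809]: <103103> <3809> <WARN> |ike| IKE SA Deletion: IKE2_delSa peer:10.201.162.101:50277 id:3957132487 errcode:ERR_IKESA_EXPIRED saflags:0xa00051 arflags:0x1
isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> VID: ac 4a 8e 30 60 4a 34 c8 d5 82 78 8c dd a7 d4 85 64 cd 38 fc
isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> Aruba VIA UDID detected
isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> VID: 56 49 41 20 41 75 74 68 20 50 72 6f 66 69 6c 65 20 3a 20 76 69 61 61 75 74 68
isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> check_aruba_vid: VIA Auth Profile : viaauth
isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> VID: 56 49 41 20 53 79 73 20 49 6e 66 6f 20 3a 20 3c 4f 53 3a 20 4d 69 63 72 6f 73 6f 66 74 20
isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> 57 69
isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> 6e 64 6f 77 73 20 38 20 42 75 73 69 6e 65 73 73 20 45 64 69 74 69 6f 6e 2c 20 36 34 2d 62 69 74
isakmpd[3809]: <103063> <3809> <DBUG> |ike| 10.201.162.101:64616-> 20 3e 3c 48 6f 73 74 3a 20 44 45 53 4b 54 4f 50 2d 38 4f 4c 43 4e 42 4e 3e 00
"""

# Syslog prefix, then an optional "peer-ip:port->" tag, then the message body.
PREFIX = re.compile(r"^\s*isakmpd\[\d+\]: <\d+> <\d+> <\w+> \|ike\|\s*(?:[\d.]+:\d+->)?\s*(.*)$")
DELETION = re.compile(r"IKE SA Deletion: \S+ peer:(\S+) id:\d+ errcode:(\w+)")
VID = re.compile(r"VID: ((?:[0-9a-f]{2} ?)+)$")
HEX_ONLY = re.compile(r"^[0-9a-f]{2}(?: [0-9a-f]{2})*$")

def parse(log):
    """Return (deletions, vids): (peer, errcode) tuples and raw vendor-ID payloads."""
    deletions, vids, in_vid = [], [], False
    for line in log.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        body = m.group(1).strip()
        d, v = DELETION.search(body), VID.search(body)
        if d:
            deletions.append(d.groups())
        if v:
            vids.append(bytes.fromhex(v.group(1)))
            in_vid = True
        elif in_vid and HEX_ONLY.match(body):
            vids[-1] += bytes.fromhex(body)  # the daemon wrapped a long payload
        else:
            in_vid = False
    return deletions, vids

def printable_vids(vids):
    """Decode the payloads that are plain ASCII; hashed vendor IDs are skipped."""
    texts = [v.rstrip(b"\x00") for v in vids]
    return [t.decode("ascii") for t in texts if t and all(32 <= b < 127 for b in t)]

if __name__ == "__main__":
    found, payloads = parse(SAMPLE)
    print(found, printable_vids(payloads))
```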