I have an issue with RAP in a new deployment with two VMMs and one 7210 Mobility Controller (for now; then I'll add two controllers).
The problem is when I try to convert an IAP to a RAP: the Mobility Controller (MD) is behind a NAT that is configured for the Mobility Controller DMZ IP address, <PUBLIC_IPADDR: 4500> -> <DMZ_IPADDR_MC: 4500>. The firewall can reach the Mobility Controller DMZ IP address.
I have already configured the VPN pool, enabled NAT-T, configured the shared secret and the RAP whitelist, and also created a local user with an AP role, but it still doesn't work.
I see the UDP 4500 session on the Mobility Controller with the command “show datapath session | include 4500”.
But when I run the command “show crypto ipsec sa” I see only the Mobility Device session with the Virtual Mobility Master.
I find the output below strange, from the command “show log security all”:
Feb 23 17:53:39 :103063: <3600> <DBUG> |ike| exchange_start_ikev2 pre-connect check duplicate mapname:default-local-master-ipsecmap
I already have a tunnel established with the Virtual Mobility Master; can this be a problem?
Has anyone experienced this problem?
I have some environments working with RAP; the only difference in this new scenario is the VMMs.
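One way to see how far the RAP's IKE exchange actually gets through the <PUBLIC_IPADDR: 4500> -> <DMZ_IPADDR_MC: 4500> forward is to capture UDP/4500 on the firewall and look at the packets rather than at the controller's session table. The script below is an added example, not code from the original post or from Aruba: it classifies each UDP/4500 payload per RFC 3948 (one-byte NAT-T keepalive, IKE behind the four-byte non-ESP marker, or UDP-encapsulated ESP), decodes the IKEv2 fixed header per RFC 7296, and reports whether IKE_SA_INIT and IKE_AUTH requests from the RAP were answered. The capture it runs on is constructed inline; `RAP_IP` and `PUBLIC_IPADDR` are placeholder names, and the packet bodies are zero padding, since only the headers matter for this triage.

```python
"""Triage of IPsec NAT-T traffic on UDP/4500 as captured at a NAT firewall.

Added example (not from the original post or from Aruba). Classifies each
UDP/4500 datagram per RFC 3948, decodes the IKEv2 fixed header per RFC 7296,
and reports how far the RAP's handshake got.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: IKE on UDP/4500 is prefixed with four zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s.2.3: one-byte NAT-T keepalive
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20   # RFC 7296 s.3.1 header flag bits


def parse_ikev2_header(hdr: bytes) -> dict:
    """Decode the 28-byte IKEv2 fixed header that follows the non-ESP marker."""
    if len(hdr) < 28:
        return {"kind": "ike", "error": "short header"}
    ispi, rspi, _next, version, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", hdr[:28])
    return {
        "kind": "ike",
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": IKEV2_EXCHANGES.get(exch, f"unknown({exch})"),
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "ispi": ispi,
        "rspi": rspi,
        "msg_id": msg_id,
        "length": length,
    }


def classify_udp4500(payload: bytes) -> dict:
    """Tell a NAT-T keepalive, an IKE message and UDP-encapsulated ESP apart."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return parse_ikev2_header(payload[4:])
    if len(payload) >= 8:                       # ESP: SPI (never zero) then sequence number
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "unknown", "len": len(payload)}


def handshake_status(packets) -> str:
    """packets: iterable of (src_ip, dst_ip, udp_payload) seen at the NAT.

    Returns a one-line verdict on how far the IKEv2 exchange got. Requests and
    responses are matched on the initiator SPI, which the NAT does not change.
    """
    requests, responses = set(), set()
    for _src, _dst, payload in packets:
        info = classify_udp4500(payload)
        if info["kind"] != "ike" or "error" in info:
            continue
        (responses if info["response"] else requests).add((info["ispi"], info["exchange"]))
    if not requests:
        return "no IKE request on UDP/4500: RAP traffic is not reaching the NAT, or is not on 4500"
    for exch in ("IKE_SA_INIT", "IKE_AUTH"):
        pending = {spi for spi, e in requests if e == exch}
        if not pending:
            return f"{exch} never sent by the RAP"
        unanswered = pending - {spi for spi, e in responses if e == exch}
        if unanswered:
            return (f"{exch} sent but not answered for {len(unanswered)} SA(s): "
                    "check the 4500 forward, the return path and the responder's log")
    return "IKE_AUTH answered: IKE completed through the NAT; look at the IPsec SA and role side"


def ike_packet(ispi, rspi, exch, flags, msg_id, body_len=0) -> bytes:
    """Build a minimal IKEv2 message (real header, zero-filled body) for the constructed capture."""
    hdr = struct.pack("!QQBBBBII", ispi, rspi, 33, 0x20, exch, flags, msg_id, 28 + body_len)
    return NON_ESP_MARKER + hdr + b"\x00" * body_len


# Constructed capture (placeholder addresses): IKE_SA_INIT answered, IKE_AUTH not.
SAMPLE_CAPTURE = [
    ("RAP_IP", "PUBLIC_IPADDR", ike_packet(0x1111, 0, 34, FLAG_INITIATOR, 0, 200)),
    ("PUBLIC_IPADDR", "RAP_IP", ike_packet(0x1111, 0x2222, 34, FLAG_RESPONSE, 0, 200)),
    ("RAP_IP", "PUBLIC_IPADDR", ike_packet(0x1111, 0x2222, 35, FLAG_INITIATOR, 1, 400)),
    ("RAP_IP", "PUBLIC_IPADDR", NAT_KEEPALIVE),
]

if __name__ == "__main__":
    for src, dst, payload in SAMPLE_CAPTURE:
        print(src, "->", dst, classify_udp4500(payload))
    print(handshake_status(SAMPLE_CAPTURE))
```

To use it on a real capture, extract the UDP payloads of port 4500 packets from a tcpdump taken on the NAT firewall and feed them as (src, dst, payload) tuples; a verdict of "IKE_SA_INIT sent but not answered" points at the forward or the return path, while "IKE_AUTH answered" means the problem is past IKE and on the controller side.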