Occasional Contributor II

AP125 issue

After upgrading the OS from 3.3.2.15 to 3.4.0.2 and provisioning and reprovisioning AP125s, I have had a couple of working AP125s go defunct. One of these AP125s is constantly rebooting, but it does show up on the AP provision table in between reboots. This is what I see when I am connected to the console port:

eth0: Link down
secure_jack_link_state_change: Error finding device eth0
bonding: bond0: link status definitely down for interface eth0, disabling it
bonding: bond0: now running without any active interface !
eth0: 100Mbs Full duplex, port 1, queue 1
bonding: bond0: link status definitely up for interface eth0.
bonding: bond0: making interface eth0 the new active one.
asap_gre_err: Received ICMP (DEST_UNREACH, PROT_UNREACH) from xxx.xxx.xxx.xxx <60
asap_gre_err: Received ICMP (DEST_UNREACH, PROT_UNREACH) from xxx.xxx.xxx.xxx <60
Shutting down eth1 due to insufficient POE voltage

I purged this AP and set the environments. Any ideas as to the cause? The AP role and ACL haven't changed .....

Also, how are your access points connected to your controller - via trunk port or via separate access port on controller? or what is best practice?

LP
Guru Elite

Config


Luca,


It looks like you have a reachability issue with your controller. Is there a firewall between your APs and your controller? APs should be on an access port. What you might want to do is console into the AP and interrupt the boot during the countdown until you get to the "apboot>" prompt. Type "DHCP" so it can get an IP address and then type "ping " to make sure it can get to the controller properly. It looks like the AP is being redirected to a public IP address...is that the IP address that the AP needs to connect to? If you need APs to connect to the private IP address, use the Controller IP function in 3.4.0.2 http://airheads.arubanetworks.com/vBulletin/showthread.php?t=1407 to make the controller IP something else. The controller IP in the controller is special, because, no matter what IP address an AP contacts a controller on initially, it will redirect the AP to the controller or switchip for the initial contact.

Let us know how you do.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: AP125 issue

Colin - can you remove my public IP from your post? It was an oversight on my part. Thanks for the heads up.

LP
Occasional Contributor II

Re: AP125 issue

I configured an access port on my controller for the access point network. Other than sniffing, how can I determine if the APs are now passing traffic and GRE tunnels are being created through this port?

Guru Elite

traffic

Luca,

You can do a "show datapath session table " on the controller to see if there is any traffic coming to the controller from that AP. http://airheads.arubanetworks.com/vBulletin/showthread.php?t=942&highlight=datapath

Did you try to ping the controller from the AP?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Icmp

Yes, I can ping the controller ip. I also made a few configuration changes on the controller adding the private network vlan and creating its interface ip then assigning the vlan to the trunk port. Had problems creating the access port on controller and getting the gre tunnel to pass through.

The AP125 in question is back on the network and is stable, but still getting the ICMP unreachable at times.

Protocol 47 is gre and what is protocol 17? I pasted a datapath session below:

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
xxx.xxx.xxx.xxx 192.168.14.91 17 514 49152 0 0 0 2 0/0 20 FY
0 0 0 2 0/0 FY
192.168.14.91 xxx.xxx.xxx.xxx 17 49152 514 0 0 0 2 0/0 20 FYC
0 0 0 2 0/0 FYC
192.168.14.91 xxx.xxx.xxx.xxx 47 0 0 0 0 0 15 0/0 61f FC
0 0 0 0 0/0 FC
192.168.14.91 xxx.xxx.xxx.xxx 17 19591 2 0 0 0 14 0/0 d9 FC
0 0 0 15 0/0 FC
192.168.14.91 xxx.xxx.xxx.xxx 17 19644 2 0 0 0 2 0/0 20 FC
0 0 0 2 0/0 FYC
192.168.14.91 xxx.xxx.xxx.xxx 17 19628 2 0 0 0 6 0/0 63 FC
0 0 0 7 0/0 FYC
192.168.14.91 xxx.xxx.xxx.xxx 17 8211 8211 0 0 0 13 0/0 cf FYC
0 0 0 0 0/0 FC
192.168.14.91 192.168.14.6 17 8211 8211 0 0 0 9 local 4f2 F
0 0 0 7 local F
192.168.14.6 192.168.14.91 17 8211 8211 0 0 0 1 local 4f2 FC
0 0 0 86 local FYC
xxx.xxx.xxx.xxx 192.168.14.91 47 0 0 0 0 0 0 0/0 61f F
0 0 0 106 0/0 F
xxx.xxx.xxx.xxx 192.168.14.91 17 8211 8211 0 0 0 12 0/0 cf FY
0 0 0 14 0/0 FY

What is the best practice to connect APs to the controller via network?

Guru Elite

Protocol 17


Luca,

Protocol 17 is UDP traffic. Protocol 17 with UDP port 8211 is PAPI, or the AP's control channel. 514 is syslog that the AP sends back to the controller. 47 of course is GRE, that the user traffic is tunneled over.

APs should connect to the controller, but should NOT cross a NAT boundary. Is there a firewall separating the 192.168.14.x network and the IP address that the AP is connecting to the controller? Is it doing some sort of NAT?


Colin Joseph
Aruba Customer Engineering
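
Added example, not part of the original thread and not Aruba tooling: a small parser for pasted "show datapath session table" output that labels each flow using the protocol and port meanings given in the reply above and reports which services were seen in only one direction for a given AP. The sample rows and addresses are constructed, and treating a one-way entry as a hint to check the path or ACL is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout pasted in the thread;
# addresses are documentation ranges, not values from the page.
SAMPLE = """\
Source IP      Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- --------------  ---- ----- ----- ---- ---- --- --- ----------- ---- -----
192.0.2.91     198.51.100.10   17   49152 514   0    0    0   2   0/0         20   FYC
0 0 0 2 0/0 FYC
192.0.2.91     198.51.100.10   47   0     0     0    0    0   15  0/0         61f  FC
198.51.100.10  192.0.2.91      47   0     0     0    0    0   0   0/0         61f  F
192.0.2.91     198.51.100.10   17   8211  8211  0    0    0   13  0/0         cf   FYC
192.0.2.91     198.51.100.10   17   19591 2     0    0    0   14  0/0         d9   FC
"""

# src, dst, protocol, source port, destination port; header, rule and
# wrapped continuation rows do not match this pattern.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s")

def classify(proto, sport, dport):
    """Label a flow: 47 = GRE, UDP 8211 = PAPI, UDP 514 = syslog."""
    if proto == 47:
        return "GRE"
    if proto == 17 and 8211 in (sport, dport):
        return "PAPI"
    if proto == 17 and 514 in (sport, dport):
        return "syslog"
    return "udp-other" if proto == 17 else f"proto-{proto}"

def parse_sessions(text):
    """Yield (src, dst, proto, sport, dport) for each full session row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and "." in m.group(1):
            src, dst, proto, sport, dport = m.groups()
            yield src, dst, int(proto), int(sport), int(dport)

def ap_flow_summary(text, ap_ip):
    """Map each service label to the directions seen for this AP."""
    seen = defaultdict(set)
    for src, dst, proto, sport, dport in parse_sessions(text):
        if ap_ip in (src, dst):
            direction = "from_ap" if src == ap_ip else "to_ap"
            seen[classify(proto, sport, dport)].add(direction)
    return {svc: sorted(dirs) for svc, dirs in seen.items()}

def missing_directions(summary, required=("PAPI", "GRE")):
    """Return {service: [directions not seen]} for the required services."""
    gaps = {s: sorted({"from_ap", "to_ap"} - set(summary.get(s, []))) for s in required}
    return {s: d for s, d in gaps.items() if d}
```

Calling `missing_directions(ap_flow_summary(SAMPLE, "192.0.2.91"))` on the constructed sample reports PAPI with no entry toward the AP, while GRE appears both ways.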


Occasional Contributor II

Re: AP125 issue

No NAT'ing and there is a Cisco ACL between the two networks, but I have rules allowing any traffic in and out of these networks. I think the problem lies within my controller and how the controller is routing and/or possibly blocking this traffic. Any suggestions on what to check.....???

Occasional Contributor II

Re: AP125 issue

Colin - did you configure the VLAN the APs reside in on the controller as a VLAN interface with an IP?

Guru Elite

AP configuration

Luca,

You could configure your AP on the same VLAN as the controller to troubleshoot your issue. It is a best practice to have APs on the same side of the firewall as the controller. If your controller has interfaces on the private and public network, put your APs on the private network so you can eliminate any issues that NATting or ACLs would cause. The APs do NOT have to be on the same subnet as the controller, you just need to make sure that there is nothing that would block any traffic between the AP and the controller.

Do a "show switch ip" to see what the controller IP address is. No matter how APs contact the controller, they will then redirect to the switch ip to contact it. If the output of this command is the public address, you might want to change the "switch ip" by using the command here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=1407 to change it to a private VLAN on the controller that the AP can reach. That way, the AP will not try to contact the controller on the public side, and will not be forced to go through the ACLs.


Colin Joseph
Aruba Customer Engineering
