How do we troubleshoot a RAP which is stuck during an upgrade?

Aruba Employee

Whenever you upgrade a controller with a newer version of code it will push out a file to each RAP and CAP, This file is approx about 3 - 4 MB in size depending on the model of the AP and if there are too many APs deployed it may take a while for all the APs to get upgraded over a slower uplink

But if we see a RAP struck in upgrading state for a long time although connectivity to the controller is good, it could be due to the fact that the FTP & TFTP is not allowed on the role "ap-role". The "ap-role" is the default role in which a RAP falls in.

Note: - If CPsec enabled, RAP's will come up in sys-ap-role

 

Environment:

This article applies to Aruba Mobility Controllers running ArubaOS version 5.0.0.0 and Above.
The configuration and verification steps mentioned in this article are tested on Aruba 3200XM Mobility Controller running AOS version 6.3.0.0.

 

 

Symptoms of this issue are as follows:


Aruba(3200XM) # show ap database | include RAP3
RAP3           RAP_ap_group      RAP-5WN  192.168.10.15  Upgrading       Rc2I   172.24.205.106

 

 

Check the Datapath Session for the Flags:

Aruba (3200XM) # show datapath session | include 192.168.250.175
192.168.10.15   172.24.205.106    6    54598 21     0/0     0 0   0   tunnel   228   b    FDYC


If you see D Flag, it may be due to blocked FTP in the AP role ACL

The RAPs eventually use TFTP to upgrade if FTP is not allowed but TFTP is the slowest transfer method, and is not very resilient over WAN links.



Verify the role "ap-role"  for FTP and TFTP :

(Aruba3200XM) # show rights ap-role

Derived Role = 'ap-role'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 4/0
 Max Sessions = 65535


access-list List
----------------
Position  Name        Type     Location
--------  ----        ----     --------
1         ra-guard    session
2         control     session
3         ap-acl      session
4         v6-control  session
5         v6-ap-acl   session

ra-guard
--------
Priority  Source  Destination  Service           Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------           ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          icmpv6 rtr-adv    deny                             Low                                                           6
control
-------
Priority  Source  Destination  Service       Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------       ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          udp 68        deny                             Low                                                           4
2         any     any          svc-icmp      permit                           Low                                                           4
3         any     any          svc-dns       permit                           Low                                                           4
4         any     any          svc-papi      permit                           Low                                                           4
5         any     any          svc-sec-papi  permit                           Low                                                           4
6         any     any          svc-cfgm-tcp  permit                           Low                                                           4
7         any     any          svc-adp       permit                           Low                                                           4
8         any     any          svc-tftp      permit                           Low                                                           4
9         any     any          svc-dhcp      permit                           Low                                                           4
10        any     any          svc-natt      permit                           Low                                                           4

ap-acl
------
Priority  Source  Destination  Service        Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------        ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          svc-gre        permit                           Low                                                           4
2         any     any          svc-syslog     permit                           Low                                                           4
3         any     user         svc-snmp       permit                           Low                                                           4
4         user    any          svc-snmp-trap  permit                           Low                                                           4
5         user    any          svc-ntp        permit                           Low                                                           4
6         user    any          svc-ftp        permit                           Low                                                           4



If the ACL for FTP is present, then ensure that connectivity from the Controller to the RAP is solid and verify if the Controller uplink bandwidth can handle all the traffic when all RAPs upgrade at a time and Its worth to mention that starting from AOS 6.3 a new feature called " ap image preload" is introduced in order to minimize the load on the controller while the RAP upgrades, only a certain number of APs will be allowed to download the new image at a time (this value is configurable).

But if you dont find an ACL for FTP then add an ACL for FTP on the role "ap-role"


To open ACL for FTP on role "ap-role" :

(Aruba3200XM) # config term
(Aruba3200XM) (config) #ip access-list session ap-acl
(Aruba3200XM) (config-sess-ap-acl)#any any svc-ftp permit position 8 queue low
 (Aruba3200XM) # show rights ap-role     -----------------> To verify the above ACL appears on the list
(Aruba3200XM)  # write memory


Note: - user-role "ap-role" is an internal role used by RAP’s and should be edited with caution.

Version history
Revision #:
1 of 1
Last update:
‎07-11-2014 01:55 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: