How does RemoteAPs upgrade its image if image got clear?

Aruba Employee

Symptoms : For Remote AP to work we need below ports to be allowed.

1. TFTP udp port 69 (when the AP has corrupted image or we do "Clear OS" under RAP console)
2. NAT-T udp port 4500. (A
fter the RAP IPSsec connection is formed, all PAPI/GRE are tunneled through this IPsec nat-t session.)


NOTE: If we disable TFTP after RAP is UP then we might face issues if RAP image gets corrupted and it will not come up because its unable to download new image from controller.

 

Cause : rtaImage.png

 

As above we can see from RAP boot process.
1. RAP is checking it's Image file.
which is invalid image format
2. Eth0 "Uplink" port comes UP
3. RAP gets IP address and discover controller IP address.
4. initiate TFTP to server address.
5. Boot from correct image.


We can confirm same from Controller CLI

rtaImage.png

User-added image

User-added image

Above are three different ways to checking "show datapath session table" command output to check if AP is doing TFTP (Port 69)

Also we can check same with RAP uplink or controller uplink packet captures.

User-added image

Above screen shot we can see RAP is sending TFTP traffic first before initiating ISAKMPD/ESP traffic as it's doesn't have image.

 

Resolution : If we have allowed only port 4500 between RAP and Controller then RAP might not come up after "Image corrupted" or "clear OS" as tftp is not inside IPSec.

 

Answer : If APs doesn't have image file/ correct image file; it will first try tftp to download image from controller before any other traffic i.e. ISAKMPD/ESP to form IPSec.

Version history
Revision #:
1 of 1
Last update:
‎07-14-2014 11:54 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: