Question: Why does the RAP fail to downgrade from ArubaOS 220.127.116.11 to 18.104.22.168 RN code?
Product and Software: This article applies to RAPs that are downgrading from ArubaOS 22.214.171.124 to 126.96.36.199 RN code.
ArubaOS 5.0.2 and 188.8.131.52 RN use a different UDP port for PAPI. UDP 8209 is used in ArubaOS 184.108.40.206, and UDP 8211 is used in 220.127.116.11 RN code.
When the controller is downgraded from 18.104.22.168 to 22.214.171.124 RN code, the RAPs that run 126.96.36.199 code continuously send packets to UDP 8209. The 3.3 controller replies with ICMP destination unreachable, then all the RAPs fail to come up.
The solution is to destination NAT UDP 8209 traffic to UDP 8211, and the RAPs will downgrade eventually.
For example, the RAP role is "authenticated" in the local-userdb:
ip access-list session dst-nat-udp-8209-to-8211
any any udp 8209 dst-nat 8211
ipv6 session-acl v6-allowall