Question: Why does the RAP5 not come up after the controller has upgraded to ArubaOS 5.0?
Product and Software: This article applies to all Aruba controllers and RAP5s when they are upgraded to ArubaOS 5.0 or later.
- The RAP5 was reset to factory defaults and is able to terminate on the controller.
- If the RAP5 is rebooted or power cycled later, it is not able to terminate on the controller. This means that all RAPs will be down forever.
- No UDP 4500 is observed on the controller from the RAP.
- No rapconsole is available from the RAP5.
- RAP5 can be recovered only if the RAP5 is returned to factory defaults and is reprovisioned.
- RAP5 works fine with static IP addressing.
- A port mirror of the AP uplink shows that the RAP5 keeps sending DHCP requests with the same transaction ID even though the DHCP server has sent the DHCP ACK.
The root cause of this problem is that the ap-uplink-acl is empty, so its effect is "any any any deny". Support for backup/always-on VAP means that the AP saves all the ACLs to flash memory. This ap-uplink-acl is therefore available to the AP during boot, before the DHCP operation is complete, and the DHCP ACK/OFFER frames from the DHCP server are subject to ap-uplink-acl processing. As a result, the RAP keeps repeating DHCP requests without obtaining an IP address, and rapconsole is not available.
If you upgrade a RAP controller from an earlier version to ArubaOS 5.0, make sure ap-uplink-acl is not empty. At minimum, it must contain the following line at the top of the policy:
"any any udp 68 permit"
Otherwise, you have to reset all the RAPs and reprovision them one by one. A fresh provision works because the ACL and VAP data in AP flash memory are ignored after a factory default. Therefore, the AP is not able to pull the ap-uplink-acl until it establishes IPsec with the controller and completes the image upgrade.
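A pre-upgrade check for the condition described above, as an added example that is not part of the original article or Aruba's tooling: it reads an exported controller configuration and reports whether ap-uplink-acl is empty or lacks the DHCP permit as its first rule. The export layout (an `ip access-list session <name>` header followed by indented rule lines and a closing `!`), the function names and the sample configurations are assumptions made for illustration.

```python
ACL_NAME = "ap-uplink-acl"
REQUIRED_FIRST_RULE = "any any udp 68 permit"  # line the article requires at the top

def extract_acl_rules(config_text, acl_name=ACL_NAME):
    """Return the ACL's rule lines (whitespace-normalized), or None if absent.

    Assumed export layout: an 'ip access-list session <name>' header, then
    indented rule lines, ended by '!' or the next unindented line.
    """
    rules = None
    for raw in config_text.splitlines():
        if rules is None:
            if raw.split() == ["ip", "access-list", "session", acl_name]:
                rules = []
            continue
        stripped = raw.strip()
        if stripped == "!" or (stripped and not raw[0].isspace()):
            break
        if stripped:
            rules.append(" ".join(stripped.split()))
    return rules

def audit_ap_uplink_acl(config_text):
    """Classify the ACL as 'not-found', 'empty', 'dhcp-permit-not-first' or 'ok'."""
    rules = extract_acl_rules(config_text)
    if rules is None:
        return "not-found"
    if not rules:
        return "empty"  # acts as "any any any deny": DHCP OFFER/ACK dropped at boot
    if rules[0] != REQUIRED_FIRST_RULE:
        return "dhcp-permit-not-first"
    return "ok"

# Constructed sample exports (not taken from a real controller).
EMPTY_ACL = """\
ip access-list session ap-uplink-acl
!
"""
FIXED_ACL = """\
ip access-list session ap-uplink-acl
  any any udp 68 permit
!
"""
MISPLACED = """\
ip access-list session ap-uplink-acl
  any any udp 4500 permit
  any any udp 68 permit
!
"""

if __name__ == "__main__":
    for name, cfg in [("empty", EMPTY_ACL), ("fixed", FIXED_ACL), ("misplaced", MISPLACED)]:
        print(name, "->", audit_ap_uplink_acl(cfg))
```

Any result other than `ok` means the ACL should be corrected on the controller before RAPs are rebooted under ArubaOS 5.0.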