Controllerless Networks

Hello,

 

First post here... I would appreciate any help with a problem that has stumped me for over a week now...

 

I have a 5-AP cluster in Manhattan on a 10,000 sf single floor facility (200ft by 50ft) . 3 APs provide adequate coverage, but 5 work better due to difficult materials (concrete columns, wire mesh in some walls etc). Very noisy environment (hundreds of interfering APs and many hundreds of clients), but with 5 APs I get strong signal througout.

 

Simple network setup: Watchguard XTM 330 firewall interfaces to Internet and provides DHCP service for LAN. To keep things simple, no VLANs, everything the default/native VLAN of 1. About 30 wifi clients (10 corporate ipad Airs running iOS 8.1, about 20 guest devices, which includes employee iphones, visitors etc).

 

Mission critical app requires keeping the ipads seamlessly connected to a server on site (same subnet) as they roam around the facility. Guest devices should not be allowed to access any resource in main network. I have two ssids, one for ipads (employee) and one for guest. Design goal is to avoid ipads sticking to distant AP as user roans and thus lose connectivity. Low latency/good connectivity much more important than bandwidth.

 

Employee network is Enterprise Authentication using default VC certificates, guest network has no captive portal and WAP-2 password.

 

Until about a month ago I was running 6.3.1.1-4.0 2 IAP-135s (one as the master), one IAP-105 and two IAP-93s. Clientmatch enabled. Guest network with IPs assigned by VC on a dedicated range (9.9.9.x). Employee network originally with IPs assigned by network, but ipads would occasionally disconnect and fail to reconnect for several minutes, so I switched to IPs assigned by controller in same 9.9.9.x range, and this was working much better. Guest devices prevented from accessing internal network via network-specific rules.

 

Things were running acceptably, but ipads would not always hop and occasionally disconnect, so I decided to upgrade to 6.4.2.0-4.1.1.0. This was a disaster and everything stopped working, so downgraded back. I assumed 6.4.2.0-4.1.1.0 failed because IAP-93s are not supported in VC-based authorization, so I ordered 3 IAP-205s to replace the IAP-93s and the IAP-105. New network is the two IAP-135s and the 3 IAP-205s running 6.4.2.0-4.1.1.0.

 

Things have been very rough with new network. First, I can't downgrade the firmware as anything less won't support the IAP-205s. Second, when the IAP-135s are in Access mode, once a client connects to the 135, it sticks and thus loses signal and gets disconnected. I was forced to use the 135s as spectrum monitors to make things work. I finally disconnected the 135s, figuring that once I get the network working with the 205s, I will find a way to add back the 135s.

 

So now I am running just 3 IAP-205s, but still having a lot of problems. I use network-assigned IPs, as the VC-assigned don't seem to work well. I am using the minimum DHCP configuration on the VC, providing an IP range and the DNS servers. The guest devices are still VC-assigned, and that works reasonably well, but these devices don't roam much. For employee network I have turned on 801.11k/r/v but not OKC as I don't think ipads support OKC.

 

I am having multiple issues with the ipads on the employee network. I will reset all settings on ipad, and then try to connect to network with excellent signal strength. Sometimes I get the user name and password rejected. Usually I get to the "accept certificate" point, but sometimes the ipad will freeze there, and I can see on the top left corner of the ipad rapid flashing between wifi-connected and disconnected states. About half the times the ipad will eventually connect and show checkmark. Other times, the certificate will be accepted immediately. A couple of times something weird happened: after accepting a certificate, when I moved to a different AP, I was asked to accept the certificate again. Also, the ipads with no connectivity usually show on the device list of the VC with the correct IP address, but sometimes with a 0.0.0.0 address and correct MAC.

 

Once connected, things work well, at least as long as the ipad doesn't go back to sleep or the user doesn't roam. Sometimes the pad loses wifi connectivity (and there seem to be locations near edges of facility most prone to that, where you would expect to hop from a distant AP to a nearer one). No wifi icon for minutes, even though signal is good. Sometimes, wifi icon is displayed, but there is no network connectivity, e.g. Safari will say "you are not connected to the Internet" and internal apps won't connect to server. Sometimes there is no DHCP information when connectivity is lost as above, so I tried static assignment of IP and DNS, but that didn't help. When moved back to center of facility, the ipads will eventually reconnect. I scanned for rogue DHCP servers, but that doesn't seem to be a problem.

 

So for now I have to choose between 90% working ipads that naturally disconnect when it is most inconvenient, and going back to my old setup with the 135/105/93 running older firmware. Not a happy choice. I am hoping someone will recognize and help me troubleshoot the above! It shouldn't be that difficult to make the latest ipad, IAP and firmware work together!

 

Thanks,

John B.

 

----------------

P.S. I just tried to run just the two AP-135s, and things work fine under 6.3.1.1-4.0 but I get the same disconnect problems with 6.4.2.0-4.1.1.0. Thus the problem seems to be with the 6.4.x VC and the ipads when 135s are used in the network.

Can you provide the output of "show tech-support" from the VC of your network? Have you opened a TAC case with Aruba?

Thanks,

Yan

I tried opening a case, but the IAP-205 is not an option yet!

 

Reply deleted

 

Could we try the following as a first step while I try to get you some additional assistance from TAC?

1. Can we remove the spectrum monitor setting completely from both a and g radios?
2. Can we remove the 802.11r, 802.11k, and 802.11v settings from the usld2 SSID?
3. Can we remove the blacklist setting from both SSIDs?
4. How is the connection quality on the SSID union-derm? Does it work better than usld2 or about the same?

---

@Yan Liu wrote:
Could we try the following as a first step while I try to get you some additional assistance from TAC?

1. Can we remove the spectrum monitor setting completely from both a and g radios?
2. Can we remove the 802.11r, 802.11k, and 802.11v settings from the usld2 SSID?
3. Can we remove the blacklist setting from both SSIDs?
4. How is the connection quality on the SSID union-derm? Does it work better than usld2 or about the same?

---

This helped. See updated response below.

---

Yan Liu wrote:
Could we try the following as a first step while I try to get you some additional assistance from TAC?

1. Can we remove the spectrum monitor setting completely from both a and g radios?
2. Can we remove the 802.11r, 802.11k, and 802.11v settings from the usld2 SSID?
3. Can we remove the blacklist setting from both SSIDs?

---

The network is now working, but still I get occasional disconnects of the ipads when they are supposed to hop to a new AP, and also the switching is not rapid...

 

Here is about an hour of syslogs. Can anyone help by telling me whether the errors are normal or something seems amiss? Also, should I try to go back to 802.11k and r? ipads are supposed to support this.

 

192.168.2.[1,4,5] are the IAP-205s. 192.168.2.[2,3] are the IAP-135s that are in spectrum monitor mode (things still get disastrous if I put them in access mode). 5.5.5.x are guest clients, 192.168.2.x are employee clients.

 

Thanks!

 

 

Final update:

 

I never was able to mix the IAP-135s amd IAP-205s without making the ipads sticky to the IAP-135s once they connected to them. Non-ios clients (Android or laptops) would not stick, so at least in my environment, IAP-1xx, IAP-2xx and ipads don't mix well.

 

The solution was to replace the IAP-135s with IAP-215, having no 1xx IAPs, and this has been working for a couple of days with no issues. I just couldn't spend any more time on this.

 

Incidentally, I tried to enable 802.11k/r, but this made everything worse for the ipads--Android and laptops were happy with k/r. So back to no k/r, just Client Match.

 

Time to declare victory and move on...

---

@Yan Liu wrote:
Could we try the following as a first step while I try to get you some additional assistance from TAC?

1. Can we remove the spectrum monitor setting completely from both a and g radios?
2. Can we remove the 802.11r, 802.11k, and 802.11v settings from the usld2 SSID?
3. Can we remove the blacklist setting from both SSIDs?

---

This helped. I was finally able to get a wrking network by implementing 1-3 above, as long as the IAP-135s are either turned off or are in spectrum monitor mode (i.e., don't allow any clients to connect to the 135s, and use only the 205s in access mode).

 

The two remaining issues are:

1. When ipads are sleeping it takes almost 30 seconds to reconnect to network when they wake up

2. Hopping APs takes a few seconds during which connection to the server may be dropped.

 

Any suggestions about how to address these issues? Should I try to turn back on 802.11r/k/v?

 

Also, it would be nice to be able to use the 135s, as they would provide full coverage. Shouldn't I be able to mix 135s and 205s? However when the 135s join the network as active APs, ipads that associate with a 135 disconnect for minutes or until I forget and rejoin the network, when time comes to hop to a different AP.

 

Thanks,

John B.

What is your ARM power range?

---

@tsd25108 wrote:
What is your ARM power range?

---

I have tried many combinations via the instant UI but no luck. Default is 18 to max. I have tried 9-15, 12-18, 18-18 etc. Power reported varies and doesn't seem to follow what I put in (e.g., I tried range 12-18, but still some APs were showing to transmit at 22.