Occasional Contributor II
Posts: 17
Registered: ‎02-13-2017

Issues with ZTP and Airwave

We're investigating the possibility of using Airwave to partially provision (or fully manage) new switches that we bring into the network. We came across Zero Touch Provisioning (ZTP) and followed this KB16.01 manual but have been struggling to get things to work. (Please keep in mind that I have not been fully trained on Airwave.)

 

I'm performing the ZTP tests on a factory-reset (`erase all`) 5406R with Airwave 8.2.2.1. Airwave has both a group and a folder called "AutoprovisionSwitches" for temporary placement. We're using VitalQIP as our DNS/DHCP servers. In a testing VLAN/subnet I have a Manual DHCP address set up and a testing DHCP Template assigned. Following the "Configure AirWave details in DHCP (preferred method)" section of the manual (pg. 270), the template has the following fields:

 

 

  • Domain Name (15,dn): ourdomain.com
  • Domain Name Server (6,ds): ourdns1.com; ourdns2.com
  • Router (3,gw): 10.3.35.1
  • Subnet Mask (1,sm): 255.255.255.0
  • Vendor Specific Information (43,vs): AutoprovisionSwitches:AutoprovisionSwitches,<IP of Airwave>,<blank>
  • Vendor Class Identifier (60,ck): ArubaInstantAP

The switch will boot, accept the DHCP address, but then will display the following in the logs:

 

I 02/13/17 16:41:48 05103 amp-server: AM1: received invalid AMP server details :
            STAKFREESTAKFREESTAKFREESTAKFREESTAKAutoprovisionSwitches:Autoprovis
            ionSwitches
0(admin, STAKFREESTAKFREESTAKFREESTAKFREESTAKFR

I'm not sure what to make of this. My first thought is that I had misspelled the folder and group, however I directly copy-pasted each value from Airwave. The IP matches what is shown in the "AMP Setup --> Network" configuration menu. ACLs are all correct (we use this VLAN for setup of new APs or troubleshooting any problematic ones), the switch can ping Airwave, and manually adding the switch displays the correct information. I wasn't sure what the shared secret was (since we don't have a whitelist set up) and tried both "admin" and leaving the section blank, however the error message persists.

 

I can't seem to find anything through the Search bar and Google is telling me that 'aruba FREESTAK' doesn't return any results. Any thoughts or suggestions?

MVP
Posts: 510
Registered: ‎11-04-2011

Re: Issues with ZTP and Airwave

Kent,

It took me some time in lab to find out that the Airwave provisioning string should not be sent out as Attribute 43, but as Attribute 43 with vendor-suboption 146. After I read the documentation again, I found that I forgot to configure the suboption and in that case the switch will ignore the provisioning.

 

In my case I used DNSMasq as the DNS server, and there the config will look like:

 

dhcp-option=net:arubaswitch,set:vlan10,encap:43,146,"Team1:Team1,10.1.254.25,password"

.. where the relevant part is starting: encap:43, which does an encapsulated option 43 with vendor suboption 146.

 

Here are some screenshots from Windows DHCP for this option:

[Screenshots: dhcp-ztp-win3.png, dhcp-ztp-win2.png]

In the end, this part of the documentation got me on the right track:

http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/16-01/5200-0137_MCG/content/ch11s07.html

 

Let me know if you could make it work...

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Occasional Contributor II
Posts: 17
Registered: ‎02-13-2017

Re: Issues with ZTP and Airwave

Ok, at first I didn't understand what was meant by "encapsulated DHCP option" but I found a few documents and links that helped clarify it. From the document (4-8), it appears that VitalQIP expects this as a hex stream without a colon-delimiter in option 43. I've changed the value to 

92254175746F70726F766973696F6E53776974636865733A4175746F70726F766973696F6E53776974636865732C31302E34382E34302E322C

I'm currently waiting to upgrade all of our chassis to 16.03 (currently 15.17). Until they're ready, could you explain what the "shared secret" is, or where on Airwave I would find it? (Or what the default value should be.)

MVP
Posts: 510
Registered: ‎11-04-2011

Re: Issues with ZTP and Airwave

That hex string looks like what I found in my packet captures when I found out about the vendor suboption. The first byte 92(hex) equals 146(decimal); and the second byte is probably the length of the attribute.

 

For the shared secret: http://www.arubanetworks.com/techdocs/InstantWenger_Mobile/Advanced/Content/About%20Shared%20Key.htm

 

The Shared Secret key is used by the administrator to manually authorize the first Virtual Controller for an organization. Any string is acceptable.

 

So it is that you can see and verify the secret in Airwave before you accept a new device. You need to put something in; in your current string it ends with a comma, so put abc, password, secret or anything in if you don't care. Also your Group/Folder name AutoprovisionSwitches is quite long; in my experience, you keep a better overview if you keep folder and group names short; it should work though.

 

Occasional Contributor II
Posts: 17
Registered: ‎02-13-2017

Re: Issues with ZTP and Airwave

[ Edited ]

Thanks for the help and clarification! I assumed that the "secret" key was something universally set when the controllers were installed. I chose an arbitrary string for the time being. After a few more configuration tweaks, the device successfully registered with AMP. A huge relief!

 

It looks like the problem was almost completely with VitalQIP. (Another reason to avoid it.) I missed one step in the instructions where the hex stream needs to be enclosed in brackets for the server to correctly interpret the sub-options.

 


 Should anyone also end up here, these are the steps we took:

 

  • VitalQIP
    • DHCP Option Template
      • Vendor Specific Information (43,vs): [922C4E65775377697463683A4E65775377697463682C31302E31302E31302E322C6175746F70726F766973696F6E]
      • (’,NewSwitch:NewSwitch,10.10.10.2,autoprovision)
      • (Note: your hex stream will differ. Use an online editor or HxD for ease)
    • Assign template to IP space/address
    • Generate Addresses (DHCP -> IPv4 -> DHCP Servers -> [Select one] -> Actions -> DHCP Generation)
  • Airwave
    • Once registered, the device shows under AP/Devices -> New
    • Adding the device will send it to the Group and Folder assigned to it under the DHCP option. You cannot change this from Airwave unless you add it with Read/Write management.

Thanks again Herman! This brings us one step closer to automating our workflow :D
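
The encoding discussed in the posts above, as an added example that is not part of the thread and not Aruba or VitalQIP code: a Python sketch that builds the bracketed option 43 hex stream (sub-option 146, one length byte, ASCII payload) and checks an existing one before it goes into a DHCP template. It assumes a single sub-option per value, as in the posted string; the function names are hypothetical. Decoding also makes visible that the shared secret travels as plain ASCII in the DHCP reply.

```python
import ipaddress

SUBOPT_AMP = 146  # 0x92, the vendor sub-option named in the thread

# Bracketed value posted in the thread's VitalQIP steps.
PAGE_VALUE = ("[922C4E65775377697463683A4E65775377697463682C"
              "31302E31302E31302E322C6175746F70726F766973696F6E]")


def build_option43(group, folder, amp_ip, secret, brackets=True):
    """Return option 43 as hex: sub-option code, length byte, ASCII payload."""
    ipaddress.ip_address(amp_ip)  # raises ValueError on a malformed address
    if not secret:
        # The thread's advice: the last field must not be left blank.
        raise ValueError("shared secret must not be empty")
    payload = f"{group}:{folder},{amp_ip},{secret}".encode("ascii")
    if len(payload) > 255:
        raise ValueError("payload exceeds the one-byte length field")
    stream = (bytes([SUBOPT_AMP, len(payload)]) + payload).hex().upper()
    return f"[{stream}]" if brackets else stream


def parse_option43(value):
    """Decode a hex stream, with or without brackets, and check its framing."""
    raw = bytes.fromhex(value.strip().strip("[]"))
    if len(raw) < 2:
        raise ValueError("need at least a code byte and a length byte")
    code, length, payload = raw[0], raw[1], raw[2:]
    if code != SUBOPT_AMP:
        raise ValueError(f"sub-option is {code}, expected {SUBOPT_AMP}")
    if length != len(payload):
        raise ValueError(f"length byte says {length}, payload has {len(payload)}")
    fields = payload.decode("ascii").split(",")
    if len(fields) != 3 or ":" not in fields[0]:
        raise ValueError("expected Group:Folder,AMP-IP,secret")
    group, folder = fields[0].split(":", 1)
    ipaddress.ip_address(fields[1])
    if not fields[2]:
        raise ValueError("shared secret is empty")
    return {"group": group, "folder": folder,
            "amp_ip": fields[1], "secret": fields[2]}


if __name__ == "__main__":
    print(parse_option43(PAGE_VALUE))
    print(build_option43("NewSwitch", "NewSwitch", "10.10.10.2", "autoprovision"))
```
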

MVP
Posts: 510
Registered: ‎11-04-2011

Re: Issues with ZTP and Airwave

Thanks for that feedback.

 

For the 'Airwave: Ensure that your Group and Folder exist'; that is not needed. The Group and Folder are created automatically when the switch connects to Airwave for the first time. Though, you will not have templates in there if it is autocreated, which makes the automatic provisioning difficult. How I typically do it, is have one switch create the folder and group, then configure the switch, pull the template from that switch, customize, and use that for ZTP-ing the other switches.
