Occasional Contributor II
Posts: 13
Registered: ‎03-11-2014

Trouble applying configuration to mobility controller using Airwave

On our Airwave server, I made a number of changes to the configuration of a group of 3 mobility controllers (model 7210 running firmware 6.3.1.2), and applied the changes to the group. The changes included creation of a new campus WLAN and associated settings such as AAA and SSID profiles, as well as a user role, and a firewall policy.

 

All the settings got pushed out correctly, except that the firewall policy has not been applied to the user role. Both the role and the policy were applied to the controllers, though. Airwave reports that the 3 controllers have mismatched configurations, and show the following when clicking on the "mismatched" link:

   

Setting                                                           Current Device Configuration   Desired Configuration
User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Aruba AP Group   (not set)                      default
User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Policy           (not set)                      FC-RESIDENTIAL-GUEST_ACL_POLICY
User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Position         (not set)                      1
User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Status           (not set)                      Create

 

Repairing the configuration does not change the result. I cannot see any errors logged in relation to applying the configuration.

 

I have not tried changing this directly in the controller GUI and would prefer not to as our policy is to use Airwave. Please advise steps I need to take to get the Airwave to apply the firewall policy.

 

I have one other (hopefully) simple question: under the virtual AP for the WLAN in question, I have set a VLAN ID. In the AAA profile under the virtual AP profile, the role is the "FC-RESIDENTIAL-GUEST_role" from the table above. However the role itself does not have a VLAN ID assigned. The WLAN is working fine (except that the firewall policy is not applied) and the traffic is on the right VLAN once it hits the wired network, so I'm assuming that the VLAN ID doesn't need to be applied at the role level too? Or could this be related to the issue above, or be likely to cause any other complications?

 

Thanks in advance!

MVP
Posts: 4,178
Registered: ‎07-20-2011

Re: Trouble applying configuration to mobility controller using Airwave

 

Do you have PEF licenses installed on your controller?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 20,583
Registered: ‎03-29-2007

Re: Trouble applying configuration to mobility controller using Airwave

Log in to one of the controllers (must be the master) and type "show audit-trail" to see exactly what was pushed and when. You might have to go back some to find out what happened.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 13
Registered: ‎03-11-2014

Re: Trouble applying configuration to mobility controller using Airwave

Thanks for the replies.

 

Victor, the PEF licences are installed and I have previously applied firewall policies without issue.

 

Colin, checking the audit trail, all I see is the commands being executed successfully (no errors). I can see that the user role command is executed, followed by the access list policy being created and the rules added. I am not sure if there is supposed to be another command that specifically applies the policy to the role or not...?

 

When I attempt to repair the configuration from the Airwave, the following is logged:

Jun 3 09:19:19 fpcli: USER:admin@10.100.100.42 COMMAND:<no paging > -- command executed successfully
Jun 3 09:19:19 fpcli: USER:admin@10.100.100.42 COMMAND:<encrypt disable > -- command executed successfully
Jun 3 09:19:58 fpcli: USER:admin@10.100.100.42 COMMAND:<user-role "FC-RESIDENTIAL-GUEST_role" > -- command executed successfully
Jun 3 09:19:59 fpcli: USER:admin@10.100.100.42 COMMAND:<write memory > -- command executed successfully
Jun 3 09:20:12 fpcli: USER:admin@10.100.100.42 COMMAND:<no paging > -- command executed successfully
Jun 3 09:20:12 fpcli: USER:admin@10.100.100.42 COMMAND:<encrypt disable > -- command executed successfully

 

Something else I've noticed and don't understand is the first line under the mismatched config: "User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Aruba AP Group". Current config is "not set" and desired is "default". This matches what is shown by Airwave when clicking on "Controller Config" under the group with the controllers in it: the "default" AP group (which has all APs in it) has "FC-RESIDENTIAL-GUEST_role" as the user role. There are a number of roles on these controllers, so why does Airwave want to assign this role to the AP group? If and when this applies on the controllers, will it affect any other roles? Can I stop Airwave from having this as the desired configuration?

 

Thanks again,

Matt
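The audit-trail check described in the post above can be scripted. This is an added example, not part of the original thread and not Aruba or AirWave code: it parses the fpcli lines quoted in the post and reports any user-role context that was entered without a following sub-command. It assumes that each management session starts with "no paging" and that any command directly after a user-role line belongs to that role.

```python
import re

# Sample input: the audit-trail lines quoted in the post above.
AUDIT_TRAIL = """\
Jun 3 09:19:19 fpcli: USER:admin@10.100.100.42 COMMAND:<no paging > -- command executed successfully
Jun 3 09:19:19 fpcli: USER:admin@10.100.100.42 COMMAND:<encrypt disable > -- command executed successfully
Jun 3 09:19:58 fpcli: USER:admin@10.100.100.42 COMMAND:<user-role "FC-RESIDENTIAL-GUEST_role" > -- command executed successfully
Jun 3 09:19:59 fpcli: USER:admin@10.100.100.42 COMMAND:<write memory > -- command executed successfully
Jun 3 09:20:12 fpcli: USER:admin@10.100.100.42 COMMAND:<no paging > -- command executed successfully
Jun 3 09:20:12 fpcli: USER:admin@10.100.100.42 COMMAND:<encrypt disable > -- command executed successfully
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+fpcli:\s+USER:(?P<user>\S+)\s+"
    r"COMMAND:<(?P<cmd>.*?)\s*>\s+--\s+(?P<result>.*)$")
ROLE_RE = re.compile(r'user-role\s+"?([^"]+)"?$')
# Session setup/teardown commands seen in the log; not configuration content.
HOUSEKEEPING = {"no paging", "encrypt disable", "write memory"}

def parse(text):
    """Return one dict per line that matches the fpcli audit-trail format."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def split_sessions(entries):
    """Group entries into sessions (assumption: each opens with 'no paging')."""
    sessions = []
    for entry in entries:
        if entry["cmd"] == "no paging" or not sessions:
            sessions.append([])
        sessions[-1].append(entry)
    return sessions

def empty_role_pushes(entries):
    """Return (timestamp, role) for each role context with no sub-command."""
    flagged = []
    for session in split_sessions(entries):
        cmds = [e["cmd"] for e in session]
        for i, cmd in enumerate(cmds):
            m = ROLE_RE.match(cmd)
            if not m:
                continue
            nxt = cmds[i + 1] if i + 1 < len(cmds) else None
            if nxt is None or nxt in HOUSEKEEPING or ROLE_RE.match(nxt):
                flagged.append((session[i]["ts"], m.group(1)))
    return flagged

if __name__ == "__main__":
    for ts, role in empty_role_pushes(parse(AUDIT_TRAIL)):
        print(f"{ts}: role {role!r} entered, nothing pushed under it")
```
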

Guru Elite
Posts: 20,583
Registered: ‎03-29-2007

Re: Trouble applying configuration to mobility controller using Airwave

You can look at the user role in Airwave Configuration and see if it is assigned to a user group, and if it is, remove it (change it to none):

policy.png

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 13
Registered: ‎03-11-2014

Re: Trouble applying configuration to mobility controller using Airwave

Thanks Colin, the default AP group was set there, and removing it allowed the configuration to be applied without any problems.

 

To answer my own question in my original post about setting the VLAN ID on the user role to match the virtual AP: this apparently is necessary - clients had no connectivity until this was set.
