Community Home > Discuss > Technology > Network Management > Trouble applying configuration to mobility control...

Network Management

Reply
feroscare
Occasional Contributor II
feroscare

Trouble applying configuration to mobility controller using Airwave

‎06-02-2014 01:30 AM

On our Airwave server, I made a number of changes to the configuration of a group of 3 mobility controllers (model 7210 running firmware 6.3.1.2), and applied the changes to the group. The changes included creation of a new campus WLAN and associated settings such as AAA and SSID profiles, as well as a user role, and a firewall policy.

 

All the settings got pushed out correctly, except that the firewall policy has not been applied to the user role. Both the role and the policy were applied to the controllers, though. Airwave reports that the 3 controllers have mismatched configurations, and show the following when clicking on the "mismatched" link:

   

                                                                   Current Device Configuration                              Desired Configuration

 
 User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Aruba AP Group(not set)default
 User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Policy(not set)FC-RESIDENTIAL-GUEST_ACL_POLICY
 User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Position(not set)1
 User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Status(not set)Create

 

Repairing the configuration does not change the result. I cannot see any errors logged in relation to applying the configuration.

 

I have not tried changing this directly in the controller GUI and would prefer not to as our policy is to use Airwave. Please advise steps I need to take to get the Airwave to apply the firewall policy.

 

I have one other (hopefully) simple question: under the virtual AP for the WLAN in question, I have set a VLAN ID. In the AAA profile under the virtual AP profile, the role is the "FC-RESIDENTIAL-GUEST_role" from the table above. However the role itself does not have a VLAN ID assigned. The WLAN is working fine (except that the firewall policy is not applied) and the traffic is on the right VLAN once it hits the wired network, so I'm assuming that the VLAN ID doen't need to be applied at the role level too? Or could this be related to the issue above, or be likely to cause any other complications?

 

Thanks in advance!

Alert a Moderator
Message 1 of 6
2,659 Views
Reply
0 Kudos
MVP
MVP
Victor Fabian

Re: Trouble applying configuration to mobility controller using Airwave

‎06-02-2014 03:40 AM

 

Do you have a PEF licenses installed on your controller ?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Alert a Moderator
Message 2 of 6
2,642 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: Trouble applying configuration to mobility controller using Airwave

‎06-02-2014 03:53 AM

Login to one of the controllers (must be the master) and type "show audit-trail) to see exactly what was pushed and when.  You might have to go back some to find out what happened.

 

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Alert a Moderator
Message 3 of 6
2,640 Views
Reply
0 Kudos
feroscare
Occasional Contributor II
feroscare

Re: Trouble applying configuration to mobility controller using Airwave

‎06-02-2014 06:10 PM

Thanks for the replies.

 

Victor, the PEF licences are installed and I have previously applied firewall policies without issue.

 

Colin, checking the audit trail, all I see is the commands being executed successfully (no errors). I can see that the user role command is executed, followed by the access list policy being created and the rules added. I am not sure if there is supposed to be another command that specifically applies the policy to the role or not...?

 

When I attempt to repair the configuration from the Airwave, the following is logged:

Jun 3 09:19:19 fpcli: USER:admin@10.100.100.42 COMMAND:<no paging > -- command executed successfully
Jun 3 09:19:19 fpcli: USER:admin@10.100.100.42 COMMAND:<encrypt disable > -- command executed successfully
Jun 3 09:19:58 fpcli: USER:admin@10.100.100.42 COMMAND:<user-role "FC-RESIDENTIAL-GUEST_role" > -- command executed successfully
Jun 3 09:19:59 fpcli: USER:admin@10.100.100.42 COMMAND:<write memory > -- command executed successfully
Jun 3 09:20:12 fpcli: USER:admin@10.100.100.42 COMMAND:<no paging > -- command executed successfully
Jun 3 09:20:12 fpcli: USER:admin@10.100.100.42 COMMAND:<encrypt disable > -- command executed successfully

 

Something else I've noticed and don't understand is the first line under the mismatched config: "User Role 'FC-RESIDENTIAL-GUEST_role' Policy '1' Aruba AP Group". Current config is "not set" and desired is "default". This matches what is shown by Airwave when clicking on "Controller Config" under the group with the controllers in it: the "default" AP group (which has all APs in it) has "FC-RESIDENTIAL-GUEST_role" as the user role. There are a number of roles on these controllers, so why does Airwave want to assign this role to the AP group? If and when this applies on the controllers, will it affect any other roles? Can I stop Airwave from having this as the desired configuration?

 

Thanks again,

Matt

Alert a Moderator
Message 4 of 6
2,614 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: Trouble applying configuration to mobility controller using Airwave

‎06-03-2014 03:25 AM

You can look at the user role in Airwave Configuration and see if it is assigned to a user group, and if it is, remove it (change it to none):

policy.png

 

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Alert a Moderator
Message 5 of 6
2,599 Views
Reply
feroscare
Occasional Contributor II
feroscare

Re: Trouble applying configuration to mobility controller using Airwave

‎06-03-2014 08:02 PM

Thanks Colin, the default AP group was set there, and removing it allowed the configuration to be applied without any problems.

 

To answer my own question in my original post about setting the VLAN ID on the user role to match the virtual AP: this apparently is necessary - clients had no connectivity until this was set.

Alert a Moderator
Message 6 of 6
2,583 Views
Reply
Search Airheads
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2018 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium