Wireless Access

Occasional Contributor II
Posts: 12
Registered: ‎08-29-2011

AP provision through vpn tunnel

I have a couple of AP-93's that I am trying to connect to a 3400 on the other side of a VPN tunnel. The AP's will show up as status "upgrading" after a long while, and then disappear again. This continues over and over. I tried setting the MTU to 1300 on the ap system-profile, but this doesn't seem to help.

 

The AP's hadn't been provisioned before, so they ended up with the default profile. My best bet right now is to do a purge and reset the AP's and try again.

 

Any suggestions?

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: AP provision through vpn tunnel

How are you setting up the AP-93? Are you hard coding the controller IP / master IP on the AP?

 

(assuming this is a master/local scenario)

 

My guess would be that they cannot communicate with the controller IP address that they are being assigned to. You could even try creating a new ap group, setup the LMS as the master IP address, and provision them in there. If that works, you know it's a problem with them getting to the local.

Thanks,

Zach Jennings
Aruba Employee
Posts: 10
Registered: ‎04-02-2007

Re: AP provision through vpn tunnel


If the AP-93 is new, it is very possible that it does not have an ArubaOS image. It will use its firmware to download the ArubaOS image via tftp by resolving aruba-master.yourdomain.com (where yourdomain.com is the domain it received via dhcp).

To override the server name resolution, you could hard-code the server-ip and master environment variables by dropping into the apboot prompt and entering the following:

setenv serverip xx.xx.xx.xx

setenv master xx.xx.xx.xx

save

reset

 

Once the AP-93 downloads its code via tftp, it will boot up and attempt to contact the master controller. Once it does, it will download the version running on the master via ftp. I suggest version 6.1.3.1 on the controller for best results.

 

Occasional Contributor II
Posts: 12
Registered: ‎08-29-2011

Re: AP provision through vpn tunnel

Hi,

I checked now, and can see traffic going to and from the controller and AP's. I am setting the controller through dhcp options 43 and 60. Will try to add aruba-master record in dns.

Occasional Contributor II
Posts: 12
Registered: ‎08-29-2011

Re: AP provision through vpn tunnel

Now the AP changes state to denied. In the whitelist, they have a state of "approved-ready-for-cert".

The log shows the following messages:

 

Unsecure AP "d8:c7:c8:c8:98:8d" (MAC d8:c7:c8:c8:98:8d, IP x.x.x.x) has been denied access because Control Plane Security is enabled and the AP is not approved.

 

<303086> <ERRS> |AP d8:c7:c8:c8:99:3e@x.x.x.x nanny| Process Manager (nanny) shutting down - AP will reboot!

<303022> <WARN> |AP d8:c7:c8:c8:98:8d@x.x.x.x nanny|  Reboot Reason: AP rebooted Tue Apr 24 07:10:58 GMT 2012; SAPD: Reboot after image upgrade failed: -1

 

This problem only occurs for AP's going through VPN tunnels.
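A way to spot this pattern across many APs from the controller log, as an added example that is not part of the original thread: it parses the two message formats quoted in the post above, counts Control Plane Security denials per AP, and reports the interval between repeated "image upgrade failed" reboots. The first three sample lines are taken from the post; the fourth line and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Control Plane Security denial, keyed on the AP MAC in quotes.
DENIED = re.compile(rf'Unsecure AP "({MAC})".*denied access because Control Plane Security', re.I)
# nanny reboot-reason line: capture the AP MAC and the reboot timestamp.
UPGRADE_FAIL = re.compile(
    rf"\|AP ({MAC})@\S+ nanny\|\s+Reboot Reason: AP rebooted (.+?); "
    r"SAPD: Reboot after image upgrade failed", re.I)

# Lines 1-3 are quoted from the post; line 4 is constructed to show a repeat.
SAMPLE_LOG = """\
Unsecure AP "d8:c7:c8:c8:98:8d" (MAC d8:c7:c8:c8:98:8d, IP x.x.x.x) has been denied access because Control Plane Security is enabled and the AP is not approved.
<303086> <ERRS> |AP d8:c7:c8:c8:99:3e@x.x.x.x nanny| Process Manager (nanny) shutting down - AP will reboot!
<303022> <WARN> |AP d8:c7:c8:c8:98:8d@x.x.x.x nanny|  Reboot Reason: AP rebooted Tue Apr 24 07:10:58 GMT 2012; SAPD: Reboot after image upgrade failed: -1
<303022> <WARN> |AP d8:c7:c8:c8:98:8d@x.x.x.x nanny|  Reboot Reason: AP rebooted Tue Apr 24 07:22:41 GMT 2012; SAPD: Reboot after image upgrade failed: -1
"""

def summarize(log_text):
    """Return {mac: {"cpsec_denied": count, "upgrade_failures": [datetime, ...]}}."""
    aps = defaultdict(lambda: {"cpsec_denied": 0, "upgrade_failures": []})
    for line in log_text.splitlines():
        if m := DENIED.search(line):
            aps[m.group(1).lower()]["cpsec_denied"] += 1
        elif m := UPGRADE_FAIL.search(line):
            when = datetime.strptime(m.group(2), "%a %b %d %H:%M:%S GMT %Y")
            aps[m.group(1).lower()]["upgrade_failures"].append(when)
    return dict(aps)

def reboot_loops(summary, min_failures=2):
    """Return {mac: [seconds between consecutive failed upgrades]} for looping APs."""
    loops = {}
    for mac, rec in summary.items():
        times = sorted(rec["upgrade_failures"])
        if len(times) >= min_failures:
            loops[mac] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return loops

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for mac, gaps in reboot_loops(summary).items():
        print(mac, "denied:", summary[mac]["cpsec_denied"], "cycle seconds:", gaps)
```

A steady interval between failures points at a fixed timer expiring rather than a random link drop.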

Guru Elite
Posts: 20,812
Registered: ‎03-29-2007

Re: AP provision through vpn tunnel

danish82,

 

Unfortunately, the MTU setting in the ap system profile only takes effect once an ap has upgraded and gotten its instructions. If the AP has not made it to the whitelist yet, it cannot receive the MTU 1300 command. You can try to sidestep this by turning off control plane security temporarily if you do not need it, or upgrade the APs before sending them out to the site with VPN.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 12
Registered: ‎08-29-2011

Re: AP provision through vpn tunnel

OK :(

There's no way to set this manually on the AP either?

Occasional Contributor II
Posts: 12
Registered: ‎08-29-2011

Re: AP provision through vpn tunnel

No difference with control plane security disabled.

It seems like the ap downloads the boot image ok, but every time it logs the following:

Reboot Reason: AP rebooted Tue Apr 24 12:59:20 GMT 2012; SAPD: Reboot after image upgrade failed: -1

 

Then it will try to download the boot image again, and the circle continues. Is the only solution to actually ship the AP back, provision it and send it out again?

 

Guru Elite
Posts: 20,812
Registered: ‎03-29-2007

Re: AP provision through vpn tunnel

Please open a TAC case, so they can determine exactly what is happening.

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 12
Registered: ‎08-29-2011

Re: AP provision through vpn tunnel

Case solved. The problem was an RTT of around 300ms. The download of the AP image was too slow, which caused a process to time out (10 mins), and the cycle repeated itself over and over.

 

TAC provided me with a patched image which works just fine now :)

 

This was only a problem because I hadn't provisioned the AP's before shipping them out.
