Wireless Access

last person joined: 20 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Clarity - Synthetic and authentication

This thread has been viewed 0 times

  • 1.  Clarity - Synthetic and authentication

    Posted Feb 03, 2017 06:08 AM

    I have been testing with Clarity and installed the separate Clarity Engine. I have two questions concerning Clarity.

     

    • Synthetic: I did multiple tests, but all results in one of these two error messages: Failed: Failed to establish gre & websocket connection with syntheticAP  or Failed: Aborting due to AP keepalive timeout.

    I see the following error logs:

     

    GRE & WEBSOCKET

    jsonArray: [{"BSSID":"XX:XX:XX:XX:XX:XX","SUMMARYDATA":[{"result":"Failed:Test TESTINIT aborted for target BSSID XX:XX:XX:XX:XX:XX"}],"TESTID":"3d6a031c-106b-9b30-e986-2b6f7dae9d34","INITDATA":{"webSocketStatus":"FAILURE","apForwardModeChanged":"FALSE","apForwardingMode":"None","mgmtEntityConfigChanged":"FALSE","result":"Failed: Failed to establish gre & websocket connection with syntheticAP","startTime":"2017-01-31 08:17:50.711555 UTC","greStatus":"FAILURE"}}]
    2017-01-31 09:18:04.605 WARN TestDataHandler - no failed RESULT
    2017-01-31 09:18:04.605 WARN TestDataHandler - no failed Result
    2017-01-31 09:18:04.605 WARN TestDataHandler - result contains failed - setting status to errorFailed: Failed to establish gre & websocket connection with syntheticAP
    2017-01-31 09:18:04.606 INFO TestDataHandler - bldrString is "ERRORDATA":
    [{"BSSID":"XX:XX:XX:XX:XX:XX","SUMMARYDATA":[{"result":"Failed:Test TESTINIT aborted for target BSSID XX:XX:XX:XX:XX:XX"}],"TESTID":"3d6a031c-106b-9b30-e986-2b6f7dae9d34","INITDATA":{"webSocketStatus":"FAILURE","apForwardModeChanged":"FALSE","apForwardingMode":"None","mgmtEntityConfigChanged":"FALSE","result":"Failed: Failed to establish gre & websocket connection with syntheticAP","startTime":"2017-01-31 08:17:50.711555 UTC","greStatus":"FAILURE"}}]
    2017-01-31 09:18:04.606 WARN TestDataHandler - arrayBlder is [{
    "ERRORDATA":
    [{"BSSID":"XX:XX:XX:XX:XX:XX","SUMMARYDATA":[{"result":"Failed:Test TESTINIT aborted for target BSSID XX:XX:XX:XX:XX:XX"}],"TESTID":"3d6a031c-106b-9b30-e986-2b6f7dae9d34","INITDATA":{"webSocketStatus":"FAILURE","apForwardModeChanged":"FALSE","apForwardingMode":"None","mgmtEntityConfigChanged":"FALSE","result":"Failed: Failed to establish gre & websocket connection with syntheticAP","startTime":"2017-01-31 08:17:50.711555 UTC","greStatus":"FAILURE"}}]

     

    AP KEEPALIVE

     

    2017-01-31 12:32:04.170 WARN TestDataHandler -

    jsonArray: [{"BSSID":"A8:BD:27:11:24:90","SUMMARYDATA":[{"result":"Failed:Test TESTINIT aborted for target BSSID A8:BD:27:11:24:90"}],"TESTID":"0dc3158f-d43f-e3b8-ecd5-9492c27eb2b8","INITDATA":{"webSocketStatus":"FAILURE","apForwardModeChanged":"FALSE","apForwardingMode":"None","mgmtEntityConfigChanged":"FALSE","result":"Failed: Aborting due to AP keepalive timeout","startTime":"2017-01-31 11:31:20.354552 UTC","greStatus":"FAILURE"},"WPADATA":{"startTime":"2017-01-31 11:31:51.602520 UTC","wpaauthentication":{"result":"Failed","groupText":"Authentication","startTime":"1970-01-01 00:00:00.000000 UTC","time":0,"retryCount":0,"WPAAUTHEAPOLDATA":{}},"wpaassociation":{"result":"Failed","retryCount":0,"groupText":"Association","startTime":"1970-01-01 00:00:00.000000 UTC","time":0},"wpascan":{"result":"Failed","retryCount":0,"groupText":"Scan","startTime":"1970-01-01 00:00:00.000000 UTC","time":0},"wpa4wayhandshake":{"WPAKey4TxRetryCount":0,"WPAKey2TxRetryCount":0,"WPAKey3RXRetryCount":0,"groupText":"4 Way Handshake","startTime":"1970-01-01 00:00:00.000000 UTC","time":0,"retryCount":0,"WPAKey1RxRetryCount":0,"result":"Failed"},"clientMACAddress":"d8:c7:c8:6b:db:0f"}}]

     

    Could the wired IEEE 802.1x authentication for the access-points be a possible explaination for this problem?

     

    • Authentication time: I notice that authentication times are always red, when authenticating against ClearPass via EAP-PEAP and ClearPass uses Active Directory to authenticate the users. Is this behavior default, or do I need to tweek ClearPass or Active Directory to get better authentication times? Authentication times are perfect when using the controller as authentication server and authentication times are "better" when using local users on ClearPass.

    gre-failed.png

     

    ap-keepalive.png



  • 2.  RE: Clarity - Synthetic and authentication

    Posted Feb 22, 2017 05:24 AM

    It´s a shame that there are no more active Aruba folks here when you are running it in beta. To get people started and help midigate these problems.

     

    Same here running Airwave 8.2.3.1 with Controllers running 6.5.0.x



  • 3.  RE: Clarity - Synthetic and authentication

    Posted Feb 22, 2017 07:06 AM

    Another question, does it work with Instant IAP-225:s ?

    Provided they are running 6.5.1.x branch + 8.2.3.1



  • 4.  RE: Clarity - Synthetic and authentication

    EMPLOYEE
    Posted Feb 22, 2017 09:37 AM

    Mikael, IAPs do not support Synthetic, they would need to be CAPs running on a controller.



  • 5.  RE: Clarity - Synthetic and authentication

    Posted Apr 25, 2018 10:55 AM

    What about IAPs converted to CAP, connected to controller? Do they support synthetic



  • 6.  RE: Clarity - Synthetic and authentication

    EMPLOYEE
    Posted Apr 25, 2018 12:33 PM
    dkatai@valkyr.huwrote:

    What about IAPs converted to CAP, connected to controller? Do they support synthetic

    Once an IAP is converted to a CAP, it is identical to every other CAP.



  • 7.  RE: Clarity - Synthetic and authentication

    EMPLOYEE
    Posted Feb 22, 2017 09:41 AM

    Mikael, Clarity Live on that train of IAP will (SHOULD) work, not Synthetic.



  • 8.  RE: Clarity - Synthetic and authentication

    EMPLOYEE
    Posted Feb 22, 2017 07:06 AM

    Mikael, there's nothing precluding you from opening a TAC case, worst thing that can happen is they won't help you. In general you see this most often when the AP models being used aren't supported or there are issues with the rights of the credentials the AMP has to the controller. Also is the AP settings set to allow the AMP to change the role (I don't have a 6.x controller to log in to to screenshot, but there should be a setting that basically won't allow the AMP to change the role of the synthetic AP if there's clients on it, but I may be mis-remembering).

     

    Things to check would be to look at the controller's audit logs and see if there's any errors in a) airwave credentials being able to change the role, or b) errors in trying to change the role but the controller disallowing it. It can also happen if the synthetic client is the newer AP-33x or 30x, and sometimes the 31x, that's why we need the hardware and exact software version.

     

    As for why things are red in the Auth, you would need to screenshot the auth details from the clarity output. If your RADIUS to AD lookups are taking a long time (which is common in a house/home lab with VMs as both the AD server and for Clearpass). To see this you mouse over the 'WPA Test' and post a screenshot here.



  • 9.  RE: Clarity - Synthetic and authentication

    EMPLOYEE
    Posted Feb 22, 2017 06:51 AM

    Controller model, AOS version, AMP version, AP models (what was the AP being targeted, what was the synthetic AP model being used)?



  • 10.  RE: Clarity - Synthetic and authentication

    Posted Feb 22, 2017 06:57 AM

    Hello and thanks for the replay.

    The controller was 7220 running 6.5.0.0 with airwave running 8.2.3.1.

     

    Ap models were:

    Client: AP-215

    Target: AP-215

     

    Both AP:s running off the same controller.

     



  • 11.  RE: Clarity - Synthetic and authentication

    Posted Feb 22, 2017 07:02 AM

    Controller is mix of 7010 and 7030 controllers.

    • 2 x 7010 as master and backup master 
    • 2 x 7030 as locals

    ArubaOS: 6.5.0.3

    AMP version: 8.2.3

    AP model: AP205



  • 12.  RE: Clarity - Synthetic and authentication

    EMPLOYEE
    Posted Feb 22, 2017 09:38 AM

    Rene, move up to the latest 6.5.1 (I think it's 6.5.1.3), there's been a few bug fixes on Synthetic issues. the 200s shoudl absolutely work. Also make sure credentials for management that airwave is using also work (the audit trail should show you if it's not).