Wireless Access

Reply
Guest Blogger
Posts: 24
Registered: ‎02-20-2015

Clarity - Synthetic and authentication

I have been testing with Clarity and installed the separate Clarity Engine. I have two questions concerning Clarity.

 

  • Synthetic: I did multiple tests, but all results in one of these two error messages: Failed: Failed to establish gre & websocket connection with syntheticAP  or Failed: Aborting due to AP keepalive timeout.

I see the following error logs:

 

GRE & WEBSOCKET

jsonArray: [{"BSSID":"XX:XX:XX:XX:XX:XX","SUMMARYDATA":[{"result":"Failed:Test TESTINIT aborted for target BSSID XX:XX:XX:XX:XX:XX"}],"TESTID":"3d6a031c-106b-9b30-e986-2b6f7dae9d34","INITDATA":{"webSocketStatus":"FAILURE","apForwardModeChanged":"FALSE","apForwardingMode":"None","mgmtEntityConfigChanged":"FALSE","result":"Failed: Failed to establish gre & websocket connection with syntheticAP","startTime":"2017-01-31 08:17:50.711555 UTC","greStatus":"FAILURE"}}]
2017-01-31 09:18:04.605 WARN TestDataHandler - no failed RESULT
2017-01-31 09:18:04.605 WARN TestDataHandler - no failed Result
2017-01-31 09:18:04.605 WARN TestDataHandler - result contains failed - setting status to errorFailed: Failed to establish gre & websocket connection with syntheticAP
2017-01-31 09:18:04.606 INFO TestDataHandler - bldrString is "ERRORDATA":
[{"BSSID":"XX:XX:XX:XX:XX:XX","SUMMARYDATA":[{"result":"Failed:Test TESTINIT aborted for target BSSID XX:XX:XX:XX:XX:XX"}],"TESTID":"3d6a031c-106b-9b30-e986-2b6f7dae9d34","INITDATA":{"webSocketStatus":"FAILURE","apForwardModeChanged":"FALSE","apForwardingMode":"None","mgmtEntityConfigChanged":"FALSE","result":"Failed: Failed to establish gre & websocket connection with syntheticAP","startTime":"2017-01-31 08:17:50.711555 UTC","greStatus":"FAILURE"}}]
2017-01-31 09:18:04.606 WARN TestDataHandler - arrayBlder is [{
"ERRORDATA":
[{"BSSID":"XX:XX:XX:XX:XX:XX","SUMMARYDATA":[{"result":"Failed:Test TESTINIT aborted for target BSSID XX:XX:XX:XX:XX:XX"}],"TESTID":"3d6a031c-106b-9b30-e986-2b6f7dae9d34","INITDATA":{"webSocketStatus":"FAILURE","apForwardModeChanged":"FALSE","apForwardingMode":"None","mgmtEntityConfigChanged":"FALSE","result":"Failed: Failed to establish gre & websocket connection with syntheticAP","startTime":"2017-01-31 08:17:50.711555 UTC","greStatus":"FAILURE"}}]

 

AP KEEPALIVE

 

2017-01-31 12:32:04.170 WARN TestDataHandler -

jsonArray: [{"BSSID":"A8:BD:27:11:24:90","SUMMARYDATA":[{"result":"Failed:Test TESTINIT aborted for target BSSID A8:BD:27:11:24:90"}],"TESTID":"0dc3158f-d43f-e3b8-ecd5-9492c27eb2b8","INITDATA":{"webSocketStatus":"FAILURE","apForwardModeChanged":"FALSE","apForwardingMode":"None","mgmtEntityConfigChanged":"FALSE","result":"Failed: Aborting due to AP keepalive timeout","startTime":"2017-01-31 11:31:20.354552 UTC","greStatus":"FAILURE"},"WPADATA":{"startTime":"2017-01-31 11:31:51.602520 UTC","wpaauthentication":{"result":"Failed","groupText":"Authentication","startTime":"1970-01-01 00:00:00.000000 UTC","time":0,"retryCount":0,"WPAAUTHEAPOLDATA":{}},"wpaassociation":{"result":"Failed","retryCount":0,"groupText":"Association","startTime":"1970-01-01 00:00:00.000000 UTC","time":0},"wpascan":{"result":"Failed","retryCount":0,"groupText":"Scan","startTime":"1970-01-01 00:00:00.000000 UTC","time":0},"wpa4wayhandshake":{"WPAKey4TxRetryCount":0,"WPAKey2TxRetryCount":0,"WPAKey3RXRetryCount":0,"groupText":"4 Way Handshake","startTime":"1970-01-01 00:00:00.000000 UTC","time":0,"retryCount":0,"WPAKey1RxRetryCount":0,"result":"Failed"},"clientMACAddress":"d8:c7:c8:6b:db:0f"}}]

 

Could the wired IEEE 802.1x authentication for the access-points be a possible explaination for this problem?

 

  • Authentication time: I notice that authentication times are always red, when authenticating against ClearPass via EAP-PEAP and ClearPass uses Active Directory to authenticate the users. Is this behavior default, or do I need to tweek ClearPass or Active Directory to get better authentication times? Authentication times are perfect when using the controller as authentication server and authentication times are "better" when using local users on ClearPass.

gre-failed.png

 

ap-keepalive.png

@rene_booches | ACMX #438 / ACCP / CCNP Routing & Switching / CEH
Co-owner/Solution Specialist@4IP / blog owner@booches.nl
Occasional Contributor II
Posts: 20
Registered: ‎09-05-2012

Re: Clarity - Synthetic and authentication

It´s a shame that there are no more active Aruba folks here when you are running it in beta. To get people started and help midigate these problems.

 

Same here running Airwave 8.2.3.1 with Controllers running 6.5.0.x

MVP
Posts: 1,357
Registered: ‎11-07-2008

Re: Clarity - Synthetic and authentication

Controller model, AOS version, AMP version, AP models (what was the AP being targeted, what was the synthetic AP model being used)?

Jerrod Howard
Sr. Techical Marketing Engineer
Occasional Contributor II
Posts: 20
Registered: ‎09-05-2012

Re: Clarity - Synthetic and authentication

Hello and thanks for the replay.

The controller was 7220 running 6.5.0.0 with airwave running 8.2.3.1.

 

Ap models were:

Client: AP-215

Target: AP-215

 

Both AP:s running off the same controller.

 

Guest Blogger
Posts: 24
Registered: ‎02-20-2015

Re: Clarity - Synthetic and authentication

Controller is mix of 7010 and 7030 controllers.

  • 2 x 7010 as master and backup master 
  • 2 x 7030 as locals

ArubaOS: 6.5.0.3

AMP version: 8.2.3

AP model: AP205

@rene_booches | ACMX #438 / ACCP / CCNP Routing & Switching / CEH
Co-owner/Solution Specialist@4IP / blog owner@booches.nl
Occasional Contributor II
Posts: 20
Registered: ‎09-05-2012

Re: Clarity - Synthetic and authentication

Another question, does it work with Instant IAP-225:s ?

Provided they are running 6.5.1.x branch + 8.2.3.1

MVP
Posts: 1,357
Registered: ‎11-07-2008

Re: Clarity - Synthetic and authentication

Mikael, there's nothing precluding you from opening a TAC case, worst thing that can happen is they won't help you. In general you see this most often when the AP models being used aren't supported or there are issues with the rights of the credentials the AMP has to the controller. Also is the AP settings set to allow the AMP to change the role (I don't have a 6.x controller to log in to to screenshot, but there should be a setting that basically won't allow the AMP to change the role of the synthetic AP if there's clients on it, but I may be mis-remembering).

 

Things to check would be to look at the controller's audit logs and see if there's any errors in a) airwave credentials being able to change the role, or b) errors in trying to change the role but the controller disallowing it. It can also happen if the synthetic client is the newer AP-33x or 30x, and sometimes the 31x, that's why we need the hardware and exact software version.

 

As for why things are red in the Auth, you would need to screenshot the auth details from the clarity output. If your RADIUS to AD lookups are taking a long time (which is common in a house/home lab with VMs as both the AD server and for Clearpass). To see this you mouse over the 'WPA Test' and post a screenshot here.

Jerrod Howard
Sr. Techical Marketing Engineer
MVP
Posts: 1,357
Registered: ‎11-07-2008

Re: Clarity - Synthetic and authentication

Mikael, IAPs do not support Synthetic, they would need to be CAPs running on a controller.

Jerrod Howard
Sr. Techical Marketing Engineer
MVP
Posts: 1,357
Registered: ‎11-07-2008

Re: Clarity - Synthetic and authentication

Rene, move up to the latest 6.5.1 (I think it's 6.5.1.3), there's been a few bug fixes on Synthetic issues. the 200s shoudl absolutely work. Also make sure credentials for management that airwave is using also work (the audit trail should show you if it's not). 

Jerrod Howard
Sr. Techical Marketing Engineer
MVP
Posts: 1,357
Registered: ‎11-07-2008

Re: Clarity - Synthetic and authentication

Mikael, Clarity Live on that train of IAP will (SHOULD) work, not Synthetic.

Jerrod Howard
Sr. Techical Marketing Engineer
Search Airheads
Showing results for 
Search instead for 
Did you mean: