Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Convert IAP205 to CAP error

  • 1.  Convert IAP205 to CAP error

    Posted Jul 03, 2017 10:09 AM

    Dears,

     

    Our customer has a mysterious problem... They are trying to convert an IAP205 to a CAP. When doing this, they receive the following error:

    Error in server response, closing control connection.
    Retrying.
    Target : AP-HASSELT
    
    
    show vpn status
    
    
    profile name:default
    --------------------------------------------------
    current using tunnel                            :unselected tunnel
    current tunnel using time                       :0
    ipsec is preempt status                         :disable
    ipsec is fast failover status                   :disable
    ipsec hold on period                            :600s
    ipsec tunnel monitor frequency (seconds/packet) :5
    ipsec tunnel monitor timeout by lost packet cnt :6
    
    ipsec     primary tunnel crypto type            :Cert
    ipsec     primary tunnel peer address           :N/A
    ipsec     primary tunnel peer tunnel ip         :N/A
    ipsec     primary tunnel ap tunnel ip           :N/A
    ipsec     primary tunnel using interface        :N/A
    ipsec     primary tunnel using MTU              :N/A
    ipsec     primary tunnel current sm status      :Init
    ipsec     primary tunnel tunnel status          :Down
    ipsec     primary tunnel tunnel retry times     :0
    ipsec     primary tunnel tunnel uptime          :0
    
    ipsec      backup tunnel crypto type            :Cert
    ipsec      backup tunnel peer address           :N/A
    ipsec      backup tunnel peer tunnel ip         :N/A
    ipsec      backup tunnel ap tunnel ip           :N/A
    ipsec      backup tunnel using interface        :N/A
    ipsec      backup tunnel using MTU              :N/A
    ipsec      backup tunnel current sm status      :Init
    ipsec      backup tunnel tunnel status          :Down
    ipsec      backup tunnel tunnel retry times     :0
    ipsec      backup tunnel tunnel uptime          :0
    end of show vpn status
    ========================================================
    
    show upgrade info
    
    Image Upgrade Progress
    ----------------------
    Mac                IP Address   AP Class  Status       Image Info                        Error Detail
    ---                ----------   --------  ------       ----------                        ------------
    34:fc:b9:c2:09:a6  10.11.21.11  Taurus    downloading  ac-ftp://10.20.21.10/armv7ns.ari  Retrieve image fail
    Auto reboot           :enable
    Use external URL      :enable
    Master wait Time      :99 secs 0 count
    Switch Partition      :enable
    end of show upgrade info
    ========================================================
    
    show log upgrade
    ----------Download log start----------
    
    Executing '/aruba/bin/download_image_swarm ac-ftp://10.20.21.10/armv7ns.ari --no-proxy X-Ap-Info:CNCKHMJ3NB,34:fc:b9:c2:09:a6,AP-205'
    fetching ('/usr/sbin/wget -T 120 -t 3 --no-proxy --header=X-Ap-Info:CNCKHMJ3NB,34:fc:b9:c2:09:a6,AP-205 -a /tmp/download_url_log ftp://sap:x@10.20.21.10/armv7ns.ari')
    --08:01:32--  ftp://sap:*password*@10.20.21.10/armv7ns.ari
               => `armv7ns.ari'
    Connecting to 10.20.21.10:21... connected.
    Logging in as sap ... 
    Error in server response, closing control connection.
    Retrying.
    
    --08:03:35--  ftp://sap:*password*@10.20.21.10/armv7ns.ari
      (try: 2) => `armv7ns.ari'
    Connecting to 10.20.21.10:21... connected.
    Logging in as sap ... 
    Error in server response, closing control connection.
    Retrying.
    
    --08:05:38--  ftp://sap:*password*@10.20.21.10/armv7ns.ari
      (try: 3) => `armv7ns.ari'
    Connecting to 10.20.21.10:21... connected.
    Logging in as sap ... 
    Error in server response, closing control connection.
    Giving up.
    
    Error: failed to retrieve image
    cleaning up
    done
    
    ----------Download log end------------
    Download status: Retrieve image fail
    ----------Upgrade log start----------
    upgrade log not available
    ----------Upgrade log end------------
    Upgrade status: upgrade status not available
    end of show log upgrade
    ========================================================
    
    show log rapper
    Rapper info not available
    end of show log rapper
    ========================================================

    They can ping the controller, and even in the datapath session on the controller, I can see the FTP port 21 coming from our IAP205. The controller is also answering, but it seems that it is not received by our IAP.

    IAP is connected on a private WAN link. Is it possible that it has something to do with MTU size or something like that?

     

    Kind regards,

    Thomas



  • 2.  RE: Convert IAP205 to CAP error

    MVP EXPERT
    Posted Jul 03, 2017 11:24 AM

    Hey, what is the version of code you are running on the controller and on the IAP? Is there any packet loss between the controller and IAP? I assume you've also whitelisted the IAP as well? (CPSec).

     

    Thanks



  • 3.  RE: Convert IAP205 to CAP error

    Posted Jul 03, 2017 11:35 AM

    Controller 6.4.4.12

    IAP: 6.4.4.8 - 4.2.4.3

    No packet loss between controller and IAP

    For now we have activated Control Plane Security with Auto-cert provisioning and all addresses allowed for Auto Cert (no limitations), but still not working.



  • 4.  RE: Convert IAP205 to CAP error

    EMPLOYEE
    Posted Jul 03, 2017 12:41 PM

    You should try opening up an FTP window from a client on the AP's subnet to the controller and see if it asks for a username and password:

     

    ftp

    ftp> open <ip address of controller> 

    connected to 192.168.1.20

    220 FTP server ready

     



  • 5.  RE: Convert IAP205 to CAP error

    Posted Jul 05, 2017 04:15 AM

    Hi cjoseph,

     

    We receive the expected output from the ftp; it is asking for username and password.

    So ftp is not blocked.



  • 6.  RE: Convert IAP205 to CAP error

    EMPLOYEE
    Posted Jul 05, 2017 09:09 AM

    There seems to be a problem with the login portion of the conversion.  Is there a firewall between the IAP and the controller?  Regardless of the answer, you probably should open a TAC case to get to the bottom of it.  Below is what a normal conversion looks like.

     

    ----------Download log start----------
    
    Executing '/aruba/bin/download_image_swarm ac-ftp://10.2.100.20/armv7ns.ari --no-proxy'
    fetching ('/usr/sbin/wget -T 120 -t 3 --no-proxy -a /tmp/download_url_log ftp://sap:x@10.2.100.20/armv7ns.ari')
    --21:05:09--  ftp://sap:*password*@10.2.100.20/armv7ns.ari
               => `armv7ns.ari'
    Connecting to 10.2.100.20:21... connected.
    Logging in as sap ... Logged in!
    ==> SYST ... done.    ==> PWD ... done.
    ==> TYPE I ... done.  ==> CWD not needed.
    ==> PASV ... done.    ==> RETR armv7ns.ari ... done.
    
        0K .......... .......... .......... .......... ..........   52.78 KB/s
       50K .......... .......... .......... .......... ..........  256.68 KB/s
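
The difference between the failing download log in post 1 and the normal one in post 6 is how far the FTP exchange gets in each wget attempt. The following is an added example, not part of any post and not Aruba tooling: a small triage script that splits a `show log upgrade` download log into attempts and reports the last step that completed. The sample logs are constructed and abridged from the lines quoted in this thread, with placeholder addresses; the names `STEPS`, `furthest_stage` and `triage` are hypothetical.

```python
import re

# Constructed, abridged samples modelled on the wget lines quoted in this
# thread; 192.0.2.x addresses are documentation placeholders.
FAILED_LOG = """\
--08:01:32--  ftp://sap:*password*@192.0.2.10/armv7ns.ari
Connecting to 192.0.2.10:21... connected.
Logging in as sap ...
Error in server response, closing control connection.
--08:03:35--  ftp://sap:*password*@192.0.2.10/armv7ns.ari
Connecting to 192.0.2.10:21... connected.
Logging in as sap ...
Error in server response, closing control connection.
Giving up.
"""
OK_LOG = """\
--21:05:09--  ftp://sap:*password*@192.0.2.20/armv7ns.ari
Connecting to 192.0.2.20:21... connected.
Logging in as sap ... Logged in!
==> PASV ... done.    ==> RETR armv7ns.ari ... done.
"""

# Steps in the order wget reports them; an attempt stops at the first one missing.
STEPS = [
    ("tcp-connect", r"Connecting to \S+ connected\."),
    ("login", r"Logging in as \S+ \.\.\. Logged in!"),
    ("pasv", r"==> PASV \.\.\. done\."),
    ("retr", r"==> RETR \S+ \.\.\. done\."),
]
ATTEMPT = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+ftp://", re.M)

def furthest_stage(body):
    """Return the name of the last step that completed in one attempt."""
    stage = "none"
    for name, pattern in STEPS:
        if not re.search(pattern, body):
            break
        stage = name
    return stage

def triage(log):
    """Return one (start time, furthest stage, error text or None) per attempt."""
    parts = ATTEMPT.split(log)[1:]  # [time, body, time, body, ...]
    out = []
    for when, body in zip(parts[0::2], parts[1::2]):
        err = re.search(r"^Error.*$", body, re.M)
        out.append((when, furthest_stage(body), err.group(0).rstrip(".") if err else None))
    return out
```

An attempt that stops at `tcp-connect` completed the TCP handshake to port 21 but never got a usable reply to the login, which is the pattern in the failing log above.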


  • 7.  RE: Convert IAP205 to CAP error

    Posted Jul 05, 2017 09:50 AM

    I think it has something to do with MTU. If I convert the IAP to RAP, it works without any issue.

    The link is over a private WAN link that is provided by one of the big telecom providers in BE. I think it is MTU related, since RAP is using 1200 bytes via port 4500 while the CAP is using 1500 in its initial connection to the controller via FTP, if I am not mistaken?