Convert IAP205 to CAP error

Dears,

Our customer has a mysterious problem... They are trying to convert an IAP205 to a CAP. When doing this, they receive the following error:

Error in server response, closing control connection.
Retrying.
Target : AP-HASSELT


show vpn status


profile name:default
--------------------------------------------------
current using tunnel                            :unselected tunnel
current tunnel using time                       :0
ipsec is preempt status                         :disable
ipsec is fast failover status                   :disable
ipsec hold on period                            :600s
ipsec tunnel monitor frequency (seconds/packet) :5
ipsec tunnel monitor timeout by lost packet cnt :6

ipsec     primary tunnel crypto type            :Cert
ipsec     primary tunnel peer address           :N/A
ipsec     primary tunnel peer tunnel ip         :N/A
ipsec     primary tunnel ap tunnel ip           :N/A
ipsec     primary tunnel using interface        :N/A
ipsec     primary tunnel using MTU              :N/A
ipsec     primary tunnel current sm status      :Init
ipsec     primary tunnel tunnel status          :Down
ipsec     primary tunnel tunnel retry times     :0
ipsec     primary tunnel tunnel uptime          :0

ipsec      backup tunnel crypto type            :Cert
ipsec      backup tunnel peer address           :N/A
ipsec      backup tunnel peer tunnel ip         :N/A
ipsec      backup tunnel ap tunnel ip           :N/A
ipsec      backup tunnel using interface        :N/A
ipsec      backup tunnel using MTU              :N/A
ipsec      backup tunnel current sm status      :Init
ipsec      backup tunnel tunnel status          :Down
ipsec      backup tunnel tunnel retry times     :0
ipsec      backup tunnel tunnel uptime          :0
end of show vpn status
========================================================

show upgrade info

Image Upgrade Progress
----------------------
Mac                IP Address   AP Class  Status       Image Info                        Error Detail
---                ----------   --------  ------       ----------                        ------------
34:fc:b9:c2:09:a6  10.11.21.11  Taurus    downloading  ac-ftp://10.20.21.10/armv7ns.ari  Retrieve image fail
Auto reboot           :enable
Use external URL      :enable
Master wait Time      :99 secs 0 count
Switch Partition      :enable
end of show upgrade info
========================================================

show log upgrade
----------Download log start----------

Executing '/aruba/bin/download_image_swarm ac-ftp://10.20.21.10/armv7ns.ari --no-proxy X-Ap-Info:CNCKHMJ3NB,34:fc:b9:c2:09:a6,AP-205'
fetching ('/usr/sbin/wget -T 120 -t 3 --no-proxy --header=X-Ap-Info:CNCKHMJ3NB,34:fc:b9:c2:09:a6,AP-205 -a /tmp/download_url_log ftp://sap:x@10.20.21.10/armv7ns.ari')
--08:01:32--  ftp://sap:*password*@10.20.21.10/armv7ns.ari
           => `armv7ns.ari'
Connecting to 10.20.21.10:21... connected.
Logging in as sap ... 
Error in server response, closing control connection.
Retrying.

--08:03:35--  ftp://sap:*password*@10.20.21.10/armv7ns.ari
  (try: 2) => `armv7ns.ari'
Connecting to 10.20.21.10:21... connected.
Logging in as sap ... 
Error in server response, closing control connection.
Retrying.

--08:05:38--  ftp://sap:*password*@10.20.21.10/armv7ns.ari
  (try: 3) => `armv7ns.ari'
Connecting to 10.20.21.10:21... connected.
Logging in as sap ... 
Error in server response, closing control connection.
Giving up.

Error: failed to retrieve image
cleaning up
done

----------Download log end------------
Download status: Retrieve image fail
----------Upgrade log start----------
upgrade log not available
----------Upgrade log end------------
Upgrade status: upgrade status not available
end of show log upgrade
========================================================

show log rapper
Rapper info not available
end of show log rapper
========================================================

They can ping the controller, and even in the datapath session on the controller, I can see the FTP port 21 coming from our IAP205. The controller is also answering, but it seems that it is not received by our IAP.

IAP is connected on a private WAN link. Is it possible that it has something to do with MTU size or something like that?

 

Kind regards,

Thomas

Thomas
ACMX#370 ACCP

Re: Convert IAP205 to CAP error

Hey, what is the version of code you are running on the controller and on the IAP? Is there any packet loss between the controller and IAP? I assume you've also whitelisted the IAP as well? (CPSec).

 

Thanks


ACMA, ACMP, ACSA

Re: Convert IAP205 to CAP error

Controller 6.4.4.12

IAP: 6.4.4.8 - 4.2.4.3

No packet loss between controller and IAP

For now we have activated Control Plane Security with Auto-cert provisioning and all addresses allowed for Auto Cert. (no limitations) but still not working.

Thomas

Re: Convert IAP205 to CAP error

You should try opening up an FTP window from a client on the AP's subnet to the controller and see if it asks for a username and password:

 

ftp

ftp> open <ip address of controller> 

connected to 192.168.1.20

220 FTP server ready

 



Colin Joseph
Aruba Customer Engineering


Re: Convert IAP205 to CAP error

Hi cjoseph,

 

We receive the expected output from the ftp; it is asking for username and password.

So ftp is not blocked.

Thomas

Re: Convert IAP205 to CAP error

There seems to be a problem with the login portion of the conversion.  Is there a firewall between the IAP and the controller?  Regardless of the answer, you probably should open a TAC case to get to the bottom of it.  Below is what a normal conversion looks like.

 

----------Download log start----------

Executing '/aruba/bin/download_image_swarm ac-ftp://10.2.100.20/armv7ns.ari --no-proxy'
fetching ('/usr/sbin/wget -T 120 -t 3 --no-proxy -a /tmp/download_url_log ftp://sap:x@10.2.100.20/armv7ns.ari')
--21:05:09--  ftp://sap:*password*@10.2.100.20/armv7ns.ari
           => `armv7ns.ari'
Connecting to 10.2.100.20:21... connected.
Logging in as sap ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD not needed.
==> PASV ... done.    ==> RETR armv7ns.ari ... done.

    0K .......... .......... .......... .......... ..........   52.78 KB/s
   50K .......... .......... .......... .......... ..........  256.68 KB/s


Colin Joseph
Aruba Customer Engineering
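
Added example (not part of the original posts and not Aruba code): a small Python parser that does the comparison made above, reporting how far each wget attempt in a `show log upgrade` download log got and whether retries are spaced at the `-T` timeout. The sample logs are constructed by shortening the two logs quoted in this thread; the stage names and the 10-second tolerance are assumptions.

```python
import re

# Constructed samples, shortened from the two download logs quoted in this thread.
FAILED_LOG = """\
fetching ('/usr/sbin/wget -T 120 -t 3 --no-proxy -a /tmp/download_url_log ftp://sap:x@10.20.21.10/armv7ns.ari')
--08:01:32--  ftp://sap:*password*@10.20.21.10/armv7ns.ari
Connecting to 10.20.21.10:21... connected.
Logging in as sap ... 
Error in server response, closing control connection.
--08:03:35--  ftp://sap:*password*@10.20.21.10/armv7ns.ari
Connecting to 10.20.21.10:21... connected.
Logging in as sap ... 
Error in server response, closing control connection.
"""
NORMAL_LOG = """\
--21:05:09--  ftp://sap:*password*@10.2.100.20/armv7ns.ari
Connecting to 10.2.100.20:21... connected.
Logging in as sap ... Logged in!
==> PASV ... done.    ==> RETR armv7ns.ari ... done.
"""

# FTP steps in the order wget logs them; an attempt "reached" the last one present.
STAGES = [("tcp_connect", r"Connecting to \S+\.\.\. connected\."), ("login", r"Logged in!"),
          ("pasv", r"==> PASV \.\.\. done\."), ("retr", r"==> RETR \S+ \.\.\. done\.")]
START = re.compile(r"^--(\d\d):(\d\d):(\d\d)--", re.M)

def parse_attempts(log):
    # Split the log at each '--HH:MM:SS--' marker and record how far that attempt got.
    marks = list(START.finditer(log))
    attempts = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(log)
        body, reached = log[m.end():end], "none"
        for name, pattern in STAGES:
            if not re.search(pattern, body):
                break
            reached = name
        h, mi, s = map(int, m.groups())
        attempts.append({"t": h * 3600 + mi * 60 + s, "reached": reached})
    return attempts

def summarize(log):
    attempts = parse_attempts(log)
    t = re.search(r"wget -T (\d+)", log)
    gaps = [b["t"] - a["t"] for a, b in zip(attempts, attempts[1:])]
    # Retries spaced at about the -T value are consistent with each attempt waiting
    # out the read timeout (an inference from timing; wget does not log it).
    stalled = bool(t and gaps) and all(0 <= g - int(t.group(1)) <= 10 for g in gaps)
    return {"reached": [a["reached"] for a in attempts], "gaps_s": gaps, "stalled": stalled}
```

On the failing sample every attempt stops at `tcp_connect` with retries 123 seconds apart against `-T 120`, while the normal sample reaches `retr`.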


Re: Convert IAP205 to CAP error

I think it has something to do with MTU. If I convert the IAP to RAP, it works without any issue.

The link is over a private WAN link that is provided by one of the big telecom providers in BE. I think it is MTU related, since RAP is using 1200 bytes via port 4500 while the CAP is using 1500 in its initial connection to the controller via FTP, if I am not mistaken?

Thomas