Occasional Contributor I
Posts: 9
Registered: ‎03-30-2012

OAW-6000 and AP61 connected remotely with VPN connection

Hello,

I would like to check something with my configuration.
I have one OAW-6000 Aruba controller (firmware: ArubaOS 5.0.4.2) connected in my datacenter. In another place, I have 11 AP61s connected to a router with an IPsec VPN connection to the datacenter. The AP61s have never been connected to this controller on the same LAN.
The Aruba 6000 controller is configured with control plane security enabled and auto cert provisioning enabled. The virtual AP is configured in bridge mode.
When I connect an AP61, I can see it in my controller, but the AP is not able to install its certificate.
My question is: is it possible to manage access points like that with Aruba, or do I have to install a local controller?
Is there a way to manually install a certificate on an AP61?
I know that if I connect an AP on the same LAN as my controller, the certificate will be installed and then I'm able to install the AP at the other site. But the sites are not close to each other!

Many thanks for your answers.

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: OAW-6000 and AP61 connected remotely with VPN connection


Try typing "show log system 50" at the command prompt to see if there is anything noticeable.

 

With that being said, an ap could possibly not come up over a site to site VPN tunnel due to the MTU.  If you edit that ap group and then go into the ap system profile, change the MTU to 1200 and see if that fixes it.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 9
Registered: ‎03-30-2012

Re: OAW-6000 and AP61 connected remotely with VPN connection

Hi

 

First of all, many thanks for your quick answer.

 

With your command line, I get this log:

 

Apr 2 10:37:37 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
Apr 2 10:39:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
Apr 2 10:41:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
Apr 2 10:43:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
Apr 2 10:45:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
Apr 2 10:47:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
Apr 2 10:49:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
Apr 2 10:51:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)

 

I don't understand why it's recognized as an unsecure AP, because control plane security is enabled and auto-cert provisioning is on for all IP addresses?

And I have already tried to switch the SAP MTU to 1200, but with the same result.

 

If you have any other idea, it will be great!

 

Many thanks again.

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: OAW-6000 and AP61 connected remotely with VPN connection

That message certainly means that the access point does not have a certificate when it needs to, because CPSEC is on. What version of code is this, and is this access point new to this network?

 



Colin Joseph
Aruba Customer Engineering
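
A small parser for the warnings quoted in this thread, added here as an example (it is not part of the original posts and is not Aruba code). It groups the 305048 "Dropping unsecure AP message" lines by AP so the APs the controller is rejecting for lack of a CPSEC certificate can be listed; the line format is taken from the post, while the second AP and the noise line in the sample input are constructed.

```python
import re

# Sample input: the first two lines are from the thread, the last two are
# constructed for this example (a second AP and an unrelated line).
SAMPLE_LOG = """\
Apr 2 10:37:37 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
Apr 2 10:39:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
Apr 2 10:40:00 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.7 (MAC address 00:1A:1E:00:00:01)
some unrelated line that must be ignored
"""

# Matches only the warning shown in the thread (log ID 305048, process stm).
DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) :305048: <WARN> \|stm\| "
    r"Dropping unsecure AP message code (?P<code>\d+) from AP at "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(MAC address (?P<mac>[0-9a-fA-F:]{17})\)"
)


def summarize_cpsec_drops(log_text):
    """Group 'Dropping unsecure AP message' warnings by AP MAC address.

    Returns {mac: {"ip", "count", "codes", "first", "last"}}; lines that do
    not match the warning format are skipped.
    """
    aps = {}
    for line in log_text.splitlines():
        m = DROP_RE.match(line.strip())
        if not m:
            continue
        mac = m["mac"].lower()  # normalise case so one AP is one key
        entry = aps.setdefault(
            mac,
            {"ip": m["ip"], "count": 0, "codes": set(),
             "first": m["ts"], "last": m["ts"]},
        )
        entry["count"] += 1
        entry["codes"].add(int(m["code"]))
        entry["last"] = m["ts"]  # log is chronological, so last match wins
    return aps


if __name__ == "__main__":
    for mac, info in summarize_cpsec_drops(SAMPLE_LOG).items():
        print(f"{mac} at {info['ip']}: {info['count']} dropped message(s), "
              f"codes {sorted(info['codes'])}, {info['first']} to {info['last']}")
```
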


Occasional Contributor I
Posts: 9
Registered: ‎03-30-2012

Re: OAW-6000 and AP61 connected remotely with VPN connection

Hi cjoseph,

 

"That message certainly means that the access point does not have a certificate when it needs to, because CPSEC is on. What version of code is this, and is this access point new to this network?"

In red: I don't understand your question. You mean: what's the ArubaOS version?

For the AP, it's a new one to this network. It was connected to another Aruba controller. I have run a "purgeenv" command on it and I have configured all IP and master configuration manually.

 

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: OAW-6000 and AP61 connected remotely with VPN connection

What version of Aruba code is this on the current controller?  What was the code of the controller that the AP61 was used with before?

 

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 9
Registered: ‎03-30-2012

Re: OAW-6000 and AP61 connected remotely with VPN connection

 

Now:

Aruba OS version: 5.0.4.2 build 30773
compiled: 2011-10-20 at 22:53:13 PDT (build 30773) by p4build
rom: System Bootstrap, Version CPBoot 1.1.6 (Aug 9 2004 - 11:56:58)

Before:

ArubaOS: AOS-W 3.1.0.13 build 15591

 

 

 

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: OAW-6000 and AP61 connected remotely with VPN connection

Do you have any other AP61s from that other controller that you can bring up at your corporate main site, and not a remote site to see if it works?

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 9
Registered: ‎03-30-2012

Re: OAW-6000 and AP61 connected remotely with VPN connection

I have already tried to take one of these AP61s and connect it locally to my Aruba 6000 controller. In this case, the controller generates a CSR and then installs it on the AP, and everything works. And if I take this AP and connect it to my remote site through the VPN, it works! But I can't install the CSR through the VPN!
The process, config and AP are the same, but the controller never wants to install the CSR remotely!

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: OAW-6000 and AP61 connected remotely with VPN connection


Okay,

 

First things first: Alcatel APs connecting to Aruba controllers and vice versa is not supported because there is no formal testing, so it is not guaranteed to work, even though it does.

Secondly, the mechanism that is used to distribute certificates to non-cpsec devices does not get the MTU parameter until after it has connected to the controller successfully WITH a certificate, so you probably need to first provision access points local to the controller, get the certificate and then send them to be installed on the other side of the VPN; but you probably already know that...

 



Colin Joseph
Aruba Customer Engineering
