Occasional Contributor II

Reprovisioning Offline RAPs

Hey guys,

 

I've reprovisioned a RAP to change its AP group. I just changed the group and ignored the FQLN parameters, so I guess that the only parameters that were changed were those.

 

Anyway the RAP (AP-105) is now offline so it can't pass ipsec sa, so I think this is like an authentication issue.

 

Here's the reprovisioned log.

 

Mar  6 14:08:56  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<clear provisioning-ap-list > -- command executed successfully
Mar  6 14:08:56  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap read-bootinfo ap-name "AP-QRO-01" > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap copy-provisioning-params ap-name "AP-QRO-01" > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap installation default > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap no external-antenna > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap no master > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap ap-group "APG-AP-FORANEA" > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap ap-name "AP-QRO-01" > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap no syslocation > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap remote-ap > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap no fqln > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap reprovision ap-name "AP-QRO-01" > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<clear provisioning-ap-list > -- command executed successfully
Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<clear provisioning-params > -- command executed successfully

 

 

And here is the log of SAs

 

(MXMEXWLANMASTER01) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP      
------------     ------------   -----     ---------------   ----------      
10.49.164.127    10.49.124.1    r-m-p-x-R Mar  6 09:23:24   192.168.69.4     
10.49.124.3      10.49.124.2    r-a-p     Mar  6 11:57:22          -         

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 2

(MXMEXWLANMASTER01) #show crypto ipsec sa

IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP      
------------     ------------     -----------         -----------         -----  ---------------   --------
10.49.124.3      10.49.124.2      10.49.124.3/32      10.49.124.2/32      T      Mar  6 14:23:08     -              

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 1

 

IP address 10.49.164.127 is the outer IP of the AP

 

Is there a way to ensure the AP has all the correct parameters?

 

Regards,

Aruba Employee

Re: Reprovisioning Offline RAPs

I'm pretty sure the only way to know is when it comes back up and connects to its controller.

Occasional Contributor II

Re: Reprovisioning Offline RAPs

Yeah, I guess that it doesn't have the right parameters, as it is not coming up.

Is there a way to reprovision it remotely?


I mean, this is a RAP and there is nobody on site who can unmount the AP and connect a console cable to reset it.

Aruba Employee

Re: Reprovisioning Offline RAPs

Unfortunately, if it's not coming up after you changed those parameters, it's going to have to be set back to factory defaults and reprovisioned from scratch.

Aruba Employee

Re: Reprovisioning Offline RAPs

You can try power cycling the RAP to see if it is able to recover and connect successfully. The RAP could be stuck in a weird state, which should be cleared when you power cycle the RAP.

Occasional Contributor II

Re: Reprovisioning Offline RAPs

Great! I'll try it

 

Thanks bpudugramam.

 

Aruba Employee

Re: Reprovisioning Offline RAPs

"Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx COMMAND:<provision-ap no master > -- command executed successfully"

 

Just curious, why did you pull the master config off the AP?

Occasional Contributor II

Re: Reprovisioning Offline RAPs

 

Honestly, I don't know. What I did was enter the provisioning page, change the AP group, check the remove FQLN option, and leave everything else unchanged, as I thought it would be transparent for the AP and what I really needed was to change the AP group only.

 

And the AP was working fine previously with the old AP group:

 

(MXMEXWLANMASTER01) #show ap active

Active AP Table
---------------
Name            Group               IP Address     11g Clients  11g Ch/EIRP/MaxEIRP  11a Clients  11a Ch/EIRP/MaxEIRP  AP Type  Flags  Uptime       Outer IP
----            -----               ----------     -----------  -------------------  -----------  -------------------  -------  -----  ------       --------
AP-QRO-01       APG-RAP             192.168.69.4   0            AP:HT:11/20/20       0            AP:HT:149+/24/24     105      R      21h:18m:3s   10.49.164.127

 

Aruba Employee

Re: Reprovisioning Offline RAPs

Oh, ok, I see, this was from the provisioning page.  It looks like when you did that there was no master controller specified so there was a "no" issued on the master and that AP most likely doesn't know how to get to its master at this point.

 

Any luck on the reboot?

Occasional Contributor II

Re: Reprovisioning Offline RAPs

That's right, I checked the AP's config and saw that there was no master and server IP. What I don't understand is why the ISAKMP SA could be established and the IPsec SA couldn't.

 

I guess that, so that this won't happen again, I'll ask the customer to add the controller to their DNS server.

 

Anyway, I had to ask somebody to reprovision the AP, and now it is working fine.

 

Thank you very much for your help Mike
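
As an added example (not part of the original thread and not Aruba tooling): a small Python check over controller audit lines in the format quoted above. It flags a `provision-ap reprovision` of a remote AP issued after `provision-ap no master`, the sequence the thread identifies as leaving the RAP without a path to its controller. The sample log is constructed from the quoted lines; the `provision-ap master 192.0.2.10` line, the AP name `AP-EXAMPLE-02` and the function name are assumptions made for illustration.

```python
import re

# Matches the webui audit lines quoted in the thread.
CMD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8})\s+webui\[\d+\]: USER:(?P<user>\S+) "
    r"COMMAND:<(?P<cmd>.*?)\s*> -- command executed successfully")

def find_masterless_reprovisions(log_text):
    """Return one finding per `provision-ap reprovision` issued while the
    staged parameters had `remote-ap` set and the master explicitly cleared."""
    findings, staged = [], {}
    for line in log_text.splitlines():
        m = CMD_RE.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"].strip()
        if cmd.startswith("clear provisioning-"):
            staged = {}                          # staging area wiped
        elif cmd == "provision-ap no master":
            staged["master"] = None              # explicit removal
        elif cmd.startswith("provision-ap master "):
            staged["master"] = cmd.split(None, 2)[2]
        elif cmd == "provision-ap remote-ap":
            staged["remote_ap"] = True
        elif cmd.startswith("provision-ap reprovision "):
            ap = re.search(r'ap-name "([^"]+)"', cmd)
            # "unset" means the master was never touched in this batch.
            if staged.get("remote_ap") and staged.get("master", "unset") is None:
                findings.append({"time": m["ts"], "user": m["user"],
                                 "ap": ap.group(1) if ap else None})
    return findings

# Constructed sample: first batch mirrors the thread, second sets a master.
_FMT = ("Mar  6 14:09:04  webui[1410]: USER:admin@xxx.xxx.xxx.xxx "
        "COMMAND:<{} > -- command executed successfully")
SAMPLE_LOG = "\n".join(_FMT.format(c) for c in [
    'provision-ap copy-provisioning-params ap-name "AP-QRO-01"',
    'provision-ap no master',
    'provision-ap ap-group "APG-AP-FORANEA"',
    'provision-ap remote-ap',
    'provision-ap reprovision ap-name "AP-QRO-01"',
    'clear provisioning-params',
    'provision-ap master 192.0.2.10',            # constructed value
    'provision-ap remote-ap',
    'provision-ap reprovision ap-name "AP-EXAMPLE-02"',
])

if __name__ == "__main__":
    for f in find_masterless_reprovisions(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} reprovisioned RAP {f['ap']} with no master")
```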

 
