Wireless Access

 have an Aruba 3200XM controller and I have a RAP-2WG that is located remotely and it has been connecting to the mobility controller fine for several weeks. 

They now would like to have another RAP located on their second floor for users who cannot access the RAP because of distance limitations.  I configured a RAP3 in my office and tested using an external network.  I was able to connect to our local resources as needed.  When they took this device to the customer and connected it to the same network as the RAP-2WG it would not connect.  As soon as the RAP-2 was disconnected the RAP3 came up without fail. 

I would like to be able to connect both devices to the same network yet on separate floors.  I assume both floors share the same VLANS, but I do not have access to their network at all.

I thought maybe that the secondary device was acting as a backup or standby unit and that may have been why only one device will work at a time. 

One thing I did notice is that on the controller under Monitor-->Controller --> Access Points no matter what RAP they have connected at the remote site the Enet1 column says standby.  All of my other RAP devices say Wired Port.  When the device was connected to my other external network it said wired. 

 If anyone could point me in the right direction I would very much appreciate it!

Make sure those two devices don't have the same name.

The reason you are probably seeing "standby" is because there's nothing connected to that port  and its not active

The "AP Name" is different.  They also are assigned to two different "AP Groups"

The SSID and password is the same. 

You should probably enable logging level debugging ap-debug <apname> and see if the logs tell what might be the issue.

Do you see any flags on the RAP2 when you connect the RAP3 when you run the show ap database | include <apname>

I will try this and let you know what results i get.

thank you !!

The issue may be the site router has IPSEC "passthrough" or "fixup" support.    The IPSEC tunnels will use native IPSEC transport if the NAT router at the site (typical of Linksys, netgear, etc on commodity internet service connection) with these enabled.   It won't switch to NAT-T transport over UDP unless it fails native IPSEC first.   The issue then is the NAT router typically can only track the one IPSEC session and send responce packets to the internal RAP address.   When you use two RAPs only the last RAP IP that entered the state table for the IPSEC fixup/passthrough function will work correctly.   This usually is the last that came online, and it breaks the first RAPs tunnel - which eventually causes the RAP to reboot and then it comes online and works and kicks off the other, rinse and repeate...

If you disable the feature in the local router, both RAPs will fall back to NAT-T transport and use UDP.  The basic source port NAT functionality in the router will then be able to track the two NAT-T sessions independantly and both RAPs will come online.

Just an update on this issue... I was not having an issue with having two RAP's connected on the same network at all... what was happening was that I had a license issue.  I only had licenses for 8 devices.  When i disconneted one,(being the 8th device)  the other one would connect to the mobility controller without an issue.

thanks for all your help!