Wireless Access

Contributor II

Verify if ports are open between AP and controller?

Hi,

I have an installation with a HQ and several sub locations. The HQ is the only one with an internet connection and all sub locations have leased lines towards the HQ. My access points at the HQ show up normally and work fine, whereas the sub locations would only join in the default group, but nothing more; I couldn't provision them.

So I attached the APs for the sub locations at the HQ, configured them, and installed them at the sub locations. On the controller they now appear in the right group, but with the flag ID (Inactive, Dirty or no config). Even a reboot or provision command from the controller won't do anything.

Is there a way to check what's causing this issue, or is it just checking every option and hoping for the best?

Tom

Guru Elite

Re: Verify if ports are open between AP and controller?

You can type "show datapath session table <ip address of AP>" to see what ports are being sent back and forth between the AP and the controller.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II

Re: Verify if ports are open between AP and controller?

The first 2 results are from AP connected at HQ, the others are from the sub locations.

(Controller) #show datapath session table 90.0.0.81


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop
       A - Application Firewall Inspect


Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
90.0.0.226      90.0.0.81       17   8494  8211   0/0     0    0   1   0/0/0       15   2          424        FI
90.0.0.81       90.0.0.226      17   8211  8224   1/0     0    0   0   local       2    0          0          FYI
90.0.0.226      90.0.0.81       17   8421  8211   0/0     0    0   0   0/0/0       2    0          0          FYI
90.0.0.81       90.0.0.226      17   8211  8419   0/0     0    0   1   0/0/0       9    0          0          FYCI
90.0.0.81       90.0.0.226      17   8211  8222   0/0     0    0   0   0/0/0       3    0          0          FYCI


90.0.0.226      90.0.0.81       17   8222  8211   0/0     0    0   1   0/0/0       3    0          0          FYI
90.0.0.226      90.0.0.81       47   0     0      0/0     0    0   0   0/0/0       3169 12207      1218422    F
90.0.0.226      90.0.0.81       17   8224  8211   0/0     0    0   0   local       2    1          387        FCI
90.0.0.226      90.0.0.81       17   8211  8211   0/0     0    0   1   0/0/0       1e   0          0          FYI
90.0.0.81       90.0.0.226      17   8211  8494   0/0     0    0   1   0/0/0       15   0          0          FYCI


90.0.0.81       90.0.0.226      47   0     0      0/0     0    40  0   0/0/0       3169 27686      4549703    FC
90.0.0.81       90.0.0.226      17   8211  8211   0/0     0    0   0   0/0/0       1e   24         13667      FCI
90.0.0.81       90.0.0.226      17   8211  8421   0/0     0    0   0   0/0/0       2    0          0          FYCI
90.0.0.226      90.0.0.81       17   8419  8211   0/0     0    0   0   0/0/0       9    0          0          FYI
(Controller) #show datapath session table 90.0.0.58


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop
       A - Application Firewall Inspect


Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
90.0.0.58       90.0.0.226      17   8211  8211   1/0     0    0   0   0/0/0       7    12         6575       FCI
90.0.0.58       90.0.0.226      47   0     0      0/0     0    40  1   0/0/0       2ee8 12087      1201599    FC
90.0.0.58       90.0.0.226      17   8211  8494   1/0     0    0   0   0/0/0       2    0          0          FYCI
90.0.0.226      90.0.0.58       17   8494  8211   0/0     0    0   0   0/0/0       2    2          256        FI
90.0.0.226      90.0.0.58       17   8419  8211   0/0     0    0   0   0/0/0       1    1          508        FI


90.0.0.58       90.0.0.226      17   8211  8419   1/0     0    0   0   0/0/0       1    0          0          FYCI
90.0.0.58       90.0.0.226      17   8211  8224   0/0     0    0   1   local       18   0          0          FYI
90.0.0.226      90.0.0.58       17   8211  8211   0/0     0    0   0   0/0/0       7    0          0          FYI
90.0.0.58       90.0.0.226      17   8211  8222   1/0     0    0   0   0/0/0       7    0          0          FYCI
90.0.0.226      90.0.0.58       17   8224  8211   0/0     0    0   0   local       18   2          774        FCI


90.0.0.226      90.0.0.58       47   0     0      0/0     0    0   0   0/0/0       2ee8 11590      1157157    F
90.0.0.226      90.0.0.58       17   8222  8211   0/0     0    0   0   0/0/0       7    2          208        FI
(Controller) #show datapath session table 90.0.1.80


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop
       A - Application Firewall Inspect


Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
90.0.1.80       90.0.0.226      17   8211  8211   0/0     0    0   0   0/0/0       c    3          3952       FCI
90.0.0.226      90.0.1.80       17   8211  8211   0/0     0    0   1   0/0/0       c    0          0          FYI
90.0.0.226      90.0.1.80       17   8222  8211   0/0     0    0   1   0/0/0       c    0          0          FYI
90.0.1.80       90.0.0.226      17   8211  8222   0/0     0    0   1   0/0/0       c    0          0          FYCI
(Controller) #show datapath session table 90.0.2.81


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop
       A - Application Firewall Inspect


Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
90.0.2.81       90.0.0.226      17   8211  8222   0/0     0    0   1   0/0/0       11   0          0          FYCI
90.0.0.226      90.0.2.81       17   8222  8211   0/0     0    0   1   0/0/0       11   0          0          FYI
(Controller) #show datapath session table 90.0.3.82


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop
       A - Application Firewall Inspect


Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
90.0.3.82       90.0.0.226      17   8211  8222   0/0     0    0   1   0/0/0       11   0          0          FYCI
90.0.0.226      90.0.3.82       17   8211  8211   0/0     0    0   4   0/0/0       49   0          0          FYI
90.0.0.226      90.0.3.82       17   8222  8211   0/0     0    0   1   0/0/0       11   0          0          FYI
90.0.3.82       90.0.0.226      17   8211  8211   0/0     0    0   1   0/0/0       49   10         13206      FCI

Guru Elite

Re: Verify if ports are open between AP and controller?

Protocol 47 (GRE) does not look like it is being passed. Typically GRE packets have larger sizes and get dropped in some WAN environments. I would edit the AP System Profile in that ap-group and set the SAP MTU to something like 1400, to start.



Colin Joseph
Aruba Customer Engineering
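
The check described in this reply can be automated. The following is an added example, not part of the original thread and not Aruba code: it parses pasted "show datapath session table" output and lists the APs that have no protocol 47 (GRE) packets in both directions. The function names are hypothetical; the sample rows are excerpted from the tables posted above.

```python
import ipaddress
from collections import defaultdict

CONTROLLER = "90.0.0.226"      # controller address as it appears in the posted tables
GRE, UDP, CTRL_PORT = 47, 17, 8211   # UDP 8211 is PAPI, the AP-controller control channel

# Rows excerpted from the posted output: one HQ AP (90.0.0.81), one sub-location AP (90.0.1.80).
SAMPLE = """\
Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
90.0.0.226      90.0.0.81       47   0     0      0/0     0    0   0   0/0/0       3169 12207      1218422    F
90.0.0.81       90.0.0.226      47   0     0      0/0     0    40  0   0/0/0       3169 27686      4549703    FC
90.0.0.81       90.0.0.226      17   8211  8211   0/0     0    0   0   0/0/0       1e   24         13667      FCI
90.0.1.80       90.0.0.226      17   8211  8211   0/0     0    0   0   0/0/0       c    3          3952       FCI
90.0.0.226      90.0.1.80       17   8211  8211   0/0     0    0   1   0/0/0       c    0          0          FYI
90.0.0.226      90.0.1.80       17   8222  8211   0/0     0    0   1   0/0/0       c    0          0          FYI
"""

def parse_sessions(text):
    """Yield (src, dst, proto, sport, dport, packets) for each data row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14:
            continue                      # legend, title and blank lines
        try:
            ipaddress.ip_address(f[0])    # rejects the dashed separator row
        except ValueError:
            continue
        # f[10] (TAge) is hexadecimal in this output, so it is left unparsed.
        yield f[0], f[1], int(f[2]), int(f[3]), int(f[4]), int(f[11])

def summarize(text, controller=CONTROLLER):
    """Per AP, sum packets for GRE and UDP 8211 in each direction."""
    stats = defaultdict(lambda: dict(gre_from_ap=0, gre_to_ap=0,
                                     ctrl_from_ap=0, ctrl_to_ap=0))
    for src, dst, proto, sport, dport, pkts in parse_sessions(text):
        ap, way = (dst, "to_ap") if src == controller else (src, "from_ap")
        if proto == GRE:
            stats[ap]["gre_" + way] += pkts
        elif proto == UDP and CTRL_PORT in (sport, dport):
            stats[ap]["ctrl_" + way] += pkts
    return dict(stats)

def gre_missing(text, controller=CONTROLLER):
    """APs without GRE packets flowing both to and from the controller."""
    return sorted(ap for ap, s in summarize(text, controller).items()
                  if not (s["gre_from_ap"] and s["gre_to_ap"]))

if __name__ == "__main__":
    print("APs with no two-way GRE:", gre_missing(SAMPLE))
```

An AP that shows UDP 8211 packets but appears in the `gre_missing` list matches the pattern seen for the sub-location APs: control traffic arrives, the GRE tunnel does not.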


Contributor II

Re: Verify if ports are open between AP and controller?

I'll get them to check that and make sure port 47 is allowed. If I edit the SAP MTU size, will the AP actually receive those details? Because when I click provision or AP reboot from the controller GUI, nothing happens to the AP.

Guru Elite

Re: Verify if ports are open between AP and controller?

Not port 47, PROTOCOL 47, which is GRE.



Colin Joseph
Aruba Customer Engineering


Contributor II

Re: Verify if ports are open between AP and controller?

MY BAD! I meant protocol :)

Guru Elite

Re: Verify if ports are open between AP and controller?

9/10 times, GRE gets blocked due to MTU on a WAN link.



Colin Joseph
Aruba Customer Engineering
