Wireless Access

Just upgraded an M3 to 6.1.3.2 - and it would not allow more than 100 active AP's.   I have licensing to support upto 512.

I did have cpsec enabled - but auto-provisioning was on as well (also didn't appear to help when I turned it off)

I reverted back to 5.0.4.3 - but same limit appeared.   Some cryptic elemnts in the logs and  I've grabbed some logs and opened a case with TAC - but wondering if I got something in the config that didn;t take effect unitl my reboot.   But I'm not aware of a config option that would limit # of active AP's below your license limit....   looks like the AP's are comming up OK on my N+1 controller - also upgraded to 6.1.3.2 today...

though some AP's appears to be having trouble with certificates

Anything to check as I wait for TAC?

Do you have all the licenses required?  If you have PEF-NG or RFP licenses, you will be limited to the smallest number of licenses.

If you do "show ap database" from the CLI, do you see more than 100 APs?  If so, do they have flags in the far right column?

---

@olino wrote:

Do you have all the licenses required?  If you have PEF-NG or RFP licenses, you will be limited to the smallest number of licenses.

 

If you do "show ap database" from the CLI, do you see more than 100 APs?  If so, do they have flags in the far right column?

---

I am using PEF licenses - but have 512 of those installed.

sho ap database - shows 380 devices - these ones that were up while cpsec enabled had the expected 2 flag

the others were down and had no flags

I did notice that I was seeing AP ip addresses in the user table - with no MAC - in the logon role with an auth of "TRANSPORT-VPN"   which I have not seen before

Try this:

(host) #  show license-usage ap

AP Licenses
-----------
Type                      Number
----                      ------
AP Licenses               10
RF Protect Licenses       10
PEF Licenses              10
Overall AP License Limit  10

AP Usage
--------
Type            Count
----            -----
CAPs            2
RAPs            0
Tunneled nodes  0
Total APs       2

Remaining AP Capacity
---------------------
Type  Number
----  ------
CAPs  8                                           
RAPs  8

(host) # 

#show license-usage ap
Total AP Licenses : 512
AP Licenses Used : 0
MUX Licenses Used : 0
Unused AP Licenses : 512
Licenses used for Campus AP's : 0
Available Campus AP's : 512
Licenses used for Remote AP's : 0
Available Remote AP's : 512
Total Ortronics AP Licenses : 0
Ortronics AP Licenses Used : 0
Total Indoor Mesh AP's Supported : 2048
Indoor Mesh AP's Active : 0
Total Outdoor Mesh AP's supported : 2048
Outdoor Mesh AP's Active : 0
Total PEF Licenses : 512
PEF Licenses Used : 0
Total 802.11n-120abg Licenses : 0
802.11n-120abg Licenses Used : 0
Total 802.11n-121abg Licenses : 0
802.11n-121abg Licenses Used : 0
Total 802.11n-124abg Licenses : 0
802.11n-124abg Licenses Used : 0
Total 802.11n-125abg Licenses : 0
802.11n-125abg Licenses Used : 0

and the output of "show keys"

---

@cjoseph wrote:

and the output of "show keys"

 

---

#show keys
Licensed Features
-----------------
Feature Status
------- ------
Access Points 512
Remote Access Points 512
Ortronics Access Points 0
Outdoor Mesh Access Points 2048
Wireless Intrusion Protection Module 0
Voice Service Module Unlimited
VPN Server Module 8192
xSec Module 0
Indoor Mesh Access Points 2048
120abg Upgrade 0
121abg Upgrade 0
124abg Upgrade 0
125abg Upgrade 0
Application-Acceleration Remote APs 0
Next Generation Policy Enforcement Firewall Module 512
bSec Module 0
Service provider AP 0
WLAN Switch ENABLED
Wireless Intrusion Protection DISABLED
Policy Enforcement Firewall ENABLED
Remote APs ENABLED
External Services Interface ENABLED
Client Integrity Module ENABLED
VPN Server ENABLED
xSec Module DISABLED
MMC AP DISABLED
Netgear AP DISABLED
Voice Services Module ENABLED
Ortronics AP DISABLED
Mesh Point APs ENABLED
AP Developers Module DISABLED
Internal Test Functions DISABLED
Public Access DISABLED
Application Acceleration DISABLED
Policy Enforcement Firewall for VPN users DISABLED
Content Security DISABLED
bSec Module DISABLED
Service Provider Access Point DISABLED

There are no aps on that server.  Is that the one you are having problems with?  What version of ArubaOS is this?

Currently I have the AP's on their backup LMS -   I'm running 6.1.3.2 on this controller.

Am I running into issues with having cpsec enabled - but no whitelist syncing between my LMS and backup LMS?

I was thinking that auto-cert provisioning should handle things, although a bit slower than having the campus ap whitelist synced between the LMS and backup LMS that are setup as stand-alone masters - since the cert provisioning will force a reboot.

tschick,

If you are working with support, please continue to work with support and let us know how far you get.  This seems to be a bit more than a routine licensing issue.

Looks like it comes down to an issue with AP70's, cpsec and multiple stand alone master controllers running n+1 redundancy.

Why I only saw 100 AP's well technically I had 109 AP 105 and AP 125 on this controller - all others with AP70's - don't think my scroll back buffer goes back far enough - but I'm gonna take a hunch the 100 AP's I saw were just the ap105's and ap125's

so the issue is that AP70's need to download a cert from the controller - if an ap70 swiches to a backup controller/premptively moves back to home controller with a differnet cert it can get into a state where it is unable to replace the cert from a previous controller.  If you are lucky you can manually approve the AP in the whitelist-db (even if auto-cert-prov is enabled).... in other cases looks like console access and purging the AP is required (still needed to manually approve on my provisioning controller)

It also seems somehow dependent upon the cert already installed/controller moving to/from - sometimes It works fine.