The AirWave 8.2.3 release introduces a new interface, docker0, which is used for bridging in virtualization. The docker0 interface picks an IP address from its default pool (172.17.0.0/16), which might match some other device in the same network. When that happens, communication between AirWave and devices in the 172.17.0.0/16 subnet might fail.
To fix this, we can disable or delete the docker0 interface. However, instead of permanently disabling it, we can change its IP address to a loopback address or any other non-routable IP. This ensures that current network devices are not impacted, and you can still use the docker interface if needed.
Run the following commands from the AirWave support shell:
Stop the service
- service docker stop
Bring the interface down
- ip link set dev docker0 down
Delete the interface
- brctl delbr docker0
Modify the configuration to use the new IP address
- vi /etc/sysconfig/docker
- add: --bip=x.x.x.x/xx to the other_args="" line so it looks like this now:
Start the service
- service docker start
Run ifconfig to confirm that docker0 has been changed.
We can also delete this interface if required:
[root@localhost mercury]# sudo ip link delete docker0 type bridge
[root@localhost mercury]# service network restart
Note: If you decide to delete the interface, docker0 will not show up in the output of ifconfig -a.
[root@localhost mercury]# ifconfig -a
docker0 Link encap:Ethernet HWaddr 0E:64:FF:8A:79:B1
inet addr:127.0.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth0 Link encap:Ethernet HWaddr 00:0C:29:83:F0:A1
inet addr:10.9.211.155 Bcast:10.9.211.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe83:f0a1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:73216 errors:0 dropped:0 overruns:0 frame:0
TX packets:46023 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:22175910 (21.1 MiB) TX bytes:24732844 (23.5 MiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:83:F0:AB
inet addr:192.168.1.135 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe83:f0ab/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15489 errors:0 dropped:0 overruns:0 frame:0
TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:1185883 (1.1 MiB) TX bytes:13383 (13.0 KiB)
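A check to run after the procedure above, as an added example that is not part of the original article: it parses `ip -o -4 addr show` output and reports any docker0 address that still overlaps a network AirWave must reach. The sample address list and the managed networks 172.17.20.0/24 and 10.9.211.0/24 are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original article): report bridge addresses that
# overlap networks the management server has to reach.

# Constructed sample of `ip -o -4 addr show` output. docker0 carries the new
# loopback-range address plus a leftover default-pool address.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.9.211.155/24 brd 10.9.211.255 scope global eth0
3: eth1    inet 192.168.1.135/24 brd 192.168.1.255 scope global eth1
4: docker0    inet 127.0.0.2/16 scope host docker0
4: docker0    inet 172.17.0.1/16 scope global docker0'

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  _rest=$1
  _a=${_rest%%.*}; _rest=${_rest#*.}
  _b=${_rest%%.*}; _rest=${_rest#*.}
  _c=${_rest%%.*}; _d=${_rest#*.}
  echo $(( ($_a << 24) | ($_b << 16) | ($_c << 8) | $_d ))
}

# Succeed when two CIDR blocks share any address: they overlap exactly when
# they agree on the shorter of the two prefixes.
cidr_overlap() {
  _l1=${1#*/}; _l2=${2#*/}
  if [ "$_l1" -lt "$_l2" ]; then _len=$_l1; else _len=$_l2; fi
  if [ "$_len" -eq 0 ]; then
    _mask=0
  else
    _mask=$(( (0xFFFFFFFF << (32 - $_len)) & 0xFFFFFFFF ))
  fi
  _n1=$(( $(ip_to_int "${1%/*}") & $_mask ))
  _n2=$(( $(ip_to_int "${2%/*}") & $_mask ))
  [ "$_n1" -eq "$_n2" ]
}

# Usage: bridge_conflicts IFACE NET...   (address list on stdin)
# Prints one line per address on IFACE that overlaps one of the NETs.
bridge_conflicts() {
  _iface=$1; shift
  while read -r _idx _name _fam _addr _junk; do
    [ "$_name" = "$_iface" ] && [ "$_fam" = "inet" ] || continue
    for _net in "$@"; do
      if cidr_overlap "$_addr" "$_net"; then
        echo "$_name $_addr overlaps $_net"
      fi
    done
  done
}

# Managed networks below are constructed values. On a live host, feed real data:
#   ip -o -4 addr show | bridge_conflicts docker0 <managed networks>
printf '%s\n' "$SAMPLE_ADDRS" | bridge_conflicts docker0 172.17.20.0/24 10.9.211.0/24
```

An empty result means no address on the interface overlaps the listed networks.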
The solution is incomplete. After adding the loopback address to docker0, the engineer had to delete the previous 172.17.x.x address with the following steps:
Discover the IP address assigned to docker0: ip addr show dev docker0
Delete the 172.17. address from docker0 with: ip addr del 172.17.x.x/16 dev docker0
What is the logic behind Aruba Networks using an address for docker0 that would conflict with address space already used in a network? Why not use 169.254.x.x space or the loopback address from the start?
After a recent upgrade my IAP sites suddenly appeared as DOWN in the 172.17.0.0/16 space. Not only did this become an unnecessary waste of time troubleshooting, without CLI access the problem is impossible to find or correct yourself. (Did someone at HP think it was a good idea to use 172.17.0.0/16 for docker0?) Please add netstat commands to the show techsupport file.
Our version upgrade for airwave changed Docker0 to the 172.17 address and broke management to our Aruba devices in the 172.17.0.0/16 address space. This is ridiculous. Can someone at Aruba/HP get this really bad decision fixed and change the address of the docker0 interface to its loopback or a 169.254.x.x as previously mentioned in the thread?
You have removed our CLI access that prevents us from using the directions above and resolving this ourselves.
This issue also affects ClearPass when upgrading to 6.6.0 release from earlier releases. docker0 is part of ClearPass extensions, and even though extensions aren't enabled, the interface is created and the address 172.17.0.1 is hard-coded. In my customer's case, 172.17.0.1 is the SVI for their CORE SWITCH. So upgrading ClearPass took out their core network. Needless to say it was a tough one to troubleshoot and required escalation in TAC to get to the root shell. Why on earth did anyone think that hard-coding an IP address into an interface would ever be a good idea?
I don't care as much about the hard coded IP address as using an address range that is commonly used and likely to create a conflict for some networks. That is a really bad decision by HP. I wonder how many networks they are going to cause outages in before HP cares enough to change this. HP could have safely reserved a /24 out of their public address space for this, or used 169.254.0.0/16 as mentioned in my previous post.
@mattGeorge I have an open case with a request to fix this in Airwave. I think the better request is either Aruba dedicates a /24 public network within their IP Space for docker0 or create a second loopback address with a 127.0.0.x. Either works and neither will create problems in the customer network.
@mattGeorge, thanks for the info. Unfortunately the problem came up without us creating or enabling extensions. It just happened when upgrading. We had no notification that this address would be used in any way, and no way of knowing that it came up until it brought down the VLAN.
How to add single or cluster of Instant APs to Aruba Central, in order to start managing them?
After getting an EVAL Aruba Central account, you have to bring the Instant Access Points on board in order to manage them. Central provides an option to add the devices, which this article discusses in more detail:
- Once you log in to Aruba Central, navigate to "All Groups" >> Maintenance >> Device Management
- In the top-right, click on the button that says "Add Devices"
Clicking on "Add Devices" offers three ways to add the devices:
- Device List
- Cloud Activation Key
- Aruba Activate Credentials
Device List:
This option is very straightforward. You need to add the serial numbers and MAC addresses of the Instant Access Points. It allows only 32 devices to be added here.
Cloud Activation Key:
When IAPs are connected to the network, they are programmed to talk to the Activate server. If it is a cluster of IAPs, the elected master talks to the server. A program on the server then decides an activation key and shares it with the IAP. Therefore, only an administrator with access to the IAP via CLI or GUI can find the activation key and add it to Central.
The activation key and MAC address of the master IAP need to be submitted.
Aruba Activate Credentials:
Activate is the backend database. Given the credentials, Central syncs with Activate and fetches the device count.
The list of devices is then brought into Central and shown under "Device Management".
Once added, one can navigate to Maintenance >> Device Management anytime to verify the IAP list.
The remote AP (RAP) white list is the method by which a controller manages which RAPs are allowed to terminate on the controller, which AP group each is assigned to, and so on. The RAP wired MAC address is needed for a certificate-based RAP to establish the IPsec tunnel successfully with the controller.
There are various ways to manage the RAP white list. When you provision the RAP through the controller web interface, the wired MAC address is added to the white list table automatically. However, when you provision the RAP using the Aruba Instant Convert option, you need to enter it manually into the controller. Alternatively, if the entries are available in the Activate server, you can configure the controller to pull the entries into the controller.
This solution allows the user to enter a list of comma-separated RAP wired MAC addresses, and the system generates the configuration code that you can apply to your controller. The three operations supported are add, delete and revoke. Note that the white list command was introduced in the AOS 6.3 release; prior AOS versions use the local-userdb command.
Aruba Mobility Controller 7210 running AOS 18.104.22.168 build 43121
Access Point License.
- [User Guide] Converting IAP to RAP or CAP
IAP Cluster, being monitored or managed on Airwave or Aruba Central.
The VC key is a unique attribute of an IAP cluster, used to communicate with AirWave or Aruba Central. We might need to change the key if it matches that of some other cluster already present in AirWave. That can happen for several reasons, for example if we move an IAP from a different cluster and it becomes master of the new cluster, or if we import a backup from one cluster into another.
We can check the VC key by running the command below on the IAP (VC or Master) CLI:
IAP Master 225# show running-config | include virtual*
and compare it with the IAP clusters already added. If it matches, for the reasons mentioned above or any other, we should change the key so that the IAP communicates smoothly with AirWave.
Since this key is unique, all we need to do is change the last one or two letters/numbers of the key. In the example below, I am changing the last two letters:
IAP Master 225# config t
We now support CLI commit model, please type "commit apply" for configuration to take effect.
IAP Master 225 (config) # virtual-controller-key 797ceb400158cf69b78bbd572087d7d5ec5f4af2da50efbefh
IAP Master 225 (config) # exit
IAP Master 225# commit apply
Once the key is changed, a reload is mandatory for the IAP cluster to start using the new key:
IAP Master 225# reload
We can verify that the key has changed by running the command:
IAP Master 225# show running-config | include virtual*
We can also check the IAP logs to verify that it is using the new key to communicate with AirWave:
IAP Master 225# show log ap-debug
Jan 1 00:03:39 awc: awc_init_connection: 2039: connected to 10.17.164.203:443
Jan 1 00:03:39 awc: awc_init_connection: 2173: Connected
Jan 1 00:03:39 awc: Sent header(len=312) 'POST /swarm HTTP/1.1^M Host: 10.17.164.203^M Content-Length: 0^M X-Type: login^M X-Guid: 797ceb400158cf69b78bbd572087d7d5ec5f4af2da50efbef^M X-Name: instant-C8:21:F8^M X-Organization: sita^MX-Shared-Secret: admin^M X-OEM-Tag: Aruba^M X-Accept-Authentication: PSK,CERT^MX-Ap-Info: CT0201852, 18:64:72:cd:76:96, AP-225^M ^M '
Jan 1 00:03:39 awc: Message over SSL from 10.17.164.203, SSL_read() returned 67, errstr=Success, Message is "HTTP/1.1 401 Unauthorized^M Connection: close^M Content-Length: 0^M ^M ", AWC response: (null)
How do I quickly search a specific Instant AP or Mobility Access Switch on Aruba Central?
Central provides a standard web-based interface that allows you to configure and monitor Instant Access Points (IAPs) and Mobility Access Switches. Integrated in this web interface is a Search text box, which an administrator can use to search for an IAP, Mobility Access Switch, client, notification event, network or label.
When you type a search string, the search function suggests matching keywords and allows you to automatically complete the search string entry. This option proves very handy when a user does not know which AP group a client or IAP is part of.
I want to upload a file on 8.2.4 Airwave server. However, I do not have either a Linux machine or a Mac machine to SCP the file.
Airwave version 8.2.4
We can download Bitvise SSH Server (WinSSHD) for Windows and use it to create an SFTP host on Windows, which can then be used to SCP from AirWave 8.2.4 to Windows.
NOTE: Bitvise SSH Server is free for NON-COMMERCIAL use. You must purchase this software.
Navigate to below URL to download bitvise software:
Click on Download on the Top Menu bar.
Select to download Bitvise SSH Server (WINSSHD) as highlighted below:
Click on the Bitvise Server Installer to download the .exe file. Once downloaded, double-click it to run.
Use Personal Edition instead of the standard to avoid the 30 day Eval.
Launch the Bitvise tool, select the Start server option and set the startup to manual, as highlighted in the fields below:
Now click on Open easy settings under Settings, shown below:
Navigate to Virtual Accounts tab, from the below window:
Click on Add to create a virtual username and password for the WinSSHD server:
I created the username "testing" and set the password accordingly. Leave the shell access type at the default "BvShell". For the root directory, I already had the default TFTP-Root directory on my C: drive, so I used it and got it working:
Click OK to save it.
Place the file that needs to be transferred to AirWave 8.2.4 in the C:\TFTP-Root directory. In the example below, I kept a file called testing:
AirWave Management Platform 8.2.4 on localhost.localdomain
1 Upload File
2 Download File
3 Delete File
10 Custom Commands
q >> Quit
Your choice: 1
SCP Source (user@host:path): testing@<PC IP>:testing.txt
Uploading testing@<PC IP>:testing.txt
testing.txt 100% 14 0.0KB/s 00:00
Hit enter to continue, 's' to show output, 'r' to show return code.
We can also see the audit logs in Bitvise once the transfer completes or fails, in the Bitvise panel >> Activity tab:
As online upgrade failed due to the public CA certificate does exist in AMP, adding it requires root access. Apparently it is not possible to upgrade from 8.2.4 without TAC as it needs root access too.
Is there any workaround?
I set up the Bitvise as shown but how do I then get the upgrade file up to Airwave and how do I then perform the firmware update as I cannot Putty in as root anymore?!
There seems to be a whole section missing which details what to do from the Airwave GUI to then get the file up from the SSH server.
Question: What should I do if an Aruba controller or Mobility Switch is missing the TPM and/or factory certificates?
Environment: This article applies to the Aruba 7200, 6000, 3000 and 600 series Mobility Controllers and Aruba S3500, S2500 and S1500 Mobility Switches.
You can determine if a controller is missing the TPM and/or factory certificates in two ways:
1. While booting up, the controller displays the following message on the console screen.
Initializing TPM and Certificates
====================== E R R O R =======================
TPM Initialization or Certificate Initialization failed.
For debug information see /tmp/deviceCertLib.log.
If this message appears even after rebooting the device
couple of times, please contact Aruba Networks.
2. The output of the "show tpm cert-info" command executed at the CLI prompt displays the following message:
#show tpm cert-info
Cannot get TPM and Factory Certificate Info.
TPM and/or Factory Certificates might be missing.
If you see these messages, contact Aruba Networks Global Support to process a RMA.
Environment: This article applies to Aruba Instant™ Access Points running Aruba InstantOS 22.214.171.124-126.96.36.199 or higher and managed by Aruba Central.
The amount of data that can be transmitted depends on the width of the channel used in data transmission. By bonding or combining two or more channels together, more bandwidth is available for data transmission. In 2.4 and 5 GHz frequency band, each channel is approximately 20 MHz wide. In 802.11n, two adjacent channels, each of 20 MHz are bonded to get a total bandwidth of 40 MHz. This provides increased channel width to transmit more data.
The trade-off of using channel bonding is that fewer channels remain for other devices. In traditional 2.4 GHz Wi-Fi deployments, where there are only three non-overlapping 20 MHz channels, channel bonding has been found to be harmful. However, channel bonding has more relevance in the 5 GHz frequency range, where there are as many as 23 adjacent non-overlapping channels currently available.
By default, channel bonding is enabled in the 5 GHz band. If the AP density is low, you can enable it in the 2.4 GHz band too, and disable it altogether when there are legacy clients in the network that don't support channel bonding.
Configuring Wide Channel Bands on an IAP managed by Aruba Central.
1. Log in to the Aruba Central Dashboard
2. Navigate to Configuration>RF>ARM and select WIDE CHANNEL BANDS
3. Choose between None, All, 2.4 GHz and 5 GHz
4. Click Save to save the settings
This also allows a mesh point to support LAN bridging, so one can connect any wired device/switch to the downlink eth0 port.
Configuring "Eth0 Bridging"
Verification of communication between clients across the bridge link
Eth0 can be used as a downlink only when the uplink is wireless i.e Mesh Point, Wi-Fi Uplink or 3G uplink
Configuration can be done from AMP (Airwave Management Platform) running Airwave version 7.6 or later
Changes to the Eth0 Bridging Mode will take effect after the IAP is restarted.
The following software and hardware are used in this document to illustrate the concept and configuration steps:
Hardware: Aruba Instant AP-105
Software: Aruba Instant 188.8.131.52-184.108.40.206_36986
Link bandwidth test: Iperf throughput testing tool
Log in to the Instant WebUI
From the list of Access Points, select the IAP and click on "edit" link
Click on "Uplink" tab
Enable "Eth0 bridging" from the dropdown.
To verify the connectivity of the Wi-Fi link, ping tests can be run from the devices connected behind the IAPs.
The Iperf throughput test tool can be used to check the Wi-Fi uplink bandwidth.
Alternatively, copying a large file across the link can reveal the link bandwidth.
Tested with two IAP-105s, one as mesh portal and the other as mesh point with eth0 bridging enabled. An Iperf test on wired clients behind the IAPs showed a bandwidth of 65 to 70 mb/s.
Is that one IAP 103 is connected to the switch act as a mesh portal and other one as the WIFI uplink which is acting as a mesh point and we would like to know if we can have the client connected to mesh point IAP 103 downlink on the other vlan say 400; if that's the case it should work with configuring the uplink mesh portal switch side as a trunk port for the traffic to go through.
When we say IAP 103 is connected to controller as PSK SSID on tunnel mode? Is the AP already converted to campus AP mode on the controller? Please clarify if we are talking about Campus, IAP or IAP mesh or Controller mesh deployment?
Okay. I have IAP103, that has a wifi-uplink. It is connected to a WPA2-PSK SSID (tunnel mode, vlan310) advertised from an AP that is connected to a controller.
With eth0-bridging on the IAP103, can I have the wired port profile configured as access to vlan 400?
Can my wired port profile (be configured as trunk)? I will connect a switch down the IAP103.