This has been plaguing my troubleshooting process for a while now. Whenever my laptop (or any wireless device) is associated to the AP that is acting as the virtual controller, I am unable to access the IAP web configuration. It simply times out. If I walk out of range and associate with one of our other three Aruba IAPs that are not virtual controllers, I am able to get to the web configuration just fine. I am on the same SSID and have the same IP between AP associations, so this does not appear to be a problem with either firewall or ACLs or any kind of network access issue. It seems to be a software issue for some reason.
Does anyone know how to fix this? I am in the middle of troubleshooting a problem with devices being randomly dropped from network access and it's very unhelpful walking around the office with my laptop when I associate with the virtual controller AP and lose all access to the web configuration until I associate to another AP.
Are you trying to use an ip address or fqdn to get to the page?
Any ideas on why this happens?
There could be many reasons, but you should focus on the AP that you have problems with. Can you even ping the IP address that you want to connect to when you are associated to that AP with the problem? If you are not blocking any user traffic, it is typically a routing/switching issue...
I really don't think it is a routing/switching issue if when I associate to another AP in the office that isn't the master or use wired (which is the same IP/VLAN btw) that it works. Not to mention the problem follows the master AP when I promote another AP to the master.
Remove the master from the equation and see if any of the other devices have the same issue. If not, the problem is the physical connection to the master, somehow. If it is not being blocked by some policy or configuration, that could be the only conclusion.
Didn't I already remove the master from the equation when I promoted one of the other APs to the master and the problem followed the master AP? I've already done all of this. It isn't a switching/routing issue, it isn't a firewall issue.
I am just guessing based on the limited information that you have written. Can you even ping the ip address when you are in this situation?
I didn't give you limited information, I gave you quite detailed information that proves that it isn't a switch/routing/firewall issue. If I can connect to it from non-master APs and the problem follows the master AP no matter which IAP is acting as the VC, that rules out any sort of routing or firewall issue and it wouldn't make sense that it would be a switching issue since the AP is performing perfectly fine other than the fact that I can't load the webUI when I am associated with the virtual controller.
Yes when associated to the IAP with the virtual controller I can still ping it, can't get to the web interface. The management section has our whole sysadmin subnet in it, which includes the same IP I have been accessing it from since we first set these up a couple years ago.
I would just open a TAC case. Your responses seem as if our help isn't doing you any good at this point, nor is it being appreciated, based on your responses. They can look at your config and go from there and should be able to get you straightened out. Good luck!
What I don't appreciate is me spending time making this post and giving you all the details then someone to turn around and tell me I didn't provide any details forcing me to repeat everything I've said multiple times. I would appreciate the help if it was helpful or I received help in a timely manner. We went weeks without a response after my last response. Usually I find these forums helpful but today they certainly haven't been.
First, and most importantly, this community forum is supported by the community (both Aruba SEs and by customers and partners) on a volunteer basis, and should not be considered (and certainly IS not) a substitute for TAC/support. If you have a critical operational issue, you should contact TAC at 1-800-WIFILAN for immediate assistance and then your issue will get worked on and hopefully resolved to your satisfaction.
Secondly, in regards to your position that you provided plenty of detail. Your original post did NOT include the detail that your SSID and IAP management are on separate VLANs. That tells us a lot about the pathing for data when it leaves one IAP on user VLAN 66 and is destined to the IAP mgmt VLAN 99. So there IS routing taking place from the WiFi user VLAN to the IAP management VLAN, which could be telling based on your config.
What we would consider plenty of detail would be things like network drawings that show the topology of your network and where the IAPs are in relation to VLANs (for L2/L3), possibly the config from your VC to look at roles and policies, etc. However, it's certainly understandable to not want to post that kind of data, to wit opening a TAC case is the next best step.
You have a pair of fairly experienced engineers with over 20 years combined with Aruba that were working on assisting you on this issue today, and I apologize you went weeks without a response, but again, this forum IS NOT an official support mechanism and if you are having technical issues that require remedy, the proper course of action is TAC. So sometimes support is a catch as catch can, and sometimes things go unanswered. Since our assistance isn't appreciated and you feel we haven't helped you, I would again suggest TAC and wish you the best. If you find the remedy with TAC, please feel free to post the corrective actions or diagnosis here for others. But that is up to you.
Sorry you are disappointed. Good luck and happy hunting.
Yes they are on different VLANs. But it isn't a VLAN problem if I can access them when not connected to the virtual controller IAP. The management IPs are all on the same VLAN as one another, if the problem is following the virtual controller, then there is a problem with the software not the network. So why would I provide details that aren't going to help diagnose the problem? This is troubleshooting 101.
Honestly, I can think of two or three different things I would look at and troubleshoot that would be related to the IAP mgmt and the VC GUI on different VLANs from the WiFi and why a VC would or might not be 'reachable' on the GUI outside of the management, but I would be afraid that my asking for that data/config/tests would be viewed as 'not necessary' heh, so for now I will let you open a TAC case and they can work it out with you instead.
Sometimes things you think don't matter do, but as you feel strongly to the contrary, the best direction is to open a case. We were only trying to help, and we apologize for asking for information you feel is not needed or warranted while trying to help. Good luck and I hope TAC can get you straightened out.
Well now I'm curious. What about the VLANs being different would stop me from connecting to the IAP VC via HTTPS when ONLY associated with that IAP VC, but not stop me when I am connected to the same SSID on other IAPs in the cluster that are all configured similarly AND I have the same IP address? I mean if you want information, I'll give it to you. I just don't like people saying I didn't provide any details when I surely did provide plenty of details. If you want more, I'll give you more, just don't treat me like I am not giving you the information you asked for because all I had been asked up to that point is if I was connecting to it via FQDN or IP address which I gladly answered. If you want to know certain information, then ASK for it, don't just accuse me of not providing enough information.
Is your wireless SSID on a different VLAN from your management VLAN that the IAP interfaces are on, or is it all one big flat VLAN (client IP is in the same broadcast domain as the VC IP)?
Are there any settings in the roles the clients get from the IAP that involve any filtering, or is the role 'authenticated' (any any all)?
Just so I don't leave out any details...
The SSID I am connected to (Employee) is on VLAN66. The management IP of the VC (and the IAPs) is on VLAN99.
The role assigns the user VLAN to the user based on their group membership in LDAP. Other than that, there is nothing in roles.