Controllerless Networks

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget.

IAP Updates fail-Cannot establish SSL

  • 1.  IAP Updates fail-Cannot establish SSL

    Posted Jan 26, 2021 09:54 PM
    Hello all,
    I have been fighting with certificate issues on my instant network. In addition to not being able to reach the update servers, it is preventing me from adding any new IAPs with mismatched firmware. The current error in the logs is below:
    Jan 26 08:29:53 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
    Jan 26 08:29:53 awc[2645]: tcp_connect: 168: recv timeout set to 5
    Jan 26 08:29:53 awc[2645]: tcp_connect: 175: send timeout set to 5
    Jan 26 08:29:53 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
    Jan 26 08:29:53 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
    Jan 26 08:29:53 awc[2645]: awc_init_connection: 2321: Loading local CA certificates again
    Jan 26 08:29:53 awc[2645]: awc_init_connection: 2329: Failed to load CA root certificate: ASN date error, current date after
    Jan 26 08:29:53 awc[2645]: isc_init failed
    Jan 26 08:34:56 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
    Jan 26 08:34:56 awc[2645]: tcp_connect: 168: recv timeout set to 5
    Jan 26 08:34:56 awc[2645]: tcp_connect: 175: send timeout set to 5
    Jan 26 08:34:56 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
    Jan 26 08:34:56 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
    Jan 26 08:34:56 awc[2645]: awc_init_connection: 2321: Loading local CA certificates again
    Jan 26 08:34:56 awc[2645]: isc_init failed
    Jan 26 08:39:58 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
    Jan 26 08:39:58 awc[2645]: tcp_connect: 168: recv timeout set to 5
    Jan 26 08:39:58 awc[2645]: tcp_connect: 175: send timeout set to 5
    Jan 26 08:39:58 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
    Jan 26 08:39:58 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
    Jan 26 08:39:58 awc[2645]: awc_init_connection: 2321: Loading local CA certificates again
    Jan 26 08:39:58 awc[2645]: awc_init_connection: 2329: Failed to load CA root certificate: ASN date error, current date after
    Jan 26 08:39:58 awc[2645]: isc_init failed
    iap# ping google.com
    Press 'q' to abort.
    PING 172.217.14.238 (172.217.14.238): 56 data bytes
    64 bytes from 172.217.14.238: icmp_seq=0 ttl=116 time=3.5 ms
    64 bytes from 172.217.14.238: icmp_seq=1 ttl=116 time=2.9 ms
    64 bytes from 172.217.14.238: icmp_seq=2 ttl=116 time=2.8 ms
    64 bytes from 172.217.14.238: icmp_seq=3 ttl=116 time=2.2 ms
    64 bytes from 172.217.14.238: icmp_seq=4 ttl=116 time=3.0 ms

    --- 172.217.14.238 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 2.2/2.8/3.5 ms

    iap# ping whitehouse.gov
    Press 'q' to abort.
    PING 184.86.199.229 (184.86.199.229): 56 data bytes
    64 bytes from 184.86.199.229: icmp_seq=0 ttl=58 time=3.3 ms
    64 bytes from 184.86.199.229: icmp_seq=1 ttl=58 time=1.9 ms
    64 bytes from 184.86.199.229: icmp_seq=2 ttl=58 time=1.9 ms
    64 bytes from 184.86.199.229: icmp_seq=3 ttl=58 time=2.6 ms
    64 bytes from 184.86.199.229: icmp_seq=4 ttl=58 time=2.5 ms

    --- 184.86.199.229 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 1.9/2.4/3.3 ms

    iap# sho clock

    Current Time :2021-01-26 08:41:29
    iap#

    The log is indicating a CA date error. I have DNS resolution from the pings above. I have changed the time server from a local DC to pool.ntp.org, with no change. I am currently using the root CA of Comodo (USERTrust), which is the signing authority for the server/web UI wildcard I have on the system for our domain. I have also tried this with DigiCert CAs that match the arubanetworks serials, with the same result.

    I am currently at a loss of what else to look for to resolve this issue.

    ------------------------------
    Trevor
    ------------------------------
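
Added example, not part of the original post or Aruba's tooling: a triage script for awc log lines like those quoted above. It separates attempts that reached the server over TCP but failed while loading the local CA certificate from attempts that never connected. The stage labels are this example's own naming, and the sample lines are constructed in the post's log format.

```python
import re

# Constructed sample in the awc log format quoted in the post above.
SAMPLE_LOG = """\
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2329: Failed to load CA root certificate: ASN date error, current date after
Jan 26 08:29:53 awc[2645]: isc_init failed
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
Jan 26 08:34:56 awc[2645]: isc_init failed
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) awc\[\d+\]: (.*)$")

def triage(log_text):
    """Split the log into connection attempts and name the stage each failed at."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an awc line (CLI output, blank line, ...)
        ts, msg = m.groups()
        if "connecting to " in msg:
            # A new attempt starts; later lines update this record.
            cur = {"time": ts, "host": msg.split("connecting to ")[1],
                   "tcp": False, "reason": None, "stage": "incomplete"}
            attempts.append(cur)
        elif cur is None:
            continue  # lines seen before any attempt started
        elif "connected to " in msg:
            cur["tcp"] = True
        elif "Failed to load CA root certificate:" in msg:
            cur["reason"] = msg.split("certificate:", 1)[1].strip()
        elif msg == "isc_init failed":
            if not cur["tcp"]:
                cur["stage"] = "network"       # never reached the server
            elif cur["reason"]:
                cur["stage"] = "trust-store"   # local CA certificate rejected
            else:
                cur["stage"] = "tls-init (no reason logged)"
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["time"], a["host"], a["stage"], a["reason"] or "-")
```

A "trust-store" result with TCP established points at the certificates or clock on the device rather than at DNS or routing, which matches the successful pings shown in the post.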


  • 2.  RE: IAP Updates fail-Cannot establish SSL
    Best Answer

    Posted 30 days ago
    Hi Trevor,

    My first guess. 
    Try to download the firmware from ASP and update the IAP manually. This should also solve the certificate issues you see. 

    BR
    Florian

    ------------------------------
    Florian Baaske
    ------------------------------



  • 3.  RE: IAP Updates fail-Cannot establish SSL

    Posted 28 days ago

    Thank you for the information, Florian. After posting my original inquiry, I went down this path of manually updating all of my WAPs on each of my instant networks.

    After doing this, the information being given in the logs was different and somewhat more descriptive.

    Essentially, when adding a WAP to the network with mismatched firmware, it attempts to reach out to the update servers and download a match. Since this particular instant network has many end-of-life devices on it, it currently maxes out at build 75903. When trying to download, it is being presented with a version 8 firmware that is not compatible with my WAPs, so it fails.

    On my newer instant network, after updating to the latest 8.x.x build, it was able to check for updates and add new devices.

     

    Thank you for the information on this request.

     

    Trevor Davidson | IT Systems Engineer
    The Museum of Flight