Controllerless Networks

Hello all,
I have been fighting with certificate issues on my instant network. In addition to not being able to reach the update servers, it is preventing me from adding any new IAP's with mismatched firmware. Current error in logs is below:
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
Jan 26 08:29:53 awc[2645]: tcp_connect: 168: recv timeout set to 5
Jan 26 08:29:53 awc[2645]: tcp_connect: 175: send timeout set to 5
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2321: Loading local CA certificates again
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2329: Failed to load CA root certificate: ASN date error, current date after
Jan 26 08:29:53 awc[2645]: isc_init failed
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
Jan 26 08:34:56 awc[2645]: tcp_connect: 168: recv timeout set to 5
Jan 26 08:34:56 awc[2645]: tcp_connect: 175: send timeout set to 5
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2321: Loading local CA certificates again
Jan 26 08:34:56 awc[2645]: isc_init failed
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
Jan 26 08:39:58 awc[2645]: tcp_connect: 168: recv timeout set to 5
Jan 26 08:39:58 awc[2645]: tcp_connect: 175: send timeout set to 5
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2321: Loading local CA certificates again
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2329: Failed to load CA root certificate: ASN date error, current date after
Jan 26 08:39:58 awc[2645]: isc_init failed
iap# ping google.com
Press 'q' to abort.
PING 172.217.14.238 (172.217.14.238): 56 data bytes
64 bytes from 172.217.14.238: icmp_seq=0 ttl=116 time=3.5 ms
64 bytes from 172.217.14.238: icmp_seq=1 ttl=116 time=2.9 ms
64 bytes from 172.217.14.238: icmp_seq=2 ttl=116 time=2.8 ms
64 bytes from 172.217.14.238: icmp_seq=3 ttl=116 time=2.2 ms
64 bytes from 172.217.14.238: icmp_seq=4 ttl=116 time=3.0 ms

--- 172.217.14.238 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.2/2.8/3.5 ms

iap# ping whitehouse.gov
Press 'q' to abort.
PING 184.86.199.229 (184.86.199.229): 56 data bytes
64 bytes from 184.86.199.229: icmp_seq=0 ttl=58 time=3.3 ms
64 bytes from 184.86.199.229: icmp_seq=1 ttl=58 time=1.9 ms
64 bytes from 184.86.199.229: icmp_seq=2 ttl=58 time=1.9 ms
64 bytes from 184.86.199.229: icmp_seq=3 ttl=58 time=2.6 ms
64 bytes from 184.86.199.229: icmp_seq=4 ttl=58 time=2.5 ms

--- 184.86.199.229 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.9/2.4/3.3 ms

iap# sho clock

Current Time :2021-01-26 08:41:29
iap#

The log is indicating a CA date error. I have dns resolution from the pings above. I have changed the time server from a local dc to pool.ntp.org and no change. I am currently using the root ca of Comodo(USERTrust) which is the signing authority for the server/web ui wildcard I have on the system for our domain. I have also tried this with Digicert CA's that match the arubanetworks serials with the same result.

I am currently at a loss of what else to look for to resolve this issue.

------------------------------
Trevor
------------------------------

Hi Trevor,

My first guess. 
Try to download the firmware from ASP and update the IAP manually. This should also solve the certificate issues you see. 

BR
Florian

------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de
------------------------------

Original Message:
Sent: Jan 26, 2021 11:48 AM
From: Trevor Davidson
Subject: IAP Updates fail-Cannot establish SSL

Hello all,
I have been fighting with certificate issues on my instant network. In addition to not being able to reach the update servers, it is preventing me from adding any new IAP's with mismatched firmware. Current error in logs is below:
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
Jan 26 08:29:53 awc[2645]: tcp_connect: 168: recv timeout set to 5
Jan 26 08:29:53 awc[2645]: tcp_connect: 175: send timeout set to 5
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2321: Loading local CA certificates again
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2329: Failed to load CA root certificate: ASN date error, current date after
Jan 26 08:29:53 awc[2645]: isc_init failed
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
Jan 26 08:34:56 awc[2645]: tcp_connect: 168: recv timeout set to 5
Jan 26 08:34:56 awc[2645]: tcp_connect: 175: send timeout set to 5
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2321: Loading local CA certificates again
Jan 26 08:34:56 awc[2645]: isc_init failed
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
Jan 26 08:39:58 awc[2645]: tcp_connect: 168: recv timeout set to 5
Jan 26 08:39:58 awc[2645]: tcp_connect: 175: send timeout set to 5
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2321: Loading local CA certificates again
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2329: Failed to load CA root certificate: ASN date error, current date after
Jan 26 08:39:58 awc[2645]: isc_init failed
iap# ping google.com
Press 'q' to abort.
PING 172.217.14.238 (172.217.14.238): 56 data bytes
64 bytes from 172.217.14.238: icmp_seq=0 ttl=116 time=3.5 ms
64 bytes from 172.217.14.238: icmp_seq=1 ttl=116 time=2.9 ms
64 bytes from 172.217.14.238: icmp_seq=2 ttl=116 time=2.8 ms
64 bytes from 172.217.14.238: icmp_seq=3 ttl=116 time=2.2 ms
64 bytes from 172.217.14.238: icmp_seq=4 ttl=116 time=3.0 ms

--- 172.217.14.238 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.2/2.8/3.5 ms

iap# ping whitehouse.gov
Press 'q' to abort.
PING 184.86.199.229 (184.86.199.229): 56 data bytes
64 bytes from 184.86.199.229: icmp_seq=0 ttl=58 time=3.3 ms
64 bytes from 184.86.199.229: icmp_seq=1 ttl=58 time=1.9 ms
64 bytes from 184.86.199.229: icmp_seq=2 ttl=58 time=1.9 ms
64 bytes from 184.86.199.229: icmp_seq=3 ttl=58 time=2.6 ms
64 bytes from 184.86.199.229: icmp_seq=4 ttl=58 time=2.5 ms

--- 184.86.199.229 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.9/2.4/3.3 ms

iap# sho clock

Current Time :2021-01-26 08:41:29
iap#

The log is indicating a CA date error. I have dns resolution from the pings above. I have changed the time server from a local dc to pool.ntp.org and no change. I am currently using the root ca of Comodo(USERTrust) which is the signing authority for the server/web ui wildcard I have on the system for our domain. I have also tried this with Digicert CA's that match the arubanetworks serials with the same result.

I am currently at a loss of what else to look for to resolve this issue.

------------------------------
Trevor
------------------------------

Original Message:
Sent: 1/31/2021 12:46:00 AM
From: FlorianBaaske
Subject: RE: IAP Updates fail-Cannot establish SSL

Hi Trevor,

My first guess. 
Try to download the firmware from ASP and update the IAP manually. This should also solve the certificate issues you see. 

BR
Florian

------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de
------------------------------

Original Message:
Sent: Jan 26, 2021 11:48 AM
From: Trevor Davidson
Subject: IAP Updates fail-Cannot establish SSL

Hello all,
I have been fighting with certificate issues on my instant network. In addition to not being able to reach the update servers, it is preventing me from adding any new IAP's with mismatched firmware. Current error in logs is below:
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
Jan 26 08:29:53 awc[2645]: tcp_connect: 168: recv timeout set to 5
Jan 26 08:29:53 awc[2645]: tcp_connect: 175: send timeout set to 5
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2321: Loading local CA certificates again
Jan 26 08:29:53 awc[2645]: awc_init_connection: 2329: Failed to load CA root certificate: ASN date error, current date after
Jan 26 08:29:53 awc[2645]: isc_init failed
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
Jan 26 08:34:56 awc[2645]: tcp_connect: 168: recv timeout set to 5
Jan 26 08:34:56 awc[2645]: tcp_connect: 175: send timeout set to 5
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
Jan 26 08:34:56 awc[2645]: awc_init_connection: 2321: Loading local CA certificates again
Jan 26 08:34:56 awc[2645]: isc_init failed
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2233: connecting to device.arubanetworks.com:443
Jan 26 08:39:58 awc[2645]: tcp_connect: 168: recv timeout set to 5
Jan 26 08:39:58 awc[2645]: tcp_connect: 175: send timeout set to 5
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2275: connected to device.arubanetworks.com:443
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2317: Loading local CA certificates
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2321: Loading local CA certificates again
Jan 26 08:39:58 awc[2645]: awc_init_connection: 2329: Failed to load CA root certificate: ASN date error, current date after
Jan 26 08:39:58 awc[2645]: isc_init failed
iap# ping google.com
Press 'q' to abort.
PING 172.217.14.238 (172.217.14.238): 56 data bytes
64 bytes from 172.217.14.238: icmp_seq=0 ttl=116 time=3.5 ms
64 bytes from 172.217.14.238: icmp_seq=1 ttl=116 time=2.9 ms
64 bytes from 172.217.14.238: icmp_seq=2 ttl=116 time=2.8 ms
64 bytes from 172.217.14.238: icmp_seq=3 ttl=116 time=2.2 ms
64 bytes from 172.217.14.238: icmp_seq=4 ttl=116 time=3.0 ms

--- 172.217.14.238 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.2/2.8/3.5 ms

iap# ping whitehouse.gov
Press 'q' to abort.
PING 184.86.199.229 (184.86.199.229): 56 data bytes
64 bytes from 184.86.199.229: icmp_seq=0 ttl=58 time=3.3 ms
64 bytes from 184.86.199.229: icmp_seq=1 ttl=58 time=1.9 ms
64 bytes from 184.86.199.229: icmp_seq=2 ttl=58 time=1.9 ms
64 bytes from 184.86.199.229: icmp_seq=3 ttl=58 time=2.6 ms
64 bytes from 184.86.199.229: icmp_seq=4 ttl=58 time=2.5 ms

--- 184.86.199.229 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.9/2.4/3.3 ms

iap# sho clock

Current Time :2021-01-26 08:41:29
iap#

The log is indicating a CA date error. I have dns resolution from the pings above. I have changed the time server from a local dc to pool.ntp.org and no change. I am currently using the root ca of Comodo(USERTrust) which is the signing authority for the server/web ui wildcard I have on the system for our domain. I have also tried this with Digicert CA's that match the arubanetworks serials with the same result.

I am currently at a loss of what else to look for to resolve this issue.

------------------------------
Trevor
------------------------------