Controllerless Networks

I've inherited 5x IAP-225, and am trying to get two to talk to each other before I do anything else. I have them on an isolated VLAN with just them and the L3 switch that's also acting as DHCP server. I cannot get them to sync up with each other, and I'm not sure what's wrong - I'm used to 3xx's just working.

• Both are running 8.6.0.12, and I've reflashed them to ArubaInstant_Centaurus_8.6.0.12_812b47 in case they were running non-Instant code.
• Both have been factory reset (via both the reset button and the console)
• After reset, I leave them for 10 minutes to see if they'll talk to each other, then I log in and set a password and also set them to the same country code (AU/Australia).
• Afterwards I can log into each via SSH and have each IAP-225 ping each other.
• "show log system" has the message "is_factory_reset_on_prework : Swarm quit factory default status by : Neither ssid in flash nor empty_cfg" (repeats every 15 minutes) and "AP not allowed, turn off master election" (repeats every minute).
• "allow-new-aps" is active in both, and adding the other's MAC address to "allowed-ap" doesn't seem to make any difference.

What am I missing? Is there anything I can provide that would help?
(And yes, the label on them says they are IAP-225's, not AP-225's.)

------------------------------
Andrew Rutherford
------------------------------

Do they both have the same country code?
IAP-225-<Country Code>

------------------------------
Dustin Burns
Senior Mobility and Access Engineer @WEI

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
If my post was useful accept solution and/or give kudos
------------------------------

Original Message:
Sent: Sep 10, 2021 01:18 AM
From: Andrew Rutherford
Subject: IAP-225's not forming a VC

I've inherited 5x IAP-225, and am trying to get two to talk to each other before I do anything else. I have them on an isolated VLAN with just them and the L3 switch that's also acting as DHCP server. I cannot get them to sync up with each other, and I'm not sure what's wrong - I'm used to 3xx's just working.

• Both are running 8.6.0.12, and I've reflashed them to ArubaInstant_Centaurus_8.6.0.12_812b47 in case they were running non-Instant code.
• Both have been factory reset (via both the reset button and the console)
• After reset, I leave them for 10 minutes to see if they'll talk to each other, then I log in and set a password and also set them to the same country code (AU/Australia).
• Afterwards I can log into each via SSH and have each IAP-225 ping each other.
• "show log system" has the message "is_factory_reset_on_prework : Swarm quit factory default status by : Neither ssid in flash nor empty_cfg" (repeats every 15 minutes) and "AP not allowed, turn off master election" (repeats every minute).
• "allow-new-aps" is active in both, and adding the other's MAC address to "allowed-ap" doesn't seem to make any difference.

What am I missing? Is there anything I can provide that would help?
(And yes, the label on them says they are IAP-225's, not AP-225's.)

------------------------------
Andrew Rutherford
------------------------------

I think 'AP not allowed, turn off master election' indicates these APs are not IAPs but APs, and the country code factory programmed to the APs is invalid.

Can you check from the apboot (console in, boot AP and interrupt boot sequence) if the command 'mfginfo' shows the CCODE country information? Code is AP-dependent, so all APs should have a different CCODE.

I think there is an option to really wipe the AP, if you want to decommision and make sure all keying material is gone. Could it be that that procedure has been performed on the AP? In that case, these can't be used anymore. I would not expect the AP to boot in that case though.

On your switch port, do you have just that isolated VLAN? Or possibly also tagged VLANs that are shared with other IAPs?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Sep 10, 2021 01:18 AM
From: Andrew Rutherford
Subject: IAP-225's not forming a VC

I've inherited 5x IAP-225, and am trying to get two to talk to each other before I do anything else. I have them on an isolated VLAN with just them and the L3 switch that's also acting as DHCP server. I cannot get them to sync up with each other, and I'm not sure what's wrong - I'm used to 3xx's just working.

• Both are running 8.6.0.12, and I've reflashed them to ArubaInstant_Centaurus_8.6.0.12_812b47 in case they were running non-Instant code.
• Both have been factory reset (via both the reset button and the console)
• After reset, I leave them for 10 minutes to see if they'll talk to each other, then I log in and set a password and also set them to the same country code (AU/Australia).
• Afterwards I can log into each via SSH and have each IAP-225 ping each other.
• "show log system" has the message "is_factory_reset_on_prework : Swarm quit factory default status by : Neither ssid in flash nor empty_cfg" (repeats every 15 minutes) and "AP not allowed, turn off master election" (repeats every minute).
• "allow-new-aps" is active in both, and adding the other's MAC address to "allowed-ap" doesn't seem to make any difference.

What am I missing? Is there anything I can provide that would help?
(And yes, the label on them says they are IAP-225's, not AP-225's.)

------------------------------
Andrew Rutherford
------------------------------

Sorry all, someone's playing with me/the client. :-(
Although the sticker on the back says "IAP-225" (no country code), the bar code above it scans as "AP-225" and on super-close inspection at least two of them have a very slight wobble in the "I" and all of the "I"'s shine differently in the light indicating someone's draw them on pen. Unfortunately I have no idea where the client's original IT manager (now long gone) got these from. :-(

What does surprise me is that the AP-225 is successfully booting an Instant image without obvious complaint, and I can make Instant-specific configuration into it also without complaint (eg, make this the IAP master) via both web interface and CLI.

Does anyone know if these would work if I got a real IAP-225 to act as the master, or do I need a proper controller? Sorry for asking, I usually only deal with Instant AP's. I think I can borrow another IAP-225 from another site

One issue here I guess is that one sticker is the only differentiation - comparing to actual IAP-225's, as far as I can see all the information printed directly on the back is identical - same Model, same IC, same FCC ID, etc.

In answer to Herman's question: no, there's no CCODE information. VLAN's: it's just that isolated VLAN in access (untagged) mode, there are no other tagged VLAN's on those two ports.

apboot> mfginfo
Inventory:
Card 0: System
     Date Code : 021616
     Serial : CT082xxxx
     Wired MAC : 84:d4:7e:c7:xx:xx
     Wired MAC Count : 2
Card 1: CPU
     Major Rev : 10
     Minor Rev/Variant : 00
     Assembly : 2010169E
     Serial : WG040xxxx
Card 2: Antenna
     Minor Rev/Variant : 01

apboot> osinfo
Partition 0:
image type: 0
machine type: 25
size: 14524212
version: 8.6.0.12-8.6.0.12
build string: ArubaOS version 8.6.0.12-8.6.0.12 for Centaurus (p4build@pr-hpn-build10) (gcc version 4.5.1) #81247 SMP Mon Aug 23 06:10:04 UTC 2021
flags: Instant preserve
oem: aruba

Image is signed; verifying checksum... passed
Signer Cert OK
Policy Cert OK
RSA signature verified.


------------------------------
Andrew Rutherford
------------------------------

Original Message:
Sent: Sep 10, 2021 08:09 AM
From: Herman Robers
Subject: IAP-225's not forming a VC

I think 'AP not allowed, turn off master election' indicates these APs are not IAPs but APs, and the country code factory programmed to the APs is invalid.

Can you check from the apboot (console in, boot AP and interrupt boot sequence) if the command 'mfginfo' shows the CCODE country information? Code is AP-dependent, so all APs should have a different CCODE.

I think there is an option to really wipe the AP, if you want to decommision and make sure all keying material is gone. Could it be that that procedure has been performed on the AP? In that case, these can't be used anymore. I would not expect the AP to boot in that case though.

On your switch port, do you have just that isolated VLAN? Or possibly also tagged VLANs that are shared with other IAPs?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 10, 2021 01:18 AM
From: Andrew Rutherford
Subject: IAP-225's not forming a VC

I've inherited 5x IAP-225, and am trying to get two to talk to each other before I do anything else. I have them on an isolated VLAN with just them and the L3 switch that's also acting as DHCP server. I cannot get them to sync up with each other, and I'm not sure what's wrong - I'm used to 3xx's just working.

• Both are running 8.6.0.12, and I've reflashed them to ArubaInstant_Centaurus_8.6.0.12_812b47 in case they were running non-Instant code.
• Both have been factory reset (via both the reset button and the console)
• After reset, I leave them for 10 minutes to see if they'll talk to each other, then I log in and set a password and also set them to the same country code (AU/Australia).
• Afterwards I can log into each via SSH and have each IAP-225 ping each other.
• "show log system" has the message "is_factory_reset_on_prework : Swarm quit factory default status by : Neither ssid in flash nor empty_cfg" (repeats every 15 minutes) and "AP not allowed, turn off master election" (repeats every minute).
• "allow-new-aps" is active in both, and adding the other's MAC address to "allowed-ap" doesn't seem to make any difference.

What am I missing? Is there anything I can provide that would help?
(And yes, the label on them says they are IAP-225's, not AP-225's.)

------------------------------
Andrew Rutherford
------------------------------

AP models will not work without an external controller.
AP models cannot be joined to an existing IAP Instant cluster, unfortunately.

Instant APs have a country code programmed in (that is that CCODE), and without that, the AP will not be able to turn on it's radios. The reason behind that is regulations in some countries that require equipment sold in that country can only be used with the country settings for that country. For APs that is achieved with the country code of the controller, for Instant it is done in the AP itself as there is no controller.

I assume you have a controller? Otherwise, the APs should not have worked before?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Sep 12, 2021 08:35 PM
From: Andrew Rutherford
Subject: IAP-225's not forming a VC

Sorry all, someone's playing with me/the client. :-(
Although the sticker on the back says "IAP-225" (no country code), the bar code above it scans as "AP-225" and on super-close inspection at least two of them have a very slight wobble in the "I" and all of the "I"'s shine differently in the light indicating someone's draw them on pen. Unfortunately I have no idea where the client's original IT manager (now long gone) got these from. :-(

What does surprise me is that the AP-225 is successfully booting an Instant image without obvious complaint, and I can make Instant-specific configuration into it also without complaint (eg, make this the IAP master) via both web interface and CLI.

Does anyone know if these would work if I got a real IAP-225 to act as the master, or do I need a proper controller? Sorry for asking, I usually only deal with Instant AP's. I think I can borrow another IAP-225 from another site

One issue here I guess is that one sticker is the only differentiation - comparing to actual IAP-225's, as far as I can see all the information printed directly on the back is identical - same Model, same IC, same FCC ID, etc.

In answer to Herman's question: no, there's no CCODE information. VLAN's: it's just that isolated VLAN in access (untagged) mode, there are no other tagged VLAN's on those two ports.

apboot> mfginfo
Inventory:
Card 0: System
     Date Code : 021616
     Serial : CT082xxxx
     Wired MAC : 84:d4:7e:c7:xx:xx
     Wired MAC Count : 2
Card 1: CPU
     Major Rev : 10
     Minor Rev/Variant : 00
     Assembly : 2010169E
     Serial : WG040xxxx
Card 2: Antenna
     Minor Rev/Variant : 01

apboot> osinfo
Partition 0:
image type: 0
machine type: 25
size: 14524212
version: 8.6.0.12-8.6.0.12
build string: ArubaOS version 8.6.0.12-8.6.0.12 for Centaurus (p4build@pr-hpn-build10) (gcc version 4.5.1) #81247 SMP Mon Aug 23 06:10:04 UTC 2021
flags: Instant preserve
oem: aruba

Image is signed; verifying checksum... passed
Signer Cert OK
Policy Cert OK
RSA signature verified.


------------------------------
Andrew Rutherford

Original Message:
Sent: Sep 10, 2021 08:09 AM
From: Herman Robers
Subject: IAP-225's not forming a VC

I think 'AP not allowed, turn off master election' indicates these APs are not IAPs but APs, and the country code factory programmed to the APs is invalid.

Can you check from the apboot (console in, boot AP and interrupt boot sequence) if the command 'mfginfo' shows the CCODE country information? Code is AP-dependent, so all APs should have a different CCODE.

I think there is an option to really wipe the AP, if you want to decommision and make sure all keying material is gone. Could it be that that procedure has been performed on the AP? In that case, these can't be used anymore. I would not expect the AP to boot in that case though.

On your switch port, do you have just that isolated VLAN? Or possibly also tagged VLANs that are shared with other IAPs?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 10, 2021 01:18 AM
From: Andrew Rutherford
Subject: IAP-225's not forming a VC

I've inherited 5x IAP-225, and am trying to get two to talk to each other before I do anything else. I have them on an isolated VLAN with just them and the L3 switch that's also acting as DHCP server. I cannot get them to sync up with each other, and I'm not sure what's wrong - I'm used to 3xx's just working.

• Both are running 8.6.0.12, and I've reflashed them to ArubaInstant_Centaurus_8.6.0.12_812b47 in case they were running non-Instant code.
• Both have been factory reset (via both the reset button and the console)
• After reset, I leave them for 10 minutes to see if they'll talk to each other, then I log in and set a password and also set them to the same country code (AU/Australia).
• Afterwards I can log into each via SSH and have each IAP-225 ping each other.
• "show log system" has the message "is_factory_reset_on_prework : Swarm quit factory default status by : Neither ssid in flash nor empty_cfg" (repeats every 15 minutes) and "AP not allowed, turn off master election" (repeats every minute).
• "allow-new-aps" is active in both, and adding the other's MAC address to "allowed-ap" doesn't seem to make any difference.

What am I missing? Is there anything I can provide that would help?
(And yes, the label on them says they are IAP-225's, not AP-225's.)

------------------------------
Andrew Rutherford
------------------------------