Hi folks, hopefully someone can shed some light on how this works... For I am confused.
I have a pair of VMMs with a cluster of 7240 controllers running AOS 220.127.116.11. CPSEC is enabled with auto cert provisioning.
I'm working on moving APs from 6.5 to 8.4 and doing this by re-provisioning the APs. All has been good so far, but yesterday I ran into one AP that didn't come up - it was failing to sort out IPsec. Sure enough it wasn't in the whitelist. But why? I haven't had to manually add any other APs to the whitelist.
Adding this AP to the whitelist worked, it came up and is happy on the cluster. In an attempt to recreate this I wanted to factory default the AP, delete it from the mobility master, and remove it from the whitelist.
The last part is the problem. I removed the AP from the whitelist using the CLI at the /md level. All good... it's gone from the CLI. However it hasn't gone from the MDs.
What should happen here? When removing an AP from the whitelist on the Mobility Master at the managed network level, should that be pushed out to the MDs?
This currently feels a bit flaky, but not sure if I've missed something.
Please open a case with TAC to troubleshoot further. I've seen similar behavior also with 18.104.22.168, but have not been able to reliably reproduce it to see what's going on.
I had a similar issue when I upgraded from 6.5 to 8.3. I ended up disabling CPSec to get APs back online since I had to close my change window. I have since manually added all APs to the whitelist but I have not scheduled a change window yet to re-enable CPSec.
I am planning on opening a TAC case for when I switch CPSec back on to capture any issues but I'm very curious to see what you find out.
It's odd. I've got something like 800 APs running across two OS8 clusters and it's all worked just fine.... until yesterday when APs have stopped being automatically whitelisted.
This bit of the docs feels a bit messy too. Sometimes it refers to being at the managed network level, other times the MM. As far as I can tell everything should be done at the MM level for whitelisting and viewing the whitelist-db... Though that might be incorrect.
There's one reference to the database being copied on demand, so I don't think all the controllers should have a coherent copy of the whitelist-db. This makes sense, because the database could get unwieldy in a big network with a 12 controller cluster.
Because manually whitelisting works I've done that, but something is clearly wrong. But there are quite a few bug fixes in 22.214.171.124 related to the management of the whitelist-db so I'm probably going to hold off raising anything with TAC until I've been able to do an upgrade.
Thanks for posting the follow-up, Matthew. I'm sure the difference between "write erase" and "write erase all" has gotten more than a few people.