Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Airgroup and Apple TV - almost works!!!

  • 1.  Airgroup and Apple TV - almost works!!!

    Posted Oct 29, 2012 03:32 AM

    Hi there

    We have just updated to Airgroup version of AOS and it almost, sort of works.

     

    We have the Apple TVs now visible on the iPads and showing images from the Photo App works a treat.

    However - mirroring does not work (no error - just doesn't work) and movies "try" to work - but fail with a generic Apple TV error of "an error occured"

     

    Has anyone got this working in a production environment? We are not using Clearpass

     

    Background to the setup:

     

    Users are on 802.1x network SSID

    Apple TV is on MAC authenticated SSID

    Apple TV OS is version 5

    Apple iPAD is iOS6

    Both devices say they are running latest versions of software.

    Airgroup is enabled via CLI - (host) (config) # airgroup enable

    Airplay services are enabled

     

    AirGroup Feature
    ----------------
    Status
    ------
    Enabled

    AirGroup Enforce Registration
    -----------------------------
    Status
    ------
    Disabled

    AirGroup Service Information
    ----------------------------
    Service   Status
    -------   ------
    airplay   Enabled
    airprint  Enabled
    allowall  Enabled

     

    Anyone got any ideas?

    Wally



  • 2.  RE: Airgroup and Apple TV - almost works!!!

    Posted Oct 29, 2012 06:24 AM


  • 3.  RE: Airgroup and Apple TV - almost works!!!

    Posted Oct 29, 2012 09:42 PM

    Thanks for the pointer - but this thread is Pre Airgroup.

    However - IPV6 was disabled on the firewall and I have enabled it.

    Both the iPad and the apple TV now show up in the user table with IPV6 addresses as well as the IPV4 address but still no go on the Apple Mirror option.

     

    I can get the photo app to display on the Apple TV but that is all - no mirror and no video.

     

    Note - the other options in this post are, as I said, all pre Airgroup.

     

    I too have got Apple TV to work seamlessly IF I enable BC/MC and therefore mDNS and Bonjour with two devices on the SAME SSID  - it works fine.

    But the whole point of Airgroup I thought was to enable Airplay services to work across the controllers without enabling mDNS and propagating all this traffic. That is the Controller works as mDNS proxy converting the BC/MC to Unicast.

     

    So - still stuck here - any other ideas?

    Wally

     



  • 4.  RE: Airgroup and Apple TV - almost works!!!

    Posted Oct 29, 2012 09:51 PM

    Are you turning on BC/MC optimization on the SSID or on the VLAN?  Turn both of those off and enable drop broadcasts at the Virtual AP.

     

    I referred you to the other article because there is an iPv6 component that might have contributed to your issue.

     



  • 5.  RE: Airgroup and Apple TV - almost works!!!

    Posted Oct 30, 2012 12:19 AM

    Just to confirm that BC/MC optimization is turned off on the VLAN and Drop BC/MC is enabled on the VAP as shown below.

     

    Here is the current config: Let me know if you can spot anything wrong....

     

    Client VAP:

     

    Virtual AP profile "Wireless@TTS-VAP"
    -------------------------------------
    Parameter                                       Value
    ---------                                       -----
    Virtual AP enable                               Enabled
    Allowed band                                    all
    AAA Profile                                     TTSAAA-WIRELESS@TTS
    802.11K Profile                                 default
    SSID Profile                                    WIRELESS@TTS-SSID
    VLAN                                            200
    Forward mode                                    tunnel
    Deny time range                                 N/A
    Mobile IP                                       Enabled
    HA Discovery on-association                     Disabled
    DoS Prevention                                  Enabled
    Station Blacklisting                            Enabled
    Blacklist Time                                  3600 sec
    Dynamic Multicast Optimization (DMO)            Disabled
    Dynamic Multicast Optimization (DMO) Threshold  6
    Authentication Failure Blacklist Time           3600 sec
    Strict Compliance                               Disabled
    VLAN Mobility                                   Enabled
    Preserve Client VLAN                            Disabled
    Remote-AP Operation                             standard
    Drop Broadcast and Multicast                    Enabled
    Convert Broadcast ARP requests to unicast       Enabled
    Deny inter user traffic                         Disabled
    Band Steering                                   Enabled
    Steering Mode                                   prefer-5ghz
    WMM Traffic Management Profile                  N/A

     

    AppleTV VAP:

     

    Virtual AP profile "Secure@TTS-VAP"
    -----------------------------------
    Parameter                                       Value
    ---------                                       -----
    Virtual AP enable                               Enabled
    Allowed band                                    all
    AAA Profile                                     TTSAAA-SECURE
    802.11K Profile                                 default
    SSID Profile                                    Secure@TTS-SSID
    VLAN                                            20
    Forward mode                                    tunnel
    Deny time range                                 N/A
    Mobile IP                                       Enabled
    HA Discovery on-association                     Disabled
    DoS Prevention                                  Enabled
    Station Blacklisting                            Enabled
    Blacklist Time                                  3600 sec
    Dynamic Multicast Optimization (DMO)            Disabled
    Dynamic Multicast Optimization (DMO) Threshold  6
    Authentication Failure Blacklist Time           3600 sec
    Strict Compliance                               Disabled
    VLAN Mobility                                   Enabled
    Preserve Client VLAN                            Disabled
    Remote-AP Operation                             standard
    Drop Broadcast and Multicast                    Enabled
    Convert Broadcast ARP requests to unicast       Enabled
    Deny inter user traffic                         Disabled
    Band Steering                                   Enabled
    Steering Mode                                   prefer-5ghz
    WMM Traffic Management Profile                  N/A

     

     

    And here is the config of the VLAN for

     

    VLAN200 is up line protocol is up
    Hardware is CPU Interface, Interface address is
    Description: 802.1Q VLAN
    Internet address is 192.168.208.1  255.255.252.0
    IPv6 is enabled, link-local address is
    IPv6 Router Advertisements are disabled
    Routing interface is enable, Forwarding mode is enable
    Directed broadcast is disabled, BCMC Optimization disabled ProxyARP disabled Suppress ARP enable
    Encapsulation 802, loopback not set
    MTU 1500 bytes
    Last clearing of "show interface" counters 6 day 20 hr 24 min 48 sec
    link status last changed 6 day 20 hr 21 min 21 sec

    Config of VLAN for Apple TV:

     

    VLAN20 is up line protocol is up
    Hardware is CPU Interface, Interface address is
    Description: 802.1Q VLAN
    Internet address is 10.1.80.7  255.255.252.0
    IPv6 is enabled, link-local address is
    IPv6 Router Advertisements are disabled
    Routing interface is enable, Forwarding mode is enable
    Directed broadcast is disabled, BCMC Optimization disabled ProxyARP disabled Suppress ARP enable
    Encapsulation 802, loopback not set
    MTU 1500 bytes
    Last clearing of "show interface" counters 6 day 21 hr 47 min 4 sec
    link status last changed 6 day 21 hr 44 min 45 sec
    Tunnels Configured on this Interface:
    Tunnel 0
    Associated Ports:,GE1/0



  • 6.  RE: Airgroup and Apple TV - almost works!!!

    Posted Oct 30, 2012 12:59 AM

    Looks good.  Quick questions:

     

    - Do you have NAT between those subnets (ip nat inside on either ip interface)?

    - What are the firewall policies for each that are assigned to the role for both devices that would like to connect?

     



  • 7.  RE: Airgroup and Apple TV - almost works!!!

    Posted Oct 30, 2012 02:40 AM

    OK - we are so close now....it appears it is the NAT..

    Question then is what is the NAT doing that is stopping Mirroring working even if both clients on the same NATed VLAN.

    It is our desire if possible to keep the wireless students on this VLAN - happy to put the Apple TVs on as well - but can we get it to work with NAT?

     

    Here is what I found....

     

    NAT got me thinking as the Secure SSID we were using was because it was an existing MAC based SSID we had for some legacy devices that needed VLAN 20 access..and thought we would use it for the Apple TV MAC authentication as well.

     

    Also thought about whether same VLAN was required for this to work -so did the following test.

     

    Scenario 1:

    Apple TV is on Secure SSID - MAC Authentication - no NAT - same IP range as the AP - VLAN20 (10.1.x.x)

    Client is on 802.1X SSID - VLAN 200 - NAT in place (192.168.x.x)

     

    Result

    Photo App works

    Videos do not work

    Mirror does not work

     

    Scenario 2:

    Apple TV is on Secure SSID - MAC Authentication - moved to VLAN 200 (same as client) - 192.168.X.X

    Client is on 802.1X SSID - VLAN 200 - NAT in place (192.168.x.x)

    Reboot everything.

     

    Result:

    Photo App works

    Videos WORK!!!

    Mirror does not work

     

    Scenario 3:

    Apple TV is on Secure SSID - MAC Authentication - moved back to VLAN 20 no NAT - same IP range as the AP - (10.1.x.x)

    Client is moved to secure SSID VLAN 20 (as I cannot move the production SSID to a different VLAN) - no NAT - 10.1.x.x

    Reboot everything

     

    Result:

    WORKS!!! Everything works including mirroring.

     

    DOUBLE CHECKING:

    With the Apple TV and the Client still connected to the same Non NAT VLAN - BC/MC dropped and convert to unicast turned on. It works.

    So did a Conf t - Airgroup disable  - and then Apple TV disappeared from the network. Enabled airgroup and appeared again.

     

     

     So with clients on same NON NATed VLAN and Airgroup enabled - we are away!!

    Question is can we get it to work with a NATed VLAN?

    Wally

     



  • 8.  RE: Airgroup and Apple TV - almost works!!!

    Posted Oct 30, 2012 02:43 AM

    The application simply does not work across a NAT boundary.  There is nothing that we can do about that.

     



  • 9.  RE: Airgroup and Apple TV - almost works!!!

    Posted Oct 30, 2012 05:33 AM

    Any chance of a technical reason why mirroring won't work across NAT boundary? Is this because we are dropping BC and MC?

    Is this unique to Aruba as on a home network the Apple TV and iPad are obviously on a NATed subnet behind a typical home router / firewall?

    Wally



  • 10.  RE: Airgroup and Apple TV - almost works!!!

    Posted Oct 30, 2012 07:25 AM

    The bonjour protocol is a very simple protocol that is only designed for the home.  It is not meant to be on opposite sides of a NAT translation.



  • 11.  RE: Airgroup and Apple TV - almost works!!!

    Posted Nov 08, 2012 02:51 PM

    This has been a very helpful thread. I'm troubleshooting the same thing in my lab environment. I was able to do Airplay just fine between networks, but not mirroring. The only way I could get the mirroring to function was by disabling NAT on the client VLAN.

     

    Maybe I'm missing something simple here, but how am I supposed to allow my clients to access public addresses if they cannot be NAT'd to a public IP? Would this require a separate device to perform the NAT?



  • 12.  RE: Airgroup and Apple TV - almost works!!!

    Posted Nov 08, 2012 02:53 PM
    Separate Device for Nat....


  • 13.  RE: Airgroup and Apple TV - almost works!!!

    Posted Nov 08, 2012 03:36 PM

    Thanks. I'll test this out in my lab. I'm currently running 6.1.3.4-AirGroup. Is it recommended to update to 6.1.3.5 yet or is 6.1.3.4-AirGroup more stable?



  • 14.  RE: Airgroup and Apple TV - almost works!!!

    Posted Nov 08, 2012 03:41 PM
    6.1.3.5 does not have Air group. Do not upgrade to that if you need that feature.


  • 15.  RE: Airgroup and Apple TV - almost works!!!

    Posted Nov 12, 2012 10:22 AM

    Thanks, I thought I had read that it would be available in 6.1.3.5, but I must have misunderstood.

     



  • 16.  RE: Airgroup and Apple TV - almost works!!!

    Posted Nov 20, 2012 11:49 AM

    Hello, we are having an issue where we cannot connect to Apple TV if it's on a different subnet. Apple TV works fine if you're on the same subnet: connects, mirroring all works.

    We have a controller with Airgroup enabled, so if I'm on a different subnet than the apple TV I can see the apple TV and try to connect, it tries for about 5 to 10 seconds but doesn't connect.

     

    NAT is not enabled I checked and also otherwise I wouldn't be able to connect on the same subnet. Any ideas?



  • 17.  RE: Airgroup and Apple TV - almost works!!!

    Posted Nov 20, 2012 08:43 PM

    Make sure iPv6 is disabled on the client and try again.

     



  • 18.  RE: Airgroup and Apple TV - almost works!!!

    Posted Jan 22, 2013 01:44 AM

    Well a long awaited update and not all good news...

     

    Airgroup still SORT of works.

     

    This is the typical scenario we have to run through.

    1. Start Apple TV
    2. Connect via ipad (seems to work OK first time)
    3. Teacher disconnects (or ipad goes to black screen due to time out and Apple TV disconnects and returns to menu screen)
    4. Try and reconnect - no airplay option on ipad.
    5. Run a show airgroup servers command and Apple TV not listed.
    6. Turn Airplay off and on (or restart) and appears back in list - BUT NOT AS OPTION ON IPAD
    7. Wait....wait.....wait....wait...start to yell and curse.....no airplay option....
    8. Check Dashboard on Controller - AppleTV is listed as server and ipad is listed as an Airgroup user - but still no airplay option....
    9. Keep waiting.....turn wireless on and off on ipad (or airplane mode)
    10. HOORAY - Airplay option appears.....
    11. Go to step 2 and repeat until you drive yourself insane....

     

    It just seems really flakey and unreliable. The local vendor has no idea on how to troubleshoot and blames the Apple devices.

     

    Has ANYONE got this running stable in their live environment??? If so would you be kind enough to share the setup?

     

    What we have here is the following:

     

    Wireless SSID using 802.1x that staff connect to via CPPM and are assigned a 10.1.x.x address on VLAN 20

    Apple TV SSID that we connect Apple TV to via MAC authentication and is assigned 10.1.x.x address on VLAN 20

    No NAT is occurring. All the remainder is the same as earlier posts regarding dropping multicast etc.

     

    Anyone??

    Cheers

    Wally

     

     



  • 19.  RE: Airgroup and Apple TV - almost works!!!

    Posted Jan 22, 2013 09:21 AM

    Wally,

     

    Please open a case in parallel in the event that you do not have the same symptoms that others do.

     



  • 20.  RE: Airgroup and Apple TV - almost works!!!

    Posted Jan 25, 2013 11:18 AM

    Wally,

     

    Those 11 steps you outlined are spot on for me.  I've been having trouble with the Apple TV and the current 'fix' is precisely what you laid out.

     

    I'm curious - does your mdns process crash at all?

     

    #show process monitor statistics

     

    Name                                    State                               Restarts Allowed   Restarts Timeout Value    Timeout Chances Time Started
    ...

    /mswitch/bin/mdns             PROCESS_RUNNING       -                         130          240                         5                Fri Jan 25 11:04:00 2013

     

     

    The controller has only been up for 20 hours too since I rebooted it. I have a ticket open for the crashes - but I'm not sure if it is related to the Apple TV disappearing after the first connection like you mention.

     

    For us the crashes seem to be related to number of devices - during winter break with far less people on campus the MDNS service didn't crash at all.  I was curious if there was a way to limit airgroup users from being allowed or showing up.

     

    What I mean is I have most VLANs disabled - so the only devices that show up in show airgroup servers are those devices in the allowed vlans; however in the show airgroup users I get all devices on campus that can be clients (in any vlan).  I'm not sure if this is by design or not but I'd like to try not allowing them to see if it fixes our numbers issue.

     

    I like being able to get to the allowed devices from any vlan on campus (would prefer that), but if for the time being mdns isn't going to be stable with that many users - is there a way for me to limit it?

     



  • 21.  RE: Airgroup and Apple TV - almost works!!!

    Posted Mar 03, 2013 08:06 PM

    Back again - long overdue update - but we have had TAC on this for ages - only to be told finally - update firmware - AGGH!!!!!!

     

    We are yet to do this - but reasoning we are being given is

    "Airgroup 6.1.3.4 is not supported on multiple controllers in integrated mode"

     

    We are being advised to update to 6.1.3.6-airgroup, which was just released last week which does support this.

     

    This has taken 6 weeks to arrive at this point. We have yet to update so do not know if this will work or not - but wanted to let others know in case they were having the same issues. Update is scheduled for later this week - so will let you know.

     

    Still frustrated that it has taken this long - but hopefully we will have a solution soon.

    Wally



  • 22.  RE: Airgroup and Apple TV - almost works!!!
    Best Answer

    Posted Mar 06, 2013 02:39 AM

    WOOHOO!!!!!!! It works.

     

    New firmware was applied to all 4 controllers last night and as of today the Apple TV has been visible all day without having to go through all the steps (turn airplay on and off, turn wireless on and off etc etc etc).

     

    Will keep you informed otherwise - but success so far with 6.1.3.6-airgroup firmware version. YAY!!!

     

    Wally



  • 23.  RE: Airgroup and Apple TV - almost works!!!

    Posted Mar 06, 2013 04:20 PM

    I'm on 6.1.3.6-AirGroup firmware now as well.  So far none of the previous issues have showed up.

     

    The only part that got me a bit was setting up the domain and we were using the local controller - but now only certain commands are available on the master.

     

    Looking good at this point.



  • 24.  RE: Airgroup and Apple TV - almost works!!!

    Posted Jan 31, 2014 09:41 PM

    We upgraded our controller not only to a 3600XM, but also to 6.1.3.6-Airgroup & it seems far more stable at this point.