Hi there, I've run into some strange issues. Once I set up one IAP and connect two more, they don't join the cluster properly. Here's the most common scenario: sometimes one IAP appears in the AP list, but operates as a monitor even when configured as an access point, and then in 1-2 minutes it drops out of the AP list, although all LEDs glow green. At the same time the 3rd IAP can be fully down. The IAPs obtain all the settings from the master VC and every IAP works fine when it's a standalone master, but the other two don't join.
In the logs we could see "APAS provision timed out", "Activate failed enabling factory SSID", "Failed to connect to activate: unknown error number"
Before I was getting "APAS provision failed: connection-..."
Thank you in advance!
What hardware model are your three access points?
What version of IAP code are they running?
What regulatory domain are you using?
IAPs 103, 220.127.116.11. - 18.104.22.168 (but tried firmware out of the box before), regulatory domain - TR. Our native domain isn't broadcasting.
Try GB to make sure it is not the hardware that has malfunctioned. TR (Turkey) should work, though.
Tried it, no impact.
Today I also tried to deploy 93 IAPs. The result is the same. In the logs I still see "APAS Provision Failed : connection-failed"
By the way, I am using an HP Procurve 2920-24g switch.
Are there any network requirements or restrictions for successful provisioning of IAPs?
Make sure you have configured "allow-new-aps" to allow APs joining the cluster.
Are they getting their DHCP address from a central location and does the scope contain any options?
Do you have any ACL on the switchports you connect your APs to?
"Allow-new-aps" was turned on. I also tried turning it off and adding APs manually by MAC addresses.
The IAPs were successfully getting IPs from the Cisco ASA firewall and the scope didn't contain any special options, all pretty much default, except for internal DNS options.
When I was trying to access the slave IAP via the web UI, it was redirecting me to the master IAP.
No ACL on ports. Untagged access ports.
This sounds real strange. You were using all the same model of IAPs, right? For example IAP-103-RW?
I would pin-reset one of the APs and either console into it or use SSH to log in to it (that shouldn't redirect you to the current master) and check the system log. Also check the system log on the current master to see if there are any failures there.
That's right, all the same model, same firmware.
Okay, I'll try it. And what about getting "APAS provision failed: connection failed" and "APAS provision timed out" in the logs?
Does it mean no L2 visibility?
I see those messages all the time. I think it means that it could not get any provisioning parameters from activate.arubanetworks.com. Are you using Activate, and do you maybe have any active configuration in there?
No, I don't. Should I try Aruba Activate?
No, you should definitely get your cluster working at the level you're trying now before you do anything with Activate.
Since I've joined IAPs together like this hundreds of times without an issue, as long as they are on the same L2 and get IP addresses, I must suspect something on your wired side. Is there any other configuration that could cause this on your switchports? MAC limiting, broadcast blocks, etc.? Are the APs connected to the same switch?
Yeah, in spite of the fact that there are 2 stacked switches, all the APs are connected to 1 physical switch.
No other configuration on the switch, all by default. I didn't have direct access to the switch; the bank's IT network engineer was preparing the infrastructure for me and that's what he told me: "no special config, default".
I'll ask him to re-check the config once more. Any recommendations besides broadcast blocks and MAC limiting? Could it be related to STP somehow?
Please take a look at the post here: http://community.arubanetworks.com/t5/Video/VIDEO-Common-Issues-with-Instant-Access-Point-IAP-Not-Joining/ta-p/90318
I'm guessing you can ping each AP individually? Did you try SSH to them and check the system log?
I'd ask him to check for any configuration that somehow limits functionality on those ports.
Yes, I was able to ping each AP and even get access via SSH.
But I didn't check the system logs.
Please remind me what CLI commands I can use to check syslogs on the AP.
I think it's "show log system"
Use "show log ?" to also view other relevant logs.
I would recommend rechecking the configuration of the switch.
If possible, please advise if the ports for the APs are trunked and, if so, what the native VLAN on them is.
If the uplinks are trunked, make sure that the native VLAN in the trunk is 503.