This article applies to all the controllers running any AOS versions and AP models.
An AP usually goes into “Dirty” flag or “D” flag when it is unable to download the complete configuration from the controller. The main reason behind this could be reachability issues between the AP and the controller. The reachability may be intermittently disturbed due to congestion or other factors causing the APs not to be able to complete the full configuration from the controller.
Below are some of the troubleshooting steps to overcome the “D” flag issues:
- Ensure the reachability is fine between the AP and the controller
- Ensure there is no packet loss on the path that may hamper the APs to download config from the controller
- In case there is a WAN in the path between AP and the controller, please prefer having a Remote AP (RAP) in place of Campus AP (CAP). Due to the WAN link, there could be heartbeat misses between the AP and the controller causing the AP to get into “D”flag. By default, the heartbeat threshold for CAP is 8. You could increase this value to 30 or 60 under “ap-system-profile” on the controller and see if the AP stabilizes.
- Enable “control-plane security” on the controller. Please note, enabling this feature may cause all the APs to reboot causing an outage.
- Check the “sapd” logs on the AP. To enable “sapd” logging on AP –
- Get into apboot mode.
- Execute “setenv sapd_debug 1” command
This will print sapd degud logs to /tmp/sapd_debug_log on AP
Or
Go into the AP Linux shell and do
# touch /tmp/sapd_debug
# killall sapd
When sapd restarts, it starts logging into the file /tmp/sapd_debug_log
NOTE: You may need TAC’s assistance to get the sapd logs from the AP.
6. Enable following logging on the controller:
(Aruba)(config)logging level debug systemp process stm
(Aruba)(config)logging level debug ap-debug <ap-name>
Get the output of the following commands:
a.show log system all | include stm
b.show log ap-debug all
c.show log errorlog all
d. After the AP has been stuck in "D" state -
show ap details advanced ap-name <name>
show ap debug system-status ap-name <name>
7. Please check MTU on the intermediate hops between the AP and the controller. For non-cpsec CAP, the controller fragments packets at default MTU of 1500. So each fragment becomes 1514 bytes