Wireless Access

 View Only
last person joined: 23 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

3 WiFi Access Points not functioning correctly - getting denied PAPI Port messages

This thread has been viewed 17 times
  • 1.  3 WiFi Access Points not functioning correctly - getting denied PAPI Port messages

    Posted Feb 26, 2024 04:20 AM

    I have 3 WiFi Access Points at a remote site behind a Firewall that are able to connect to our Mobility controller, however consistently reboot within 30 minutes and the logs show getting denied by PAPI ports.  After working with HPE Support, we validated that we have enough licenses.  The site is 2.5 hours drive, and I'd prefer not to make the drive.  Is it possible to resolve this remotely?

    Here is logs:

       ble_relay[6000]: PAPI_Security: Denying message 24309 received from unauthenticated source x.x.x.x:8514 for PAPI port 8515
       ble_relay[6000]: PAPI_Security: Denying message 24334 received from unauthenticated source x.x.x.x:8514 for PAPI port 8515
       stm[5568]: PAPI_Security: Denying message 16200 received from unauthenticated source x.x.x.x:17103 for PAPI port 8222

    Checking the Console, it says these AP's are "Generating CSR" and never get past that.

    In the Mobility Controller GUI, all 3 do show up, but constantly reboot.

    Any thoughts on how to resolve?



  • 2.  RE: 3 WiFi Access Points not functioning correctly - getting denied PAPI Port messages

    Posted Feb 26, 2024 05:15 AM

    1. The only ports you would need for the AP to function is PAPI - 8211 [ first boot ] and 8209 [ when cpsec is enabled ] to establish communication and talk to the controller.

    2. What other logs do you see? I dont think this is a PAPI port issue

    3. What flags do you see in " show ap database " , and what do you see in the " show datapath session table | include <IP of AP>"

    4. Is the mode set to auto-cert-provision under control-plane-security?

    5. Do you have papi security enabled? if its not a requirement for the network, id suggest toggling that setting to see if the APs are able to establish communication and stay that way. 

    " https://www.arubanetworks.com/techdocs/CLI-Bank/Content/aos8/papi-security.htm"

    6. Is the AP in the whitelist section of cpsec?

    show whitelist-db cpsec

    7. Try removing one of the problematic APs from this list and re adding them. ( bounce your switch ports for a forced reboot ).



    ------------------------------
    /AJ
    ------------------------------



  • 3.  RE: 3 WiFi Access Points not functioning correctly - getting denied PAPI Port messages

    Posted 22 days ago

    AJ,

     Thank you for your response.  As I am new to the airhead community, I was waiting for my post to be approved. I never realized it was approved.

    Here is the output of those commands.

    (Aruba_VMC) *[mynode] #show ap database

    AP Database

    -----------

    Name                           Group          AP Type  IP Address      Status            Flags  Switch IP     Standby IP

    ----                           -----          -------  ----------      ------            -----  ---------     ----------

    AlamedaCT-Boper-A00686         Alameda-APs    505      172.31.236.244  Down                     172.25.26.50  0.0.0.0

    (Aruba_VMC) *[mynode] #show datapath session table | include 172.31.236.244

    172.31.236.244    172.25.26.50    17   8211  8222   0/0     0    0   2   0/0/0       1b   0          0          FYCI            2

    172.31.236.244    172.25.26.50    17   8211  8515   0/0     0    0   0   0/0/0       f    0          0          FYCI            2

    172.25.26.50      172.31.236.244  17   8222  8211   0/0     0    0   0   0/0/0       1b   3          402        FI              2

    172.25.26.50      172.31.236.244  17   8211  8211   0/0     0    0   1   0/0/0       1b   0          0          FYI             2

    172.31.236.244    172.25.26.50    17   8211  8211   0/0     0    0   0   0/0/0       1b   9          2504       FCI             2

    172.25.26.50      172.31.236.244  17   8515  8211   0/0     0    0   1   0/0/0       f    0          0          FYI             2

    (Aruba_VMC) *[mynode] #show whitelist-db cpsec

    Control-Plane Security Allowlist-entry Details

    ----------------------------------------------

    MAC-Address        AP-Group       AP-Name                        Enable   State                   Cert-Type     Description   Revoke Text          Last Updated

    -----------        --------       -------                        ------   -----                   ---------     -----------   -----------          ------------

    20:9c:b4:cc:f5:c8  Alameda-APs    AlamedaCT-Boper-A00686         Enabled  unapproved-no-cert      switch-cert                                      Fri Mar 15 07:40:54 2024


    I checked the Running Config of the VMC and found that it seems to be permitted, but no enhanced-security enabled:

    ip access-list session control
        user any udp 68 deny
        any any svc-icmp permit
        any any svc-dns permit
        any any svc-papi permit
        any any svc-sec-papi permit
        any any svc-cfgm-tcp permit
        any any svc-adp permit
        any any svc-tftp permit
        any any svc-dhcp permit
        any any svc-natt permit
        any any tcp 6633 permit

    .

    .


    ip access-list session v6-control
        ipv6 user any udp 546 deny
        ipv6 any any svc-v6-icmp permit
        ipv6 any any svc-dns permit
        ipv6 any any svc-papi permit
        ipv6 any any svc-sec-papi permit
        ipv6 any any svc-cfgm-tcp permit
        ipv6 any any svc-adp permit
        ipv6 any any svc-tftp permit
        ipv6 any any svc-v6-dhcp permit
        ipv6 any any svc-natt permit
        ipv6 any any svc-dhcp permit
    .

    .


    license-pool-profile-root
        pefng-licenses-enable
        rfp-license-enable
    !
    papi-security
    !
    est profile "default"
    !

    ----------

    I had 1 AP brought back to me, confirmed it works fine with correct static IP at HQ office. I then reprovisioned it for the Alameda Location, and had it sent down. Waiting on Staff to plug it in so I can check the logs again.




  • 4.  RE: 3 WiFi Access Points not functioning correctly - getting denied PAPI Port messages

    Posted 22 days ago

    Also, To clarify as well. When I originally had this Issue, we opened a TAC with Aruba Support. They looked at our logs and saw we were out of licenses.  So Once we got the licenses registered, I assumed it would resolve this issue.  It may be possible that it did resolve the issue, but I needed to physically reprovision the AP's again, whitelist them, etc.

    That may have been the initial cause all along...