Hi Jens.
Great. Yes, I see it now. And many thx for this help. It's now working as expected.
Original Message:
Sent: Jan 11, 2022 04:23 AM
From: Jens Fluegel
Subject: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0
Hi Gorazd,
this is not an issue. I assume that all your APs are only active on this one controller and the others have no APs or no APs in the AP groups you activated Meridian Beacon Management on.
Because Meridian Beacon Management is an HTTPS POST only, the connection is only made in case there are Beacons/BLE radios to be reported.
Therefore don't worry. Just make sure the configuration is the same on all MDs (using the Mobility Conductor) and that all MDs have the correct cert chain installed.
Regards,
Jens
------------------------------
Jens Fluegel
Original Message:
Sent: Jan 11, 2022 04:17 AM
From: Gorazd Kikelj
Subject: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0
Hi Jens, Herman.
Many thx. It was my oversight. I did change the tokens as soon as I saw Herman's post.
So the problem is still there. Only one MD gets a connection to Meridian, the others are waiting in the "Null Context -- Syncing Config..." state.
Best, Gorazd
------------------------------
Gorazd Kikelj
Original Message:
Sent: Jan 11, 2022 04:07 AM
From: Jens Fluegel
Subject: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0
Hi Gorazd,
Great! There is only a single token per Meridian location as described by Herman.
Please don't post your tokens in your posts for security reasons ;-). You should change them as suggested.
Regards,
Jens
------------------------------
Jens Fluegel
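A sanitizer for this kind of CLI output, run before pasting it into a post, is sketched below as an added example; it is not part of the thread or of any Aruba or Meridian tooling. The field labels are the ones visible in the outputs quoted in this thread; the sample text, host name and token values are constructed.

```python
import re

PLACEHOLDER = "<redacted>"

# JWT shape: three dot-separated base64url segments, the first starting with "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Labelled token fields as they appear in the ble_relay / iot transport outputs.
LABEL_RE = re.compile(
    r"^(\s*(?:accessToken|Handshake Token|Access Token)\s*:?\s+)(\S+)\s*$",
    re.IGNORECASE)
# Authorization header as echoed in the curl log: "authorization: <scheme> <token>".
AUTH_RE = re.compile(r"(authorization:\s*\S+\s+)(\S+)", re.IGNORECASE)
# Values that are already harmless and should be left alone.
KEEP = {"N/A", "...", PLACEHOLDER}


def redact_line(line):
    """Redact token material on one line of CLI output."""
    m = LABEL_RE.match(line)
    if m and m.group(2) not in KEEP:
        line = m.group(1) + PLACEHOLDER
    line = AUTH_RE.sub(lambda a: a.group(1) + PLACEHOLDER, line)
    # Catches tokens embedded elsewhere, e.g. in the WebSocket URL path.
    return JWT_RE.sub(PLACEHOLDER, line)


def redact(text):
    return "\n".join(redact_line(l) for l in text.splitlines())


def count_secrets(text):
    """Number of lines that contained something redactable."""
    before, after = text.splitlines(), redact(text).splitlines()
    return sum(1 for a, b in zip(before, after) if a != b)


# Constructed sample; the token below is a made-up JWT-shaped string.
FAKE = "eyJDT05TVFJVQ1RFRA.eyJFWEFNUExF.c2lnbmF0dXJl"
SAMPLE = f"""(MD-01) #show ble_relay report
Handshake Token : {FAKE}
Location Id : 1234567890
Websocket Address : wss://tags.example.invalid/ws/{FAKE}
authorization: MERIDIAN opaque-token-value
Access Token        ...
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
    print("lines redacted:", count_secrets(SAMPLE))
```

Redaction only protects the copy being shared; a token that has already been posted still has to be rotated.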
Original Message:
Sent: Jan 11, 2022 02:45 AM
From: Gorazd Kikelj
Subject: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0
Hi Jens.
Finally some progress :-)
Next question is, do I need separate access tokens for each MD managed by MM? I have 4 MDs managed with one MM and only one is able to establish a connection with Meridian. As not all MDs are in the same cluster, this could be an issue.
(ArubaMC-02) #show ble_relay report
---------------------------Profile[BLE-Asset-Tracking]---------------------------
WebSocket Connect Status : Connection Established
WebSocket Connection Established : Yes
Handshake Address : https://tags.meridianapps.com/api/v1beta1/streams/ingestion.start
Handshake Token : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsIjo2NzI1NDg5NTg1NTUzNDA4LCJ0IjoxNTc0Njc0MDkyfQ.Agobfs6ME7ErDXissgDJPj5WUABxfBNKhl6JejfzK2M
Location Id : 6725489585553408
Websocket Address : wss://tags.meridianapps.com/streams/v1beta1/ingestion/tags/websocket/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25uZWN0aW9uX2lkIjoiYXV0aF9rZXk6YzdlajNiaXZrNnM4OGI5dmkyNjAiLCJsb2NhdGlvbl9pZCI6IjY3MjU0ODk1ODU1NTM0MDgiLCJsb2NhdGlvbl9uYW1lIjoiSFBFIFNlbGVjdGl1bSIsIm9yZ19pZCI6IjU2ODE5OTgwMjE1MjU1MDQiLCJvcmdfbmFtZSI6IlNlbGVjdGl1bSIsImNvbm5lY3Rpb25fbmFtZSI6IiIsIm9zIjoiQU9TIiwib3NfdmVyc2lvbiI6IjguOS4wLjEiLCJ3aWZpX21hYyI6IiIsImV4cCI6MTY0MTg4NjM4MSwiaWF0IjoxNjQxODg2MTI2LCJpc3MiOiJkZXYiLCJuYmYiOjE2NDE4ODYxNDF9.yogP18GfFZBge4QRjxg6cf0W6NCQVdvw5MgYM9cBnpM
WebSocket Host : tags.meridianapps.com
WebSocket Path : streams/v1beta1/ingestion/tags/websocket/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25uZWN0aW9uX2lkIjoiYXV0aF9rZXk6YzdlajNiaXZrNnM4OGI5dmkyNjAiLCJsb2NhdGlvbl9pZCI6IjY3MjU0ODk1ODU1NTM0MDgiLCJsb2NhdGlvbl9uYW1lIjoiSFBFIFNlbGVjdGl1bSIsIm9yZ19pZCI6IjU2ODE5OTgwMjE1MjU1MDQiLCJvcmdfbmFtZSI6IlNlbGVjdGl1bSIsImNvbm5lY3Rpb25fbmFtZSI6IiIsIm9zIjoiQU9TIiwib3NfdmVyc2lvbiI6IjguOS4wLjEiLCJ3aWZpX21hYyI6IiIsImV4cCI6MTY0MTg4NjM4MSwiaWF0IjoxNjQxODg2MTI2LCJpc3MiOiJkZXYiLCJuYmYiOjE2NDE4ODYxNDF9.yogP18GfFZBge4QRjxg6cf0W6NCQVdvw5MgYM9cBnpM
Vlan Interface : Not Configured
Current WebSocket Started at : 2022-01-11 08:29:06
Last Send Time : 2022-01-11 08:33:59
Websocket Write Stats : 6 (14373B)
Websocket Write WM : 0B (0)
Websocket Read Stats : 0 (0B)
---------------------------Profile[BLE-Beacon-Management]---------------------------
Last Send Time: 2022-01-11 08:32:09
Sent report to Endpoint server (111s) ago: success 3, failed 0, last curl result code 200
Timeout(-1):20 Jobs added: 3
Vlan Interface : Not Configured
Server response:
Response time: 2022-01-11 08:32:09
{"next_sync":3600,"updates":[]}
(ArubaMC-02) #show crypto-local pki trustedCA
Certificates
------------
Name Original Filename Reference Count Expired
-------------- ----------------- --------------- -------
DigiCert-Meridian DigiCertGlobalRootCA.crt 0 No
Meridian_GlobalSign_Root_CA GlobalSign_Root_CA.crt 0 No
Meridian_GTS_Root_R1 GTS_Root_R1.crt 0 No
(ArubaMC-02) #show crypto-local pki intermediateCA
Certificates
------------
Name Original Filename Reference Count Expired
-------------- ----------------- --------------- -------
Meridian_GTS_CA_1D4 GTS_CA_1D4.crt 0 No
(ArubaMC-02) #show ble_relay iot-profile
ConfigID : 22
---------------------------Profile[BLE-Asset-Tracking]---------------------------
serverURL : https://tags.meridianapps.com/api/v1beta1/streams/ingestion.start
serverType : Meridian Asset Tracking
deviceClassFilter : Aruba Tags
reportingInterval : 600 second
authentication-mode : none
accessToken : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsIjo2NzI1NDg5NTg1NTUzNDA4LCJ0IjoxNTc0Njc0MDkyfQ.Agobfs6ME7ErDXissgDJPj5WUABxfBNKhl6JejfzK2M
clientID : 6725489585553408
rssiReporting : Average
environmentType : office
include_ap_group : MP-Tower10-11,MP-Tower3,MP-Tower5,MP-Tower6,MP-Tower8
Server Connection State
--------------------------
TransportContext : Connection Established
Last Data Update : 2022-01-11 08:38:46
Last Send Time : 2022-01-11 08:39:34
TransType : Websocket
---------------------------Profile[BLE-Beacon-Management]---------------------------
serverURL : https://edit.meridianapps.com/api/beacons/manage
serverType : Meridian Beacon Management
deviceClassFilter : Aruba Beacons
reportingInterval : 600 second
authentication-mode : none
accessToken : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsIjo2NzI1NDg5NTg1NTUzNDA4LCJ0IjoxNTc0Njc0MDkyfQ.Agobfs6ME7ErDXissgDJPj5WUABxfBNKhl6JejfzK2M
rssiReporting : Average
environmentType : office
include_ap_group : MP-Tower10-11,MP-Tower3,MP-Tower5,MP-Tower6,MP-Tower8
Server Connection State
--------------------------
TransportContext : Ready
Last Data Update : 2022-01-11 08:38:46
Last Send Time : 2022-01-11 08:38:47
Last Receive Time : 2022-01-11 08:38:47
TransType : Https
------------------------------
Gorazd Kikelj
Original Message:
Sent: Jan 10, 2022 12:21 PM
From: Jens Fluegel
Subject: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0
Hi Gorazd,
I am seeing the same issue in my lab with Aruba Instant.
ap505h# show ap debug ble-relay iot-profile
---------------------------Profile[MBM]---------------------------
serverURL : https://edit.meridianapps.com/api/beacons/manage
serverType : Meridian Beacon Management
deviceClassFilter : Aruba Beacons
reportingInterval : 600 second
authentication-mode : none
accessToken : <access token>
rssiReporting : Average
environmentType : office
Server Connection State
--------------------------
TransportContext : Failed
Fail Reason : no response (timeout...etc)
Last Data Update : 2022-01-10 20:40:24
Last Send Time : 2022-01-10 20:40:24
TransType : Https
ap505h#
ap505h# show ap debug ble-relay report MBM
---------------------------Profile[MBM]---------------------------
Last Send Time: 2022-01-10 20:50:25
Sent report to Endpoint server (42s) ago: success 0, failed 3, last curl result code 0
Timeout(-1):20 Jobs added: 3
Server: https://edit.meridianapps.com/api/beacons/manage with proxy: NA
Proxy username: NA, password: NA
Vlan Interface : Not Configured
Request to Server:
{"meta": {"AP": {"mac": "204C03BAC7B0", "apb_mac": "204C03BB798D", "hw_type": "AP-505H", "software_version": "8.9.0.1-8.9.0.1", "software_build": "82154", "ipv4-addr": "192.168.100.10", "name": "ap505h", "clients": 0}, "timestamp": 1641833425}, "beacons": [{"mac": "204C03BB798D", "uuid": "4152554E-F99B-4A3B-86D0-947070693A78", "major": 0, "minor": 0, "cal_pwr": -69, "battery_level": 100, "rssi": 0, "txpower": 15, "timestamp": 1641833416, "hw_type": "BT-AP505H", "local_apb": true, "firmware": {"B": {"version": "1.4-95"}}}, {"mac": "204C03A5675C", "battery_level": 100, "rssi": -62, "timestamp": 1641833423, "hw_type": "BT-AP500", "local_apb": false, "firmware": {"B": {"version": "1.4-94"}}}]}
Last Curl logs:
* Trying 142.250.186.83:443...
* Connected to edit.meridianapps.com (142.250.186.83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: none CApath: /aruba/cacertrehash/
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
Server response:
Response time: 2022-01-10 20:50:25
▒▒T6
ap505h#
As you can see in the log it is an SSL certificate validation problem.
I could solve it by adding the full trusted ca chain to my instant access point. Adding just the root CA cert is not enough, neither on Aruba Instant, nor on ArubaOS.
After adding the complete trusted CA chain it works.
I have attached for you the certificate chain files for ArubaOS (dedicated cert/pem files) and Aruba Instant (single PEM file).
After the installation of the complete certificate chain on your controller it should look like this:
ap505h# show ap debug ble-relay report MBM
---------------------------Profile[MBM]---------------------------
Last Send Time: 2022-01-10 21:10:26
Sent report to Endpoint server (466s) ago: success 2, failed 4, last curl result code 200
Timeout(-1):20 Jobs added: 6
Server: https://edit.meridianapps.com/api/beacons/manage with proxy: NA
Proxy username: NA, password: NA
Vlan Interface : Not Configured
Request to Server:
{"meta": {"AP": {"mac": "204C03BAC7B0", "apb_mac": "204C03BB798D", "hw_type": "AP-505H", "software_version": "8.9.0.1-8.9.0.1", "software_build": "82154", "ipv4-addr": "192.168.100.10", "name": "ap505h", "clients": 0}, "timestamp": 1641834626}, "beacons": [{"mac": "204C03BB798D", "uuid": "4152554E-F99B-4A3B-86D0-947070693A78", "major": 0, "minor": 0, "cal_pwr": -69, "battery_level": 100, "rssi": 0, "txpower": 15, "timestamp": 1641834616, "hw_type": "BT-AP505H", "local_apb": true, "firmware": {"B": {"version": "1.4-95"}}}, {"mac": "204C03A5675C", "battery_level": 100, "rssi": -56, "timestamp": 1641834623, "hw_type": "BT-AP500", "local_apb": false, "firmware": {"B": {"version": "1.4-94"}}}]}
Last Curl logs:
* Trying 142.250.186.83:443...
* Connected to edit.meridianapps.com (142.250.186.83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: none CApath: /aruba/cacertrehash/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=edit.meridianapps.com
* start date: Nov 29 09:17:19 2021 GMT
* expire date: Feb 27 09:17:18 2022 GMT
* subjectAltName: host "edit.meridianapps.com" matched cert's "edit.meridianapps.com"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1747f4)
> POST /api/beacons/manage HTTP/2
Host: edit.meridianapps.com
content-type: application/json
authorization: MERIDIAN <access token removed>
accept: application/vnd.meridian.v1+json
content-length: 698
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* We are completely uploaded and fine
< HTTP/2 200
< x-ratelimit-remaining: 99999
< x-xss-protection: 1; mode=block
< content-security-policy: script-src 'self' 'unsafe-eval' 'unsafe-inline' *.googleapis.com www.googletagmanager.com www.google-analytics.com www.google.com cdnjs.cloudflare.com files.meridianapps.com; style-src 'self' 'unsafe-inline' *.googleapis.com www.google.com cdnjs.cloudflare.com; default-src 'self'; img-src 'self' data: blob: files.meridianapps.com edit.meridianapps.com www.google-analytics.com storage.googleapis.com edit-eu.meridianapps.com maps.gstatic.com *.googleusercontent.com http://*.googleusercontent.com http://*.ggpht.com *.ggpht.com http://*.googleapis.com *.googleapis.com; connect-src 'self' api.keen.io sentry.io wss: www.google-analytics.com tags.meridianapps.com *.appspot.com; object-src 'self' blob:; font-src 'self' data: *.googleapis.com *.gstatic.com
< content-language: en
< strict-transport-security: max-age=3600
< vary: Accept, Accept-Language, Cookie
< x-ratelimit-limit: 100000/second
< etag: "129386107711ec622a3919d9eedbf5c2"
< allow: POST, OPTIONS
< access-control-allow-credentials: false
< x-frame-options: SAMEORIGIN
< access-control-allow-origin: *
< x-content-type-options: nosniff
< content-type: application/json
< x-meridian-media-type: version=v1
< x-cloud-trace-context: 85333e277ce97fa4eee7ee1e03efec43
< date: Mon, 10 Jan 2022 17:10:26 GMT
< server: Google Frontend
< content-length: 31
<
* Connection #0 to host edit.meridianapps.com left intact
Server response:
Response time: 2022-01-10 21:10:26
{"next_sync":3600,"updates":[]}
ap505h#
Let me know if that solves your problem.
Regards,
Jens
------------------------------
Jens Fluegel
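The two reports in the message above can be told apart mechanically, which helps when the same check has to be repeated on several MDs or APs. The following is an added example, not part of the thread and not Aruba tooling: it classifies a pasted ble-relay report from its summary line and curl log. The verdict names are hypothetical, and the sample reports are abridged from the output quoted above.

```python
import re

SUMMARY_RE = re.compile(r"success (\d+), failed (\d+), last curl result code (\d+)")
# Stop at "*" or newline so the patterns also work on run-together text.
TLS_ERR_RE = re.compile(r"SSL certificate problem: ([^*\n]+)")
ISSUER_RE = re.compile(r"\* issuer: ([^*\n]+)")


def triage(report):
    """Classify one ble-relay report (line-broken or run-together text)."""
    res = {"success": None, "failed": None, "curl_code": None,
           "tls_error": None, "issuer": None}
    m = SUMMARY_RE.search(report)
    if m:
        res["success"], res["failed"], res["curl_code"] = map(int, m.groups())
    m = TLS_ERR_RE.search(report)
    if m:
        res["tls_error"] = m.group(1).strip()
    m = ISSUER_RE.search(report)
    if m:
        res["issuer"] = m.group(1).strip()
    # The success/failed counters are cumulative, so the verdict relies on the
    # last curl result code and the TLS lines, not on "failed" being zero.
    if res["tls_error"] and "local issuer" in res["tls_error"]:
        # The device cannot build a path to a trusted root: per the post, the
        # intermediate CA must be installed in addition to the root CA.
        res["verdict"] = "tls-chain-incomplete"
    elif res["tls_error"]:
        res["verdict"] = "tls-verify-failed"
    elif res["curl_code"] == 200:
        res["verdict"] = "ok"
    elif res["curl_code"] == 0:
        res["verdict"] = "no-response"
    else:
        res["verdict"] = "unknown"
    return res


# Abridged sample reports modelled on the output quoted in the post.
FAILING = (
    "Sent report to Endpoint server (42s) ago: success 0, failed 3, last curl result code 0\n"
    "* successfully set certificate verify locations:\n"
    "* CAfile: none CApath: /aruba/cacertrehash/\n"
    "* SSL certificate problem: unable to get local issuer certificate\n"
    "* Closing connection 0\n")
WORKING = (  # run together, as pasted CLI output often ends up
    "Sent report to Endpoint server (466s) ago: success 2, failed 4, last curl result code 200"
    "* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4"
    "* SSL certificate verify ok.")

if __name__ == "__main__":
    for name, text in (("failing", FAILING), ("working", WORKING)):
        print(name, triage(text))
```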
Original Message:
Sent: Jan 10, 2022 10:38 AM
From: Gorazd Kikelj
Subject: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0
Hi Jens.
We did upload the correct certificate and it is working on 8.8.0.x. When I boot the controller from 8.9.0.1 partition, I get the following from show ble_relay iot-profile
(ArubaMC-01) [MDC] #show ble_relay iot-profile
ConfigID : 8
---------------------------Profile[BLE-Beacon-Management]---------------------------
serverURL : https://edit.meridianapps.com/api/beacons/manage
serverType : Meridian Beacon Management
deviceClassFilter : Aruba Beacons
reportingInterval : 600 second
authentication-mode : none
accessToken : ...
rssiReporting : Average
environmentType : office
include_ap_group : MP-Tower10-11,MP-Tower3,MP-Tower5,MP-Tower6,MP-Tower8
Server Connection State
--------------------------
TransportContext : Failed
Fail Reason : no response (timeout...etc)
Last Data Update : 2021-12-23 12:16:50
Last Send Time : 2021-12-23 12:16:50
TransType : Https
Management transport profile looks like this:
show iot trans BLE-Beacon-Management
IoT Data Profile "BLE-Beacon-Management"
----------------------------------------
Parameter Value
--------- -----
Server Type Meridian-Beacon-Management
Server URL https://edit.meridianapps.com/api/beacons/manage
Access Token ...
Client Id N/A
Username N/A
Password N/A
Reporting interval 600
Device Class Filter aruba-beacons
UUID Filter N/A
Movement Filter 0
Cell Size Filter 0
Vendor Filter N/A
USB serial device type Filter N/A
Age Filter 0
Authentication URL N/A
Authentication Mode none
UID Namespace Filter N/A
URL Filter N/A
Access ID N/A
Client Secret N/A
Zigbee Socket Device Filter N/A
RSSI Reporting Format average
choose an environment type office
Custom Fading Factor 20
Iot Proxy Server N/A
Iot Proxy User N/A
AP Group MP-Tower10-11
AP Group MP-Tower3
AP Group MP-Tower5
AP Group MP-Tower6
AP Group MP-Tower8
Send device counts only Disabled
Enable bleData forwarding for known devices Disabled
Enable filtering for each frame received Disabled
RTLS Destination MAC Address N/A
Data Filter N/A
Azure DPS Id Scope N/A
Azure DPS Auth Type N/A
Service UUID Filter N/A
Company Identifier Filter N/A
MAC OUI Filter N/A
Local Name Filter N/A
And the certificate is there
(Demo7005-02) *#show crypto-local pki trustedCA
Certificates
------------
Name Original Filename Reference Count Expired
-------------- ----------------- --------------- -------
DigiCert-Meridian DigiCertGlobalRootCA.crt 0 No
Best, Gorazd
------------------------------
Gorazd Kikelj
Original Message:
Sent: Jan 10, 2022 10:18 AM
From: Jens Fluegel
Subject: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0
Hi,
if the management communication is not established, please check via AP or controller CLI the possible root cause.
The commands are:
AOS controller:
show ble_relay iot-profile
show ble_relay ws-log <profile>
Aruba Instant:
show ap debug ble-relay iot-profile
show ap debug ble-relay ws-log <profile>
It is very likely that the certificate check fails. Did you install the current trusted root CA required for the Meridian backend?
I assume you configured IoT transport profiles for Meridian Beacon Management as well as Asset Tracking as described here?
https://docs.meridianapps.com/hc/en-us/articles/360049798094-ArubaOS-8-7-x-Meridian-Beacons-Management-and-Asset-Tracking-Configuration-Guide
https://docs.meridianapps.com/hc/en-us/articles/360053927734-Aruba-Instant-8-6-0-x-Meridian-Beacons-Management-And-Asset-Tracking-Configuration-Guide
Regards,
Jens
------------------------------
Jens Fluegel
Original Message:
Sent: Jan 10, 2022 10:03 AM
From: Gorazd Kikelj
Subject: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0
Hi Jens.
We did test with 8.9.0.1 with the same result as with 8.9.0.0. Maybe we miss something very basic that is now different from 8.7 and 8.8. We opened a TAC case.
Any hints what we should look at?
In 8.9.0.x the Management communication simply times out and is never established.
Best, Gorazd
------------------------------
Gorazd Kikelj
Original Message:
Sent: Jan 10, 2022 03:54 AM
From: Jens Fluegel
Subject: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0
Hi,
Starting with 8.8, the default advertisement for the AP-5xx series changed from iBeacon to an Aruba-specific format if the default beacon config has never been modified and is still at factory defaults; AP-3xx has not been changed. Furthermore, we added beacon custom payload and multi-advertisements for AP-5xx with 8.9. Unfortunately, this introduced a bug with the Meridian Beacon Management. This bug should be addressed with 8.9.0.1.
If 8.9.0.1 does not solve your problem, please open a TAC case.
Regards,
Jens
------------------------------
Jens Fluegel
Original Message:
Sent: Jan 07, 2022 06:39 AM
From: Mladen Vukadinovic
Subject: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0
Hi,
We upgraded our controller from version 8.8.0.1 to 8.9XX and Meridian Beacon management stopped working.
We then reverted to 8.8XX and the controller connected to Meridian, but it does not recognise APs as access points, but as beacons.
I tried on a demo environment with 8.7, which works perfectly.
Is there any change in newer versions that I would need to tweak in order to have the latest versions working?
best regards,
Mladen
------------------------------
Mladen Vukadinovic
------------------------------