I have an ArubaMM-VA (pri/backup) on version 18.104.22.168 LSR orchestrating two Physical 7210 controllers. I am trying to get some remote APs going, but am hitting a snag and I haven't been able to find the cause. The traffic is coming from a typical home user network with a NAT to the public Internet over to the corporate Palo firewall. There are two NAT addresses configured both in the firewall and the profile for the RAP in the controller, and a corresponding policy to allow "any" traffic from the home location ip address to the two NAT addresses on the controller. The controllers have private IP addresses, but the NAT rule points to those IPs. I don't think I should have to include specific ports, but I can do that (I'm testing now with wide open settings to get it working).
The AP is an AP-303, it's in the allow list, and I can see it connect to the controller, but it will never come all the way online. I'm unsure what I have missed, but I did see the AP go Up, then Down a few times.
The message is: AP is down since 2023-12-07 02:01:02 because of the following reason: Auth Request.
On the controller:
show datapath session table 10.200.200.51
I'm not sure what else to check. I'm sure I missed a step, as the RAP configuring isn't as well documented as I hoped. Where do I go next?
Are your controllers in a cluster? In that case you would need to configure the public IPs in your configuration as well... and there is a separate allow list for remote APs (from normal / Campus APs).
If the controllers are not in a cluster, the NAT should be enough.
This page seems to have a good summary... a bit down from the top there is the cluster configuration.
Thanks Herman! I was hoping it was something simple. I had followed that guide, but somehow missed the remote AP tab. I'll try that and see if it comes online.
I did have the AP in the wrong list (Campus)
I do have the LMS IP set for both controllers in the cluster here in the IP address and Backup IP address field. This is the public NAT address (which is surely working since I can see the RAP trying to connect).
I'm not in the same area as the AP right now but I'll give it another reset this eve and see if it will come online if it doesn't before that.
Did you set the RAP Public IP in your cluster?
With controller clusters, most of LMS configuration is ignored and an AP will connect directly to the controller IP as configured in the cluster, or when in RAP mode to the RAP Public IP.
The Auth Request message suggests an authentication problem, but it may be that the RAP just cannot reach its anchor or user controllers.
If this is not your issue, it may be more effective to work with your partner or Aruba Support as there are many things to look at and verify.
Thanks for checking back. Yes – I believe that's what the issue was. I had followed that guide mostly but I missed both the Remote AP (in the previous post) and the RAP IP for the cluster.
For those following along, you cannot change the entry for the cluster, and deleting a single device and adding it back won't allow you to use the RAP IP. But you can re-create a new cluster in the GUI: MD/Config/Services/Clusters, add a new cluster profile with the proper values, then go to the actual devices and move them to the new profile.
Remove existing profile, then add them to the new profile, and that may or may not cause a blip on some of the APs connected. But not many people notice at 2AM.
Create new profile:
Change the profile for each controller:
Now I just have to remember how to activate the ports on the 303H. Thanks for the help!
Network and Systems Engineer