Yes, I'm accepting all APs. But also, looking at my allow list, I have a "NO" on the MAC that I'm trying to connect. When I select this and "APPROVE" it, it doesn't change from "NO" to "YES".
************************************************************************************************************************
Original Message:
Sent: Jan 15, 2025 03:50 AM
From: GorazdKikelj
Subject: Unable to update AP firmware using a specific IP
Hi Nick.
Check the AP allow list on the controller for this IP/MAC address. Also check if you have set up a limited IP address range for allowed APs on the controller. If you have an allow list defined, it is possible that this IP is out of the allowed range.

Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: Jan 14, 2025 04:51 PM
From: NickMtz
Subject: Unable to update AP firmware using a specific IP
Thanks Gorazd,
We have a cluster of 2 9200 series controllers running AOS 8.10. Using the same AP, I can use a different IP address to provision the AP; also, I can repeat the issue using a secondary AP 635 series.
We are using CPSEC. Also, looking at the log on the controller, I'm seeing this message:
Dec 15 21:12:05 2024 amon_sender_proc[8072]: PAPI_Security: Denying message 24301 received from unauthenticated source xxx.xxx.xxx.63:8514 for PAPI port 8444
Dec 17 22:48:46 2024 stm[8043]: PAPI_Security: Denying message 16200 received from unauthenticated source xxx.xxx.xxx.63:17103 for PAPI port 8222
Dec 17 22:49:46 2024 stm[8043]: PAPI_Security: Denying message 16200 received from unauthenticated source xxx.xxx.xxx.63:17103 for PAPI port 8222
Dec 17 22:51:46 2024 stm[8043]: PAPI_Security: Denying message 16200 received from unauthenticated source xxx.xxx.xxx.63:17103 for PAPI port 8222
The issue seems to be specific to the IP address I'm using. A workaround was to use a .66 IP address, but I wanted to make sure I understood why this single IP address was being blocked. We don't have anything in between that would block UDP. I wasn't concerned with MTU since I was able to use a different IP on the same port.
Also wanted to mention we have enough licenses available.
Thank you for your help
Nick
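An added example, not part of the original thread and not ArubaOS tooling: a short Python script that groups PAPI_Security denial lines like those quoted above by source address, process, message code and PAPI port, so denials tied to a single AP address stand out when the allow list is being checked. The log lines are copied from the post (addresses redacted as in the post) plus one constructed unrelated line; the field names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the post above (addresses are redacted there as xxx),
# plus one constructed, unrelated line to show that non-matching input is skipped.
SAMPLE_LOG = """\
Dec 15 21:12:05 2024 amon_sender_proc[8072]: PAPI_Security: Denying message 24301 received from unauthenticated source xxx.xxx.xxx.63:8514 for PAPI port 8444
Dec 17 22:48:46 2024 stm[8043]: PAPI_Security: Denying message 16200 received from unauthenticated source xxx.xxx.xxx.63:17103 for PAPI port 8222
Dec 17 22:49:46 2024 stm[8043]: PAPI_Security: Denying message 16200 received from unauthenticated source xxx.xxx.xxx.63:17103 for PAPI port 8222
Dec 17 22:51:46 2024 stm[8043]: PAPI_Security: Denying message 16200 received from unauthenticated source xxx.xxx.xxx.63:17103 for PAPI port 8222
Dec 17 22:52:00 2024 stm[8043]: unrelated message (constructed for this example)
"""

# Group names below are this example's own labels, not ArubaOS terminology.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<proc>[\w.-]+)\[\d+\]: PAPI_Security: Denying message (?P<msg>\d+) "
    r"received from unauthenticated source (?P<src>[\w.]+):(?P<sport>\d+) "
    r"for PAPI port (?P<dport>\d+)$"
)

def summarize_denials(text):
    """Group denials by (source, process, message code, PAPI port)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in text.splitlines():
        m = DENY_RE.match(line.strip())
        if not m:
            continue  # not a PAPI_Security denial line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
        key = (m["src"], m["proc"], int(m["msg"]), int(m["dport"]))
        g = groups[key]
        g["count"] += 1
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    return dict(groups)

def sources_denied(text):
    """Map each denied source address to its total number of denials."""
    totals = defaultdict(int)
    for (src, _proc, _msg, _dport), g in summarize_denials(text).items():
        totals[src] += g["count"]
    return dict(totals)

if __name__ == "__main__":
    for key, g in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(key, g["count"], g["first"], g["last"])
```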
Original Message:
Sent: Jan 14, 2025 03:17 PM
From: GorazdKikelj
Subject: Unable to update AP firmware using a specific IP
Hi.
Not a lot of information to go on. First try with the eth0 port. Looks like you have an AP with 2 eth ports. Usually eth0 is primary and eth1 is secondary. Depending on the AP model, it can matter.
There can also be a problem with MTU size. At least I have some problems doing console upgrades from ArubaOS-S switches with the default 1500 MTU size.
Or you have something in between that blocks UDP traffic.
The controller usually won't deny AP access to FW files. But for completeness, check the free license count. It should not matter so early in the AP boot process, but anyway.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: Jan 14, 2025 11:24 AM
From: NickMtz
Subject: Unable to update AP firmware using a specific IP
While time-consuming, we manually assign static IP addresses to our APs. We have a single IP address that won't pull an image from the controller. I can ping the DG and controller from the CLI on the AP, but when I go to "boot" I get a timeout. Does the controller have the ability to block a single AP IP address?
apboot> ping xxx.xxx.xxx.201
eth0: link down
eth1 up: 1 Gb/s full duplex
Using eth0 device
host xxx.xxx.xxx.201 is alive
apboot> ping xxx.xxx.xxx.202
eth0: link down
eth1 up: 1 Gb/s full duplex
Using eth0 device
host xxx.xxx.xxx.202 is alive
Hit <Enter> to stop autoboot: 0
Booting OS partition 0
Checking image @ 0x0
Invalid image format version: 0xffffffff
Checking image @ 0x3000000
Invalid image format version: 0xffffffff
Net: eth0, eth1
eth0: link down
eth1 up: 1 Gb/s full duplex
Using eth0 device
TFTP from server xxx.xxx.xxx.201; our IP address is xxx.xxx.xxx.63; sending through gateway xxx.xxx.xxx.254
Filename 'arm64emmc.ari'.
Load address: 0x50500000
Loading: T T T T T T T T T T
Retry count exceeded; starting again
eth0: link down
eth1 up: 1 Gb/s full duplex
Using eth0 device
TFTP from server xxx.xxx.xxx.201; our IP address is xxx.xxx.xxx.63; sending through gateway xxx.xxx.xxx.254
Filename 'arm64emmc.ari'.
Load address: 0x50500000
Loading: T T T T T T T T T T
Retry count exceeded; starting again
eth0: link down
eth1 up: 1 Gb/s full duplex
Using eth0 device
TFTP from server xxx.xxx.xxx.201; our IP address is xxx.xxx.xxx.63; sending through gateway xxx.xxx.xxx.254
Filename 'arm64emmc.ari'.
Load address: 0x50500000
Loading: T T T T T T T T T T
Retry count exceeded; starting again