Whenever you upgrade a controller to a newer version of code, it pushes an image file out to each RAP and CAP. This file is approximately 3 - 4 MB in size, depending on the model of the AP, and if many APs are deployed it may take a while for all of them to upgrade over a slower uplink.
But if a RAP stays stuck in the Upgrading state for a long time even though connectivity to the controller is good, it could be because FTP and TFTP are not allowed in the role "ap-role". The "ap-role" is the default role that a RAP falls into.
Note: If CPsec is enabled, RAPs will come up in sys-ap-role.
Environment:
This article applies to Aruba Mobility Controllers running ArubaOS version 5.0.0.0 and above.
The configuration and verification steps mentioned in this article were tested on an Aruba 3200XM Mobility Controller running AOS version 6.3.0.0.
Symptoms of this issue are as follows:
Aruba(3200XM) # show ap database | include RAP3
RAP3 RAP_ap_group RAP-5WN 192.168.10.15 Upgrading Rc2I 172.24.205.106
Check the Datapath Session for the Flags:
Aruba (3200XM) # show datapath session | include 192.168.250.175
192.168.10.15 172.24.205.106 6 54598 21 0/0 0 0 0 tunnel 228 b FDYC
If you see the D flag, it may be due to FTP being blocked in the AP role ACL.
If FTP is not allowed, the RAPs eventually fall back to TFTP to upgrade, but TFTP is the slowest transfer method and is not very resilient over WAN links.
Verify the role "ap-role" for FTP and TFTP:
(Aruba3200XM) # show rights ap-role
Derived Role = 'ap-role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 4/0
Max Sessions = 65535
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 ra-guard session
2 control session
3 ap-acl session
4 v6-control session
5 v6-ap-acl session
ra-guard
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any icmpv6 rtr-adv deny Low 6
control
-------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-papi permit Low 4
5 any any svc-sec-papi permit Low 4
6 any any svc-cfgm-tcp permit Low 4
7 any any svc-adp permit Low 4
8 any any svc-tftp permit Low 4
9 any any svc-dhcp permit Low 4
10 any any svc-natt permit Low 4
ap-acl
------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 any any svc-gre permit Low 4
2 any any svc-syslog permit Low 4
3 any user svc-snmp permit Low 4
4 user any svc-snmp-trap permit Low 4
5 user any svc-ntp permit Low 4
6 user any svc-ftp permit Low 4
If the ACL for FTP is present, then ensure that connectivity from the Controller to the RAP is solid, and verify that the Controller uplink bandwidth can handle all the traffic when all RAPs upgrade at the same time. It is worth mentioning that starting from AOS 6.3 a new feature called "ap image preload" is introduced in order to minimize the load on the controller while the RAPs upgrade: only a certain number of APs will be allowed to download the new image at a time (this value is configurable).
But if you don't find an ACL for FTP, then add an ACL for FTP on the role "ap-role".
To open an ACL for FTP on role "ap-role":
(Aruba3200XM) # config term
(Aruba3200XM) (config) #ip access-list session ap-acl
(Aruba3200XM) (config-sess-ap-acl)#any any svc-ftp permit position 8 queue low
(Aruba3200XM) # show rights ap-role -----------------> To verify the above ACL appears on the list
(Aruba3200XM) # write memory
Note: The user-role "ap-role" is an internal role used by RAPs and should be edited with caution.
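The two checks described above (the D flag on the FTP session and the svc-ftp / svc-tftp rules in the role) can be run against saved CLI output. The script below is an added example, not part of the original article or an Aruba tool. The sample captures are constructed from the output shown above, and the assumed column order and the function names are the example's own.

```python
import re

# Constructed sample captures, modelled on the CLI output shown in this article.
SAMPLE_SESSIONS = """\
192.168.10.15 172.24.205.106 6 54598 21 0/0 0 0 0 tunnel 228 b FDYC
192.168.10.15 172.24.205.106 17 8211 8211 0/0 0 0 0 tunnel 228 1c FC
"""
SAMPLE_RIGHTS = """\
control
-------
8 any any svc-tftp permit Low 4
ap-acl
------
1 any any svc-gre permit Low 4
5 user any svc-ntp permit Low 4
"""

# priority, source, destination, service (may contain spaces), action
RULE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(.+?)\s+(permit|deny)\b")

def denied_ftp_sessions(sessions_text):
    """Return (source, destination) of TCP/21 sessions whose flags include D."""
    hits = []
    for line in sessions_text.splitlines():
        f = line.split()
        # Assumed column order: src dst proto sport dport ... flags (last field)
        if len(f) >= 6 and f[2] == "6" and f[4] == "21" and "D" in f[-1]:
            hits.append((f[0], f[1]))
    return hits

def service_action(rights_text, service):
    """Action of the first rule that names `service`, or None if none does."""
    for line in rights_text.splitlines():
        m = RULE.match(line)
        if m and m.group(3) == service:
            return m.group(4)
    return None

def diagnose(sessions_text, rights_text):
    """List the findings that point to a blocked image transfer."""
    findings = [f"FTP session {s} -> {d} carries the D flag"
                for s, d in denied_ftp_sessions(sessions_text)]
    for svc in ("svc-ftp", "svc-tftp"):
        action = service_action(rights_text, svc)
        if action != "permit":
            findings.append(f"{svc}: {action or 'no rule'} in the role")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SESSIONS, SAMPLE_RIGHTS):
        print(finding)
```

The rule check only looks for rules that name the service explicitly; a broader rule that also covers FTP is not detected.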