Environment Product & Software : This article applies to Aruba OS 3.4 and above.
When the Aruba AP's get stuck in the dirty 'D' flag which means configuration is getting pushed to the AP. It could be related to IP fragmentation and reassembly problems in the network.
This can be verified by enabling log-icmp-error on the stateful firewall and check for ICMP errors in “show log security”
Execute the below command to enable log-icmp-error from cli:
(Aruba) (config) #firewall log-icmp-error
To enable log-icmp-error from webui:
Navigate to Configuration> Advanced Services> Stateful Firewall> Global Settings
An ICMP error from the AP with code 11 would mean that the AP is missing IP fragments and it cannot re-construct the config message.
Here is the sample from show log security.
(Aruba) #show log security 50 | include "type=11"
Aug 27 18:53:28 :124006: <WARN> |authmgr| {167} ICMP srcip=10.13.32.11 dstip=119.82.106.146, type=11, code=1, action=deny
Aug 27 18:53:44 :124006: <WARN> |authmgr| {168} ICMP srcip=10.13.32.11 dstip=119.82.106.146, type=11, code=1, action=deny
Aug 27 18:54:53 :124006: <WARN> |authmgr| {169} ICMP srcip=10.13.32.11 dstip=119.82.106.146, type=11, code=1, action=deny
Aug 27 19:12:46 :124006: <WARN> |authmgr| {170} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:13:17 :124006: <WARN> |authmgr| {171} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:13:41 :124006: <WARN> |authmgr| {172} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:13:45 :124006: <WARN> |authmgr| {173} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:13:57 :124006: <WARN> |authmgr| {174} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:14:05 :124006: <WARN> |authmgr| {175} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:14:08 :124006: <WARN> |authmgr| {176} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:14:14 :124006: <WARN> |authmgr| {177} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:14:28 :124006: <WARN> |authmgr| {178} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny