Controllerless Networks

 My DC powered AP-225 (external power supply)  is coming up with I Flag. I can see PWR and ENET0 LEDs steady green, and 5G as well as 2.4G LEDs steady amber. Any idea why it is Inactive on controller ?

(Aruba-7210) #show ap database inactive

 AP Database

-----------

Name             Group          AP Type  IP Address     Status     Flags  Switch IP     Standby IP

----             -----          -------  ----------     ------     -----  ---------     ----------

REP-AP:213E-POC  Aruba-POC-REP  225      x.x.x.x  Up 32m:1s  I      y.y.y.y  0.0.0.0

Inactive means that an access point does not have its configuration for one reason or another.  It could be that traffic is blocked between the controller and the access point or the configuratoin is wrong for some reason.  I would do a "show ap tech-support ap-name <name of ap>" and see if there are any obvious errors.

Haven't found anything obvious in show tech, but maybe I Flag is relataed to the fact that AP is conencted to Controller thru IPsec tunnel (IPsec tunnels between two firewalls) , I can see some frag drops on firewall

[Expert@Irek-11]# fw ctl zdebug drop | grep x.x.x.x

;fw_log_drop: Packet proto=17 y.y.y.y:8211 -> x.x.x.x:8211 dropped by fwchain_frag Reason: wait for more fragments;

;fw_log_drop: Packet proto=17 y.y.y.y:513 -> x.x.x.x:1024 dropped by fwchain_frag Reason: wait for more fragments;

Wait, is this a regular campus AP and you have a firewall between the controller and the AP?  Are you allowing GRE?  Are you sure there is no NAT involved?  GRE does not survive NAT...

Yes, there is firewall between AP and Controller ( I updated subject of this post , sorry for confusion;). Basically AP is at my home office connected to DC thru VPN (two firewall in between: home and DC firewall). But no issue with GRE, there is active session between AP and Controller

see on DC firewall

15:28:27.663722 IP 10.199.107.10 > 10.29.1.202: GREv0, length 68: gre-proto-0x9000
15:28:27.663771 IP 10.29.1.202 > 10.199.107.10: GREv0, length 68: gre-proto-0x9000

also on controller

(Aruba-7210) #show datapath session table 10.199.107.10 | begin Source
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- --------- --------- ---------------
10.29.1.202 10.199.107.10 47 0 0 0/0 0 0 0 0/0/0 8fe 1111 104828 F
10.199.107.10 10.29.1.202 17 8211 8222 0/0 0 0 1 0/0/0 1a 0 0 FYCI
10.29.1.202 10.199.107.10 17 8222 8211 0/0 0 0 1 0/0/0 1a 3 312 FI
10.29.1.202 10.199.107.10 17 514 50354 0/0 0 0 0 0/0/0 2 0 0 FY
10.199.107.10 10.29.1.202 17 50354 514 0/0 0 0 1 0/0/0 2 1 81 FC
10.199.107.10 10.29.1.202 47 0 0 0/0 0 40 0 0/0/0 8fe 1124 105972 FC

If you type "show ap bss-table ap-name <name of ap>" and you see nothing, that means it is not broadcasting anything...but we already know that.  There could be a problem with the MTU.  In the AP system profile, you could try entering an MTU of 1100 to see if that changes anything.  

Either way, provisioning the access point as a remote AP (where everything occurs over the ipsec tunnel) could possibly allow you to sidestep your issue.

Looks for that AP system profile and MTU, I noticed that I've not applied any virtual AP profile to AP group (not firsyt when I actually forgot to click Apply;). Now it's applied and all is up and running. Appreciate your help!

(Aruba-7210) #show ap active | include REP
REP-AP:213E-POC Aruba-POC-REP 10.199.107.10 0 AP:HT:1/21/21 1 AP:VHT:48E/18/21 225 Aa 58m:36s N/A