Network Management


IAPs not showing up in Airwave after SSL cert change

  • 1.  IAPs not showing up in Airwave after SSL cert change

    Posted Apr 23, 2020 10:28 AM

    Hi airheads,

    I changed the SSL cert from our Airwave to a signed cert from our internal CA. Everything is fine, switches and CAPs are still online and working.

    Except for a cluster of IAPs from one site. The communication stopped and I cannot find a way to get them working again. In the meantime I deleted all IAPs from this cluster in Airwave, deleted the folder configuration etc., rebooted Airwave, but still no luck. I can see HTTPS traffic from the virtual controller to Airwave, but nothing appearing in Airwave.

    Airwave is 8.2.10.1; IAPs are 8.5.0.2

     

    Any ideas?



  • 2.  RE: IAPs not showing up in Airwave after SSL cert change

    EMPLOYEE
    Posted Apr 23, 2020 12:16 PM

    System --> Event log will be a good place to start with. We would see messages there when the IAP tries to check in.

     



  • 3.  RE: IAPs not showing up in Airwave after SSL cert change

    Posted Apr 24, 2020 02:20 AM

    Thanks for your response!

     

    Nothing to see in Event Log.

    I rebooted all IAPs in the meantime. On IAP, I ran command "show ap debug airwave" and see status "Connected".

     

    "Show log ap-debug" tells me the following:

    awc_init_connection: 2550: connected to 10.xxx.xxx.xxx:443

    Failed to establish SSL connection: Error code is -1:ASN parsing error, invalid input

    awc_login: awc_init error

     

    "Show log provisioning" shows me:

    Airwave In progress Connecting to primary AMP server at 10.xxx.xxx.xxx...

    Airwave In progress Connected with primary AMP server 10.xxx.xxx.xxx, logging in...

    Airwave Debug Logging out of AMP server primary

    Airwave Failed Error establishing SSL connection to AMP server at 10.xxx.xxx.xxx: ASN parsing error, invalid input

    Airwave Failed Login aborted due to incomplete response from primary AMP server

     



  • 4.  RE: IAPs not showing up in Airwave after SSL cert change

    EMPLOYEE
    Posted Apr 24, 2020 08:28 AM

    Are you using certificate-based authentication in Airwave, or PSK? If it is certificate-based, then you might be hitting a known security advisory.

     

    Did this issue start after installing the Airwave or the IAP SSL certificate?

     

    Make sure the certificate has the complete chain.

     

    Check the attached copy of the Aruba advisory.



  • 5.  RE: IAPs not showing up in Airwave after SSL cert change

    Posted May 11, 2020 10:15 AM

    It's configured for PSK only.

    The problem started when changing the SSL certificate on Airwave. I did not upload/change anything on IAP until now. 

    In the meantime I did an update to 8.5.0.6 for the cluster, but the problem still exists with the same messages in logfile.



  • 6.  RE: IAPs not showing up in Airwave after SSL cert change

    EMPLOYEE
    Posted May 11, 2020 11:02 AM

    Check the details of the certificate below for proper IAP-Airwave communication.


    - Does your installed certificate have keyUsage and extKeyUsage extensions?
    - If it is not required, it can be removed, since the Airwave default cert does not add them.
    - If you want to have them, you can add the keyEncipherment and keyAgreement flags while signing the certificate.
    - Also, if you have configured ext-keyUsage, it is suggested that KeyEncipherment be set in KeyUsage when the extKeyUsage extension is configured.
    - The maximum policy ID length is 64
    - New items like id-smime-capabilities, id-ms-application-certificate-policies, id-ms-certificate-template are present
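
The extension checks listed in post 6 can be run against a certificate before it is installed on Airwave. The script below is an added example, not code from the thread or from Aruba: it reads the text dump from `openssl x509 -noout -text`, and the function names, the sample dump and its policy OID are constructed. It assumes the 64-character policy limit applies to the dotted OID string.

```shell
#!/bin/sh
# Added example (not from the thread): audit a certificate's extensions
# against the advice in post 6, using the text dump printed by
#   openssl x509 -in cert.pem -noout -text
# Exit status: 0 = nothing flagged, 1 = at least one finding.

check_cert_text() {
    awk '
        # openssl prints an extension value on the line after its header.
        /X509v3 Key Usage:/          { ku_seen = 1; getline; ku = $0; next }
        /X509v3 Extended Key Usage:/ { eku_seen = 1; next }
        /Policy: / {
            id = $0; sub(/^.*Policy: */, "", id)
            # Assumption: the 64 limit applies to the dotted OID string.
            if (length(id) > 64) { print "FINDING: policy ID over 64 chars: " id; bad = 1 }
        }
        END {
            sub(/^ +/, "", ku)
            print "keyUsage:    " (ku_seen ? ku : "absent")
            print "extKeyUsage: " (eku_seen ? "present" : "absent")
            if (ku_seen && ku !~ /Key Encipherment/) {
                print "FINDING: keyUsage present without keyEncipherment"; bad = 1
            }
            if (eku_seen && !ku_seen) {
                print "FINDING: extKeyUsage present but no keyUsage with keyEncipherment"; bad = 1
            }
            if (ku_seen && ku !~ /Key Agreement/)
                print "NOTE: keyAgreement not set (post 6 lists it as a flag you can add)"
            exit bad + 0
        }'
}

# Convenience wrapper for a PEM file on disk (requires the openssl CLI).
check_cert_file() { openssl x509 -in "$1" -noout -text | check_cert_text; }

# Constructed sample: extension section of a cert signed with extKeyUsage but
# keyUsage = digitalSignature only, the combination post 6 advises against.
sample_dump() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.99999.1.2
EOF
}

sample_dump | check_cert_text || echo "=> re-sign the certificate before installing it"
```

A certificate with neither extension passes, matching the note in post 6 that the Airwave default certificate does not add them.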