Occasional Contributor I

Instant ap zero touch provisioning via Airwave

Hello all

 

I am experiencing some issues getting ZTP to work with Airwave using Aruba Activate. I have a test AP added to Aruba Activate which belongs to a folder with a provisioning rule: IAP to Airwave, pointing to the public IP of the Airwave server. When booting this factory-new AP, it's getting its Airwave settings configured (the public IP of the Airwave server is visible in the Airwave settings of the GUI).

The problem however is on the Airwave server.

I was expecting the new instant AP to be visible under 'new devices', but for some reason it's not showing up at all.

 

Capturing traffic I can see the instant AP communicating via https with the public IP of the Airwave server (3-way-handshake).

 

Does anyone have any experience with this?

MVP Guru

Re: Instant ap zero touch provisioning via Airwave

Does status show as connected when you run

 

#show ap airwave 

#show datapath session - filter with airwave IP

 

Did you try with any other factory IAP? Is any ACL enabled under AMP Setup > General > authorization section?

 

Check the nginx log under the System > Status page for any errors. Have you set PSK or certificate auth under AMP Setup > General > IAP section?

 


Regards,
Pavan
If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: Instant ap zero touch provisioning via Airwave

Hello Pavan

 

XXX.XXX.XXX.XXX = public ip of the airwave server

 

b0:b8:67:c8:6d:98# show ap debug airwave

Airwave Server List
-------------------
Domain/IP Address Type Mode Config-only Status
----------------- ---- ---- ----------- ------

XXX.XXX.XXX.XXX Primary - - Not connected

 

b0:b8:67:c8:6d:98# show datapath session
Datapath Session Table Entries

------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
I - Deep inspect, U - Locally destined
s - media signal, m - media mon, a - rtp analysis
E - Media Deep Inspect, G - media signal
A - Application Firewall Inspect
L - ALG session
O - Session is programmed through SDN/Openflow controller
p - Session is marked as permanent
RAP Flags: 0 - Q0, 1 - Q1, 2 - Q2, r - redirect to master, t - time based

Source IP        Destination IP   Prot  SPort  Dport  Cntr  Prio  ToS  Age  Destination  TAge  Packets  Bytes  Flags
---------------  ---------------  ----  -----  -----  ----  ----  ---  ---  -----------  ----  -------  -----  -----
10.160.129.15    172.29.23.58     6     49882  22     0     0     0    0    dev2         133   4b       1e02   C
172.29.23.58     XXX.XXX.XXX.XXX  6     59741  443    0     0     0    1    local        62    0        0      FC
172.29.23.58     10.160.129.15    6     22     49882  0     0     4    0    dev2         133   31       20e9
XXX.XXX.XXX.XXX  172.29.23.58     6     443    59741  0     0     0    1    local        62    0        0

 

I tried with another AP as well, same result.

Authorize Aruba Instant APs & Aruba Switches to AirWave is set to all on the Airwave server.

 

AMP setup > General > IAP Section is set to PSK

 

No errors are visible under system>status

MVP Guru

Re: Instant ap zero touch provisioning via Airwave

So we are not seeing any error or log entry related to the IAP in nginx.log under the System > Status page?

 

Is the IAP able to reach the device.arubanetworks.com site?

 

https://community.arubanetworks.com/t5/Controller-less-WLANs/Add-a-device-to-Aruba-Activate/ta-p/185620

 

If it is reachable, then try changing the VC key once and check the connection status.

 

1) # show running | include virtual

2) copy the virtual-controller key

3) # conf t

4) type in virtual-controller-key and paste the copied key

5) change the last 2 digits of the key

6) # commit apply.

Regards,
Pavan
Occasional Contributor I

Re: Instant ap zero touch provisioning via Airwave

Hello Pavan

 

The IAP has full internet access so it is able to reach the website you mentioned. The IAP is imported in Activate.

 

The only errors in the nginx log are:

 

2019/09/11 11:58:18 [error] 12856#12856: *2 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 172.29.126.80, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8008/", host: "192.0.2.52"
2019/09/11 11:58:18 [error] 12856#12856: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 172.29.126.80, server: , request: "GET /favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:8008/favicon.ico", host: "192.0.2.52"
2019/09/11 13:57:14 [error] 17344#17344: *6 upstream prematurely closed connection while reading response header from upstream, client: 172.29.126.80, server: , request: "GET /nf/amp_status?confirmed_action=reboot HTTP/1.1", upstream: "http://127.0.0.1:8008/nf/amp_status?confirmed_action=reboot", host: "192.0.2.52", referrer: "https://192.0.2.52/amp_status?confirmed_action=reboot

None of these errors seem related, because I would expect to see the public IP of the IAP in these logs.

 

I changed the VC key as you specified.

 

b0:b8:67:c8:6d:98# show ap debug airwave

Airwave Server List
-------------------
Domain/IP Address Type Mode Config-only Status
----------------- ---- ---- ----------- ------

X.X.X.X Primary - - Connected

 

b0:b8:67:c8:6d:98# show datapath session | include X.X.X.X

172.29.23.58 X.X.X.X 6 59830 443 0 0 0 1 local 7b 0 0 FC
X.X.X.X 172.29.23.58 6 443 59830 0 0 0 1 local 7b 0 0 F
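
One way to check the expectation in the post above, that the AP's public IP should show up as a client in the nginx log (an added example, not part of the original thread and not AirWave tooling). The first two sample lines are copied from the post; the third line, its address 198.51.100.7 and its `/example` path are constructed for illustration.

```python
import re
from collections import Counter

# Sample input: lines 1-2 are copied from the post above; line 3 is constructed,
# with 198.51.100.7 standing in for an AP's public IP and /example as a made-up path.
SAMPLE_LOG = """\
2019/09/11 11:58:18 [error] 12856#12856: *2 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 172.29.126.80, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8008/", host: "192.0.2.52"
2019/09/11 11:58:18 [error] 12856#12856: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 172.29.126.80, server: , request: "GET /favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:8008/favicon.ico", host: "192.0.2.52"
2019/09/11 14:02:41 [error] 17344#17344: *9 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 198.51.100.7, server: , request: "POST /example HTTP/1.1", upstream: "http://127.0.0.1:8008/example", host: "192.0.2.52"
"""

# "<date> <time> [level] pid#tid: *conn message, key: value, ..."
HEAD_RE = re.compile(
    r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] \d+#\d+: (?:\*\d+ )?(.*)$')
# Trailing context fields; the closing quote is optional so a line that was
# cut off mid-value (like the referrer in the post) still parses.
FIELD_RE = re.compile(
    r', (client|server|request|upstream|host|referrer): ("[^"]*"?|[^,]*)')

def parse_error_line(line):
    """Return a dict for one nginx error-log line, or None if it does not match."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    ts, level, rest = m.groups()
    first = FIELD_RE.search(rest)
    entry = {"time": ts, "level": level,
             "message": rest[:first.start()] if first else rest}
    for key, value in FIELD_RE.findall(rest):
        entry[key] = value.strip().strip('"')
    return entry

def parsed_entries(log_text):
    return [e for e in map(parse_error_line, log_text.splitlines()) if e]

def clients_seen(log_text):
    """Count error entries per client address."""
    return Counter(e["client"] for e in parsed_entries(log_text) if "client" in e)

def entries_for_client(log_text, ip):
    """All error entries whose client field equals the given address."""
    return [e for e in parsed_entries(log_text) if e.get("client") == ip]

if __name__ == "__main__":
    print(clients_seen(SAMPLE_LOG))
    for e in entries_for_client(SAMPLE_LOG, "198.51.100.7"):
        print(e["time"], e["message"], "->", e["upstream"])
```

nginx's error log only records requests that failed, so an address missing from it means no failed request came from that address, not that no request arrived at all.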

 
