Wireless Access

I have an AP275 that's mounted in a very awkward place.  The controller sees it very quickly, however, it gets removed as a mesh point I believe due to having an old certificate.  It was powered off when an OS upgrade happened on the controller.  How can I get a new certificate in this AP without having to take it down and plugging it into a network connection?

None of Aruba's APs use certs for mesh, it's all based on WPA2-PSK or Open. Was there a config change where the mesh config changed in any way? Is it coming up in recovery mode? Was the controller itself replaced at some point? If you leave it up does it eventually come up in recovery mode? Are you using CPSec?

1. There was no config change in the mesh at all.

2. It's coming up on the MESH.  VERy very briefly.  It actually appears as connect in the controller GUI, then changes to disconnected, then appears as an unprovisioned AP, then connects, .... in a loop.

3. Controller was not replaced.

4. I am using CPSec.

If you look in the CPSec whitelist, if you are finding it is getting denied in the CPSec whitelist, you can enable temporarily auto-cert provisioning to allow it to come back in. Otherwise open a TAC case to have them look at the logs and figure out what changed that would have either changed the mesh point config or determine what happened during the upgrade.

Also as a separate question, is your portal on Ch165? If so, move it to 149 temporarily and see if it comes up.

Where do I go to see if it's getting denied?  and how do I enable "temporarily auto-cert provisioning"?  Right now I see the cert-type as factory-cert and the state is "Approved-ready-for-cert"

See screenshot. What is the macaddr of your 275 point and where is it in your whitelist? Also if you want to PM me your show-tech, I can look it over. Otherwise, open a TAC case and they can likely get your covered. Also, is your portal on Ch 165?

So I would recommend opening a TAC case to get them to look it over.

OK, Thank you Jerrod!

My control plane security looks like this:

Control Plane Security Profile
------------------------------
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Enabled
Auto Cert Allow All          Enabled
Auto Cert Allowed Addresses  N/A

Because I'm already allow all enabled, do I still have to enter in the IP address of that specific AP that's giving me grief?  could this break others connectivity?

It did just reboot and come up with the status " UMY "

UMY is 'Unprovisioned' 'Mesh' 'Recovery Mode', so if you log in to the CLI and run a 'show ap mesh topology long', what is the output? And if this mesh point shows up in the AP provisioning page, you can always try to provisin it again into the group it should be in (usually in the same group as the portal) and see if it comes up then.

Name            Mesh Role    Parent  Path Cost  Node Cost  Link Cost  Hop Count  RSSI  Rate Tx/Rx  Last Update  Uplink Age  #Children  Children
----            ---------    ------  ---------  ---------  ---------  ---------  ----  ----------  -----------  ----------  ---------  --------
MESH-AP275-9AD0  Portal (AC)  -       3          1          0          0          0     -           3m:20s       2h:54m:33s  1          "MESH-AP275-51BA"

51BA is the problematic one

Is it up and provisionable in the 'AP Installation' page? And the channel of the portal?

It does appear as a provisionable AP, briefly.  Even though you tell it ro provision again, it is still unreachable, as in, connects - disconnects - appears as an unprovisioned AP - then appears as a provisioned AP all on it's own.  As for the MESH portal channel, how can I find that?

from CLI you can do a 'show ap active' or from the GUI, go to 'Monitoring > Access Points' and it will tell you there what that portal's 5Ghz radio channel is.

It says the following:

MPP+AP:VHT:132E/26/26

OK, work with TAC then, something has gotten messed up somewhere during the upgrade and they will need to help you directly run it down.

Thanks Bud!  I appreciate all your help!

Yea man, sorry I'm not able to do more remotely through the boards. Once TAC gets it solved, please come back to fill us in on the fix. Good luck!