Wireless Access

Greetings fellows AirHeads,

I am trying to understand what can I do to make a deployment work.

I am using vsphere and I have 2 VMC installed on it, one with arubaOS 8.1 and another one with 8.3(currently 8.2), my controller with 8.2 have the definitive licenses, they are using the same vswitch, vminics e vlan labels and network adapters.

I tested in another envirioment/network and the VMC 8.2 and 8.3 was able to connect to my AP 305, using different firmwares(8.3, 6.5 and etc)

But not the controller with the definitive licenses, for some reason after the AP is converted(I do see the logs) I only receive hello-timeout logs. I do see the firewall receiving the aruba-papi from the AP, but the controller is not responding, I can ping and do ther other network test, the firewall show them, but aruba papi the controller is not responding. I first started supect that the problems was with the firmwares of the AP and VMC, but is the test showed that is not them.

Then I discovered that using different vlans (my controllers are in diferents vlan than the APs and the computers), when changing the firmware using TFTP, I am receiving time-out too.

I think this is the clue that is something on it, how to further explore the interfaces of the controller maybe they are somehow disycronized from the vspheres settings ?

Remember, the other VMC is working just fine, they have the same firewall rules because they are in the same vlan but SSIDs configurations and other parameters are diferent.

Ok, updates !
The test were wrong, only with the 8.3 version that timeout is happening, with version 8.2 and 8.1 on the same controller the APs are connecting.

Are these standalone controllers, or is there a VMM acting as the mobility master with both of these controllers?

In both cases they are Standalone.

The controller with 8.3, when downgrad it to 8.2 it works, but when upgrade to 8.3 it stops working. The aruba AP is sending aruba-papi but the controller don't respond, this behavior doesn't happen in the previos version.

Not only with the aruba-papi, with the TFTP is the same.

To summarize, you have an AP-305 to test connectivity to the VMC. When the VMC runs AOS 8.1.x or 8.2.x the AP-305 boots up, but when the VMC is upgraded to AOS 8.3.0.0 the AP-305 can not connect. Is that correct? Where do the different VLANs in the title come in to affect the testing?

The controller is able to responding in both version when the AP is in the same VLAN/subnet of the controller.

The same case with the TFTP server( or how would I be able to downgrad it back to 8.2)

The problem only happen when they are in different vlans, and no, the problem is not the gateway(firewall paloalto) I can see the traffic passing, other protocols like icmp(ping) respoding from both directions and etc.

I'm unclear on what the problem description is.

Is the problem just that with 8.3, the AP can only contact the controller when it's on the same VLAN and not traversing the PAN firewall? When using 8.2.x or 8.1.x, the AP does work when separated by the firewall?

Its almost like that, but the problem is not about traversing the firewall.

The problem is with the version 8.3 and when the controller is in differents vlan then the AP or the TFTP server(a windows machine) the controller is nos respoding the aruba-papi and for some reason is not connecting with the tftp server, the logs is like the hello-timeout and time-out.

Yes, it works when the version is 8.2 and 8.1, with the same controller or another VMC on the same hypervsor/server and both have the same networks settings.

It would be helpful to diagram the network connectivity and where the devices are connected to the network. 

Here, you can look at the attachment.

Thanks, this helps.

So the AP is on VLAN 1000, and the controller(s) are on VLAN 200. It looks like the switch in the middle of the diagram is the layer 3 router for the different VLANs?

With this topology, is the issue that the AP-305 can boot and operate from the 8.2 (.50) controller, but not the 8.3 (.40), or something else?

Again, the switch is layer 3, but its not the gateway of the vlans, the gateway that is responsable for inter-vlan routing is the firewall. In the future if the firewall don't have enough throughput, probabably the equippament responsable to do the routing between the vlans will be the switch core.

About The VMCs and the AP, it can fully connect(pass the upgrade and form the aruba-papi tunnel) to both controller(.50 and .40) if the version is is not 8.3.

I only keeping two controllers because one of them are in production and the other one I hope that help fixed this case.

Thanks for the clarifications. The firewall is handling the layer 3 routing between the AP's vlan 1000 and the controller on vlan 200. The AP can upgrade, boot, and join the controllers when running 8.1/8.2, but the AP fails to connect to the controllers when running 8.3. 

Does the 8.3 controller see any communications from the AP when it attempts to boot/upgrade/join? Where in the process after the controller is upgraded to 8.3 does the communication break down? We can use "show ap active" or "show ap database" to watch the AP when it tries to come online, or "show datapath session ip-addr <ip_of_ap>" to see the traffic from the controller's perspective.

Does the 8.3 controller see any communications from the AP when it attempts to boot/upgrade/join?

R: Yes it sees, just the upgrade but not the ''join''. And about the boot, I am not sure what its supossed to see, generally my AP is a IAP, and I click maintence --> convert, put the IP of the controller, and start the download process, after that it reboot. After everything (the ap rebooting and coming up online) the only thing that the controller have is hello-timeout. Even when ping is possible between then.

About the show ap active and database and data-path, I am dont remember how it behaves. I need to recheck it, but now, only next week with the client.

Okay, so the AP is also going through an IAP to CAP conversion process too, and not already connected/working with the controller prior to the upgrade to 8.3. 

There are lots of variables that can be affecting things, so I suggest eliminating some of these in order to better understand what's breaking. Also, if this is critical to get working the next time you're onsite with the customer, it would be good to get a case open with TAC in advance so they can work with you in real time while you're on-site. 

When trying to convert the IAP with the 8.3 controller, check the controller log "show log 50" to see if there's any log entries that might provide a hint as to what's not working.