Wireless Access

When my cpsec is disabled mesh aps are working fine but when i enable cpsec none of them are working. 

whitelist database cpsec status is certified-factory-cert.

in the error log i am able to see this error message :- 

"Jan 21 17:57:51 <stm 399803> <3818> <ERRS> |stm| An internal system error has occurred at file sapm_ap_mgmt.c function sapm_override_ap_radio_prof line 2985 error sapm_override_ap_radio_prof: from_ap_group AP 80:8d:b7:c7:a0:6e radio 0 using chan 149+ : ARM channel is invalid. "

Are these mesh portals or mesh points with the problem?

What version of ArubaOS and when model access points are these?

Some of them are mesh points and some of them are mesh portals.

Aruba 7005 - 6.5.4.15

AP-105,315,303H

These are indoor APS?  Depending on the strength of the mesh connection, mesh APs might take longer to come up.  I would wait just a little longer or type "show log system 50" to see if there are any problems with those specific access points.

Beyond that, I would open a Technical Support case to get to the bottom of this:

https://www.arubanetworks.com/support-services/contact-support/

Yes its indoor and here is the error which i have found :-

" Jan 21 17:57:51 <stm 399803> <3818> <ERRS> |stm| An internal system error has occurred at file sapm_ap_mgmt.c function sapm_override_ap_radio_prof line 2985 error sapm_override_ap_radio_prof: from_ap_group AP 80:8d:b7:c7:a0:6e radio 0 using chan 149+ : ARM channel is invalid.
Jan 21 17:57:51 <stm 399803> <3818> <ERRS> |stm| An internal system error has occurred at file sapm_ap_mgmt.c function sapm_override_ap_radio_prof line 2985 error sapm_override_ap_radio_prof: from_ap_group AP 80:8d:b7:c7:a0:6e radio 0 using chan 149+ : ARM channel is invalid.
Jan 21 17:57:51 <stm 399803> <3818> <ERRS> |stm| An internal system error has occurred at file sapm_ap_mgmt.c function sapm_override_ap_radio_prof line 2985 error sapm_override_ap_radio_prof: from_ap_group AP 80:8d:b7:c7:a0:6e radio 0 using chan 149+ : ARM channel is invalid. "

One more thing if it is coming up in cpsec disabled why it is not coming up with cpsec enabled ? CPSEC doesn't have anything related to dirty config ?

---

@joxor wrote:

Yes its indoor and here is the error which i have found :-

" Jan 21 17:57:51 <stm 399803> <3818> <ERRS> |stm| An internal system error has occurred at file sapm_ap_mgmt.c function sapm_override_ap_radio_prof line 2985 error sapm_override_ap_radio_prof: from_ap_group AP 80:8d:b7:c7:a0:6e radio 0 using chan 149+ : ARM channel is invalid.
Jan 21 17:57:51 <stm 399803> <3818> <ERRS> |stm| An internal system error has occurred at file sapm_ap_mgmt.c function sapm_override_ap_radio_prof line 2985 error sapm_override_ap_radio_prof: from_ap_group AP 80:8d:b7:c7:a0:6e radio 0 using chan 149+ : ARM channel is invalid.
Jan 21 17:57:51 <stm 399803> <3818> <ERRS> |stm| An internal system error has occurred at file sapm_ap_mgmt.c function sapm_override_ap_radio_prof line 2985 error sapm_override_ap_radio_prof: from_ap_group AP 80:8d:b7:c7:a0:6e radio 0 using chan 149+ : ARM channel is invalid. "

 

One more thing if it is coming up in cpsec disabled why it is not coming up with cpsec enabled ? CPSEC doesn't have anything related to dirty config ?

---

I have no idea why.  I would open up a Technical Support Case.

Check to make sure auto-cert provision is enabled. If not you would have to whitelist the APs before they would be allowed to come up. If the mesh APs have never been cert provisioned, they will come up, pull the cert, reload, and come up again so it WILL take some time, but auto-cert provision should be enabled, or you will need to find those APs and allow them in the whitelist.

As Colin notes though, TAC would be a good next step, we don't do much with 6.4 in the field anymore so I don't know if there's some latent issues. But generally it's not usually an issue.

I have checked the cpsec and aut-cert is allowed also i manually factory-certified-cert the APs.

nly other thing I can think of is if you are on old code and new APs come out with a new OUI we are not aware of, that can happen as well. 

Command to add new OUI, where you add the first six digits of the OUI. 

configure terminal

    valid-network-oui-profile

        oui e8:26:89 end

You could try that on one of the AP's OUI that is showing D. Outside of that, I don't know.

joxor, 

The company I work for had a similar issue, for us our APs would broadcast but would randomly fallout. We consoled into one of them and TAC notice that the issue was with CPSEC and that it was somehow braking the tunnel communication. To make the long story short, they had us disable CPSEC and the issues stopped. 

TAC is the correct answer in this situation.  It is possible that the OP is experiencing your situation or a different one.  Thank you for relaying your experience with this.

Thank you all for your response. 

Let me do it in this weekend and will let you know with an update.

After adding valid oui profile I flag got removed, then i checked the datapath session table and the packet was going to wrong master ip so changed the lms ip and the issue got resolve.

Thanks every one for troubleshooting.