Wireless Access

Frequent Contributor I

Re: CPSec issue?

Any update with this problem? I have the same issue.

 

Two AP 225 working fine, and if I try to enable CPSec there is no way for the AP to connect to the controller.

 

Regards,

MVP Guru

Re: CPSec issue?

Hi,


Are you able to paste the output of the below command?

 

#show control-plane-security

 

You'll need to check if the AP is in the whitelist and if the certificate has been approved or not. I believe the controller will approve the certificate after a few minutes which will then cause the AP to reboot.

 

What version of code are you running?


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Frequent Contributor I

Re: CPSec issue?

Hi,

 

(Aruba7210) (config) #show control-plane-security

Control Plane Security Profile
------------------------------
Parameter                     Value
---------                     -----
Control Plane Security        Enabled
Auto Cert Provisioning        Enabled
Auto Cert Allow All           Enabled
Auto Cert Allowed Addresses   N/A

 

AP is in the white list but in "hold" state. I have tried to set approved state manually but I still have the same error

 

Regards

Frequent Contributor I

Re: CPSec issue?

Forgot to say, code version: 6.4.2.13

 

Regards

Contributor II

Re: CPSec issue?

Any update on this?

 

I have the same issue. 90 APs out of 100 were shown hold in the whitelist. Rebooting APs didn't help. Manually changed APs to factory certified state, still not up. APs are 104 and 135. Controller is 6.1.3.6.

 

Then upgraded controller to 6.4.2.12. Same. Deleting AP entry in the whitelist and rebooting AP, same issue. Controller keeps saying:

 

Nov 18 17:48:10 stm[2366]: <305048> <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 192.168.17.253 (MAC address 6c:f3:7f:c2:a6:16)

 

Nov 18 17:47:52 sapd[832]: <311020> <ERRS> |AP TMPB01WA02@192.168.17.253 sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 3233 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKEP1. Ipsec not successful after reboot.
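
The two controller log messages quoted in this post can be grouped per AP to see which APs report an IKE phase 1 failure and which are having cleartext messages dropped. This is an added example, not part of the original post or Aruba tooling; the function names, status labels and the third sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# First two lines are the ones quoted in the post; the third is constructed.
SAMPLE_LOG = """\
Nov 18 17:48:10 stm[2366]: <305048> <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 192.168.17.253 (MAC address 6c:f3:7f:c2:a6:16)
Nov 18 17:47:52 sapd[832]: <311020> <ERRS> |AP TMPB01WA02@192.168.17.253 sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 3233 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKEP1. Ipsec not successful after reboot.
Nov 18 17:49:10 stm[2366]: <305048> <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 192.0.2.10 (MAC address 00:00:5e:00:53:01)
"""

HEADER = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\w+\[\d+\]:\s<(?P<id>\d+)>\s<\w+>\s\|(?P<src>[^|]*)\|\s(?P<msg>.*)$")
DROP = re.compile(r"Dropping unsecure AP message code \d+ from AP at ([\d.]+) \(MAC address ([0-9a-f:]{17})\)")
AP_SRC = re.compile(r"AP (\S+)@([\d.]+)\s")
IKE_ERR = re.compile(r"Error:(RC_ERROR_\w+)")

def triage(log_text):
    """Group the two message types from the thread by AP IP address."""
    aps = defaultdict(lambda: {"name": None, "mac": None, "dropped": 0, "ike_errors": []})
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not a controller syslog line in the expected shape
        if m["id"] == "305048":  # stm: cleartext AP message dropped
            d = DROP.search(m["msg"])
            if d:
                ap = aps[d[1]]
                ap["mac"] = d[2]
                ap["dropped"] += 1
        elif m["id"] == "311020":  # sapd on the AP: tunnel setup error
            s, e = AP_SRC.search(m["src"]), IKE_ERR.search(m["msg"])
            if s and e:
                ap = aps[s[2]]
                ap["name"] = s[1]
                if e[1] not in ap["ike_errors"]:
                    ap["ike_errors"].append(e[1])
    return dict(aps)

def status(ap):
    """Constructed labels summarising which of the two messages were seen."""
    if ap["ike_errors"] and ap["dropped"]:
        return "ike-failed+clear-dropped"
    if ap["dropped"]:
        return "clear-dropped"
    return "ike-failed"

if __name__ == "__main__":
    for ip, ap in sorted(triage(SAMPLE_LOG).items()):
        print(ip, ap["name"], ap["mac"], ap["dropped"], ap["ike_errors"], status(ap))
```
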

 

 

Guru Elite

Re: CPSec issue?


@pydiao wrote:

Any update on this?

 

I have the same issue. 90 APs out of 100 were shown hold in the whitelist. Rebooting APs didn't help. Manually changed APs to factory certified state, still not up. APs are 104 and 135. Controller is 6.1.3.6.

 

Then upgraded controller to 6.4.2.12. Same. Deleting AP entry in the whitelist and rebooting AP, same issue. Controller keeps saying:

 

Nov 18 17:48:10 stm[2366]: <305048> <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 192.168.17.253 (MAC address 6c:f3:7f:c2:a6:16)

 

Nov 18 17:47:52 sapd[832]: <311020> <ERRS> |AP TMPB01WA02@192.168.17.253 sapd| An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 3233 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKEP1. Ipsec not successful after reboot.

 

 


How many controllers do you have?  At a maintenance window, you should try turning off control plane security, or opening a TAC case.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Contributor II

Re: CPSec issue?

Only one controller. M3.

 

I tried disabling CPSEC. However, from the wired packet capture from AP port, it still shows the AP sending ISAKMP to the controller. The controller doesn't reply at all. And AP still shown as down.

 

Just a question: does the AP keep the CPSEC config even after reboot? What's the AP startup procedure? Say it was CPSEC to controller before, then always CPSEC? I think this is not right.

 

Guru Elite

Re: CPSec issue?

When the AP comes out of the box, it tries to connect without CPSEC.  The controller will tell it to use CPSEC and then it will have to accept a certificate and then use CPSEC.  This process takes about 15 minutes.  When you turn off CPSEC, the APs will continue to try with CPSEC, and then fall back to unencrypted.  Please give it 15 minutes for this to complete.  CPSEC is really only needed if you want to bridge AP traffic using Campus APs.  If all of your traffic is tunneled, you do not need CPSEC.  Give it 15 or 20 minutes until all of your APs come up without CPSEC, and you could sidestep whatever issue you are having.

 

 

 


Contributor II

Re: CPSec issue?

Thanks.

 

Sounds more logical. After disabling CPSEC, it's been hours and the down APs couldn't be up. Then I did the wire capture and found the AP still used ISAKMP. (I didn't clear the APs from the whitelist)

 

Maybe should do this: 1) disable CPSEC; 2) clear all AP entries in whitelist; 3) reboot the APs? 4) wait for 15 mins?

Guru Elite

Re: CPSec issue?

Yes.  If that doesn't work, you should contact TAC.

