Wireless Access

Reply
Occasional Contributor II

Cannot Roam?!

Hi everyone!

 

I could use a bit of help here ...

 

Our users have been reporting frequent disconnections, which seem random, for a long time now.  Unfortunately we have never been able to get a reliable reproduce scenario.

 

Today, amazingly, I found one and can reproduce their exact issue on demand every time.  I've tracked it down to a failure to roam and it looks like the failure may be coming from the Aruba side.   I've taken the two involved access points out of service and set them up to lab this scenario.  Unfortunately this creates a minor outage but thankfully the users are tolerating it in hopes of finally fixing this issue.

 

Our controller is an Aruba7030 running 8.3.0.0.  All access points through the entire enterprise, including the two affected units, are 205's.

 

The client test devices are an iPad and an iPhone (Others client devices may be affected as well - we just don't know - these were chosen as they represent our user base and are also the most modern available from this major vendor - Apple.. so they simply must be made to work).  The iPad is an iPad Pro and the iPhone is an iPhone X.  Both run the latest iOS version.

 

Our controller is an Aruba7030 running 8.3.0.0.  All access points through the entire enterprise, including the two affected units, are 205's.

 

 

To reproduce the failure, all I need to do is walk from one office to the adjacent office.  The offices are separated by a type of wall which the RF does not penetrate (I dont know why) and so each area has its own AP.  This was determined during the initial install by the RF site survey.  

 

When walking from one office to the other I will see the wifi signal indicator on the iPad (iPhone) drop markedly and any network activity that may have been going on usually slows or stops.  Next I see the wifi indicator jump up to full strength (presumably indicating that the better AP has been seen and it has, or is, doing a roam).  After a few moments the wifi indicator will disappear and the device will raise a popup informing me that my cellular data is turned off and I should go into settings to enable it. (.. it is turned off specifically for this test).

 

After this event, returning to my console to view syslog data output resulting from a "logging level debugging user-debug <client-mac>" setting I find the following (below).   Notably I see what appears to be my client attempting to associate with the better (the "roam to") AP, herein called "TestAP2" and then seemingly being rejected by an  "deauth_reason 30" from the Aruba system.  Seemingly the client device accepts this and makes no more attempts.

 

Looking up deauth code 30 I see that it has something to do with the client not being permitted, or permitted to use some service.  This is all a bit nebulous.

 

On separate tests, I can associate initially to this TestAP2 just fine, and then walk to the first office ("TestAP1") and the same pattern happens.. just in reverse.

 

After spending several hours on this today I have made zero progress other than to isolate this item.  Could this be a bug?

 

Can anyone suggest anything I can try?

 

Thanks!

-J

 

-- log excerpt --

 

Sep 12 17:41:43 2018 Aruba7030 authmgr[4509]: <522260> <5390> <DBUG> <Aruba7030 192.168.0.6>  "VDR - Cur VLAN updated 78:7b:8a:a4:a7:ac mob 0 inform 1 remote 1 wired 0 defvlan 1 exportedvlan 0 curvlan 1.

Sep 12 17:41:43 2018 Aruba7030 authmgr[4509]: <522301> <5390> <DBUG> <Aruba7030 192.168.0.6>  Auth GSM : USER publish for uuid 000b86b4e4e70000000e0109 mac 78:7b:8a:a4:a7:ac name  role authenticated devtype  wired 0 authtype 0 subtype 0  encrypt-type 9 conn-port 0 fwd-mode 1 roam 0 repkey -1

Sep 12 17:41:43 2018 Aruba7030 authmgr[4509]: <522287> <5390> <DBUG> <Aruba7030 192.168.0.6>  Auth GSM : MAC_USER publish for mac 78:7b:8a:a4:a7:ac bssid ac:a3:1e:a5:3e:11 vlan 1 type 1 data-ready 0 HA-IP n.a

Sep 12 17:41:43 2018 Aruba7030 authmgr[4509]: <522096> <5390> <DBUG> <Aruba7030 192.168.0.6>  78:7b:8a:a4:a7:ac: Sending STM new Role ACL : 79, and Vlan info: 1, action : 10, AP IP: 192.168.0.136, flags : 0 idle-timeout: 300

Sep 12 17:41:43 2018 Aruba7030 authmgr[4509]: <522308> <5390> <DBUG> <Aruba7030 192.168.0.6>  Device Type index derivation for 78:7b:8a:a4:a7:ac : dhcp (0,0,0) oui (0,0) ua (21,5,35) derived iPad(5):iOS

Sep 12 17:41:43 2018 Aruba7030 authmgr[4509]: <522242> <5390> <DBUG> <Aruba7030 192.168.0.6>  MAC=78:7b:8a:a4:a7:ac Station Created Update MMS: BSSID=ac:a3:1e:a5:3e:11 ESSID=TestESSID VLAN=1 AP-name=TestAP2

Sep 12 17:41:43 2018 192.168.0.134 stm[1257]:  <501000> <DBUG> |TestAP2@192.168.0.134 stm|  Station 78:7b:8a:a4:a7:ac: Clearing state

Sep 12 17:41:52 2018 Aruba7030 authmgr[4509]: <522296> <5390> <DBUG> <Aruba7030 192.168.0.6>  Auth GSM : USER_STA delete event for user 78:7b:8a:a4:a7:ac age 0 deauth_reason 30

Sep 12 17:41:52 2018 Aruba7030 stm[4526]: <501000> <4526> <DBUG> <Aruba7030 192.168.0.6>  Station 78:7b:8a:a4:a7:ac: Clearing state

Sep 12 17:41:52 2018 Aruba7030 authmgr[4509]: <522152> <5390> <DBUG> <Aruba7030 192.168.0.6>  station free: bssid=ac:a3:1e:a5:3e:11, mac=78:7b:8a:a4:a7:ac.

Guru Elite

Re: Cannot Roam?!

It could be something simple and the deauth reason could be masking it.  (deauth reason30 does not match anything specifically).

 

- What is the transmit power of the two access points in question?

- How far apart are the access points?

- How high are they mounted?

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: Cannot Roam?!

The power level on 5ghz is set to 12 to 18.  The 2.4ghz radio is disabled to simplify this testing.

 

Between them is what was once a demising wall and each AP cannot reliably be RF-seen from the opposite side.  Technically they can be seen but the signal is so weak these iOS devices don't reliably pick it up and when they do, they cant associate.  The reason for the second AP's existance is that the first cannot penetrate this wall successfully.  The distance, as the crow flies, is about 20 feet.

 

Both units are about 25 feet above the finished floor.  This is a single storey building.

 

-J

Guru Elite

Re: Cannot Roam?!

If the signal is too weak, I don't know if roaming will be smooth, as a result.  The client really determines when to roam, and what we can control is the transmit power of the access point to influence when the client tries to roam.  If a client sees an access point as very strong and another one as weak, the roam will be poor, unless you try to make the signal seem more "even" in the middle of the roam.

 

If the client sees the signal as poor, the roam will be poor, so you will need to increase the transmit power.

 

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: Cannot Roam?!

Indeed.  What I see from the clients UI and the Aruba debug syslog is that the client has made the determination to roam but the roam-to AP (the AP it wants to move to) rejects it with the 30 cause reason.

 

All of the syslog messages I posted in the earlier message are from the roam-to AP.  In those messages we can see that the test client (78:7b:8a:a4:a7:ac) has made contact with the roam-to AP (bssid ac:a3:1e:a5:3e:11).  Authenticates, the AP seems to correctly fingerprint the client as an iPad, and then... we get a deauth with a reason code of 30.  So clearly the client has decided to roam -- its not hanging on to the old AP with a low signal strength.

 

Given that the client has clearly already decided to roam (... which is why we see these log messages about the roam-to AP).. what else could cause this?  Particulartly what could cause the de-auth?  What are typical reasons for reason code 30?  I'd imagine, being one of the most popular devices in the world, that the iPad and iPhone are well characterized -- is there anything unique or telling about them, specifically, that might point in a direction?  And/or how might one troubleshoot (.. determine who is at fault) for the de-auth - is there a way to monitor the management traffic on the air to see who is requesting the deauth, perhaps, or something else?

 

I can post more complete (longer) logs if that would be helpful; just didnt want to spam for forum! :)

 

-J

Guru Elite

Re: Cannot Roam?!

Simulate your experience and then on the controller commandline, type:

 

show ap client trail-info <mac address of client>


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: Cannot Roam?!

Nice functionality, show ap cclient trail-info, I did not know about this one!

 

So, I just cleared the history, and repeated the exact fail case.  I associated in the first office (TestAP1) and then walked to the second office (TestAP2) and watched the fail.   This was captured in the trail-info, and it seems there may be some helpful info in there (about a flood).  Here is the output:

 

Thanks

-J

 

(Aruba7030) [mynode] #show ap client trail-info 78:7b:8a:a4:a7:ac

 

Client Trail Info

-----------------

MAC                BSSID              ESSID      AP-name     VLAN  Deauth Reason                       Alert

---                -----              -----      -------     ----  -------------                       -----

78:7b:8a:a4:a7:ac  ac:a3:1e:a5:3e:11  TestESSID  TestAP2  1     Denied; Association Flood Detected  STA has roamed to another AP

 

Deauth Reason

-------------

Reason                              Timestamp

------                              ---------

Denied; Association Flood Detected  Sep 13 11:35:47

Num Deauths:1

 

Alerts

------

Reason                        Timestamp

------                        ---------

STA has roamed to another AP  Sep 13 11:35:38

Num Alerts:1

 

Mobility Trail

--------------

BSSID              ESSID      AP-name     VLAN  Timestamp

-----              -----      -------     ----  ---------

ac:a3:1e:a5:3e:11  TestESSID  TestAP2  1     Sep 13 11:35:47

ac:a3:1e:a5:3e:11  TestESSID  TestAP2  1     Sep 13 11:35:38

04:bd:88:98:37:f1  TestESSID  TestAP1   1     Sep 13 11:35:38

ac:a3:1e:a5:3e:11  TestESSID  TestAP2  1     Sep 13 11:35:38

Num Mobility Trails:4

(Aruba7030) [mynode] #

Occasional Contributor II

Re: Cannot Roam?!

So, this one got everyone stumped?!

 

-J

Guru Elite

Re: Cannot Roam?!

It looks like you have Association Flood configured too low.  I would open a TAC case to make sure.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: Cannot Roam?!

Indeed, that would make sense, is that a tunable I can adjust?  If so, where would I look for that in the CLI?   This may truely be a simple solution!

 

Thanks

-J

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: