Wireless Access

I cannot seem to find a definitive answer on this.  We have Aruba AP-225s setup as campus APs using forward mode of tunneling.  I can ping the APs from the controller and when connected wirelessly, but I cannot wired.  I have seen several posts where this is expected behavior.  I also also talked and seen information where this can be fixed through a configuration change.  However I am unable to find what exactly I need to change to fix this.  I also think this is possible because I worked with TAC before on another issue and they had me try and ping the AP from my computer and I told them I could not and that I could only ping from the controller or via wireless.  They seemed surprised to hear this.  If anyone could give me a definite answer on this that would be great.  Thanks.

Hi Friend,

It is very simple. by default the eth port of the AP will be untrusted hence you are not able to ping over wired port.

when you are tring to reach the AP through the controller . traffic comes through GRE hence you are able to ping the AP from the controller.

Any way through wireless you are not reaching the AP through the eth port hence you are able to ping the AP.

inorder to reach the AP over the wired port, you need to enable the eth port and make it trusted as shown bellow.

Hope you got more clarity on this.

Please feel free for any furhter help on this.

Hey apologies friend.

From the controller to AP traffic will not come through GRE, it is able to ping because by default eth0 will be enabled hence you are able to ping.

We had a vendor partner come in and do the initial setup on our system.  So some of the settings i am unsure as to why they were set one way or another.  Is there any issues to enabling port 0 as you described?  Thanks.

duslan1812,

Please don't make any changes.

What version of ArubaOS is this?

6.4.1.0_44233

I don't plan on making any changes to our production environment until I understand and test settings and determining what our best configuration going forward needs to be.  So any further information you could provide would be great.  Thanks.

duslan1812,

If you have control plane security enabled ("show control-plane-security "), there is an ipsec tunnel built between the access point and the controler for management traffic.  Historically  there was an issue where if a management device is on the same VLAN as the controller, the access point would respond to the ping from that device through the controller's tunnel and the traffic would be dropped.  If you ping the access point from a different subnet, it would not send it through the tunnel, so it would work.

Ping is not essential for the access point to work,  because an access points is never managed externally from anything besides the controller's ip address.  Turning off control plane security would fix your issue, but it involves some downtime and it does nothing but allow you to ping your access points from the subnet of the controller, which is not important.

I understand that ping is not essential for an access point to work.  But when you moving from a system where this was part of the troubleshooting process for the Tier 1 and Tier 2 support it is helpful if as much of the system and available troubleshooting methods can be migrated from one system to the next.  If that is not possible with Aruba, which I find odd, then we will just have to convey to them that Aruba doesn't support that kind of troubleshooting method.

I still find it odd that when I had another TAC case not related to this, that the first thing the TAC person asked me to do was ping the AP from my PC.  Sounds like there is a bit of a disconnect there.

duslan1812,

That issue was resolved in ArubaOS 6.4.2.1.  From the 6.4.2.1 release notes:

The bug symptom is generic and all-encompassing, but the bug was opened because access points could not be pinged in the manner you suggested.

I would upgrade directly to 6.4.2.3 after reviewing the release notes, however, since it just went GA this week and you would benefit from other fixed issues.

That is very helpful.  I will look into this update.  Thanks for your help.