Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Complete list of RAP ports

  • 1.  Complete list of RAP ports

    Posted Jan 15, 2015 03:37 PM

    Have a RAP connecting from outside a firewall interface for a client.  All we opened was udp 4500, and it failed.  When we opened it all the way with no restrictions, it works.



  • 2.  RE: Complete list of RAP ports

    EMPLOYEE
    Posted Jan 15, 2015 03:39 PM
    What do your firewall session logs show? 


    Thanks, 
    Tim


  • 3.  RE: Complete list of RAP ports

    Posted Jan 15, 2015 03:46 PM

    Waiting on the engineer to come back.  Initially it was all PAPI/UDP 8211.



  • 4.  RE: Complete list of RAP ports

    Posted Jan 15, 2015 03:53 PM

    Dumb question:  when the RAP first comes up, I do the conversion using the actual controller IP.  It reboots, and joins, and then I provision it with the client's external public firewall IP interface.

     

    Now the AP is up but it is bouncing.  I just wonder if it is bouncing between the two IPs?



  • 5.  RE: Complete list of RAP ports

    Posted Jan 15, 2015 04:00 PM

    Ok so I provisioned the AP utilizing the Master IP config on the provision page, and input the client's firewall interface.  I hit apply and reboot, and the AP rebooted and is back, but bounces like said before.  I looked at the tech support of the ap, and the firewall IP address I just configured it with is not in the AP.



  • 6.  RE: Complete list of RAP ports

    EMPLOYEE
    Posted Jan 15, 2015 04:08 PM

    Does the AP-Group that the AP is in have an LMS-IP?  If it does, please remove it.

     



  • 7.  RE: Complete list of RAP ports

    EMPLOYEE
    Posted Jan 15, 2015 04:33 PM

    For the RAP, you provision it on the RAP end...not the controller.  On the controller, you need the RAP to be whitelisted and the appropriate AP group defined.  Like was mentioned, in the AP Group, make sure that the AP system profile that's defined does NOT have an LMS IP address. Also note that if you are using the "default" AP system profile WITH an IP address, please create another one for your RAPs.  If you don't and you remove this IP, then you may end up with provisioning issues in the future internally.

     

    Now...on the RAP end...when you convert, you use the firewall EXTERNAL IP address in the conversion process on the RAP.  You do NOT use the controller's internal IP.

     

    Hope this helps!



  • 8.  RE: Complete list of RAP ports

    Posted Jan 15, 2015 04:39 PM

    The AP System Profile in the GUI doesn't have an LMS assigned.  This current AP was the test AP, and was originally assigned the controller's IP in the conversion process so we could validate our configs.  With everything working ok, I provisioned it from the GUI, added the IP of the firewall external address in the provisioning page, then hit reboot and apply.

     

    Now it is bootstrapping constantly.  The AP system profile still doesn't have a LMS, but a glance at the ap tech-support shows that LMS of the controller.



  • 9.  RE: Complete list of RAP ports

    EMPLOYEE
    Posted Jan 15, 2015 04:40 PM

    Can you reset the RAP to defaults and redo the conversion process?



  • 10.  RE: Complete list of RAP ports

    Posted Jan 15, 2015 04:41 PM

    Trying that exact thing with another AP.



  • 11.  RE: Complete list of RAP ports

    Posted Jan 16, 2015 09:54 AM

    Had to open a TAC case.  What we discovered is the RAPs come up in the correct role as a RAP, then after a minute or two they bootstrap and come up as campus APs.  Was on a call 4 hours yesterday, escalated and no resolution.  Sent them the flash and they are trying to lab it to see if it behaves the same way on their controller.  

     

    System is a new 7030 on 6.4.2.3 code.  APs are RAP-3WNP converted to RAPs controlled by Controller.  APs act the same way whether they are converted to the controller IP, or firewall IP.  I tried going back to the 6.4.1.0 code that came on the controller, but had the same result.  I almost wonder if the cert is bad on the controller?



  • 12.  RE: Complete list of RAP ports

    Posted Jan 16, 2015 11:53 AM

    How would a RAP-3WNP connected outside a firewall, converted to a RAP using firewall's public IP display a LMS of the controller's IP when there is not a LMS IP configured in the AP Group > AP System profile?



  • 13.  RE: Complete list of RAP ports

    EMPLOYEE
    Posted Jan 16, 2015 11:56 AM

    Wifi_Willie,

     

    When you convert an AP, the IP address you point it to is saved into flash, and the AP uses that IP address forever, unless you reprovision it with another IP address.

     



  • 14.  RE: Complete list of RAP ports

    Posted Jan 16, 2015 11:59 AM

    I understand that.  The IP I pointed the RAP to in the conversion process is not the controller's IP, but the firewall's IP.  The AP comes up as a RAP with a non-routable IP, plus the actual IP, and then bootstraps and shows back up with the routable IP and in the details lists the controller's IP.

     

    Weird.



  • 15.  RE: Complete list of RAP ports

    EMPLOYEE
    Posted Jan 16, 2015 12:01 PM

    wifi_willie,

     

    The AP is pointed to the firewall's address, but that is just port forwarded to the controller via static NAT, right?  Do you have the RAP in the whitelist?  What ap-group is it in?

     



  • 16.  RE: Complete list of RAP ports

    Posted Jan 16, 2015 12:02 PM

    in the RAP whitelist, pointing to RAP AP Group



  • 17.  RE: Complete list of RAP ports

    EMPLOYEE
    Posted Jan 16, 2015 12:03 PM

    Does the RAP ap group have an ap system profile?

     



  • 18.  RE: Complete list of RAP ports

    Posted Jan 16, 2015 12:04 PM

    It does.  There is no LMS configured.



  • 19.  RE: Complete list of RAP ports

    EMPLOYEE
    Posted Jan 16, 2015 12:12 PM

    What is the output of:

     

    show rights ap-role

     

     

    show rights sys-ap-role

     

     

     



  • 20.  RE: Complete list of RAP ports

    Posted Jan 16, 2015 12:15 PM

    Attached

    Attachment(s)

    txt
    show rights.txt   12 KB 1 version


  • 21.  RE: Complete list of RAP ports

    EMPLOYEE
    Posted Jan 16, 2015 12:27 PM

    While the RAP is rebooting, you should type "show log system 50" to see if there are any clues why the RAP is doing that.

     



  • 22.  RE: Complete list of RAP ports

    Posted Jan 16, 2015 12:43 PM

    Just shows the AP bootstrapping.  No info given.



  • 23.  RE: Complete list of RAP ports

    Posted Jan 16, 2015 12:44 PM

    Jan 16 11:48:04 :311004: <WARN> |AP Kraton_RAP_03@192.168.16.4 sapd| Missed 20 heartbeats; rebootstrapping
    Jan 16 11:48:48 :311004: <WARN> |AP Kraton_RAP_03@192.168.16.4 sapd| Missed 20 heartbeats; rebootstrapping
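
An added example, not part of the original post or of any Aruba tooling: a small parser for the `show log system` lines quoted above that groups rebootstrap events per AP and flags APs that are flapping. The line layout is inferred from the two quoted lines only; the 5-minute window, the threshold of 2 and the `year` parameter are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two lines quoted in the thread, verbatim.
SAMPLE_LOG = """\
Jan 16 11:48:04 :311004: <WARN> |AP Kraton_RAP_03@192.168.16.4 sapd| Missed 20 heartbeats; rebootstrapping
Jan 16 11:48:48 :311004: <WARN> |AP Kraton_RAP_03@192.168.16.4 sapd| Missed 20 heartbeats; rebootstrapping
"""

# Layout inferred from those two lines only: timestamp, message id, severity,
# |AP name@ip process|, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) :(?P<msgid>\d+): <(?P<sev>\w+)> "
    r"\|AP (?P<ap>[^@|]+)@(?P<ip>[\d.]+) (?P<proc>\w+)\| (?P<msg>.*)$"
)

def parse_rebootstraps(text, year=2015):
    """Return (timestamp, ap_name, ap_ip) for every rebootstrap line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and "rebootstrapping" in m["msg"]:
            # The log carries no year; the caller supplies one (assumption).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ap"], m["ip"]))
    return events

def find_flapping(events, window=timedelta(minutes=5), threshold=2):
    """Report APs with >= threshold rebootstraps inside any one window."""
    by_ap = defaultdict(list)
    for ts, ap, ip in events:
        by_ap[(ap, ip)].append(ts)
    report = {}
    for (ap, ip), stamps in by_ap.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
            report[ap] = {"ip": ip, "events": len(stamps), "peak": peak, "gaps_s": gaps}
    return report

if __name__ == "__main__":
    for ap, info in find_flapping(parse_rebootstraps(SAMPLE_LOG)).items():
        print(ap, info)
```

The `gaps_s` list gives the seconds between consecutive rebootstraps per AP, which can be lined up against firewall session logs for the same period.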



  • 24.  RE: Complete list of RAP ports

    EMPLOYEE
    Posted Jan 16, 2015 01:00 PM

    We should let TAC do their job.  They have much more information than I could have.  It could be a bug.

     



  • 25.  RE: Complete list of RAP ports

    Posted Jan 16, 2015 01:01 PM

    Thanks for helping.  I just escalated the ticket.