OAW-6000 and AP61 connected remotely with VPN connection

  • 1.  OAW-6000 and AP61 connected remotely with VPN connection

    Posted Mar 30, 2012 11:20 AM

    Hello,

    I would like to check something with my configuration.
    I have one OAW-6000 Aruba controller (firmware : ArubaOS 5.0.4.2) connected in my datacenter. In another place, I have 11 AP61s connected to a router with an IPsec VPN connection to the datacenter. The AP61s have never been connected to this controller on the same LAN network.
    The Aruba 6000 controller is configured with control plane security enabled and auto cert provisioning enabled. The virtual AP is configured in bridge mode.
    When I connect an AP61, I can see it in my controller but the AP is not able to install its certificate.
    My question is: is it possible to manage access points like that with Aruba, or do I have to install a local controller?
    Is there a way to manually install a certificate on an AP61?
    I know that if I connect an AP on the same LAN as my controller, then the certificate will be installed and then I'm able to install it at the other site. But the sites are not close to each other!

    Many thanks for your answers.



  • 2.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    EMPLOYEE
    Posted Mar 30, 2012 11:36 AM

    Try typing "show log system 50" at the command prompt to see if there is anything noticeable.

     

    With that being said, an ap could possibly not come up over a site to site VPN tunnel due to the MTU.  If you edit that ap group and then go into the ap system profile, change the MTU to 1200 and see if that fixes it.

     



  • 3.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    Posted Apr 02, 2012 06:06 AM

    Hi

     

    First of all, many thanks for your quick answer.

     

    With your command line, I get this log:

     

    Apr 2 10:37:37 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
    Apr 2 10:39:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
    Apr 2 10:41:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
    Apr 2 10:43:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
    Apr 2 10:45:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
    Apr 2 10:47:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
    Apr 2 10:49:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)
    Apr 2 10:51:05 :305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at 10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)

     

    I don't understand why it's recognized as an unsecure AP, because control plane security is enabled and auto-cert provisioning is on for all IP addresses?

    And I have already tried to switch the SAP MTU to 1200 but with the same result.

     

    If you have any other idea, it will be great!

     

    Many thanks again.



  • 4.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    EMPLOYEE
    Posted Apr 02, 2012 06:16 AM

    That message certainly means that the access point does not have a certificate when it needs one, because CPSEC is on.  What version of code is this, and is this access point new to this network?
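
Added example, not part of the original posts: a small parser that groups the 305048 "Dropping unsecure AP message" warnings quoted in this thread by AP, so APs that keep retrying without a CPSEC certificate stand out. The log year, the `min_count` threshold and the two lines marked as constructed are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Format of message 305048 as posted in the thread.
LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) :305048: <WARN> \|stm\| "
    r"Dropping unsecure AP message code (?P<code>\d+) from AP at "
    r"(?P<ip>[\d.]+) \(MAC address (?P<mac>[0-9a-fA-F:]{17})\)"
)
_MSG = ":305048: <WARN> |stm| Dropping unsecure AP message code 16121 from AP at "
SAMPLE_LOG = "\n".join([
    # First four lines are taken from the thread.
    "Apr 2 10:37:37 " + _MSG + "10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)",
    "Apr 2 10:39:05 " + _MSG + "10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)",
    "Apr 2 10:41:05 " + _MSG + "10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)",
    "Apr 2 10:43:05 " + _MSG + "10.0.2.1 (MAC address 00:1a:1e:c4:dd:11)",
    # Constructed lines: a second AP seen once, and an unrelated message.
    "Apr 2 10:40:12 " + _MSG + "10.0.3.1 (MAC address 00:1a:1e:00:00:01)",
    "Apr 2 10:40:30 :000000: <INFO> |stm| constructed unrelated line",
])

def summarize_drops(log_text, year=2012):
    """Group 305048 warnings by AP MAC address.

    The log lines carry no year, so the caller supplies one (assumed 2012)."""
    aps = defaultdict(lambda: {"count": 0, "ips": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a 305048 drop warning
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ap = aps[m["mac"].lower()]
        ap["count"] += 1
        ap["ips"].add(m["ip"])
        ap["first"] = ts if ap["first"] is None else min(ap["first"], ts)
        ap["last"] = ts if ap["last"] is None else max(ap["last"], ts)
    return dict(aps)

def stuck_aps(summary, min_count=3):
    """MACs dropped at least min_count times: APs retrying without a certificate."""
    return sorted(mac for mac, ap in summary.items() if ap["count"] >= min_count)

if __name__ == "__main__":
    for mac, ap in summarize_drops(SAMPLE_LOG).items():
        span = ap["last"] - ap["first"]
        print(mac, sorted(ap["ips"]), ap["count"], "drops over", span)
```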

     



  • 5.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    Posted Apr 02, 2012 06:31 AM

    Hi cjoseph,

     

    "That message certainly means that the access point does not have a certificate when it needs one, because CPSEC is on.  What version of code is this, and is this access point new to this network?"

    In red: I don't understand your question? You mean: what's the ArubaOS version?

    For the AP, it's a new one to this network. It was connected to another Aruba controller. I ran a "purgeenv" command on it and I configured all the IP and master settings manually.

     



  • 6.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    EMPLOYEE
    Posted Apr 02, 2012 06:32 AM

    What version of Aruba code is this on the current controller?  What was the code of the controller that the AP61 was used with before?

     

     



  • 7.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    Posted Apr 02, 2012 06:42 AM

     

    Now : 

     

    Aruba OS version  :5.0.4.2 build 30773

    compiled : 2011-10-20 at 22:53:13 PDT (build 30773) by p4build

    rom : System Bootstrap, Version CPBoot 1.1.6 (Aug 9 2004 - 11:56:58)
      

     

    Before :

     

    ArubaOS : 

    AOS-W 3.1.0.13 build 15591

     

     

     



  • 8.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    EMPLOYEE
    Posted Apr 02, 2012 06:47 AM

    Do you have any other AP61s from that other controller that you can bring up at your corporate main site, and not a remote site to see if it works?

     



  • 9.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    Posted Apr 02, 2012 06:56 AM

    I have already tried to take one of these AP61s and connect it locally to my Aruba 6000 controller. In this case, the controller generates a CSR and then installs it on the AP and everything works. And if I take this AP and connect it to my remote site through the VPN, it works! But I can't install the CSR through the VPN!
    The process, config and AP are the same but the controller never wants to install the CSR remotely!



  • 10.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    EMPLOYEE
    Posted Apr 02, 2012 07:01 AM

    Okay,

     

    First things first:  Alcatel APs connecting to Aruba controllers and vice versa is not supported because there is no formal testing, so it is not guaranteed to work, even though it does.

    Secondly, the mechanism that is used to distribute certificates to non-cpsec devices does not get the MTU parameter until after it has connected to the controller successfully WITH a certificate, so you probably need to first provision access points local to the controller, get the certificate and then send them to be installed on the other side of the VPN; but you probably already know that...

     



  • 11.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    Posted Apr 02, 2012 08:14 AM

    Ok!

     

    First thing: if I really understand, there is no way to provision an Alcatel AP61 through a VPN to an Aruba controller!

    Secondly, there is no way to change the MTU settings unless it has already got the certificate locally?

    Because I have more than 30 sites to connect to my Aruba controller with this configuration! If I have to unmount all the APs in all 30 sites and connect them locally to my controller in order to install the certificate, then send them back and mount them again, it will be a huge amount of work!!!

    Is there absolutely no way to install the certificate remotely or manually on the AP?
    Is it only an MTU issue or is it an Aruba license issue?



  • 12.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    EMPLOYEE
    Posted Apr 02, 2012 08:22 AM

    @aruba_newbie wrote:

    Ok!

     

    First thing: if I really understand, there is no way to provision an Alcatel AP61 through a VPN to an Aruba controller!

    Secondly, there is no way to change the MTU settings unless it has already got the certificate locally?

    Because I have more than 30 sites to connect to my Aruba controller with this configuration! If I have to unmount all the APs in all 30 sites and connect them locally to my controller in order to install the certificate, then send them back and mount them again, it will be a huge amount of work!!!

    Is there absolutely no way to install the certificate remotely or manually on the AP?
    Is it only an MTU issue or is it an Aruba license issue?


    - I am just guessing that YOUR specific VPN tunnel MTU makes it so that the certificate process cannot complete initially using the VPN.  You should open a support case to ensure that this is the case.  I am only guessing this, since across the VPN, the process does not complete.

     

    - The MTU settings are a parameter in the AP-Group, which is not obtained by the AP until after it receives its certificate

     

    - Are you migrating access points at all of these sites from one Alcatel Controller to an Aruba Controller?  

     

    - It is NOT a license issue, if you have enough licenses.  I am only guessing that it is an MTU issue since you have a VPN in place.  You should open a case with TAC to determine what your true issue is.

     



  • 13.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    Posted Apr 02, 2012 08:31 AM

    Thank you for your reply! I will open a case with TAC.

     

    Just one last question: in your opinion, do you think I should update the Aruba controller to ArubaOS v.6.x?



  • 14.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    EMPLOYEE
    Posted Apr 02, 2012 08:34 AM

    @aruba_newbie wrote:

    Thank you for your reply! I will open a case with TAC.

     

    Just one last question: in your opinion, do you think I should update the Aruba controller to ArubaOS v.6.x?


    Not yet.  You should consider that after you migrate all of your AP61 access points, or resolve your current issue.

     

    Upgrading to 6.x introduces another migration step that might complicate your existing issue.

     



  • 15.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    Posted Apr 02, 2012 08:41 AM

    Many thanks for your help, I really appreciated it!

     



  • 16.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    Posted Apr 02, 2012 09:04 AM

    One more question (sorry!): do you think it should be possible to configure the public IP address of the Aruba controller inside the AP and open a DMZ on my router in my datacenter? With this solution, only in order to install the certificate, there will be no more VPN connection but just a direct connection through the internet. The master IP configuration in the AP61 will be the public IP of my datacenter router.
    What do you think about that?



  • 17.  RE: OAW-6000 and AP61 connected remotely with VPN connection

    EMPLOYEE
    Posted Apr 02, 2012 11:22 AM
    If there is any NAT involved, you probably will not be able to do it.