Wireless Access

Hi,

I'm expecting strange issue with RAPs fllaping - below log:

Mar 19 06:02:07 stm[3735]: <305027> <3735> <ERRS> |stm| AP 9c:1c:12:c9:5e:95: No valid instances of required profile "ids signature-matching-profile"
Mar 19 06:02:15 stm[3735]: <305004> <3735> <ERRS> |stm| AP 9c:1c:12:c9:5e:95: ids signature-matching-profile "default" is invalid.
Mar 19 06:02:15 stm[3735]: <305027> <3735> <ERRS> |stm| AP 9c:1c:12:c9:5e:95: No valid instances of required profile "ids signature-matching-profile"

Mar 19 06:02:23 AP Database
-----------
Name Group AP Type IP Address Status Flags Switch IP Standby IP
---- ----- ------- ---------- ------ ----- --------- ----------
9c:1c:12:c9:5e:95 default 105 10.1.1.233 Up 12m:49s Rc2ID 213.241.33.26 0.0.0.0

Flags: 1 = 802.1x authenticated AP use EAP-PEAP; 1+ = 802.1x use EST; 1- = 802.1x use factory cert; 2 = Using IKE version 2
B = Built-in AP; C = Cellular RAP; D = Dirty or no config
E = Regulatory Domain Mismatch; F = AP failed 802.1x authentication
G = No such group; I = Inactive; J = USB cert at AP; L = Unlicensed
M = Mesh node
N = Duplicate name; P = PPPoe AP; R = Remote AP; R- = Remote AP requires Auth;
S = Standby-mode AP; U = Unprovisioned; X = Maintenance Mode
Y = Mesh Recovery
c = CERT-based RAP; e = Custom EST cert; f = No Spectrum FFT support
i = Indoor; o = Outdoor; s = LACP striping; u = Custom-Cert RAP; z = Datazone AP
p = In deep-sleep status
4 = WiFi Uplink
stm[3735]: <305004> <3735> <ERRS> |stm| AP 9c:1c:12:c9:5e:95: ids signature-matching-profile "default" is invalid.
Mar 19 06:02:23 stm[3735]: <305027> <3735> <ERRS> |stm| AP 9c:1c:12:c9:5e:95: No valid instances of required profile "ids signature-matching-profile"
M

I was using mig tool to mirate I did not change any default IDS, roles, policy etc...
There is ID flag - sth wrong ?

Does anybody have the same issue?

The 'D' flag means that there is either dirty or no config. Have you reviewed your configuration for errors with 'show profile-errors'. 

Do you have any more information about your environment, such as a cluster, MM's involved, have you added the NAT IPs etc?

Hi,

(7205-WARSC006) [MDC] *#show profile-errors Invalid Profiles ---------------- Profile Error ------- ----- ids signature-matching-profile "default" IDS Signature Profile "Deauth-Broadcast" does not exist

No RAP Cluster just single 7205+VMM (soft 8.5.0)

I did not touched any IDS profile after migration....

Do you have an RFP License? If so have you enabled it and the feature bit after the migration? It is advising that the IDS Signature Profile "Deauth-Broadcast" does not exist. If the RFP License isn't causing the issue, set the IDS Signature Profile to 'default' as a test and see if the RAP comes up. You then may need to re-create the IDS Signature Profile "Deauth-Broadcast".

IDS Profile "default"
---------------------
Parameter                        Value
---------                        -----
IDS General profile              default
IDS Signature Matching profile   default
IDS DOS profile                  default
IDS Impersonation profile        default
IDS Unauthorized Device profile  default

Building Configuration...
ids management-profile
ids wms-general-profile
ids wms-local-system-profile
ids ap-rule-matching
ids general-profile "default"
ids rate-thresholds-profile "default"
ids rate-thresholds-profile "probe-request-response-thresholds"
ids signature-profile "AirJack"
ids signature-profile "ASLEAP"
ids signature-profile "Deauth-Broadcast-From-Valid-AP"
ids signature-profile "default"
ids signature-profile "Disassoc-Broadcast"
ids signature-profile "Disassoc-Broadcast-From-Valid-AP"
ids signature-profile "Netstumbler Generic"
ids signature-profile "Netstumbler Version 3.3.0x"
ids signature-profile "Null-Probe-Response"
ids signature-profile "Wellenreiter"
ids impersonation-profile "default"
ids unauthorized-device-profile "default"
ids signature-matching-profile "default"
ids dos-profile "default"
ids profile "default"
wids-event-info-enable
logging security subcat ids level warnings
logging security subcat ids-ap level warnings

Nothing changes

Licensing:

License Summary
---------------
License Description Status Expiration Total Installed
------- ----------- ------ ---------- ---------------
AP Access Points Partially Expiring - Expires in 22 days 2020-04-10 09:26:13 2052
PEFNG Policy Enforcement Firewall Partially Expiring - Expires in 22 days 2020-04-10 09:26:26 2052
RFP RF Protect(WIP,Spectrum,Multi-zone) Not Licensed Not Licensed 0
ACR Advanced Cryptography Not Licensed Not Licensed 0
WebCC Web Content Classification Not Licensed Not Licensed 0
MM Mobility Master Virtual Appliance Active Never 100
MC-VA-RW Controller Virtual Appliance(RW) Not Licensed Not Licensed 0
MC-VA-EG Controller Virtual Appliance(EG) Not Licensed Not Licensed 0
MC-VA-IL Controller Virtual Appliance(IL) Not Licensed Not Licensed 0
MC-VA-JP Controller Virtual Appliance(JP) Not Licensed Not Licensed 0
MC-VA-US Controller Virtual Appliance(US) Not Licensed Not Licensed 0
VIA VIA VPN Client(Session-based) Not Licensed Not Licensed 0

RPF is not active but in the logs I do not see that there is problem with platform limits

Do you have an LMS-IP to a private ip address in the AP system profile of that ap-group?  If yes, create a new ap-group with a new AP system profile that does not have anything in the lms-ip.

I do not have LMS IP config in my AP System Profile:

(7205-WARSC006) [MDC] *# show ap system-profile New_APsystem

AP system profile "New_APsystem"
--------------------------------
Parameter Value
--------- -----
RF Band g
Recovery Mode auto
RF Band for AM mode scanning all
Native VLAN ID 1
WIDS AMPDU Optimization Enabled
Tunnel Heartbeat Interval 1
Session ACL ap-uplink-acl
Corporate DNS Domain N/A
SNMP sysContact N/A
LED operating mode (11n/11ac APs only) normal
LED override Disabled
Driver log level warnings
Console log level emergencies
SAP MTU N/A
RAP MTU 1100 bytes
LMS IP N/A
Backup LMS IP N/A
LMS IPv6 N/A
Backup LMS IPv6 N/A
LMS Preemption Disabled
LMS Hold-down Period 600 sec
LMS ping interval 20
Remote-AP DHCP Server VLAN N/A
Remote-AP DHCP Server Id 192.168.11.1
Remote-AP DHCP Default Router 192.168.11.1
Remote-AP DHCP DNS Server N/A
Remote-AP CORP DNS Server N/A
Remote-AP CORP DNS Server IPV6 N/A
Remote-AP DHCP Pool Start 192.168.11.2
Remote-AP DHCP Pool End 192.168.11.254
Remote-AP DHCP Pool Netmask 255.255.255.0
Remote-AP DHCP Lease Time 0 days
Remote-AP uplink total bandwidth 0 kbps
Remote-AP bw reservation 1 N/A
Remote-AP bw reservation 2 N/A
Remote-AP bw reservation 3 N/A
Remote-AP Local Network Access Disabled
Flex Radio Mode 2.4GHz-and-5GHz
Dual 5GHz Mode Automatic
IPM activation Disabled
IPM power reduction steps with priorities disable_usb/priority:1
IPM power reduction steps with priorities disable_alt_eth/priority:2
IPM power reduction steps with priorities disable_pse/priority:3
IPM power reduction steps with priorities radio_2ghz_power_3dB/priority:4
IPM power reduction steps with priorities radio_5ghz_power_3dB/priority:5
IPM power reduction steps with priorities cpu_throttle_75/priority:6
IPM power reduction steps with priorities radio_2ghz_power_6dB/priority:7
IPM power reduction steps with priorities radio_5ghz_power_6dB/priority:8
IPM power reduction steps with priorities radio_2ghz_chain_3x3/priority:9
IPM power reduction steps with priorities radio_5ghz_chain_3x3/priority:10
IPM power reduction steps with priorities radio_2ghz_chain_2x2/priority:11
IPM power reduction steps with priorities radio_5ghz_chain_2x2/priority:12
IPM power reduction steps with priorities radio_2ghz_chain_1x1/priority:13
IPM power reduction steps with priorities radio_5ghz_chain_1x1/priority:14
IPM power reduction steps with priorities cpu_throttle_50/priority:15
IPM power reduction steps with priorities cpu_throttle_25/priority:16
IPM Steps delete all No
Bootstrap threshold 8
Double Encrypt Disabled
Heartbeat DSCP 0
Management DSCP N/A
IP DSCP to VLAN 802.1p priority mapping N/A
Maintenance Mode Disabled
Maximum Request Retries 10
Request Retry Interval 10 sec
Number of IPSEC retries 85
Secondary Master IP/FQDN N/A
AeroScout RTLS Server N/A
RTLS Server configuration 35.241.143.144:60000:********:2:enable
RTLS Server Compatibility Mode Enabled
SES-imagotag ESL Server IP N/A
SES-imagotag ESL Channel N/A
SES-imagotag ESL Radio Coexistence Enabled
Slow Timer Recovery by rebooting itself Enabled
Telnet Disabled
Disable RAP Tftp Image Upgrade Disabled
Image URL N/A
Spanning Tree Disabled
AP multicast aggregation Disabled
AP ARP attack protection Disabled
AP multicast aggregation allowed VLANs none
Console enable Enabled
AP Console Protection Enabled
AP Console Password ********
Password for Backup ********
AP USB Power mode auto
AP POE mode shared
RF Band for Backup all
Operation for Backup off
BLE Operation Mode Disabled
GRE offload Enabled
Bridge offload Enabled
Health Check Disabled
Health Check Parameter mode ping packet-size 32 burst-size 5 report 60 frequency 10 retries 3
AirMatch Report Period 30 minutes
AirMatch Measurement Duration 5 minutes
AirMatch Report Enabled Enabled
AP Deploy-hour N/A
Dump collection profile default

Was all of the VLANs correctly migrated over and are they all present in your VAP profiles? This can be a reason why the I flag is set, what about the regulatory domains as well. Is the AP in question matching the regulatory domain of the controller?

All VAP Profiles seems to be migrated corectly, AP group configuration, roles, policies, RAP whitelist etc...

I alreday open TAC case for this issue.

Thanks for Your time

Are you terminating the RAP on a cluster? 

There is no cluster - only 7205 + VMM

There was a problem with default IDS profile after migration using mig_tool. Problem was solved upgrading controler to newes version od software 8.6.0.2 and all RAPs are working fine.

I honestly still don't know what the IDS profile has to do with Remote APs flapping, but if that fixed it for you, good.

I dont think it is related.

We had the same issue, it was a bug in AOS8 that caused a IP-conflict between the RAPs. It should be easy to spot in cli.

If you know for sure, please circle back and tell us what that is, because it doesn't sound familiar.

To be honest, there could be a bazillion things wrong after a migration.  You might want to open a TAC case to get to the bottom of the RAP portion of it.  We are just guessing here.