
Strange issue with Control Plane Security and CAPs going to certified hold switch cert

3200XM single master controller using CPSec for a while now. All of a sudden over the weekend, when the corp network went down and came back up, 2 of my AP105s at the same location that have been running fine for over a year, not located in the same subnet as my controller, went from being a certified switch cert to a certified hold switch cert, thus the IPSEC for the AP was not connecting to the master controller and radios were down on the AP.


I did try to manually make the cert certified when it was stuck in a certified hold switch cert state; the AP rebooted and wound up reverting to the certified hold switch cert state again.


I purged one of the APs, deleted the certs on the controller, cleared the AP out of the gap db and rebooted the AP. It came back up with DHCP fine, got a certified switch cert OK. When it booted up, it ran ADP... it chose to use a different VLAN on my controller as the master IP, not my primary controller VLAN that I usually run all our CAPs off of. I set the AP up as I normally would for a new AP, with static IP and master's IP address hard coded into the AP, correct AP group.


After that AP rebooted, it never came back up to the controller, showing the AP as down, and in the whitelist db the certificate for the AP once again changed to certified hold switch cert? Strange. I could ping the AP from the controller, and saw what I would consider normal traffic on a show datapath session table of the controller between the AP and controller.


I purged the AP again, let it use DHCP and let it run ADP, which again chose a secondary VLAN on the controller as its master. I set the AP up exactly as before, except I used the IP on the controller that it was discovering via ADP as the master controller's IP address. I verified the aruba-master is mapped to the correct IP. AP rebooted and came up just fine and client traffic works, as does access to the primary controller's VLAN from a wireless client hanging off the AP.


Any ideas what would cause the AP to switch its certificate state and lose connectivity to the controller on its primary controller IP, but work just fine when associated to the master controller on a secondary controller VLAN IP?


I have other CAPs set up on different subnets at different physical locations and did not experience any of these issues over the weekend and are working just fine.





Re: Strange issue with Control Plane Security and CAPs going to certified hold switch cert

Please open a TAC case...that's your best bet.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
If you found my post helpful, please give kudos

Re: Strange issue with Control Plane Security and CAPs going to certified hold switch cert

Thanks. I am aware of that. I was just curious if anyone in the community had any thoughts or similar experiences before I bother the TAC.


