Wireless Access

Occasional Contributor II

System classifying own APs as rogue.

Hello,

I have a couple of 7030 controllers at one warehouse and all those APs are working fine. I recently brought up another warehouse that is connected by two T1 lines and is routeable to/from the controllers. Two T1 lines only provide about 3Mbps bandwidth and the link is frequently congested with security video on another VLAN. Sometimes a group of 2-3 and even 6 APs at this other warehouse will be disconnected from the controller. I have found that I cannot ping them from the same network as the controllers, but I can login to a switch at the other warehouse network and they all ping. I have also noticed that when these APs lose connectivity to the controllers there is a sapd log message that says the APs at the new warehouse that stayed up had classified the APs that went down as rogue and the reason is that they had associated MAC address xx:xx:xx:xx:xx:xx (default router MAC address where the controllers reside) with IP address 000.000.000.000. This happens once or twice a day and it seems to be when the T1s are congested. If I reclassify the APs as authorized they all come back up in about 15-30 minutes at the exact same time. So my first question is, why does the default router at the controller site get associated with IP 000.000.000.000 at the other site? Second question, when a previously "Authorized" AP gets reclassified as "Rogue" does the AP refuse ping requests from outside its LAN? Third question, how do I prevent this from happening? I am working on getting a T3 line to this other site. Thanks for any insight you may have.


Accepted Solutions
Occasional Contributor II

Re: System classifying own APs as rogue.

That's what I assumed was the issue, but last Friday I stated that it happened again, but this time there was no sapd message that the APs were classified as rogue. They just stopped responding to ping requests from outside their LAN. I was able to ping them from inside their LAN, so I was asking if you knew of any reason why the APs would not respond to ping requests from outside their LAN and you sent the "How does AP's respond to ICMP traffic when CPSEC is enabled?" response and told me to always ping through the controller. I think that the low bandwidth connection to this other warehouse is congested and causing dropped packets, thus causing the CPSEC links to drop out for 15-30 minutes at a time. When the APs start responding to ping requests from outside their LAN they all seem to start working at the same time, but as I said, I can ping them from a switch inside their LAN. So my question was, if the CPSEC tunnel drops out, how long does it take for the APs to try to reconnect or for the controllers to allow them to reconnect, because when this happens it takes 15-30 minutes for them to come back up on the controller and they all come back up at the same time.



All Replies
Occasional Contributor II

Re: System classifying own APs as rogue.

Just wanted to add that we are running:

"Aruba7030-US,8.6.0.4-FIPS"

Occasional Contributor II

Re: System classifying own APs as rogue.

Yesterday, all APs at the new warehouse lost connectivity to the controllers and I could not ping them from outside their LAN, but I could login to a switch inside their LAN and ping them all. This time there was no sapd rogue AP classification message on the controller logs. The APs were not pingable from outside their LAN for about 40 minutes.

Guru Elite

Re: System classifying own APs as rogue.

I would open a Technical Support case with Aruba/HPE. It is service impacting and I would get help immediately to isolate your issue.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Occasional Contributor II

Re: System classifying own APs as rogue.

I may do that. I have seen you here a few times before and I believe you are very knowledgeable on the Aruba wireless systems. I may have an idea what might be going on. As far as you know, is there any reason that an AP would not respond to a ping request from outside its own LAN as long as the path is routeable?

Guru Elite

Re: System classifying own APs as rogue.

When CPSEC is enabled, that is what happens.

https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-AP-s-respond-to-ICMP-traffic-when-CPSEC-is-enabled/ta-p/253025


The solution to this is to always ping the AP from the controller.


Occasional Contributor II

Re: System classifying own APs as rogue.

So, my ping request goes to the AP through the routers and the response comes back through the controller if the CPSEC tunnel is still connected. Congestion/dropped packets might cause the CPSEC tunnel to drop out interrupting the return route. How long does the AP wait to reconnect or attempt a new CPSEC tunnel?

Guru Elite

Re: System classifying own APs as rogue.

APs connecting to controllers with CPSEC successfully have nothing to do with the path that ping packets take. CPSEC is directly from the AP to the controller.


Occasional Contributor II

Re: System classifying own APs as rogue.

Maybe I misinterpreted the document you referenced, "How does AP's respond to ICMP traffic when CPSEC is enabled?".

Requirement:

How does AP's respond to ICMP traffic when CPSEC is enabled?

Solution:

  1. Ping Request

PC(subnet B) ---ping req---> AP(subnet A) ===> Does not go through Controller

  2. Ping Reply

AP(subnet A) ---ping reply---> tun0(default route) ---ESP(ipsec)---> Controller ---ping reply---> PC(subnet B)

When we have CPSEC enabled, APs add a default route on themselves (tun0). This default route points to the IP address of the controller.

Hence, the ping reply goes via the controller.
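The asymmetric path described in that knowledge base excerpt, as an added model that is not from the thread or from Aruba: the echo request reaches the AP by ordinary routing, but the reply follows the AP's tun0 default route, so a remote ping fails as soon as the IPsec tunnel is down while a ping from the AP's own subnet still succeeds. All addresses and the tunnel state are constructed values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ap:
    """Constructed model of a CPSEC-enabled AP: one LAN interface plus a tun0 default route."""
    lan_ip: ipaddress.IPv4Address         # AP address on subnet A
    lan_net: ipaddress.IPv4Network        # subnet A, reachable on-link without a route lookup
    controller_ip: ipaddress.IPv4Address  # tun0 default route points here while CPSEC is up
    tunnel_up: bool = True                # state of the ESP (IPsec) tunnel to the controller

    def reply_path(self, dst: ipaddress.IPv4Address) -> list:
        """Hops an ICMP echo reply to dst takes; an empty list means the reply is lost."""
        if dst in self.lan_net:
            # On-link destination: answered directly, the default route is never consulted.
            return ["AP", "LAN switch", str(dst)]
        if not self.tunnel_up:
            # The only default route is tun0; with the tunnel down the reply has nowhere to go.
            return []
        return ["AP", "tun0 (ESP)", "controller", str(dst)]


def ping(ap: Ap, src: ipaddress.IPv4Address) -> dict:
    """The request is routed to the AP normally and never touches the controller;
    success is decided entirely by the return path."""
    path = ap.reply_path(src)
    return {"request_delivered": True, "reply_received": bool(path), "reply_path": path}


def demo() -> dict:
    """Three pings against one AP: remote with tunnel up, remote and local with tunnel down."""
    ap = Ap(ipaddress.ip_address("10.20.0.50"), ipaddress.ip_network("10.20.0.0/24"),
            ipaddress.ip_address("10.10.0.5"))
    local_pc = ipaddress.ip_address("10.20.0.99")    # constructed: a switch on the AP's subnet
    remote_pc = ipaddress.ip_address("10.10.0.200")  # constructed: a host at the controller site
    results = {"remote_tunnel_up": ping(ap, remote_pc)["reply_received"]}
    ap.tunnel_up = False                             # congestion drops the CPSEC tunnel
    results["remote_tunnel_down"] = ping(ap, remote_pc)["reply_received"]
    results["local_tunnel_down"] = ping(ap, local_pc)["reply_received"]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'reply' if ok else 'timeout'}")
```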

Guru Elite

Re: System classifying own APs as rogue.

?

