Wireless Access

Hello,

I have a couple of 7030 controllers at one warehouse and all those APs are working fine. I recently brought up another warehouse that is connected by two T1 lines and is routeable to/from the controllers. Two T1 lines only provides about 3Mbps bandwidth and the link is frequently congested with security video on another VLAN. Sometimes a group of 2-3 and even 6 APs at this other warehouse will be disconnected from the controller. I have found that I cannot ping them from the same network as the controllers, but I can login to a switch at the other warehouse network and they all ping. I have also noticed that when these APs loose connectivity to the controllers there is a sapd log message that says the APs at the new warehouse that stayed up had classified the APs that went down as rouge and the reason is that they had associated MAC address xx:xx:xx:xx:xx:xx (default router MAC address where the controllers reside) with IP address 000.000.000.000. This happens once or twice a day and it seems to be when the T1s are congested. If I reclassify the APs as authorized they all come back up in about 15-30 minutes at the exact same time.  So my first question is, why does the default router at the controller site get associated with IP 000.000.000.000 at the other site?  Second question, when a previously "Authorized"  AP gets reclassified as "Rouge" does the AP refuse ping requests from outside it's LAN?  Third question, how do I prevent this from happening?  I am working on getting a T3 line to this other site.  Thanks for any insight you may have.

Just wanted to add that we are running:

"Aruba7030-US,8.6.0.4-FIPS"

Yesterday, all APs at new warehouse lost connectivity to the controllers and I could not ping them from outside their LAN, but I could login to a switch inside their LAN and ping them all. This time there was no sapd rouge AP classification message on the controller logs. The APs were not pingable from outside their LAN for about 40 minutes.

I would open a Technical Support case with Aruba/HPE.  It is service impacting and I would get help immediately to isolate your issue.

cjoseph, I may do that. I have seen you here a few times before and I believe you are very knowledgeable on the Aruba wireless systems. I may have an idea what might be going on. As far as you know, is there any reason that an AP would not respond to a ping request from outside it's own LAN as long as the path is routeable?

When CPSEC is enabled, that is what happens.

https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-AP-s-respond-to-ICMP-traffic-when-CPSEC-is-enabled/ta-p/253025

The solution to this is to always ping the AP from the controller.

So, my ping request goes to the AP through the routers and the response comes back through the controller if the CPSEC tunnel is still connected. Congestion/dropped packets might cause the CPSEC tunnel to drop out interrupting the return route. How long does the AP wait to reconnect or attempt a new CPSEC tunnel?

APs connecting to controllers with CPSEC successfully have nothing to do with the path that ping packets take.  CPSEC is directly from the AP to the controller.

Maybe I misinterpreted the document you referenced "How does AP's respond to ICMP traffic when CPSEC is enabled?". 

Requirement:

How does AP's respond to ICMP traffic when CPSEC is enabled?

Solution:

1. Ping Request

PC(subnet B) ---ping req---> AP(subnet A) ===>Does not go through Controller

1. Ping Reply

AP(subnet A) ---ping reply---> tun0(default route) ---ESP(ipsec)---> Controller ---ping reply---> PC(subnet B)

When we have CPSEC enabled, AP add a default route on themselves (tun 0). This default route points to the IP address of the controller.

Hence, the ping reply goes via the controller.

?

That is what the document says in your second response above.

What is your question?  This post is about the system classifying APs as rogues.

That's what I assumed was the issue, but last Friday I stated that it happened again, but this time there was no sapd message that the AP were classified as rouge. They just stopped responding to ping requests from outside their LAN. I was able to ping them from inside their LAN, so I was asking if you knew of any reason why the AP's would not respond to ping requests from outside their LAN and you sent the "How does AP's respond to ICMP traffic when CPSEC is enabled?" response and told me to always ping through the controller. I think that the low bandwidth connection to this other warehouse is congested and causing dropped packets, thus causing the CPSEC links to drop out for 15-30 minutes at a time. When the AP's start responding to ping requests from outside their LAN they all seem to start working at the same time, but as I said, I can ping them from a switch inside their LAN.  So my question was, If the CPSEC tunnel drops out, how long does it take for the APs to try to reconnect or for the controllers to allow them to reconnect, because when this happens it takes 15-30 minutes for them to come back up on the controller and they all come back up at the same time. 

I will work on getting a T3 line and more bandwidth. If it's still happening I will contact Aruba support.  Thanks for responding.