Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Verify if ports are open between AP and controller?

  • 1.  Verify if ports are open between AP and controller?

    Posted Aug 10, 2017 09:43 AM

    Hi,

     

    I have an installation with a HQ and several sub locations. The HQ is the only one with an internet connection and all sub locations have leased lines towards the HQ. My access points at the HQ show up normally and work fine, whereas the sub locations would only join in the default group, but nothing more, I couldn't provision them.

     

    So I attached the AP for the sub locations at the HQ and configured them and installed them at the sub locations. On the controller they now appear in the right group, but with the flag ID (Inactive, Dirty or no config). Even a reboot or provision command from the controller won't do anything.

     

    Is there a way to check what's causing this issue or is it just checking every option and hope for the best?

     

    Tom

     

     



  • 2.  RE: Verify if ports are open between AP and controller?

    EMPLOYEE
    Posted Aug 10, 2017 09:44 AM

     

    You can type "show datapath session table <ip address of AP>" to see what ports are being sent back and forth between the AP and the controller.



  • 3.  RE: Verify if ports are open between AP and controller?

    Posted Aug 10, 2017 09:56 AM

    The first 2 results are from AP connected at HQ, the others are from the sub locations.

     

    (Controller) #show datapath session table 90.0.0.81
    
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop
           A - Application Firewall Inspect
    
    
    Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
    90.0.0.226      90.0.0.81       17   8494  8211   0/0     0    0   1   0/0/0       15   2          424        FI
    90.0.0.81       90.0.0.226      17   8211  8224   1/0     0    0   0   local       2    0          0          FYI
    90.0.0.226      90.0.0.81       17   8421  8211   0/0     0    0   0   0/0/0       2    0          0          FYI
    90.0.0.81       90.0.0.226      17   8211  8419   0/0     0    0   1   0/0/0       9    0          0          FYCI
    90.0.0.81       90.0.0.226      17   8211  8222   0/0     0    0   0   0/0/0       3    0          0          FYCI
    
    
    90.0.0.226      90.0.0.81       17   8222  8211   0/0     0    0   1   0/0/0       3    0          0          FYI
    90.0.0.226      90.0.0.81       47   0     0      0/0     0    0   0   0/0/0       3169 12207      1218422    F
    90.0.0.226      90.0.0.81       17   8224  8211   0/0     0    0   0   local       2    1          387        FCI
    90.0.0.226      90.0.0.81       17   8211  8211   0/0     0    0   1   0/0/0       1e   0          0          FYI
    90.0.0.81       90.0.0.226      17   8211  8494   0/0     0    0   1   0/0/0       15   0          0          FYCI
    
    
    90.0.0.81       90.0.0.226      47   0     0      0/0     0    40  0   0/0/0       3169 27686      4549703    FC
    90.0.0.81       90.0.0.226      17   8211  8211   0/0     0    0   0   0/0/0       1e   24         13667      FCI
    90.0.0.81       90.0.0.226      17   8211  8421   0/0     0    0   0   0/0/0       2    0          0          FYCI
    90.0.0.226      90.0.0.81       17   8419  8211   0/0     0    0   0   0/0/0       9    0          0          FYI
    (Controller) #show datapath session table 90.0.0.58
    
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop
           A - Application Firewall Inspect
    
    
    Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
    90.0.0.58       90.0.0.226      17   8211  8211   1/0     0    0   0   0/0/0       7    12         6575       FCI
    90.0.0.58       90.0.0.226      47   0     0      0/0     0    40  1   0/0/0       2ee8 12087      1201599    FC
    90.0.0.58       90.0.0.226      17   8211  8494   1/0     0    0   0   0/0/0       2    0          0          FYCI
    90.0.0.226      90.0.0.58       17   8494  8211   0/0     0    0   0   0/0/0       2    2          256        FI
    90.0.0.226      90.0.0.58       17   8419  8211   0/0     0    0   0   0/0/0       1    1          508        FI
    
    
    90.0.0.58       90.0.0.226      17   8211  8419   1/0     0    0   0   0/0/0       1    0          0          FYCI
    90.0.0.58       90.0.0.226      17   8211  8224   0/0     0    0   1   local       18   0          0          FYI
    90.0.0.226      90.0.0.58       17   8211  8211   0/0     0    0   0   0/0/0       7    0          0          FYI
    90.0.0.58       90.0.0.226      17   8211  8222   1/0     0    0   0   0/0/0       7    0          0          FYCI
    90.0.0.226      90.0.0.58       17   8224  8211   0/0     0    0   0   local       18   2          774        FCI
    
    
    90.0.0.226      90.0.0.58       47   0     0      0/0     0    0   0   0/0/0       2ee8 11590      1157157    F
    90.0.0.226      90.0.0.58       17   8222  8211   0/0     0    0   0   0/0/0       7    2          208        FI
    (Controller) #show datapath session table 90.0.1.80
    
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop
           A - Application Firewall Inspect
    
    
    Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
    90.0.1.80       90.0.0.226      17   8211  8211   0/0     0    0   0   0/0/0       c    3          3952       FCI
    90.0.0.226      90.0.1.80       17   8211  8211   0/0     0    0   1   0/0/0       c    0          0          FYI
    90.0.0.226      90.0.1.80       17   8222  8211   0/0     0    0   1   0/0/0       c    0          0          FYI
    90.0.1.80       90.0.0.226      17   8211  8222   0/0     0    0   1   0/0/0       c    0          0          FYCI
    (Controller) #show datapath session table 90.0.2.81
    
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop
           A - Application Firewall Inspect
    
    
    Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
    90.0.2.81       90.0.0.226      17   8211  8222   0/0     0    0   1   0/0/0       11   0          0          FYCI
    90.0.0.226      90.0.2.81       17   8222  8211   0/0     0    0   1   0/0/0       11   0          0          FYI
    (Controller) #show datapath session table 90.0.3.82
    
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop
           A - Application Firewall Inspect
    
    
    Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
    90.0.3.82       90.0.0.226      17   8211  8222   0/0     0    0   1   0/0/0       11   0          0          FYCI
    90.0.0.226      90.0.3.82       17   8211  8211   0/0     0    0   4   0/0/0       49   0          0          FYI
    90.0.0.226      90.0.3.82       17   8222  8211   0/0     0    0   1   0/0/0       11   0          0          FYI
    90.0.3.82       90.0.0.226      17   8211  8211   0/0     0    0   1   0/0/0       49   10         13206      FCI

     



  • 4.  RE: Verify if ports are open between AP and controller?

    EMPLOYEE
    Posted Aug 10, 2017 10:11 AM

    Protocol 47 (GRE) does not look like it is being passed. Typically GRE packets have larger sizes and get dropped in some WAN environments. I would edit the AP System Profile in that ap-group and set the SAP MTU to something like 1400, to start.
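The check made by eye in the reply above can be run over saved `show datapath session table` output. This Python sketch is an added example, not part of the thread or an Aruba tool; it assumes the 14-column row layout shown in the posted output, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

GRE, UDP, CTRL_PORT = 47, 17, 8211  # IP protocol 47 = GRE, 17 = UDP; 8211 = Aruba PAPI control port

# Rows copied from the session tables posted in this thread (one HQ AP, one sub-location AP).
SAMPLE = """\
Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
90.0.0.58       90.0.0.226      17   8211  8211   1/0     0    0   0   0/0/0       7    12         6575       FCI
90.0.0.58       90.0.0.226      47   0     0      0/0     0    40  1   0/0/0       2ee8 12087      1201599    FC
90.0.0.226      90.0.0.58       47   0     0      0/0     0    0   0   0/0/0       2ee8 11590      1157157    F
90.0.2.81       90.0.0.226      17   8211  8222   0/0     0    0   1   0/0/0       11   0          0          FYCI
90.0.0.226      90.0.2.81       17   8222  8211   0/0     0    0   1   0/0/0       11   0          0          FYI
"""

def parse_rows(text):
    """Yield (src, dst, proto, sport, dport, packets) for each session row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14:
            continue  # prompt, flag legend, column header, blank line
        try:
            for ip in f[:2]:
                ipaddress.ip_address(ip)
            yield f[0], f[1], int(f[2]), int(f[3]), int(f[4]), int(f[11])
        except ValueError:
            continue  # the dashed separator also has 14 fields

def summarize(text, controller):
    """Per AP: GRE packet counts in each direction and whether UDP 8211 was seen."""
    aps = defaultdict(lambda: {"gre_to_ctrl": 0, "gre_to_ap": 0, "udp_8211": False})
    for src, dst, proto, sport, dport, pkts in parse_rows(text):
        ap = dst if src == controller else src
        if proto == GRE:
            aps[ap]["gre_to_ap" if src == controller else "gre_to_ctrl"] += pkts
        elif proto == UDP and CTRL_PORT in (sport, dport):
            aps[ap]["udp_8211"] = True
    return dict(aps)

def missing_gre(text, controller):
    """APs with UDP 8211 sessions but no GRE packets counted in both directions."""
    return sorted(ap for ap, s in summarize(text, controller).items()
                  if s["udp_8211"] and not (s["gre_to_ctrl"] and s["gre_to_ap"]))

if __name__ == "__main__":
    print(missing_gre(SAMPLE, "90.0.0.226"))
```

An AP returned by `missing_gre` has control sessions on the controller but no protocol 47 flow, which is the pattern the sub-location outputs show.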



  • 5.  RE: Verify if ports are open between AP and controller?

    Posted Aug 10, 2017 10:16 AM

    I'll get them to check that and make sure port 47 is allowed. If I edit the SAP MTU size, will the AP actually receive those details? Because when I click provision or AP reboot from the controller GUI, nothing happens to the AP.



  • 6.  RE: Verify if ports are open between AP and controller?

    EMPLOYEE
    Posted Aug 10, 2017 10:19 AM

    Not port 47, PROTOCOL 47, which is GRE.



  • 7.  RE: Verify if ports are open between AP and controller?

    Posted Aug 10, 2017 10:19 AM

    MY BAD! I meant protocol :)



  • 8.  RE: Verify if ports are open between AP and controller?

    EMPLOYEE
    Posted Aug 10, 2017 10:22 AM

    9/10 times, GRE gets blocked due to MTU on a WAN link.