Wireless Access

Has anyone ever come across an ap in the ap database that says denied?

#show ap database

AP Database
-----------
Name               Group    AP Type  IP Address     Status  Flags  Switch IP
----               -----    -------  ----------     ------  -----  ---------
00:0b:86:cf:d1:15  default  105      10.20.100.208  Denied         10.20.0.180
00:0b:86:cf:d1:17  default  105      10.20.100.210  Denied         10.20.0.180

Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       I = Inactive; H = Using 802.11n license; D = Dirty or no config
       X = Maintenance Mode; P = PPPoE AP; B = Built-in AP
       R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP; c = CERT-based RAP; 2=Using IKE version 2
       M = Mesh node; Y = Mesh Recovery

Total APs:2

I am going to guess that has something to do with CPS (Control Plane Security). Do you have CPS enabled?

Out of the box controller.

All that was done is:

initial config (ip, mask, gw)

licenses installed.
Code upgraded to 6.1.2.5

So no I don't have CPS unless it was turned on by default. 

Pretty sure it is enabled by default.

If the controller had 6.x code on it from the factory then CPSec IS on by DEFAULT

I have fixed the issue.
Cleared the ap from the database. Rebooted the ap.

Up acts normal now.

Ok so in 6.1 CPS is on.

Nope no denied here:

Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       I = Inactive; H = Using 802.11n license; D = Dirty or no config
       X = Maintenance Mode; P = PPPoE AP; B = Built-in AP
       R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP; c = CERT-based RAP; 2=Using IKE version 2
       M = Mesh node; Y = Mesh Recovery

Would be helpful if DEV is going to use a flag to give us an idea what it does.

Agreed.

---

@ddipert wrote:

I have fixed the issue.
Cleared the ap from the database. Rebooted the ap.

Up acts normal now.

 

Ok so in 6.1 CPS is on.

Nope no denied here:

 

Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       I = Inactive; H = Using 802.11n license; D = Dirty or no config
       X = Maintenance Mode; P = PPPoE AP; B = Built-in AP
       R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP; c = CERT-based RAP; 2=Using IKE version 2
       M = Mesh node; Y = Mesh Recovery

Would be helpful if DEV is going to use a flag to give us an idea what it does.

---

You get much more than a flag.  You get a big denied when an AP is denied:

(host) #show ap database

AP Database
-----------
Name               Group    AP Type  IP Address     Status     Flags  Switch IP
----               -----    -------  ----------     ------     -----  ---------
00:0b:86:66:97:46  default  RAP-5WN  192.168.1.248  Down              192.168.1.3
00:24:6c:c2:97:1b  default  105      192.168.1.240  Down              192.168.1.3
00:24:6c:cb:30:89  default  105      192.168.1.238  Down              192.168.1.3
00:24:6c:cb:30:94  default  105      192.168.1.239  Down              192.168.1.3
00:24:6c:cb:30:ba  default  105      192.168.1.245  Down              192.168.1.3
AP105              default  105      192.168.1.251  Down       M      192.168.1.3
AP135              default  135      192.168.1.251  Up 10m:8s  2      192.168.1.3
d8:c7:c8:c1:66:ab  default  105      192.168.1.242  Down              192.168.1.3
GOC-SHP1-AP125     default  125      192.168.1.243  Denied            192.168.1.3

Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       I = Inactive; H = Using 802.11n license; D = Dirty or no config
       X = Maintenance Mode; P = PPPoE AP; B = Built-in AP
       R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP; c = CERT-based RAP; 1 = 802.1x authenticated AP; 2 = Using IKE version 2
       M = Mesh node; Y = Mesh Recovery

Total APs:9

Hi,

 Denied is not a Flag, it is Status like up or down or upgrading.

I had same problem, I disabled CPSec and My APs came back up

Me too did the same... I disabled CPSec and My APs came back up... is it normal?

If you have CPSEC enabled, you need to allow all certs or you have to manually certify each AP into the CAP whitelist.

Actually I have a Controller 7205 with image version ArubaOS 6.4.3.4

And the state is DENIED

(Controller_Aruba7205) #show ap database

AP Database
-----------
Name Group AP Type IP Address Status Flags Switch IP Standby IP
---- ----- ------- ---------- ------ ----- --------- ----------
AUDITORIO default 225 172.16.0.2 Down 172.16.0.254 0.0.0.0
PRESIDENCIA default 215 172.16.0.3 Denied 172.16.0.254 0.0.0.0

So the Option CPsec was disable on the Controller, but the FLAG is I (Inactive). Then the AP was provisioned and the AP is not ACTIVE, with the command SHOW AP ACTIVE (AP = 0)

Thanks for your help. 

You should reboot the denied AP, because it will not resolve itself unless you reboot it.

Thanks Colin. 

However, the problem continues. 

Aruba Controller has version: ArubaOS 6.4.3.4

AP  225: 6.4.2. 

Disable the CPSEC option on the controller and then the AP will reboot.

Then provision the AP with the WIZARD. I have everything in VLAN 1 and the default IP address 172.16.0.0/24.

And I still have the Flag of I:

_Aruba7205) #show ap database

AP Database
-----------
Name Group AP Type IP Address Status Flags Switch IP Standby IP
---- ----- ------- ---------- ------ ----- --------- ----------
AUDITORIO default 225 172.16.0.2 Up 11m:22s I 172.16.0.254 0.0.0.0

Therefore the AP does not appear to me active:

_Aruba7205) #show ap active

Active AP Table
---------------
Name Group IP Address 11g Clients 11g Ch/EIRP/MaxEIRP 11a Clients 11a Ch/EIRP/MaxEIRP AP Type Flags Uptime Outer IP
---- ----- ---------- ----------- ------------------- ----------- ------------------- ------- ----- ------ --------

Num APs:0

Thanks for your help. 

Regards

Do you have any other ip addresses configured on controller interfaces?

Do you have an LMS-IP configured anywhere?

Hi Colin

It is a new implementation, the computers are new, they have a default configuration.

Aruba7205 #show ip interface brief

Interface IP Address / IP Netmask Admin Protocol
vlan 1 172.16.0.254 / 255.255.255.0 up up
loopback unassigned / unassigned up up
mgmt unassigned / unassigned up down

Aruba7205#show controller-ip

Switch IP Address: 172.16.0.254

Switch IP is from Vlan Interface: 1

Switch IPv6 address is not configured.

The AP is on the Port Gi0/0/2, in VLAN 1 for Administration. 

Aruba7205) #show vlan

VLAN CONFIGURATION
------------------
VLAN Description Ports AAA Profile
---- ----------- ----- -----------
1 Default GE0/0/0-0/3 GE0/0/4-0/5 Pc0-7 N/A

That AP has an "I", not a D flag.  An I could mean that you have not defined any WLAN so it is inactive, or you have a profile issue that is keeping the AP from coming up.  I would type "show profile-errors" to see if you have anything that could be a problem.  I would also type "show log system 50" to see if there is anything else obvious.

Thanks Colin. 

I attach the outputs on file. 

Additionally the LEDs of both radios are in amber.

Regards

Attachment(s)

DeploymentAruba7205.txt   5 KB 1 version

Is CPSEC enabled or disabled?

May 30 02:15:49 :311020:  <ERRS> |AP AUDITORIO@172.16.0.2 sapd|  An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4488 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_CPSEC_DENIED. Ipsec not successful after reboot.

Disable in the Controller. 

https://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/ControllerBasedWLANs/article-id/867

Where does it say on your controller that it is disabled?  Screenshot please.

By default CPsec was enabled, however I did it as a test. 

In Configuration / AP Installation / Whitelist / Control Plane Sec / Disabled 

I would open a tac case to see what other things could be causing your issue.

Just one further step you can try whilst waiting for TAC is to console into the AP and perform a "clear os, save, boot" to factory reset the AP.

Muchas gracias a todos por sus aportes. 

Les comparto los resultados con otra Controladora 7010

1. Venía con un reset default, le configure los parámetros por defecto, VLAN 1, 172.16.0.254/24 (IP Controller), y adicionalmente habilite el DHCP Server con el Pool 172.16.0.0/24

2. Todos los puertos en VLAN

3. Así que conecte con un cable de conexión directa del puerto 0 del Controller hacia el Puerto ENET del AP 215. (Previamente, había pasado el IAP a CAP, validando desde CLI que se tuviera conectividad hacia el IP 172.16.0.254

4. Una vez conectado, revise con el comando SHOW AP DATABASE, y se indicaba el Status DENIED. (Investigue y explicaban que ese estado se debe a que esta habilitado por defecto CPsec)

 Referencia Item 4.

https://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/ControllerBasedWLANs/article-id/867

5. Así que en la Controladora aplique la recomendación del URL, que es dejar habilitado CPsec y luego agregar manualmente el AP a lista blanca: (AP tiene MAC terminada en: BB 3A)

Configuration / AP Instala / Whitelist. Agregue el AP con Cert Type: Factory-cert & State: Certified-factory-cert.

6. El AP se reinicia y posteriormente ya aparece el

(Controller_Aruba7010) #show ap database

AP Database

-----------

Name         Group    AP Type  IP Address  Status      Flags  Switch IP     Standby IP

----         -----    -------  ----------  ------      -----  ---------     ----------

PRESIDENCIA  default  215      172.16.0.2  Up 12m:40s  2I     172.16.0.254  0.0.0.0

7. Luego procedi a aprovisionarlo via GUI

Configuration / AP Installation / Provision

8. Una vez aprovisionado y que se aplica y manda a reiniciar, valide con el comando SHOW AP ACTIVE, para validar que estuviera activo, sin embargo no lo esta.

(Controller_Aruba7010) #show ap active

Active AP Table

---------------

Num APs:0

Additionally the LEDs of both radios are in amber.

Did you open a TAC case?  It has been over a month..