Wireless Access

Reply
Contributor I

"Retrieve Image Fail" Error Message RAP Conversion Process

I have a 7030 Controller running 6.5.4.8. The controller is setup for supporting the RAP network. I setup the rap pool on the controller. I confirmed that port 4500 and 500 are allowed through firewall to the controller external IP. I removed both LMS and BK-LMS IPs from the controller. I read that LMS IPs cause issues for RAPs. And I added the RAP MAC Address to the whitelist.

 

When I execute the conversion process, after entering the controller external ip into the 'Hostname or ip address of the mobility controller' field, the RAP successfully establishes a tunnel to the controller and starts the conversion process. About 2 to 3 minutes later, an dialog box appears 'Retrieve image failed, please save the log in the popup window".

I am using the controller's external VRRP IP address for the conversion.

During the conversion process, I see that the RAP has formed a tunnel with the controller(show crypto isakmp sa) and is assigned a Private IP address from the rap-pool. Under the IPSEC SA V2 Active Session Information, the only flags present are UT2.

 

I factory-reset the RAP109 several times and tried manually upgrading the RAP to match the controller version. Still no go. 

 

Here is the show log upgrade from the RAP

 

Executing '/aruba/bin/download_image_swarm ac-ftp://x.x.x.x/mips21.ari'

fetching ('/usr/sbin/wget -T 120 -t ftp://sap:x@x.x.x.x/mips32,ari')

Error: failed to retrieve image

cleaning up

done

 

The x.x.x.x is the master controller internal ip address.

 

 

 

 

 

 

Guru Elite

Re: "Retrieve Image Fail" Error Message RAP Conversion Process

Is there a firewall between the AP And the VRRP address?  Try the static NAT to the actual ip address of the controller.  


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos

Re: "Retrieve Image Fail" Error Message RAP Conversion Process

What I have seen a few times in the past, is that the RAP should be in a different subnet than the controller. This was specifically for the conversion process started from the Instant Web UI or CLI. After I moved the RAP to another subnet, the conversion worked like normal.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Contributor I

Re: "Retrieve Image Fail" Error Message RAP Conversion Process

There is a firewall between the RAP and the Controller. I added the controller external IP address to the ACL. Both ports 4500 and 500 are allowed.

 

When I create the static nat to the actual controller mgmt ip address, should I select the option 'Used by VPN'? 

 

Also, I read that the user-role default-vpn-role is required for the RAP conversion process. On my existing 3400 RAP Controller, the role appears under user-roles. On the new RAP Contoller, the role is not there. When I try to manually add it, error message appears indicating role is already present, even though, it's not visible. 

Guru Elite

Re: "Retrieve Image Fail" Error Message RAP Conversion Process

Question:

 

Has this ever worked?  Have you ever brought up a RAP with the current setup?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Contributor I

Re: "Retrieve Image Fail" Error Message RAP Conversion Process

Under the existing 3400 RAP Controller(6.4.4.16), the process works without an issue. The conversion process works and RAP109 connects to the controller, downloads its firmware and reboots. 

 

On the new RAP Controller(6.5.4.8), the RAP connects to the controller, forms a tunnel to the controller, gets an internal ip from the rap_pool and tries to download the firmware from the controller internal ip before crashing out. 

 

One side note, I did have a loopback interface configured on the non-working RAP Controller, which was on a different subnet than the controller mgmt ip segment. On the working controller, the loopback interface is configured with an ip from the controller mgmt ip segment. Is the loopback interface required for this process?  

Guru Elite

Re: "Retrieve Image Fail" Error Message RAP Conversion Process

loopback is not required, but a loopback should share a subnet with one of the routable VLANs on the controller.  You should try to make the non-working as close to the working controller as possible.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Contributor I

Re: "Retrieve Image Fail" Error Message RAP Conversion Process

Thanks for the recommendation. On the non-working rap controller, I matched 99% of the settings. the IPSEC Address pool is the same. The external default-gateway are the same. The IP routes setup on the new controller match that of the working controller. The VRRP settings match, along with the Master-redundancy settings. I removed the HA Group Configuration from the non-working controller, along with the LMS/BK-LMS IPs. The AP System Profiles on the non-working controller matches the working controller. The AP Provisioning profile is set to N/A, which matches the working controller too. 

 

The only difference I see is that the Loopback Interface on the working controller, is assigned an IP from the Controller Mgmt IP segment. On the non-working controller, the field is empty. 

 

TheController IP on both controllers is using the Internal Mgmt VLAN, not the Controller External VLAN.

Guru Elite

Re: "Retrieve Image Fail" Error Message RAP Conversion Process

Do you have a network diagram along with the firewall and VRRP?  A loopback address is not necessary for this to work.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Contributor I

Re: "Retrieve Image Fail" Error Message RAP Conversion Process

Question: under the Stateful Firewall/Network Services, I see that ALG protocol is not selected on the working rap controller. On the non-working controller, ALG protocol is set to tftp. Is that a factor?

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: