Wireless Access

I've tried enabling CPSEC on our 7220, but due to network issues on a couple of our MPLS locations I had to disable it again. While that's an acceptable workaround until our ISP fixes their issues, the APs still try to set up an IPSEC tunnel when they boot. After the tunnel attempt finally times out, it reboots and connects normally, but by then almost half an hour has gone by. Each AP logs one error message after connecting:

An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4529 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKEV2_TIMEOUT. Ipsec not successful after reboot.

When I reset an AP to factory default, or provision a new one, it connects in a couple of minutes. Physically resetting 900 APs at 100 locations is not an option, though...

For the record; all APs, an unholy mix of 100, 200 and 300 series, behave exactly the same. I was running AOS 8.1 when I tried enabling CPSEC several months back, and was up to AOS 8.3 when our ISP finally told me to try again, and both versions gave the same result.

Is there any way to make the APs "forget" CPSEC, other than physically resetting them?

sapd|  An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4529 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKE_XAUTH_AUTHORIZATION_FAILED. Ipsec not successful after reboot.

 
+AOS 8.9
+CPSEC enabled
   -AutoCert Provision disabled
   -Auto Cert Allow All enabled
+AP is in Denied status despite being in the CPSEC allowlist.
+Have tried rebooting the AP, removing/adding to the whitelist. 

I've tried enabling CPSEC on our 7220, but due to network issues on a couple of our MPLS locations I had to disable it again. While that's an acceptable workaround until our ISP fixes their issues, the APs still try to set up an IPSEC tunnel when they boot. After the tunnel attempt finally times out, it reboots and connects normally, but by then almost half an hour has gone by. Each AP logs one error message after connecting:

An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4529 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKEV2_TIMEOUT. Ipsec not successful after reboot.

When I reset an AP to factory default, or provision a new one, it connects in a couple of minutes. Physically resetting 900 APs at 100 locations is not an option, though...

For the record; all APs, an unholy mix of 100, 200 and 300 series, behave exactly the same. I was running AOS 8.1 when I tried enabling CPSEC several months back, and was up to AOS 8.3 when our ISP finally told me to try again, and both versions gave the same result.

Is there any way to make the APs "forget" CPSEC, other than physically resetting them?

sapd|  An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4529 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKE_XAUTH_AUTHORIZATION_FAILED. Ipsec not successful after reboot.

 
+AOS 8.9
+CPSEC enabled
   -AutoCert Provision disabled
   -Auto Cert Allow All enabled
+AP is in Denied status despite being in the CPSEC allowlist.
+Have tried rebooting the AP, removing/adding to the whitelist. 

I've tried enabling CPSEC on our 7220, but due to network issues on a couple of our MPLS locations I had to disable it again. While that's an acceptable workaround until our ISP fixes their issues, the APs still try to set up an IPSEC tunnel when they boot. After the tunnel attempt finally times out, it reboots and connects normally, but by then almost half an hour has gone by. Each AP logs one error message after connecting:

An internal system error has occurred at file sapd_redun.c function redun_retry_tunnel line 4529 error redun_retry_tunnel: Switching to clear. Error:RC_ERROR_IKEV2_TIMEOUT. Ipsec not successful after reboot.

When I reset an AP to factory default, or provision a new one, it connects in a couple of minutes. Physically resetting 900 APs at 100 locations is not an option, though...

For the record; all APs, an unholy mix of 100, 200 and 300 series, behave exactly the same. I was running AOS 8.1 when I tried enabling CPSEC several months back, and was up to AOS 8.3 when our ISP finally told me to try again, and both versions gave the same result.

Is there any way to make the APs "forget" CPSEC, other than physically resetting them?