Location Services

 View Only
last person joined: 7 days ago 

Location-based mobile app development and Bluetooth-based asset tracking with Meridian. Gathering analytics and business intelligence from Wi-Fi with Analytics and Location Engine (ALE).
Back to discussions
Expand all | Collapse all

Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

This thread has been viewed 46 times

  • 1.  Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    Posted Jan 07, 2022 06:39 AM
    Hi,

    we upgraded our controller from version 8.8.0.1 to 8.9XX and Meridian Beacon management stopped working.
    We than reversed to 8.8XX and controller connected to Meridian, but it does not recognise APs as Access points, but as beacons.

    I tried on demo environment with 8.7, which works perfectly. 
    Is there any change in newer versions that i would need to tweak in order to have latest versions working?

    best regards,

    Mladen

    ------------------------------
    Mladen Vukadinovic
    ------------------------------


  • 2.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    EMPLOYEE
    Posted Jan 07, 2022 08:20 AM
    The IoT system has had some changes in 8.9. And I don't see the updated documentation on https://docs.meridianapps.com/hc/en-us/sections/360006480194-Configure-Aruba-Hardware

    The best is probably to work with support.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


  • 3.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    EMPLOYEE
    Posted Jan 10, 2022 03:55 AM
    Hi,

    Starting with 8.8 the default advertisement for AP-5xx series changed form iBeacon to an Aruba specific format if the default beacon config have never been modified and is still at factory defaults, AP-3xx haven't been changed. Furthermore we added beacon custom payload and multi-advertisements for AP-5xx with 8.9. Unfortunately, this introduced a but with the Meridian Beacon Management. This bug should be addresses with 8.9.0.1.

    If 8.9.0.1 does not solve you problem, please open a TAC case.

    Regards,

    Jens



    ------------------------------
    Jens Fluegel
    ------------------------------

    Original Message


  • 4.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    Posted Jan 10, 2022 10:03 AM
    Hi Jens.

    We did test with 8.9.0.1 with the same result as of 8.9.0.0. Maybe we miss something very basic that is now different from 8.7 and 8.8. We opened TAC case.

    Any hints what we should look at?

    In 8.9.0.x the Management communication simply timeout and is never established.

    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------

    Original Message


  • 5.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    EMPLOYEE
    Posted Jan 10, 2022 10:19 AM
    Hi,

    if the management communication is not established, please check via AP or controller CLI the possible root cause.
    The commands are:

    AOS controller: 
    show ble_relay iot-profile
    show ble_relay ws-log <profile>
    Aruba Instant:
    show ap debug ble-relay iot-profile
    show ap debug ble-relay ws-log <profile>

    I is very likely that the certificate check that fails. Did you installed the current trusted root CA required for the Meridian backend?

    I assume you configured IoT transport profiles for Meridian Beacon Management as well as Asset Tracking as described here?:
    https://docs.meridianapps.com/hc/en-us/articles/360049798094-ArubaOS-8-7-x-Meridian-Beacons-Management-and-Asset-Tracking-Configuration-Guide
    https://docs.meridianapps.com/hc/en-us/articles/360053927734-Aruba-Instant-8-6-0-x-Meridian-Beacons-Management-And-Asset-Tracking-Configuration-Guide

    Regards,

    Jens


    ------------------------------
    Jens Fluegel
    ------------------------------

    Original Message


  • 6.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    Posted Jan 10, 2022 10:38 AM
    Hi Jens.

    We did upload the correct certificate and it is working on 8.8.0.x. When I boot the controller from 8.9.0.1 partition, I get the following from show ble_relay iot-profile

    (ArubaMC-01) [MDC] #show ble_relay iot-profile

    ConfigID : 8

    ---------------------------Profile[BLE-Beacon-Management]---------------------------

    serverURL : https://edit.meridianapps.com/api/beacons/manage
    serverType : Meridian Beacon Management
    deviceClassFilter : Aruba Beacons
    reportingInterval : 600 second
    authentication-mode : none
    accessToken : ...
    rssiReporting : Average
    environmentType : office
    include_ap_group : MP-Tower10-11,MP-Tower3,MP-Tower5,MP-Tower6,MP-Tower8
    Server Connection State
    --------------------------
    TransportContext : Failed
    Fail Reason : no response (timeout...etc)
    Last Data Update : 2021-12-23 12:16:50
    Last Send Time : 2021-12-23 12:16:50
    TransType : Https


    Management transport profile looks like this:
    show iot trans BLE-Beacon-Management

    IoT Data Profile "BLE-Beacon-Management"
    ----------------------------------------
    Parameter Value
    --------- -----
    Server Type Meridian-Beacon-Management
    Server URL https://edit.meridianapps.com/api/beacons/manage
    Access Token ...
    Client Id N/A
    Username N/A
    Password N/A
    Reporting interval 600
    Device Class Filter aruba-beacons
    UUID Filter N/A
    Movement Filter 0
    Cell Size Filter 0
    Vendor Filter N/A
    USB serial device type Filter N/A
    Age Filter 0
    Authentication URL N/A
    Authentication Mode none
    UID Namespace Filter N/A
    URL Filter N/A
    Access ID N/A
    Client Secret N/A
    Zigbee Socket Device Filter N/A
    RSSI Reporting Format average
    choose an environment type office
    Custom Fading Factor 20
    Iot Proxy Server N/A
    Iot Proxy User N/A
    AP Group MP-Tower10-11
    AP Group MP-Tower3
    AP Group MP-Tower5
    AP Group MP-Tower6
    AP Group MP-Tower8
    Send device counts only Disabled
    Enable bleData forwarding for known devices Disabled
    Enable filtering for each frame received Disabled
    RTLS Destination MAC Address N/A
    Data Filter N/A
    Azure DPS Id Scope N/A
    Azure DPS Auth Type N/A
    Service UUID Filter N/A
    Company Identifier Filter N/A
    MAC OUI Filter N/A
    Local Name Filter N/A

    And certificate is there

    (Demo7005-02) *#show crypto-local pki trustedCA

    Certificates
    ------------
    Name Original Filename Reference Count Expired
    -------------- ----------------- --------------- -------
    DigiCert-Meridian DigiCertGlobalRootCA.crt 0 No


    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------

    Original Message


  • 7.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    EMPLOYEE
    Posted Jan 10, 2022 12:22 PM
    Hi Gorazd,

    I am seeing the same issue in my lab with Aruba Instant.

    ap505h# show ap debug ble-relay iot-profile

---------------------------Profile[MBM]---------------------------

serverURL                               : https://edit.meridianapps.com/api/beacons/manage
serverType                              : Meridian Beacon Management
deviceClassFilter                       : Aruba Beacons
reportingInterval                       : 600 second
authentication-mode                     : none
accessToken                             : <access token>
rssiReporting                           : Average
environmentType                         : office
Server Connection State
--------------------------
TransportContext                        : Failed
Fail Reason                             : no response (timeout...etc)
Last Data Update                        : 2022-01-10 20:40:24
Last Send Time                          : 2022-01-10 20:40:24
TransType                               : Https
ap505h#
ap505h# show ap debug ble-relay report MBM


---------------------------Profile[MBM]---------------------------

Last Send Time: 2022-01-10 20:50:25

Sent report to Endpoint server (42s) ago: success 0, failed 3, last curl result code 0

Timeout(-1):20 Jobs added: 3

Server: https://edit.meridianapps.com/api/beacons/manage with proxy: NA

Proxy username: NA, password: NA

Vlan Interface                          : Not Configured
Request to Server:
{"meta": {"AP": {"mac": "204C03BAC7B0", "apb_mac": "204C03BB798D", "hw_type": "AP-505H", "software_version": "8.9.0.1-8.9.0.1", "software_build": "82154", "ipv4-addr": "192.168.100.10", "name": "ap505h", "clients": 0}, "timestamp": 1641833425}, "beacons": [{"mac": "204C03BB798D", "uuid": "4152554E-F99B-4A3B-86D0-947070693A78", "major": 0, "minor": 0, "cal_pwr": -69, "battery_level": 100, "rssi": 0, "txpower": 15, "timestamp": 1641833416, "hw_type": "BT-AP505H", "local_apb": true, "firmware": {"B": {"version": "1.4-95"}}}, {"mac": "204C03A5675C", "battery_level": 100, "rssi": -62, "timestamp": 1641833423, "hw_type": "BT-AP500", "local_apb": false, "firmware": {"B": {"version": "1.4-94"}}}]}

Last Curl logs:
*   Trying 142.250.186.83:443...
* Connected to edit.meridianapps.com (142.250.186.83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /aruba/cacertrehash/
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

Server response:
Response time: 2022-01-10 20:50:25
▒▒T6

ap505h#​


    As you can see in the log it is an SSL certificate validation problem. 

    I could solve it by adding the full trusted ca chain to my instant access point. Adding just the root CA cert is not enough, neither on Aruba Instant, nor on ArubaOS.

    After adding the complete trusted CA chain it works.

    Meridian Beacon Management trusted root CA chain


    I have attached for you the certificate chain files for ArubaOS (dedicated cert/pem files) and Aruba Instant (single PEM file).

    After the installation of the complete certificate chain on your controller it should look like this:

    ap505h# show ap debug ble-relay report MBM


---------------------------Profile[MBM]---------------------------

Last Send Time: 2022-01-10 21:10:26

Sent report to Endpoint server (466s) ago: success 2, failed 4, last curl result code 200

Timeout(-1):20 Jobs added: 6

Server: https://edit.meridianapps.com/api/beacons/manage with proxy: NA

Proxy username: NA, password: NA

Vlan Interface                          : Not Configured
Request to Server:
{"meta": {"AP": {"mac": "204C03BAC7B0", "apb_mac": "204C03BB798D", "hw_type": "AP-505H", "software_version": "8.9.0.1-8.9.0.1", "software_build": "82154", "ipv4-addr": "192.168.100.10", "name": "ap505h", "clients": 0}, "timestamp": 1641834626}, "beacons": [{"mac": "204C03BB798D", "uuid": "4152554E-F99B-4A3B-86D0-947070693A78", "major": 0, "minor": 0, "cal_pwr": -69, "battery_level": 100, "rssi": 0, "txpower": 15, "timestamp": 1641834616, "hw_type": "BT-AP505H", "local_apb": true, "firmware": {"B": {"version": "1.4-95"}}}, {"mac": "204C03A5675C", "battery_level": 100, "rssi": -56, "timestamp": 1641834623, "hw_type": "BT-AP500", "local_apb": false, "firmware": {"B": {"version": "1.4-94"}}}]}

Last Curl logs:
*   Trying 142.250.186.83:443...
* Connected to edit.meridianapps.com (142.250.186.83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /aruba/cacertrehash/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=edit.meridianapps.com
*  start date: Nov 29 09:17:19 2021 GMT
*  expire date: Feb 27 09:17:18 2022 GMT
*  subjectAltName: host "edit.meridianapps.com" matched cert's "edit.meridianapps.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1747f4)
> POST /api/beacons/manage HTTP/2
Host: edit.meridianapps.com
content-type: application/json
authorization: MERIDIAN <access token removed>
accept: application/vnd.meridian.v1+json
content-length: 698

* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* We are completely uploaded and fine
< HTTP/2 200
< x-ratelimit-remaining: 99999
< x-xss-protection: 1; mode=block
< content-security-policy: script-src 'self' 'unsafe-eval' 'unsafe-inline' *.googleapis.com www.googletagmanager.com www.google-analytics.com www.google.com cdnjs.cloudflare.com files.meridianapps.com; style-src 'self' 'unsafe-inline' *.googleapis.com www.google.com cdnjs.cloudflare.com; default-src 'self'; img-src 'self' data: blob: files.meridianapps.com edit.meridianapps.com www.google-analytics.com storage.googleapis.com edit-eu.meridianapps.com maps.gstatic.com *.googleusercontent.com http://*.googleusercontent.com http://*.ggpht.com *.ggpht.com http://*.googleapis.com *.googleapis.com; connect-src 'self' api.keen.io sentry.io wss: www.google-analytics.com tags.meridianapps.com *.appspot.com; object-src 'self' blob:; font-src 'self' data: *.googleapis.com *.gstatic.com
< content-language: en
< strict-transport-security: max-age=3600
< vary: Accept, Accept-Language, Cookie
< x-ratelimit-limit: 100000/second
< etag: "129386107711ec622a3919d9eedbf5c2"
< allow: POST, OPTIONS
< access-control-allow-credentials: false
< x-frame-options: SAMEORIGIN
< access-control-allow-origin: *
< x-content-type-options: nosniff
< content-type: application/json
< x-meridian-media-type: version=v1
< x-cloud-trace-context: 85333e277ce97fa4eee7ee1e03efec43
< date: Mon, 10 Jan 2022 17:10:26 GMT
< server: Google Frontend
< content-length: 31
<
* Connection #0 to host edit.meridianapps.com left intact

Server response:
Response time: 2022-01-10 21:10:26
{"next_sync":3600,"updates":[]}

ap505h#


    Let me know if that solves your problem.

    Regards,

    Jens



    ------------------------------
    Jens Fluegel
    ------------------------------

    Original Message


  • 8.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    Posted Jan 11, 2022 02:45 AM
    Hi Jens. 

    Finally some progress :-)

    Next question is, do I need a separate access tokens for each MD managed by MM? I have 4 MDs managed with one MM and only one is able to establish connection with Meridian. As not all MDs are in the same cluster, this could be an issue.
     
    (ArubaMC-02) #show ble_relay report


    ---------------------------Profile[BLE-Asset-Tracking]---------------------------

    WebSocket Connect Status : Connection Established
    WebSocket Connection Established : Yes
    Handshake Address : https://tags.meridianapps.com/api/v1beta1/streams/ingestion.start
    Handshake Token :<>
    Location Id : 6725489585553408
    Websocket Address : wss://tags.meridianapps.com/streams/v1beta1/ingestion/tags/websocket/<>
    WebSocket Host : tags.meridianapps.com
    WebSocket Path : streams/v1beta1/ingestion/tags/websocket/<>
    Vlan Interface : Not Configured
    Current WebSocket Started at : 2022-01-11 08:29:06
    Last Send Time : 2022-01-11 08:33:59
    Websocket Write Stats : 6 (14373B)
    Websocket Write WM : 0B (0)
    Websocket Read Stats : 0 (0B)

    ---------------------------Profile[BLE-Beacon-Management]---------------------------

    Last Send Time: 2022-01-11 08:32:09

    Sent report to Endpoint server (111s) ago: success 3, failed 0, last curl result code 200

    Timeout(-1):20 Jobs added: 3

    Vlan Interface : Not Configured
    Server response:
    Response time: 2022-01-11 08:32:09
    {"next_sync":3600,"updates":[]}

    (ArubaMC-02) #show crypto-local pki trustedCA

    Certificates
    ------------
    Name Original Filename Reference Count Expired
    -------------- ----------------- --------------- -------
    DigiCert-Meridian DigiCertGlobalRootCA.crt 0 No
    Meridian_GlobalSign_Root_CA GlobalSign_Root_CA.crt 0 No
    Meridian_GTS_Root_R1 GTS_Root_R1.crt 0 No
    (ArubaMC-02) #show crypto-local pki intermediateCA

    Certificates
    ------------
    Name Original Filename Reference Count Expired
    -------------- ----------------- --------------- -------
    Meridian_GTS_CA_1D4 GTS_CA_1D4.crt 0 No

    (ArubaMC-02) #show ble_relay iot-profile

    ConfigID : 22

    ---------------------------Profile[BLE-Asset-Tracking]---------------------------

    serverURL : https://tags.meridianapps.com/api/v1beta1/streams/ingestion.start
    serverType : Meridian Asset Tracking
    deviceClassFilter : Aruba Tags
    reportingInterval : 600 second
    authentication-mode : none
    accessToken : <>
    clientID : 6725489585553408
    rssiReporting : Average
    environmentType : office
    include_ap_group : MP-Tower10-11,MP-Tower3,MP-Tower5,MP-Tower6,MP-Tower8
    Server Connection State
    --------------------------
    TransportContext : Connection Established
    Last Data Update : 2022-01-11 08:38:46
    Last Send Time : 2022-01-11 08:39:34
    TransType : Websocket

    ---------------------------Profile[BLE-Beacon-Management]---------------------------

    serverURL : https://edit.meridianapps.com/api/beacons/manage
    serverType : Meridian Beacon Management
    deviceClassFilter : Aruba Beacons
    reportingInterval : 600 second
    authentication-mode : none
    accessToken : <>
    rssiReporting : Average
    environmentType : office
    include_ap_group : MP-Tower10-11,MP-Tower3,MP-Tower5,MP-Tower6,MP-Tower8
    Server Connection State
    --------------------------
    TransportContext : Ready
    Last Data Update : 2022-01-11 08:38:46
    Last Send Time : 2022-01-11 08:38:47
    Last Receive Time : 2022-01-11 08:38:47
    TransType : Https



    ------------------------------
    Gorazd Kikelj
    ------------------------------

    Original Message


  • 9.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    EMPLOYEE
    Posted Jan 11, 2022 03:37 AM
    Gorazd,

    You can have just a single token per Meridian location; and you can use that for multiple controllers. BTW, it may be good to refresh your tokens as you just posted them on-line. Not sure what the security consequences are of that, but it should be easy to generate a new token.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


  • 10.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    EMPLOYEE
    Posted Jan 11, 2022 04:07 AM
    Hi Gorazd, 

    Great! There is only a single token per Meridian location as described by Herman.

    Please don't post you tokes in you posts for security reasons ;-). You should change them as suggested.

    Regards,

    Jens

    ------------------------------
    Jens Fluegel
    ------------------------------

    Original Message


  • 11.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    Posted Jan 11, 2022 04:10 AM
    It is changed :)

    thank you!
    Original Message


  • 12.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    Posted Jan 11, 2022 04:18 AM
    Hi Jens, Herman.

    Many thx. It was my oversight. I did change Tokens as soon I see Herman's post. 

    So the problem is still there. Only one MD get a connection to Meridian, others are waiting in " Null Context -- Syncing Config..." state.

    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------

    Original Message


  • 13.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    EMPLOYEE
    Posted Jan 11, 2022 04:24 AM
    Hi Gorazd,

    this is not an issue. I assume that all your APs are only active on this one controller and the others have not APs or no APs in the APs groups you activated Meridian Beacon Management on. 
    Because Meridian Beacon Management is an HTTPS POST only, the connection is only made in case there are Beacons/BLE radios to be reported.

    Therefore don't worry. Just make sure the configuration the same on all MDs (using the Mobility Conductor) and that all MDs have the correct cert chain installed. 

    Regards,

    Jens

    ------------------------------
    Jens Fluegel
    ------------------------------

    Original Message


  • 14.  RE: Meridian and AOS vs 8.9.0.1 vs 8.8.0.1 vs 8.7.0.0

    Posted Jan 11, 2022 04:46 AM
    Hi Jens.

    Great. Yes, I see it now. And many thx for this help. It's now working as expected.

    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------

    Original Message