AJ,
Thank you for your response. As I am new to the Airheads community, I was waiting for my post to be approved and never realized it had been approved.
Here is the output of those commands.
(Aruba_VMC) *[mynode] #show ap database
AP Database
-----------
Name Group AP Type IP Address Status Flags Switch IP Standby IP
---- ----- ------- ---------- ------ ----- --------- ----------
AlamedaCT-Boper-A00686 Alameda-APs 505 172.31.236.244 Down 172.25.26.50 0.0.0.0
(Aruba_VMC) *[mynode] #show datapath session table | include 172.31.236.244
172.31.236.244 172.25.26.50 17 8211 8222 0/0 0 0 2 0/0/0 1b 0 0 FYCI 2
172.31.236.244 172.25.26.50 17 8211 8515 0/0 0 0 0 0/0/0 f 0 0 FYCI 2
172.25.26.50 172.31.236.244 17 8222 8211 0/0 0 0 0 0/0/0 1b 3 402 FI 2
172.25.26.50 172.31.236.244 17 8211 8211 0/0 0 0 1 0/0/0 1b 0 0 FYI 2
172.31.236.244 172.25.26.50 17 8211 8211 0/0 0 0 0 0/0/0 1b 9 2504 FCI 2
172.25.26.50 172.31.236.244 17 8515 8211 0/0 0 0 1 0/0/0 f 0 0 FYI 2
(Aruba_VMC) *[mynode] #show whitelist-db cpsec
Control-Plane Security Allowlist-entry Details
----------------------------------------------
MAC-Address AP-Group AP-Name Enable State Cert-Type Description Revoke Text Last Updated
----------- -------- ------- ------ ----- --------- ----------- ----------- ------------
20:9c:b4:cc:f5:c8 Alameda-APs AlamedaCT-Boper-A00686 Enabled unapproved-no-cert switch-cert Fri Mar 15 07:40:54 2024
I checked the running config of the VMC and found that it seems to be permitted, but enhanced security is not enabled:
ip access-list session control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-papi permit
any any svc-sec-papi permit
any any svc-cfgm-tcp permit
any any svc-adp permit
any any svc-tftp permit
any any svc-dhcp permit
any any svc-natt permit
any any tcp 6633 permit
.
.
ip access-list session v6-control
ipv6 user any udp 546 deny
ipv6 any any svc-v6-icmp permit
ipv6 any any svc-dns permit
ipv6 any any svc-papi permit
ipv6 any any svc-sec-papi permit
ipv6 any any svc-cfgm-tcp permit
ipv6 any any svc-adp permit
ipv6 any any svc-tftp permit
ipv6 any any svc-v6-dhcp permit
ipv6 any any svc-natt permit
ipv6 any any svc-dhcp permit
.
.
license-pool-profile-root
pefng-licenses-enable
rfp-license-enable
!
papi-security
!
est profile "default"
!
----------
I had 1 AP brought back to me and confirmed it works fine with the correct static IP at the HQ office. I then reprovisioned it for the Alameda location and had it sent down. Waiting on staff to plug it in so I can check the logs again.
Original Message:
Sent: Feb 26, 2024 05:14 AM
From: Mr.RFC
Subject: 3 WiFi Access Points not functioning correctly - getting denied PAPI Port messages
1. The only ports you would need for the AP to function are PAPI: 8211 [first boot] and 8209 [when cpsec is enabled], to establish communication and talk to the controller.
2. What other logs do you see? I don't think this is a PAPI port issue.
3. What flags do you see in "show ap database", and what do you see in "show datapath session table | include <IP of AP>"?
4. Is the mode set to auto-cert-provision under control-plane-security?
5. Do you have PAPI security enabled? If it's not a requirement for the network, I'd suggest toggling that setting to see if the APs are able to establish communication and stay that way.
https://www.arubanetworks.com/techdocs/CLI-Bank/Content/aos8/papi-security.htm
6. Is the AP in the whitelist section of cpsec?
show whitelist-db cpsec
7. Try removing one of the problematic APs from this list and re-adding them (bounce your switch ports for a forced reboot).
------------------------------
/AJ
Original Message:
Sent: Feb 23, 2024 01:49 PM
From: JohnB-Airhead
Subject: 3 WiFi Access Points not functioning correctly - getting denied PAPI Port messages
I have 3 WiFi Access Points at a remote site behind a firewall that are able to connect to our Mobility Controller; however, they consistently reboot within 30 minutes, and the logs show them getting denied by PAPI ports. After working with HPE Support, we validated that we have enough licenses. The site is a 2.5-hour drive, and I'd prefer not to make the drive. Is it possible to resolve this remotely?
Here are the logs:
ble_relay[6000]: PAPI_Security: Denying message 24309 received from unauthenticated source x.x.x.x:8514 for PAPI port 8515
ble_relay[6000]: PAPI_Security: Denying message 24334 received from unauthenticated source x.x.x.x:8514 for PAPI port 8515
stm[5568]: PAPI_Security: Denying message 16200 received from unauthenticated source x.x.x.x:17103 for PAPI port 8222
Checking the console, it says these APs are "Generating CSR" and never get past that.
In the Mobility Controller GUI, all 3 do show up, but constantly reboot.
Any thoughts on how to resolve?
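Added example, not part of the thread or of any Aruba tooling: a small Python parser for the PAPI_Security denial lines quoted above. It groups the denials by receiving process, source address and PAPI destination port so that a controller log can be triaged at a glance; the port labels are the two roles AJ names in his reply, and the sample log is the three quoted lines plus one constructed non-matching line.

```python
import re
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# Pattern for the AOS "PAPI_Security: Denying message ..." lines quoted in the thread.
# The source address was redacted (x.x.x.x) in the post, so it is matched as any
# non-space text rather than as a dotted quad.
PAPI_DENY_RE = re.compile(
    r"^(?P<proc>\w+)\[(?P<pid>\d+)\]: PAPI_Security: Denying message (?P<msgid>\d+) "
    r"received from unauthenticated source (?P<src>\S+):(?P<sport>\d+) "
    r"for PAPI port (?P<dport>\d+)$"
)

# Port roles as stated in AJ's reply; any other port is reported as unlabelled.
KNOWN_PAPI_PORTS = {8211: "PAPI (first boot)", 8209: "PAPI with cpsec enabled"}


class PapiDenial(NamedTuple):
    proc: str
    pid: int
    msgid: int
    src: str
    sport: int
    dport: int


def parse_papi_denial(line: str) -> Optional[PapiDenial]:
    """Return the parsed denial, or None for lines that are not PAPI_Security denials."""
    m = PAPI_DENY_RE.match(line.strip())
    if not m:
        return None
    return PapiDenial(m["proc"], int(m["pid"]), int(m["msgid"]),
                      m["src"], int(m["sport"]), int(m["dport"]))


def summarize_denials(lines: Iterable[str]) -> Dict[Tuple[str, str, int], int]:
    """Count denials per (receiving process, source address, PAPI destination port)."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_papi_denial(line)
        if d is not None:
            counts[(d.proc, d.src, d.dport)] += 1
    return dict(counts)


def describe_port(port: int) -> str:
    """Label a PAPI port using only the roles named in the thread."""
    return KNOWN_PAPI_PORTS.get(port, "role not named in the thread")


# Constructed sample: the three lines quoted in the original post plus one unrelated line.
SAMPLE_LOG = """\
ble_relay[6000]: PAPI_Security: Denying message 24309 received from unauthenticated source x.x.x.x:8514 for PAPI port 8515
ble_relay[6000]: PAPI_Security: Denying message 24334 received from unauthenticated source x.x.x.x:8514 for PAPI port 8515
stm[5568]: PAPI_Security: Denying message 16200 received from unauthenticated source x.x.x.x:17103 for PAPI port 8222
stm[5568]: some other unrelated log line
"""

if __name__ == "__main__":
    for (proc, src, dport), n in sorted(summarize_denials(SAMPLE_LOG.splitlines()).items()):
        print(f"{proc:<10} {src:<16} port {dport} ({describe_port(dport)}): {n} denied")
```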