
Author Topic: new 5.4.4 Wing RFS6000 / AP650  (Read 10617 times)


Offline hhinfra

  • Rookie
  • **
  • Posts: 4
new 5.4.4 Wing RFS6000 / AP650
« on: September 10, 2013, 05:08:01 AM »
hello,
we are testing V5.4.4 upgraded RFS6000 which originally ran a v4.4 environment with layer 2 and layer 3 attached AP650s.

all attached APs have been successfully upgraded to 5.4.4 by the RFS6000.

we have an auto-provisioning policy which enforces rf-domain and ap-profile by ip subnet which works fine (as far as the dashboard on the RFS6000 is concerned - these are assigned correctly).

we have found that with a layer 3 adopted AP650, it appears to adopt and is listed as adopted on the RFS6000, but in stats>RFS6000>Adopted APs, the status is listed as 'error'. for layer 2 attached devices, the status is configured.

when we check the running/startup config on a layer 3 adopted AP650, it shows default config, so we are quite certain the config is not being transferred to the AP. The APs think they are in default rf-domain and using default ap650 profile.

is there something basic required in configuration on wing5 to allow a layer 3 adopted AP650 to receive its wing5 configuration from the controller that has adopted it?

thanks for any advice.



Offline noobie

  • Full Member
  • ***
  • Posts: 92
Re: new 5.4.4 Wing RFS6000 / AP650
« Reply #1 on: September 10, 2013, 03:39:48 PM »
Hi there,

if migrating from 4.4.x to 5.4.x, AP650s should first be upgraded to any release below 5.4. I assume that you have done that already, but if not, check the release notes of 5.4.4, they have a lot of details on the procedure.

Regarding L3 adoption, are you using DHCP? If yes, then use option 191 to send the adoption info to the AP, so they can find the controller.

Could you please share the config with us?

Thanks.

Offline hhinfra

  • Rookie
  • **
  • Posts: 4
Re: new 5.4.4 Wing RFS6000 / AP650
« Reply #2 on: September 11, 2013, 03:20:33 AM »
thanks for the reply.
yes, we went to 5.3.1 first and verified upgraded APs before going to 5.4.4.
we have option 189 in dhcp for controller ip address. We tried option 191, but this prevented AP300s from finding the controllers so removed it. the AP650 layer 3 can find the controller using 189 as they are reloadable from the controller gui and appearing in the dashboard, just not receiving their config.
we can see level 1 mint links between the controller and all the APs.

I'll upload our config later.


Offline hhinfra

  • Rookie
  • **
  • Posts: 4
Re: new 5.4.4 Wing RFS6000 / AP650
« Reply #3 on: September 12, 2013, 10:16:53 AM »
Hello, this is the config we are using (some info removed).
just to clarify, we use dhcp option 189 for layer 3 adoption. ap650s at 4.4 have had no problems with this. Also everything works fine with layer 2 adoption - the layer 3 ap650s appear to adopt and mint links are established, but they stay on default config. RFS6000 shows them as adopted devices but with status config error. thanks.

!
! Configuration of RFS6000 version 5.4.4.0-007R
!
!
version 2.2
!
!
ip access-list GuestNetwork
 deny ip any 10.0.0.0/8 rule-precedence 10 rule-description "Deny 10.0.0.0"
 permit ip any any rule-precedence 1000 rule-description "AllowInternetAccess"
!
!
firewall-policy default
 no ip dos tcp-sequence-past-window
 no stateful-packet-inspection-l2
 alg sip
!
!
mint-policy global-default
!
wlan-qos-policy default
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
!
aaa-policy AAA_POLICY_wlan_1
 authentication server 1 host xx.xx.xx.xx secret 0 xxxxxxxx
!
wlan 3
 description xxxxxxxxxxx
 ssid xxxxxxxxxxxxxxxxxx
 vlan 3299
 bridging-mode tunnel
 encryption-type tkip
 authentication-type none
 wpa-wpa2 psk 0 xxxxxxxxxxxxxxxx
!
wlan 9
 description xxxxxxxxxxxxxxxxxx
 ssid xxxxxxxxxxxx
 vlan 3299
 bridging-mode tunnel
 encryption-type tkip
 authentication-type none
 wpa-wpa2 psk 0 xxxxxxxxxxxxxxxxxxxxx
!
wlan E1_GLOBAL
 description xxxxxxxxxxxxxxxxxxxxx
 ssid xxxxxxxxxxxxxxx
 vlan-pool-member 3202
 vlan-pool-member 3203
 vlan-pool-member 3204
 vlan-pool-member 3205
 vlan-pool-member 3206
 vlan-pool-member 3299
 bridging-mode tunnel
 encryption-type tkip
 authentication-type none
 wpa-wpa2 psk 0 xxxxxxxxxxxxxxxxx
!
wlan E2_GLOBAL
 description xxxxxxxxxxxxxxxxx
 ssid xxxxxxxxxxxxxxxx
 vlan-pool-member 3202
 vlan-pool-member 3203
 vlan-pool-member 3204
 vlan-pool-member 3205
 vlan-pool-member 3206
 vlan-pool-member 3299
 bridging-mode tunnel
 encryption-type tkip
 authentication-type none
 no answer-broadcast-probes
 wpa-wpa2 psk 0 xxxxxxxxxxxxxxxxxxxx
!
ap300 default-ap300
 country-code gb
 interface radio1
  wlan E1_GLOBAL bss 1 primary
  wlan E2_GLOBAL bss 2 primary
 interface radio2
 preferred-controller-group GLOBAL
  controller-ip-list xxxxxxxxxxxxx
!
smart-rf-policy default
!
auto-provisioning-policy Unknown-AP-650-new
 default-adoption
 adopt ap650 precedence 2 profile L3299-AP650 rf-domain RE3299 ip 10.xx.xx.0/24
!
dhcp-server-policy default
 dhcp-pool RR_test
  network 10.xx.xx.0/24
  address range 10.xx.xx.1 10.xx.xx.10
  default-router 10.xx.xx.xx
 dhcp-pool RR_3299
  network 10.xx.xx.xx/24
  address range 10.xx.xx.1 10.xx.xx.220
  default-router 10.xx.xx.xx
  dns-server 10.xx.xx.xx 10.xx.xx.xx
!
!
management-policy default
 http server
 https server
 ssh
 user xxxxxx password 1 xxxxxxxxxxxxxxx role superuser access all

!removed!
!
l2tpv3 policy default
!
profile rfs6000 default-rfs6000
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 interface me1
 interface up1
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge1
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge2
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge3
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge4
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge5
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge6
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge7
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge8
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface vlan333
  description "I_1 SVI"
  ip address 10.xx.xx.xx/24
 interface vlan3299
  description xxxxxxxxxxxxxxxxxx
  ip address 10.xx.xx.xx/24
 interface wwan1
 interface pppoe1
 use firewall-policy default
 use auto-provisioning-policy Unknown-AP-650-new
 cluster name GLOBAL
 controller group GLOBAL
 no auto-learn-staging-config
 service pm sys-restart
 router ospf
!
profile ap650 L3299-AP650
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 interface radio1
  wlan 9 bss 1 primary
  wlan E1_GLOBAL bss 2 primary
  wlan E2_GLOBAL bss 3 primary
 interface radio2
  shutdown
 interface ge1
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 service pm sys-restart
!
!
profile ap650 default-ap650
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 interface radio1
 interface radio2
 interface ge1
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 service pm sys-restart
!
rf-domain RE3299
 location xxxxxxxxxxxxx
 country-code xx
 use smart-rf-policy default
 override-wlan E2_GLOBAL vlan-pool 3299
 override-wlan E1_GLOBAL vlan-pool 3299
!
rfs6000 00-23-68-XX-XX-XX
 use profile default-rfs6000
 use rf-domain default
 hostname RFS6000XXX
 license AP xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 country-code xx
 no legacy-auto-update ap650
 spanning-tree mst cisco-interoperability enable
 ip default-gateway xx.xx.xx.xx
 ap-upgrade auto ap81xx ap71xx ap621 ap6521 ap6511 ap6532 ap622 ap6522 ap6562
 interface me1
  ip address xx.xx.xx.xx/24
 interface ge1
  switchport mode access
  switchport access vlan 1
  ip dhcp trust
 interface ge2
  switchport mode access
  switchport access vlan 1
  ip dhcp trust
 interface ge3
  switchport mode access
  switchport access vlan 1
  ip dhcp trust
 interface ge4
  switchport mode access
  switchport access vlan 1
  ip dhcp trust
 interface vlan1
  ip address xx.xx.xx.xx/22
 interface vlan3299
  description xxxxxxxxxxxxxx
  ip address 10.xx.xx.xx/24
 use dhcp-server-policy default
 cluster master-priority 255
 logging console warnings
 logging buffered warnings
 no service pm sys-restart
 vrrp 1 description VRRP GLOB
 vrrp 1 priority 100
 vrrp 1 timers advertise 1
 vrrp 1 ip xx.xx.xx.xx
 vrrp 1 preempt
 vrrp 1 interface vlan1
 no vrrp 1 sync-group
 no vrrp 1 monitor critical-resource
 no vrrp 1 delta-priority
!
!
ap650 B4-C7-99-XX-XX-XX
 use profile L3299-AP650
 use rf-domain RE3299
 hostname ap650-XXXXXX
 no configuration-persistence
!
!
end

Offline noobie

  • Full Member
  • ***
  • Posts: 92
Re: new 5.4.4 Wing RFS6000 / AP650
« Reply #4 on: September 12, 2013, 02:59:52 PM »
Hi,

the reason for all the problems is option 189. You should configure option 191 for AP650s, since 189 is for legacy adoption only (ap300 and ap650 which are being migrated to 5.x). For day-to-day use, configure 191 and use level 1 mint links, since you have everything on one single rf-domain.

Mint links can be established automatically (VLAN mint links for instance), but not like they would be if option 191 were configured (the same applies if you configure "controller host pool1=x.x.x.x level 1/2" under ap profile).

Offline hhinfra

  • Rookie
  • **
  • Posts: 4
Re: new 5.4.4 Wing RFS6000 / AP650
« Reply #5 on: October 02, 2013, 05:16:20 AM »
so this is resolved now:

problem was 2 things:

1. Mint MTU size needed to be lowered from default 1500
2. we had missed configuring vlan 1 SVI in the AP650 profile.

once these were configured everything worked fine. using legacy 189 option, but 191 works also.

thanks
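
Added example, not part of the thread and not vendor code: a small Python check that reads a WiNG-style config export and flags the two causes named in the resolution above, a MiNT policy with no MTU override and an AP profile referenced by an auto-provisioning rule that has no VLAN SVI. It generalizes "vlan 1 SVI" to any `interface vlanN` stanza; the `mtu <n>` line under `mint-policy` is an assumption about how the override appears in the export, and the sample config is constructed.

```python
import re
ADOPT = re.compile(r"adopt (\S+) .*\bprofile (\S+)")
SVI = re.compile(r"interface vlan\d+")
# Constructed sample in the style of the posted config (not the poster's real values).
SAMPLE = """\
mint-policy global-default
!
auto-provisioning-policy Unknown-AP-650-new
 adopt ap650 precedence 2 profile L3299-AP650 rf-domain RE3299 ip 10.0.0.0/24
!
profile ap650 L3299-AP650
 interface ge1
  ip dhcp trust
!
profile ap650 FIXED-AP650
 interface ge1
 interface vlan1
!
"""

def parse_blocks(text):
    """Map each unindented header line to its indented body lines."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line or '!' separator
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit(text):
    """Return findings for the two causes named in the resolution post."""
    blocks, findings = parse_blocks(text), []
    # Assumption: an MTU override shows up as an 'mtu <n>' line in the mint policy.
    if not any(l.startswith("mtu ") for l in blocks.get("mint-policy global-default", [])):
        findings.append("mint-policy global-default: MTU left at default 1500")
    for header, body in blocks.items():
        if header.startswith("auto-provisioning-policy "):
            for m in filter(None, (ADOPT.match(rule) for rule in body)):
                profile = blocks.get(f"profile {m[1]} {m[2]}", [])
                if not any(SVI.fullmatch(l) for l in profile):
                    findings.append(f"profile {m[2]}: missing or has no VLAN SVI")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```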