AP350 not joining hive.

  • 1
  • Question
  • Updated 2 years ago
Hi, I have a hive that I've recently had a new entitlement key applied to, to allow a new AP350 connection into the hive. I've added some CAPWAP settings into the new AP350 but it doesn't seem to be joining the hive correctly. Should I be adding it manually somewhere?

I can SSH onto the current APs and the new one, and it's getting IPs etc., so I can see that it's online and doing some things.

It is even appearing in the hive with an alarm/event stating "Default DTLS passphrase is in use".
So I can see it in there enough that it's getting to the hive to some extent. I'm thinking it's that it isn't connecting enough to get the full config brought down, or I am supposed to add it manually somewhere.

I found an old article somewhere that suggested you go to Devices and add, but I don't have that option when I log in.

Any ideas or help?

Thanks
Edd
Edward Hartshorn

Posted 2 years ago

  • 1
Brian Powers, Champ
There are a few ways to tackle this. Are you using Aerohive's HMOL management platform or are you using an on-prem version (VM or physical 1U appliance)?

If you can get into the device via SSH, issue a "show capwap client" command. This will tell us the basic CAPWAP settings that are currently set.

TestAP#show capwap cli
CAPWAP client:   Enabled
CAPWAP transport mode:  UDP
RUN state: Connected securely to the CAPWAP server
CAPWAP client IP:        <Device IP here>
CAPWAP server IP:        <HM Server IP Here>
HiveManager Primary Name:
HiveManager Backup Name:
CAPWAP Default Server Name: redirector.aerohive.com
Virtual HiveManager Name: home
Server destination Port: 12222

Do you show anything for the CAPWAP server IP? If it is a 54.x.x.x IP address and the RUN state is connected, the AP is most likely connected to Aerohive's redirector server.

The simplest fix is to get into one of your APs that is connected and functioning properly.  Issue the same command (show capwap client) and note the CAPWAP server IP.

SSH back into the new device and issue the command: capwap client server name <insert CAPWAP server IP here>

I usually follow that with a:

no capwap cli en

capwap cli en

save config


This will stop and restart the CAPWAP process. And with the correct server set now, when it starts polling for the new server, it should phone home correctly. If you are using HMOL, you will also need to note the Virtual HiveManager Name and issue the following.

capwap client vhm-name <Virtual HiveManager Name here>


After ~90 seconds, you should be able to do another show capwap client and with any luck the RUN state will show connected, the CAPWAP server IP and VHM will be where your current gear is, and the device will show under the managed and unconfigured devices.

Edward Hartshorn
Thanks for the quick reply Brian. Much appreciated.

I've had a look and the server IP and the HiveManager name all seem to be the same, although I've just noticed the transport mode and the port are different. On the one that works it's set as UDP and on the one that isn't it's set as HTTP.

I'm going to see if I can figure out how to change this and the port and see if that kicks it all into life!

It's HiveManager Online and both the working AP and the not-working AP are pointing at a 52.xx.x.x address.

Thanks - I'll let you know if the port and transport method thing works once I've figured out how to change it!

Eddy
Brian Powers, Champ
capwap client server port <port number>
no capwap client transport http

The latter command will set the mode back to UDP.
The first will allow you to set the port number (12222 should be the default).
Edward Hartshorn
Thanks Brian,
Just figured those out and tried them. Still not appearing on the hive, but the CAPWAP stats are saying running and connected. Here is an output from the AP that isn't working, with the names removed. Weirdly it seems to be setting itself back to HTTP on TCP and changing the port by itself:

CAPWAP client:   Enabled
CAPWAP transport mode:  HTTP on TCP

CAPWAP client IP:        
CAPWAP server IP:        52.50.170.143
HiveManager Primary Name:hm-emea-126.aerohive.com
HiveManager Backup Name:
CAPWAP Default Server Name: redirector.aerohive.com
Virtual HiveManager Name:
Server destination Port: 80
CAPWAP send event:       Enabled
CAPWAP DTLS state:       Enabled
CAPWAP DTLS negotiation: Disabled
     DTLS next connect status:   Enable
     DTLS always accept bootstrap passphrase: Enabled
     DTLS session status: Connected
     DTLS key type: passphrase
     DTLS session cut interval:     5 seconds
     DTLS handshake wait interval: 60 seconds
     DTLS Max retry count:          3
     DTLS authorize failed:         0
     DTLS reconnect count:          0
Discovery interval:      5 seconds
Heartbeat interval:     30 seconds
Max discovery interval: 10 seconds
Neighbor dead interval:105 seconds
Silent interval:        15 seconds
Wait join interval:     60 seconds
Discovery count:         0
Max discovery count:     3
Retransmit count:        2
Max retransmit count:    2
Primary server tries:    0
Backup server tries:     0
Keepalives lost/sent:    18/22
Event packet drop due to buffer shortage: 0
Event packet drop due to loss connection: 77

I'll try and set them again, save config and try a restart of the AP again.
Brian Powers, Champ
You have everything good but the Virtual HiveManager name is blank. Your HMOL account is in the cloud, meaning that there are tons of customers potentially using the same server IP. So your device is sitting in a bucket waiting to be claimed, basically.

Do the capwap client vhm-name <name> command to the device and stop/start the CAPWAP service and/or reboot the device and it should pop up under your virtual instance.
Edward Hartshorn
Yeah, sorry Brian, I've got the name in there; just removed it for posting out of habit!
Edward Hartshorn
Now I've changed all those, I can still see an amber alert with the MAC address of the AP in HiveManager that states: "Default DTLS passphrase is in use. Push a complete config to update the passphrase automatically, or set it manually and push a complete or delta config."

However I can't get it online on the hive to push out a config!
Brian Powers, Champ
CAPWAP client:   Enabled
CAPWAP transport mode:  HTTP on TCP

CAPWAP client IP:        
CAPWAP server IP:        52.50.170.143

Did you remove the CAPWAP client IP?

The blank line is where the RUN state should be. The device is not connected (which we both know). Can you issue a capwap ping 52.50.170.143 or a normal ping 52.50.170.143? Does either of those return successful ICMP replies? Can the AP ping 8.8.8.8? Does it have network access at all outside of your local LAN?
Bill W.
Also check your firewall settings to make sure that ports UDP 12222, TCP 22, and TCP 443 are open.
Edward Hartshorn
Hi Brian,
Here is an updated export from the one that isn't there. It appears to suggest that it is up and running successfully, however it still isn't appearing.
Both capwap ping and ping get full working replies, so I think that's OK too.

CAPWAP client:   Enabled
CAPWAP transport mode:  UDP
RUN state: Connected securely to the CAPWAP server
CAPWAP client IP:        
CAPWAP server IP:        52.50.170.143
HiveManager Primary Name:hm-emea-126.aerohive.com
HiveManager Backup Name:
CAPWAP Default Server Name: redirector.aerohive.com
Virtual HiveManager Name:
Server destination Port: 12222
CAPWAP send event:       Enabled
CAPWAP DTLS state:       Enabled
CAPWAP DTLS negotiation: Enabled
     DTLS next connect status:   Enable
     DTLS always accept bootstrap passphrase: Enabled
     DTLS session status: Connected
     DTLS key type: passphrase
     DTLS session cut interval:     5 seconds
     DTLS handshake wait interval: 60 seconds
     DTLS Max retry count:          3
     DTLS authorize failed:         0
     DTLS reconnect count:          0
Discovery interval:      5 seconds
Heartbeat interval:     30 seconds
Max discovery interval: 10 seconds
Neighbor dead interval:105 seconds
Silent interval:        15 seconds
Wait join interval:     60 seconds
Discovery count:         0
Max discovery count:     3
Retransmit count:        0
Max retransmit count:    2
Primary server tries:    0
Backup server tries:     0
Keepalives lost/sent:    1428/2526
Event packet drop due to buffer shortage: 0
Event packet drop due to loss connection: 342

I'm going to keep digging as it's doing my head in! :) Thanks for all your assistance so far!
Brian Powers, Champ
Yes, that looks perfectly fine, so long as the VHM name that you are omitting matches up with your actual VHM.

I'd be curious whether, if you did a clear capwap client counters, the keepalives lost/sent and the event packet drops at the bottom would continue to increment, or whether those are there for some other reason.
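Pulling the checks from this thread together (Brian's procedure for pointing the AP at the right server, the transport/port/VHM mismatches found later, Bill's firewall note and the keepalive counters), the following is an added example, not code from the thread or from Aerohive: it parses `show capwap client` output and lists each mismatch next to the HiveOS command the thread uses to fix it. The two sample outputs are constructed from Eddy's pastes above, trimmed; the 25% keepalive-loss threshold, the `hmol` flag, and the reading of `DTLS key type: passphrase` plus `always accept bootstrap passphrase: Enabled` as the state behind the "Default DTLS passphrase is in use" alarm are assumptions.

```python
import re

# Constructed sample, based on the first output pasted in the thread (names
# removed, fused first line kept as pasted, some counter lines dropped).
BROKEN_AP = """\
CAPWAP client:   EnabledCAPWAP transport mode:  HTTP on TCP

CAPWAP client IP:
CAPWAP server IP:        52.50.170.143
HiveManager Primary Name:hm-emea-126.aerohive.com
Virtual HiveManager Name:
Server destination Port: 80
CAPWAP DTLS negotiation: Disabled
     DTLS always accept bootstrap passphrase: Enabled
     DTLS key type: passphrase
Keepalives lost/sent:    18/22
"""

# Constructed sample, based on the later output after transport and port
# were corrected (VHM name still blank, as it was removed for posting).
FIXED_AP = """\
CAPWAP client:   Enabled
CAPWAP transport mode:  UDP
RUN state: Connected securely to the CAPWAP server
CAPWAP client IP:
CAPWAP server IP:        52.50.170.143
HiveManager Primary Name:hm-emea-126.aerohive.com
Virtual HiveManager Name:
Server destination Port: 12222
CAPWAP DTLS negotiation: Enabled
     DTLS always accept bootstrap passphrase: Enabled
     DTLS key type: passphrase
Keepalives lost/sent:    1428/2526
"""

EXPECTED_PORT = "12222"  # default CAPWAP server port, per the thread


def parse_capwap_status(text):
    """Turn `show capwap client` output into a {key: value} dict. A 'CAPWAP ...:'
    key glued to the previous value (the 'EnabledCAPWAP transport mode:' line
    in the thread) is split back onto its own line first."""
    text = re.sub(r"(?<=\S)(?=CAPWAP [A-Za-z ]+:)", "\n", text)
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            status[key.strip()] = value.strip()
    return status


def keepalive_loss(status):
    """Return (lost, sent, loss_ratio) from 'Keepalives lost/sent: a/b'."""
    m = re.fullmatch(r"(\d+)/(\d+)", status.get("Keepalives lost/sent", ""))
    if not m:
        return 0, 0, 0.0
    lost, sent = int(m.group(1)), int(m.group(2))
    return lost, sent, (lost / sent if sent else 0.0)


def diagnose(status, expected_server=None, expected_vhm=None, hmol=True):
    """Return (severity, finding, next_step) tuples; next_step is the HiveOS
    command used in the thread, or the check to run when no command applies."""
    findings = []
    server = status.get("CAPWAP server IP", "")
    transport = status.get("CAPWAP transport mode", "")
    port = status.get("Server destination Port", "")
    vhm = status.get("Virtual HiveManager Name", "")
    if status.get("CAPWAP client") != "Enabled":
        findings.append(("error", "CAPWAP client disabled", "capwap client enable"))
    if transport != "UDP":
        findings.append(("error", f"transport mode is {transport!r}, expected UDP",
                         "no capwap client transport http"))
    if port != EXPECTED_PORT:
        findings.append(("error", f"server port is {port!r}, expected {EXPECTED_PORT}",
                         f"capwap client server port {EXPECTED_PORT}"))
    if expected_server and server != expected_server:
        findings.append(("error", f"server IP {server!r} differs from the working AP",
                         f"capwap client server name {expected_server}"))
    if not status.get("RUN state", "").startswith("Connected"):
        findings.append(("error", "no RUN state line: not connected to the CAPWAP server",
                         f"ping {server} and capwap ping {server}; check UDP {EXPECTED_PORT} outbound"))
    if hmol and not vhm:  # on HMOL a blank VHM leaves the AP unclaimed
        findings.append(("error", "Virtual HiveManager Name is blank",
                         f"capwap client vhm-name {expected_vhm or '<VHM name>'}"))
    # Assumption: this pair of fields is the state behind the HiveManager alarm
    # 'Default DTLS passphrase is in use'; only a pushed config replaces it.
    if (status.get("DTLS key type") == "passphrase"
            and status.get("DTLS always accept bootstrap passphrase") == "Enabled"):
        findings.append(("warning", "DTLS keyed with the bootstrap passphrase",
                         "push a complete config once the AP is managed"))
    lost, sent, ratio = keepalive_loss(status)
    if sent >= 20 and ratio > 0.25:  # assumed threshold
        findings.append(("warning", f"keepalive loss {lost}/{sent} ({ratio:.0%})",
                         "clear capwap client counters, then re-run show capwap client"))
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_AP), ("fixed", FIXED_AP)):
        print(f"== {name} AP ==")
        for sev, what, step in diagnose(parse_capwap_status(text),
                                        expected_server="52.50.170.143"):
            print(f"[{sev}] {what} -> {step}")
```

Paste the output of `show capwap client` from the AP that works and from the one that does not, and run `diagnose` on the second with `expected_server` (and `expected_vhm`) taken from the first; the commands it prints are the ones from this thread, to be followed by `no capwap cli en`, `capwap cli en` and `save config` as Brian describes.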