Can't install new AH's - Default DTLS passphrase is in use.

  • Question
  • Updated 2 years ago
  • (Edited)

Hi all,

I've been using AH's for 3 years now.
I currently can't install any new AH's because of this problem.

It's getting really frustrating because I've spent a lot of time trying to solve this.

Also I always loved Aerohive and the way it worked, but currently I'm not really happy about it :(

I'm running HiveOS 6.5r3 Honolulu.2530 and HiveManager Enterprise 6.6r1.

I currently have 9 AP141's.

I have the MGMT VLAN on 121 and the Native (Untagged) VLAN on 1.

I connect the AP's on the 121 VLAN.

The problem is when I want to add new AH's I can't upload and activate a config correctly.

I always get this error:


"Default DTLS passphrase is in use. Push a complete config to update the passphrase automatically, or set it manually and push a complete or delta config."


The LED turns white on the AP, but I can't connect to it with my mobile phone or laptop. And often it won't even show the SSID's.


I can add them by serial number, that works fine, so the connection/CAPWAP is good (if I understand the technique a little bit correctly :P).

I've tried to change the Passphrase for one AH and do a Delta push, but that didn't solve the problem.

Also the AH's are really slow with booting. Sometimes it takes up to 30 minutes for the LED to turn white and show that it is connected.

Also when I push a configuration, because of the slow boot, it shows "timeout" at update results and it looks like it won't activate the configuration.

I also tried to reset the whole AH to factory defaults, didn't work either.

Until now I tried 2 new fresh AH's, all the same problems..


I hope someone can help me with this!

Thanks!

Jeffrey

  • 8 Posts
  • 0 Reply Likes
  • frustrated

Posted 2 years ago

Nathaniel Moore, Employee

  • 56 Posts
  • 16 Reply Likes
Hi Jeffrey,

I have seen this before. Basically, the passphrase on the AP is different to the one set within HM. Have you tried pushing a complete configuration push (not delta)? - This will overwrite the passphrase.
Jeffrey

  • 8 Posts
  • 0 Reply Likes
Thanks!
I've now found out that I have to change the switch port settings with the correct VLANs during the AP reboot (when I push out a config).
So the config is uploaded and activated successfully (at least, the update result shows "successful").

But the next problem is that I can't find any SSID's on my clients?
While I pushed the exact same network policy to the AP..

[EDIT]
Sometimes the client finds the SSID, but just can't connect, it just disconnects without any error or reason..
[EDIT2] Okay this is really weird, sometimes I can connect to one of the SSID's (I've got 3) it's broadcasting, but it will disconnect after a few minutes..
(Edited)
Nathaniel Moore, Employee

  • 56 Posts
  • 16 Reply Likes
Hi Jeffrey,

Now we're opening up to a whole host of possibilities :) I am going to take a stab in the dark... do you have Cisco switches? Do you have port security enabled? If you have sticky/static MAC address security this will block the AP and result in your client connections dropping after a few seconds/minutes.

Other than that, your best bet is to run Client Monitor (Tools > Client Monitor in HiveManager 6 and Troubleshoot > Troubleshoot Now in HiveManager NG) and see what is happening between the AP and client.
Jeffrey

  • 8 Posts
  • 0 Reply Likes
Okay, let's narrow the possibilities down then :)

I've connected another _working_ AP to the same network port/cable where the other AP is failing, and this one works instantly. So it's not the switch port faulting I guess?
We've got HP switches.
There's only Storm Control and Loop Protection enabled on the switch.
Link speed is set to Auto.
(Edited)
Jeffrey

  • 8 Posts
  • 0 Reply Likes
I have a feeling that the AP's are jamming each other.. Or at least the clients just don't know which AP to connect to, when there are multiple AP's available / in range with the same SSID?
Is that possible? Aren't the AP's supposed to communicate with each other?
Nathaniel Moore, Employee

  • 56 Posts
  • 16 Reply Likes
Hi Jeffrey,

Depends, sticky MAC address security will adopt the first MAC address it detects on the port and lock down the port for only that address (not sure what options are available on HP). If you haven't specifically configured this however I doubt it is enabled by default.

The APs won't jam each other unless you have a misconfigured WIPS policy with auto mitigation enabled. The clients 'could' be getting confused if you have multiple APs in that they may be roaming to a more attractive SSID/AP which in turn may be misconfigured thus causing the client to drop connection.

As above, I would run a client monitor, this will tell you what is going wrong with the client :).
(Edited)
BJ, Champ

  • 374 Posts
  • 45 Reply Likes
When you mention slow boots, it sounds like the APs are rolling back to default configs, which also might explain why CAPWAP comes up, but no SSIDs. I would suggest setting the switch ports with a native VLAN of 121 (untagged in HP). Make sure you have connectivity to the unconfigured AP.
Then push a complete config, and while the AP is rebooting, set the default vlan back to one during the reboot.

Best,
BJ  
Jeffrey

  • 8 Posts
  • 0 Reply Likes
@BJ,

Indeed, I've tried that before and that works now.
The only problem now is that I have a problem connecting with my clients to the AP's.

@Nathan
I did a client monitoring of my phone (Samsung Galaxy S6, latest updates) and the following came out:
http://pastebin.com/YuGUiUBx

Also on my Macbook I keep getting connected and disconnected all the time:
http://pastebin.com/qDxLAYXN

I can't figure out what's wrong.
Julian Daniel

  • 2 Posts
  • 0 Reply Likes
Jeffrey: We had a lot of issues (especially with roaming) with our AH APs and HP A-series (H3C) switches...until I discovered the firmware we rolled out on the switches was dropping DHCP packets. Clients would show as connected to the AP, but DHCP was intermittent. An update to a recent firmware (2221P02 on our HP5120s) resolved the majority of our issues.
Jeffrey

  • 8 Posts
  • 0 Reply Likes
Okay, I just changed the broadcast band of a SSID from "2.4 GHz" to "2.4 GHz and 5 GHz" and the clients are connecting correctly now.

Isn't that weird? Because 2.4 is usually a band that broadcasts further only at lower rates, right? But I had my AP laying next to my desk, so that shouldn't be the problem?

Also on Android devices the connection isn't really stable yet at some locations, while iOS and OS X devices are good :/
(Edited)
BJ, Champ

  • 374 Posts
  • 45 Reply Likes
First, good job running the Client Monitor. I didn't read through due to all the probe noise in the output. Please check the "filter probes" box to reduce the noise and run again for both clients. We can get to the bottom of this.
Clay

  • 2 Posts
  • 0 Reply Likes
Bump
I've been having what looks to be the same issue, Default DTLS passphrase alarm and our 2 SSIDs aren't coming up on clients' devices. We've got a Netgear switch with the AP on 2 VLANs. I'm able to connect to the AP and push the configuration.
I was getting the same timeouts during booting, this caused my configuration to roll back to defaults. Eventually I was able to push the configuration and have somebody onsite do a manual reboot. Configuration Audit says that it matches our other 52 sites that are running. I cleared the alarm after the config loaded but it came back after 5 minutes or so. Even with the AP running the correct config my clients aren't seeing the SSIDs.
I'm also running HiveOS 6.5r3 Honolulu.2530 and HiveManager Enterprise 6.6r1. But I've got an AP121

Right now I'm going to try resetting the AP to defaults and reconfiguring. 

Update: Reboot timed out again. Going to reset to defaults, reconfigure and do a manual reboot.
(Edited)
Clay

  • 2 Posts
  • 0 Reply Likes
Update: My issue turned out to be conflicting DHCP pools; after changing the subnet, the AP is up and running.
I think a "This device has rolled back to default configuration" alarm would be more helpful than the Default DTLS alarm. Just a thought.
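Clay's root cause above (conflicting DHCP pools after a subnet change) and Julian's earlier DHCP observation are both things that can be caught before a site goes live by checking the pool definitions against each other. The script below is an added example, not code from Aerohive, HiveManager or anyone in this thread; the pool names, subnets and lease ranges are constructed sample data, and the helper names (`parse_pool`, `find_overlaps`) are hypothetical. It reports every pair of pools whose subnets overlap and whether their lease ranges actually collide, which is the case that hands out duplicate or wrong-subnet addresses to clients.

```python
"""Detect overlapping DHCP pools (added example; hypothetical helper, not vendor code)."""
import ipaddress
from itertools import combinations

# Constructed sample pools: (scope name, subnet, first lease address, last lease address).
# "clients-new" was widened to a /23 after a subnet change and now collides with "clients-old";
# "guest" shares the /23 but its lease range does not collide.
SAMPLE_POOLS = [
    ("mgmt-vlan121", "10.1.121.0/24", "10.1.121.50", "10.1.121.200"),
    ("clients-old", "10.1.10.0/24", "10.1.10.100", "10.1.10.250"),
    ("clients-new", "10.1.10.0/23", "10.1.10.200", "10.1.11.50"),
    ("guest", "10.1.11.0/24", "10.1.11.100", "10.1.11.200"),
]


def parse_pool(name, subnet, first, last):
    """Validate one pool definition and return it in a comparable form."""
    net = ipaddress.ip_network(subnet, strict=False)
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"{name}: first lease address is above last lease address")
    if lo not in net or hi not in net:
        raise ValueError(f"{name}: lease range {first}-{last} is outside {net}")
    return {"name": name, "network": net, "lo": int(lo), "hi": int(hi)}


def find_overlaps(pools):
    """Return (pool_a, pool_b, lease_ranges_collide) for every pair whose subnets overlap.

    Subnet overlap alone is a configuration smell (two scopes claim the same
    address space); lease_ranges_collide=True means the two servers/scopes can
    actually hand out the same address to different clients.
    """
    parsed = [parse_pool(*p) for p in pools]
    findings = []
    for a, b in combinations(parsed, 2):
        if not a["network"].overlaps(b["network"]):
            continue
        lease_collision = max(a["lo"], b["lo"]) <= min(a["hi"], b["hi"])
        findings.append((a["name"], b["name"], lease_collision))
    return findings


if __name__ == "__main__":
    for a, b, collide in find_overlaps(SAMPLE_POOLS):
        severity = "LEASE COLLISION" if collide else "subnet overlap only"
        print(f"{a} <-> {b}: {severity}")
```

Running it on the sample data flags `clients-old`/`clients-new` as a real lease collision and `clients-new`/`guest` as a subnet overlap without colliding leases. In practice you would feed it the scopes exported from whichever DHCP server serves the AP and client VLANs; any hit on the management VLAN pool is the one to fix first, since that is the pool the AP itself depends on to reach HiveManager.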