Default Passphrase alert

  • Updated 8 months ago
I upgraded to 6.1r1 this week and pushed out a full fresh config (and rebooted). I logged in just now and a handful of APs had a major alert:

Default DTLS passphrase is in use. Push a complete config to update the passphrase automatically, or set it manually and push a complete or delta config. CAPWAP

What would cause this to happen?

Bradley Chambers, Champ

Posted 5 years ago

Crowdie, Champ

If you clear the alert and reboot an affected access point, is the alert raised again?

I have found the same issue after a firmware upgrade when using non-standard CAPWAP timeouts. If I clear, or remove, the alert and reboot the access point the alert does not occur again. The alert only appears immediately after a firmware upgrade.

Edward Nice

Since the upgrade to HiveManager 6.1r1 we have continued to have this problem on meshed APs running 5.1r4a. No matter how many times we push full configs, or clear the alarm and reboot the AP, it always returns to the same alarm after a few hours.

Kurt Kidder

I continue to see this as well. I have upgraded to 6.1r1 on the AP170s (meshed) and AP141s, and a handful of APs report the alarm above. I have pushed complete configs as was recommended above. I use standard timeouts. How can I resolve this? To be specific, 3 AP141s and 4 AP170s out of 19 total on this site.

Nick Lowe, Official Rep

I have seen this too.

Regards,

Nick

William Lambert

I've started to see this after upgrading to 6.1r1 as well. Anyone from Aerohive have a fix?

William Lambert

I've changed the CAPWAP passphrase in the configs for all of my APs. I just pushed out the update. I'll post back with the results, though it might take several hours before the alert is raised again (if it is raised again).

William Lambert

So far so good. Is this check something new in 6.1? I can't remember. If anyone is still having this issue, you might want to edit all of your APs and change the CAPWAP password. I just used an MD5 hash of a password we use here, then pushed the new config to all of my units.

Rick Parrish

I noticed in my 6.1 upgrade from 5.1 that the passphrase was not migrated along (aka the global password). As such, when we pushed out updates to make sure the new server was fully in control of our APs, their passwords were set back to the default.

The solution was to go to the Home menu, choose Device Manager Settings and "Other Global Settings", and type in a new password for managing all the Aerohives. Then I had to push out a config change.

I know this is the case (the lack of migration of the password) as I had SSH'd into these APs previously under the password in question and had to use the default to open them.

I am betting this is the same issue most of the people here are having. Hope this helps.

Edward Nice

Thanks William and Rick.

Haydn St

So, just a quick recap: both the CAPWAP credentials in the AP and the Global Password need to be changed for the issue to be resolved?

And this is done for just the APs with the Meshpoint issue?

CAA Scans

Ditto here. Seeing this problem after clearing and rebooting several times. I will try to update the password as well.

Edward Nice

OK, this is getting tiresome. Still seeing the error recurring over and over again, even after changing the password and pushing config changes (8x in 4 days!) as per Rick's post.

"Default DTLS passphrase is in use. Push a complete config to update the passphrase automatically, or set it manually and push a complete or delta config."

The issue only seems to affect 'Mesh' connected APs. We had the same issue when we tried to upgrade to 6.1r1, and ended up rolling all of the meshed APs back to 5.1r4 which seems to be the last firmware to reliably support meshing.

Gary Babin

We were experiencing this passphrase alarm phenomenon too. To solve another problem (dropping connections), we reverted to v5.1 and all issues went away.

Edward Nice

Gary, were the dropped connections you experienced in a 'meshed' backhaul?

Gary Babin

We were intermittently dropping client connections. This occurred after upgrading the Hive and APs to v6. The issue was connected to a known bug with the radio buffers (more likely to appear in a high-traffic site).

v5 code has a workaround to this which was not included in v6 (apparently, it was believed the bug had been squashed). Support said the fix is not included in the upcoming release, either, so I'll stick with 5 until it is.

Edward Nice

Is there an ID or case number I can use to reference this bug?

Are you using meshed APs? Most of our issues in 6.0r1-6.1r2 seem to be with meshed APs, particularly AP170s. 5.1r4 was the last stable release for our meshed APs. We updated HiveManager (VM) and all the APs to 6.1r2, then downgraded the meshed APs to 5.1r4 to get a stable (mostly) environment.

Patrick Gibbons

We are seeing the same problem with 25-30 of our 65 APs. None of them are mesh points. I update the password, do a full config and the alarms come back. Aerohive says it doesn't affect connectivity, but I don't like having to check them every day (2x or 3x) to find out if there is a different reason for the alarm.
Why would AH even release something that is not prime-time ready? If I have HMOL (HiveManager Online), can I go back to the 5.x code?

Edward Nice

"Aerohive says it doesn't affect connectivity"!? This appears to be the second or third release with this issue. How about a fix!? Nobody wants to wrestle with buggy infrastructure. Network, wired, wireless or otherwise, needs to be rock solid.

The issue seems to coincide with mesh link and connectivity issues in our meshed environment. Cause or symptom, I cannot say.

Interestingly, we never see the issue on the hardwired APs.

Based on my experience with AP170, this issue, and Gary's comment above (we also have had to roll back to 5.1r4a), there seem to be real issues with regression testing and version control.

Patrick Gibbons

Yes, this is what I was told by a level 3/third tier support person. He said it was an issue with the Default Passphrase and should not affect connectivity. I'm not saying this is true. When 33% of APs are exhibiting non-standard behavior something must be going on. We have no mesh links. I rolled five APs back to 5.1r5 to see what happens.

Haydn St

I checked the AP itself to see what was happening.

After SSHing into the AP I ran the command:

show int eth0

and found that the Admin state for eth0 was active, but the operational state was down.

Not sure why this was the case, but I moved ports, uploaded the config again, and it is now working fine. I have since moved it back to the original port it was operating on and it is all working currently.

Touch wood.

Patrick Gibbons

What do you mean, you "moved the ports?" Did you physically connect the Ethernet cable to the Eth1 port? Thanks.

Haydn St

Hi Patrick,

Yeah, I moved the port physically on the switch. Actually, I physically removed the AP from its location, brought it back to the office, plugged it into a port there and set it all up.

Enrique Ramírez

I am seeing the exact same issue, I am going back to 5.1r5 on our Hive 330s, where we do not use mesh but we do see the same DTLS passphrase issue.

Patrick Gibbons

I went back to 5.1r5 and most of the passphrase issues stopped. Still not 100% clean on the Monitor tab.

Nick Lowe, Official Rep

This is apparently a HiveManager issue and not a HiveOS issue. It was resolved in HiveManager 6.1r2a.

I am not sure why you would want to revert to HiveOS 5.1r5 therefore on the APs... It should have nothing to do with it.

You should request an update via your support channel where HMOL is being used or perform an update yourself where you have a local deployment.

Nick

Patrick Gibbons

I went back because it fixed the alarm issue for a few folks and worked on most of my APs. I was constantly checking the alarms because I had to make sure that they were not something different than the passphrase issue. And...

6.1r2a was not available at the time. No one from Aerohive told me that this was available and included a fix for the issue. Thanks for letting me know. I'll bang on this after hours.