New AP cannot authenticate and keeps dropping to a hidden SSID

  • Question
  • Updated 4 years ago

Hi,

I'm completely new to Aerohive but got given a free AP to see what the performance was like. I've set up the AP230 correctly as far as I'm aware. I've only made a few config changes, which are:

SSID name change and PSK, and I've put a proxy in the AP itself and forced the use of HTTP for HiveManager.

The issue I have is whenever I push out the configuration changes, the AP broadcasts correctly and I can use the wireless for 10 or so minutes. During this time HiveManager says it cannot connect to the AP and the device light is orange.

After 10 minutes the light goes white, I lose the SSID and connection, and HiveManager can once again see the AP. This happens every time I make an update. Under "Audit" the response is Matched.

The only error registered that I can see is "The CAPWAP connection with Hivemanager was lost."

Is anyone familiar with this issue at all, as I'm completely confused at this point?


Thanks
Tom


Tom Palmer


Posted 4 years ago


BJ, Champ

While the light is white, it has connectivity to HiveManager via CAPWAP. It appears that when you push your config, the AP loses connectivity, as the light turns amber. Then, after a ten-minute timeout, it reboots and reverts back to the default configuration, where it regains CAPWAP access to HiveManager.
Please send more details regarding your config. I would verify the plan config first.

Best,
BJ

BJ, Champ

Sorry for the auto-correct... I would verify the VLAN config first.

Tom Palmer

Is there any easy way to display the config so I can paste everything you need?

BJ, Champ

Click on the audit link; it's the exclamation point next to the AP.

Tom Palmer


Couldn't find an exclamation point; the only thing by Audit said Matched. But I did a config audit, if that helps:

config rollback enable
config rollback capwap-disconnect
no capwap client transport
no capwap client server port
no dns server-ip 10.224.152.1
track BFBC
track BFBC enable
track BFBC default-gateway
track BFBC multi-dst-logic and
track BFBC action enable-access-console
track BFBC retry 2
track BFBC interval 6
lldp
service SMB protocol tcp port 139
service SMB protocol tcp timeout 1800
service HTTP-8080 protocol tcp port 8080
clock time-zone -5
clock time-zone daylight-saving-time 03-09 01:59:59 11-02 01:59:59
dns server-ip 208.67.222.222
dns server-ip 208.67.220.220 second
alg ftp enable
alg tftp enable
alg sip enable
alg http enable
security mac-filter BFBC default permit
security mac-filter EducationIT default permit
qos classifier-profile eth0
qos classifier-profile eth0 service
qos classifier-profile eth1
qos classifier-profile eth1 service
qos classifier-profile red0
qos classifier-profile red0 service
qos classifier-profile agg0
qos classifier-profile agg0 service
qos classifier-profile EducationIT
qos classifier-profile EducationIT service
qos classifier-map service dhcp-server qos 4
qos classifier-map service dns qos 4
qos classifier-map service tftp qos 2
qos classifier-map service ica qos 3
qos classifier-map service ica action permit
qos classifier-map service pcoip-control qos 3
qos classifier-map service pcoip-control action permit
qos classifier-map service pcoip-media qos 3
qos classifier-map service pcoip-media action permit
qos classifier-map service dhcp-client qos 4
user-profile EducationIT
user-profile EducationIT qos-policy def-user-qos
user-profile EducationIT vlan-id 1
user-profile EducationIT attribute 2
user-profile EducationIT deny-action-for-schedule ban
user-profile EducationIT cac airtime-percentage 0
user-profile EducationIT performance-sentinel enable
user-profile EducationIT performance-sentinel guaranteed-bandwidth 5000
user-profile EducationIT performance-sentinel action log
no user-profile EducationIT performance-sentinel action boost
security-object EducationIT
no security-object EducationIT security additional-auth-method mac-based-auth
security-object EducationIT security protocol-suite wpa2-aes-psk ascii-key ******
security-object EducationIT security protocol-suite wpa2-aes-psk ascii-key ****** rekey-period 0
security-object EducationIT security protocol-suite wpa2-aes-psk ascii-key ****** non-strict
security-object EducationIT security protocol-suite wpa2-aes-psk ascii-key ****** gmk-rekey-period 0
security-object EducationIT security protocol-suite wpa2-aes-psk ascii-key ****** ptk-timeout 4000
security-object EducationIT security protocol-suite wpa2-aes-psk ascii-key ****** ptk-retry 3
security-object EducationIT security protocol-suite wpa2-aes-psk ascii-key ****** gtk-timeout 4000
security-object EducationIT security protocol-suite wpa2-aes-psk ascii-key ****** gtk-retry 3
security-object EducationIT security protocol-suite wpa2-aes-psk ascii-key ****** ptk-rekey-period 0
security-object EducationIT security protocol-suite wpa2-aes-psk replay-window 0
no security-object EducationIT security private-psk
security-object EducationIT security roaming cache update-interval 60 ageout 60
security-object EducationIT security eap timeout 30
security-object EducationIT security eap retries 3
security-object EducationIT default-user-profile-attr 2
security-object EducationIT user-profile-allowed all
security-object EducationIT user-profile-sequence mac-ssid-cwp
ssid EducationIT
ssid EducationIT dtim-period 1
ssid EducationIT frag-threshold 2346
no ssid EducationIT hide-ssid
no ssid EducationIT ignore-broadcast-probe
ssid EducationIT rts-threshold 2346
no ssid EducationIT manage SNMP
ssid EducationIT manage SSH
no ssid EducationIT manage Telnet
ssid EducationIT manage ping
ssid EducationIT security-object EducationIT
ssid EducationIT security mac-filter EducationIT
no ssid EducationIT security screening tcp-syn-check
ssid EducationIT security wlan dos ssid-level frame-type probe-req
ssid EducationIT security wlan dos ssid-level frame-type probe-req threshold 12000
ssid EducationIT security wlan dos ssid-level frame-type probe-req alarm 60
ssid EducationIT security wlan dos ssid-level frame-type probe-resp
ssid EducationIT security wlan dos ssid-level frame-type probe-resp threshold 24000
ssid EducationIT security wlan dos ssid-level frame-type probe-resp alarm 60
ssid EducationIT security wlan dos ssid-level frame-type assoc-req
ssid EducationIT security wlan dos ssid-level frame-type assoc-req threshold 6000
ssid EducationIT security wlan dos ssid-level frame-type assoc-req alarm 60
ssid EducationIT security wlan dos ssid-level frame-type assoc-resp
ssid EducationIT security wlan dos ssid-level frame-type assoc-resp threshold 2400
ssid EducationIT security wlan dos ssid-level frame-type assoc-resp alarm 60
ssid EducationIT security wlan dos ssid-level frame-type auth
ssid EducationIT security wlan dos ssid-level frame-type auth threshold 6000
ssid EducationIT security wlan dos ssid-level frame-type auth alarm 60
ssid EducationIT security wlan dos ssid-level frame-type deauth
ssid EducationIT security wlan dos ssid-level frame-type deauth threshold 1200
ssid EducationIT security wlan dos ssid-level frame-type deauth alarm 60
ssid EducationIT security wlan dos ssid-level frame-type disassoc
ssid EducationIT security wlan dos ssid-level frame-type disassoc threshold 1200
ssid EducationIT security wlan dos ssid-level frame-type disassoc alarm 60
ssid EducationIT security wlan dos ssid-level frame-type eapol
ssid EducationIT security wlan dos ssid-level frame-type eapol threshold 6000
ssid EducationIT security wlan dos ssid-level frame-type eapol alarm 60
ssid EducationIT security wlan dos station-level frame-type probe-req
ssid EducationIT security wlan dos station-level frame-type probe-req threshold 1200
ssid EducationIT security wlan dos station-level frame-type probe-req alarm 60
ssid EducationIT security wlan dos station-level frame-type probe-resp
ssid EducationIT security wlan dos station-level frame-type probe-resp threshold 2400
ssid EducationIT security wlan dos station-level frame-type probe-resp alarm 60
ssid EducationIT security wlan dos station-level frame-type assoc-req
ssid EducationIT security wlan dos station-level frame-type assoc-req threshold 600
ssid EducationIT security wlan dos station-level frame-type assoc-req alarm 60
ssid EducationIT security wlan dos station-level frame-type assoc-req ban 60
ssid EducationIT security wlan dos station-level frame-type assoc-resp
ssid EducationIT security wlan dos station-level frame-type assoc-resp threshold 240
ssid EducationIT security wlan dos station-level frame-type assoc-resp alarm 60
ssid EducationIT security wlan dos station-level frame-type auth
ssid EducationIT security wlan dos station-level frame-type auth threshold 600
ssid EducationIT security wlan dos station-level frame-type auth alarm 60
ssid EducationIT security wlan dos station-level frame-type auth ban 60
ssid EducationIT security wlan dos station-level frame-type deauth
ssid EducationIT security wlan dos station-level frame-type deauth threshold 120
ssid EducationIT security wlan dos station-level frame-type deauth alarm 60
ssid EducationIT security wlan dos station-level frame-type disassoc
ssid EducationIT security wlan dos station-level frame-type disassoc threshold 120
ssid EducationIT security wlan dos station-level frame-type disassoc alarm 60
ssid EducationIT security wlan dos station-level frame-type eapol
ssid EducationIT security wlan dos station-level frame-type eapol threshold 600
ssid EducationIT security wlan dos station-level frame-type eapol alarm 60
ssid EducationIT security wlan dos station-level frame-type eapol ban 60
ssid EducationIT qos-classifier EducationIT
ssid EducationIT wmm
no ssid EducationIT uapsd
ssid EducationIT 11a-rate-set 6-basic 9 12-basic 18 24-basic 36 48 54
ssid EducationIT 11g-rate-set 1-basic 2-basic 5.5-basic 11-basic 6 9 12 18 24 36 48 54
ssid EducationIT 11n-mcs-expand-rate-set mcs0/1,mcs1/1,mcs2/1,mcs3/1,mcs4/1,mcs5/1,mcs6/1,mcs7/1,mcs0/2,mcs1/2,mcs2/2,mcs3/2,mcs4/2,mcs5/2,mcs6/2,mcs7/2,mcs0/3,mcs1/3,mcs2/3,mcs3/3,mcs4/3,mcs5/3,mcs6/3,mcs7/3
ssid EducationIT 11ac-mcs-rate-set mcs0/1,mcs1/1,mcs2/1,mcs3/1,mcs4/1,mcs5/1,mcs6/1,mcs7/1,mcs0/2,mcs1/2,mcs2/2,mcs3/2,mcs4/2,mcs5/2,mcs6/2,mcs7/2,mcs0/3,mcs1/3,mcs2/3,mcs3/3,mcs4/3,mcs5/3,mcs6/3,mcs7/3,mcs8/1,mcs9/1,mcs8/2,mcs9/2,mcs8/3,mcs9/3
ssid EducationIT inter-station-traffic
ssid EducationIT max-client 100
no ssid EducationIT mode legacy
ssid EducationIT client-age-out 5
ssid EducationIT multicast conversion-to-unicast disable
hive BFBC
hive BFBC frag-threshold 2346
hive BFBC rts-threshold 2346
hive BFBC password

no hive BFBC manage SNMP
hive BFBC manage SSH
no hive BFBC manage Telnet
hive BFBC manage ping
hive BFBC security mac-filter BFBC
no bonjour-gateway enable
interface eth0 qos-classifier eth0
interface eth1 qos-classifier eth1
interface mgt0 hive BFBC
interface mgt0 ip 10.224.152.29/16
interface wifi0 ssid EducationIT
no interface wifi0 ssid EducationIT shutdown
interface wifi1 mode access
interface wifi1 ssid EducationIT
no interface wifi1 ssid EducationIT shutdown
access-console security protocol-suite wpa-auto-psk ascii-key ******
ntp server ntp1.aerohive.com
capwap client dtls hm-defined-passphrase ****** key-id 1
no capwap client dtls negotiation enable
report statistic alarm-threshold interface tx-retry-rate 60
application reporting auto


Tom Palmer


And a running config:

interface mgt0 ip 10.224.152.29 255.255.252.0
ip route net 0.0.0.0 0.0.0.0 gateway 10.224.155.254
no interface mgt0 dhcp client
dns server-ip 10.224.152.1
config rollback enable
capwap client server port 80
capwap client server name freeap-useast-001.aerohive.com
capwap client vhm-name BFBC
capwap client HTTP proxy name unfiltered.proxy.segfl.ifl.net port 8080
capwap client transport HTTP


J. Goodnough, Champ

Just want to confirm that your gateway is the last IP address in the subnet. There's something in your config that's preventing the AP from reaching the outside world...

Tom Palmer

Yup, just double-checked: it's the .254 address above.

Tom Palmer


Then it went to "Unable to fetch the running config from the device because it is still disconnected from HiveManager."

Now it's saying Staged.


Mike Kouri, Official Rep

Tom,
What type (make/model) of web proxy does your organization use? We have had reports of incompatibility with some vendors. Our QA team uses Squid for testing this feature; it doesn't need any authentication for the proxied devices (like our APs), and it does not combine responses from multiple GETs into one response (which seems to be the part that breaks us).

Is it possible for you to bypass the web proxy and use the "native" port 12222 for CAPWAP? FWIW, we do secure the contents of the CAPWAP messages, so you are not weakening your security by doing this.

Tom Palmer


We also use a Squid-based proxy; unfortunately, I cannot bypass this even for testing purposes.

I've selected to enforce HTTP comms, but do any other ports still need to be opened in the firewall, as I know all mine are closed?


J. Goodnough, Champ

I do notice that the DNS servers are changing from the running to the candidate, that might be something to examine...
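The check described in the reply above, comparing the running config with the candidate config and looking for changed DNS and CAPWAP settings, as an added example (not code from the thread or from Aerohive). The two config excerpts are copied from the running config and the audit config posted earlier in this thread; the WATCH prefixes, the finding categories and the function names are this example's own assumptions, not anything HiveOS defines.

```python
"""Diff a HiveOS running config against a HiveManager candidate (audit) config
and flag changes to settings that decide whether the AP can still reach
HiveManager after the push.  Example code, not from the thread or from
Aerohive; config excerpts below are copied from the posts above."""

# Constructed test input: excerpt of the running config posted in the thread.
RUNNING = """\
interface mgt0 ip 10.224.152.29 255.255.252.0
ip route net 0.0.0.0 0.0.0.0 gateway 10.224.155.254
no interface mgt0 dhcp client
dns server-ip 10.224.152.1
config rollback enable
capwap client server port 80
capwap client server name freeap-useast-001.aerohive.com
capwap client vhm-name BFBC
capwap client HTTP proxy name unfiltered.proxy.segfl.ifl.net port 8080
capwap client transport HTTP
"""

# Constructed test input: excerpt of the audit (candidate) config posted in the thread.
CANDIDATE = """\
config rollback enable
config rollback capwap-disconnect
no capwap client transport
no capwap client server port
no dns server-ip 10.224.152.1
dns server-ip 208.67.222.222
dns server-ip 208.67.220.220 second
ntp server ntp1.aerohive.com
capwap client dtls hm-defined-passphrase ****** key-id 1
no capwap client dtls negotiation enable
"""

# Command prefixes whose change can sever the CAPWAP session to HiveManager.
# Assumption for this example, not an Aerohive-defined list.
WATCH = ("dns server-ip", "capwap client", "ip route", "interface mgt0 ip")


def parse(text):
    """Split a config into (positive, negated) sets of whitespace-normalised
    command lines; 'no X' is recorded as X in the negated set."""
    positive, negated = set(), set()
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line:
            continue
        if line.startswith("no "):
            negated.add(line[3:])
        else:
            positive.add(line)
    return positive, negated


def is_watched(line):
    return line.startswith(WATCH)


def audit(running, candidate):
    """Return sorted (kind, line) findings for watched settings:
    REMOVES - 'no X' in candidate and X (or 'X <args>') exists in running
    NEGATES - 'no X' in candidate with nothing matching in running
    ADDS    - X in candidate but not in running
    """
    run_pos, _ = parse(running)
    cand_pos, cand_neg = parse(candidate)
    findings = []
    for line in sorted(cand_neg):
        if not is_watched(line):
            continue
        present = line in run_pos or any(r.startswith(line + " ") for r in run_pos)
        findings.append(("REMOVES" if present else "NEGATES", line))
    for line in sorted(cand_pos):
        if is_watched(line) and line not in run_pos:
            findings.append(("ADDS", line))
    return findings


def effective_dns(running, candidate):
    """Resolver list the AP ends up with if the candidate is applied on top of
    the running config in order; 'no dns server-ip X' drops X."""
    servers = []
    for raw in (running + candidate).splitlines():
        parts = raw.split()
        if parts[:3] == ["no", "dns", "server-ip"]:
            servers = [s for s in servers if s != parts[3]]
        elif parts[:2] == ["dns", "server-ip"] and parts[2] not in servers:
            servers.append(parts[2])
    return servers


if __name__ == "__main__":
    for kind, line in audit(RUNNING, CANDIDATE):
        print(f"{kind:8} {line}")
    print("DNS before:", effective_dns(RUNNING, ""))
    print("DNS after: ", effective_dns(RUNNING, CANDIDATE))
```

On the posted excerpts, the script reports that the push drops the AP's internal resolver 10.224.152.1 in favour of the two 208.67.x.x public servers, which is the change the thread eventually fixed; it also lists every other watched line the candidate negates or adds, so the same check can be rerun after each HiveManager change rather than reading two config dumps by eye.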

Tom Palmer


Bingo, thanks. Didn't realise you had to set the DNS in the Admin setting in HiveManager as well as in the AP config. Removed the 208.67.222.222 DNS, which I'm not sure where it came from, and entered the correct one. Works perfectly now.

Thanks for the help.