The configuration was uploaded to the Aerohive device but not activated

  • 1
  • Question
  • Updated 4 years ago
  • Answered
From HiveManager Online I pushed a configuration. This took a while, but finally the APs came online, with the message: "The configuration was uploaded to the Aerohive device but not activated."

Anyone have an idea what caused this and what the impact is?
John Q.
John Q

  • 4 Posts
  • 0 Reply Likes

Posted 4 years ago

  • 1
Carsten Buchenau, Champ

  • 356 Posts
  • 117 Reply Likes
Hi John,

Looks like a complete upload was performed, which always requires a reboot of the Access Point.

So your new configuration will be activated after/through the next AP reboot.

The default Aerohive setting is:
- determine automatically if a full upload (requires reboot) or a delta upload (only differences are uploaded, no reboot) is performed
- on full upload, a manual reboot is required

You can see a summary of these settings (2nd screenshot) and modify this behaviour, e.g. to automatically reboot after a complete upload, or to reboot at a certain scheduled time.



Check out the "Activation Time" summary. Then click on "Settings" to modify both Upload Type and Activation Time:

John Q

  • 4 Posts
  • 0 Reply Likes
Thanks for the quick response.
I rebooted all the APs and got this: "Default DTLS passphrase is in use. Push a complete config to update the passphrase automatically, or set it manually and push a complete or delta config."

So I changed the default DTLS passphrase, and now I have been waiting more than 20 minutes and the APs are still rebooting.



Now I have a timeout.


Could this be a capwap communication issue?
John Q

Carsten Buchenau, Champ

  • 356 Posts
  • 117 Reply Likes
I am curious... where exactly did you set the DTLS passphrase? Under CAPWAP server settings of your VHM? Or directly at the AP configuration settings?

The Aerohive system has a default, built-in DTLS passphrase that cannot be changed. It is used internally by the Hivemanager to be able to communicate with new, unconfigured devices. And yes, you are right, this is about CAPWAP communication.

From the Help system:
Aerohive devices and HiveManager use the CAPWAP (Control and Provisioning of Wireless Access Points) protocol to communicate with each other. A device acts as a CAPWAP client, and HiveManager acts as a CAPWAP server. The client keeps sending Discovery Request messages until it receives a Discovery Response from the server. When the CAPWAP server receives a Discovery Request message and responds with a Discovery Response, the CAPWAP server and client can then perform a DTLS (Datagram Transport Layer Security) handshake to establish a secure DTLS session. They mutually authenticate each other by using a preshared key that is derived from a passphrase.
So the first time you do a complete upload, the default DTLS passphrase is changed to the one unique to your VHM (see CAPWAP server settings). You do not have to change this - just do a complete upload with reboot.

So I am not sure what happened now in your case... but as the capwap communication between your APs and Hivemanager is failing, there should be an automatic configuration rollback after a timeout, and your APs will appear again. Then try a complete upload with reboot again.

One note: A complete upload is using SCP (TCP 22), not CAPWAP (UDP 12222)! The latter is used for AP status updates and DELTA uploads.

So you want to make sure that both TCP 22 and UDP 12222 are open for outgoing connections from your APs to the Hivemanager used. We had cases where UDP 12222 was open but TCP 22 was blocked: APs were showing up as online, delta uploads were working, but not complete upload and no firmware upgrades.

carsten
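The firewall condition Carsten describes (UDP 12222 open, TCP 22 blocked: APs online and delta uploads fine, but complete uploads and firmware upgrades failing) can be checked from a host behind the same firewall policy as the APs. The script below is an added illustration, not Aerohive's or HiveManager's code; HIVEMANAGER_HOST is a placeholder, the port numbers come from the thread, and the loopback listener helpers exist only so the checker can be validated against a known-open port before a negative result is trusted.

```python
"""Outbound reachability check from an AP's network to HiveManager.

Added illustration, not Aerohive code. It probes the two flows named in the
thread: UDP 12222 (CAPWAP: registration, status updates, delta uploads) and
TCP 22 (SCP: complete uploads, firmware upgrades), then maps the outcome onto
the symptoms described. Run it from a host that sits behind the same firewall
policy as the APs. HIVEMANAGER_HOST is a placeholder.
"""
import socket
import threading

HIVEMANAGER_HOST = "hivemanager.example.invalid"  # placeholder: your VHM's hostname
CAPWAP_PORT = 12222  # UDP, from the thread
SCP_PORT = 22        # TCP, from the thread


def check_tcp(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes; False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_udp(host, port, timeout=3.0, probe=b"\x00"):
    """Best-effort UDP probe on a connected socket so ICMP errors surface.

    "reply"   - a datagram came back: the port is reachable and answers.
    "refused" - ICMP port unreachable: the host was reached, nothing listens.
    "silent"  - nothing within the timeout: typical of a dropping firewall,
                but a listener that ignores unknown probes looks identical.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(probe)
            s.recv(64)
            return "reply"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "silent"
        except OSError:
            return "error"


def diagnose(capwap_ok, scp_ok):
    """Map the two results onto the behaviour described in the thread."""
    if capwap_ok and scp_ok:
        return "both flows reachable: a complete upload with reboot should work"
    if capwap_ok:
        return ("UDP 12222 open but TCP 22 blocked: APs show online and delta uploads "
                "work, but complete uploads and firmware upgrades fail")
    if scp_ok:
        return "UDP 12222 blocked: APs cannot register with HiveManager over CAPWAP"
    return "both flows blocked: APs cannot reach HiveManager at all"


def start_loopback_listener(proto):
    """Start a one-shot loopback listener and return its port.

    Validates the checker before a negative result is trusted: if the probe
    succeeds here, a failure against HiveManager is the network's doing.
    """
    if proto == "tcp":
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)

        def serve():
            conn, _ = srv.accept()
            conn.close()
            srv.close()
    else:
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind(("127.0.0.1", 0))

        def serve():
            data, peer = srv.recvfrom(64)
            srv.sendto(data, peer)  # echo, so check_udp reports "reply"
            srv.close()

    port = srv.getsockname()[1]
    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_loopback_port():
    """Reserve and release a loopback port so that nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    capwap_result = check_udp(HIVEMANAGER_HOST, CAPWAP_PORT)
    scp_ok = check_tcp(HIVEMANAGER_HOST, SCP_PORT)
    print(f"UDP {CAPWAP_PORT}: {capwap_result}")
    print(f"TCP {SCP_PORT}: {'ok' if scp_ok else 'NOT reachable'}")
    print(diagnose(capwap_result == "reply", scp_ok))
```

A "silent" UDP result is not proof of a block: a CAPWAP server may simply ignore a one-byte probe, so read it together with whether the APs show up as online in HiveManager. The TCP 22 result, by contrast, is conclusive either way, and that is the flow the thread's symptom hinges on.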

John Q

  • 4 Posts
  • 0 Reply Likes
Hi

I changed the cap passphrase in the cloud HiveManager under \device management settings\other global settings.

Since this passphrase is automatically changed the first time with the new HiveManager Online account (which is sent with the registration to the email address), this mechanism automatically changes the passphrase.

After the upload it said to change it, so I changed this, but this did not work.

Now I am checking the firewall.

But it is strange that in the original upload the upload eventually works but does not load.

So the CAPWAP communication just starts after the config upload?

I will let you know as soon as the firewall is adjusted.
John Q.

Carsten Buchenau, Champ

  • 356 Posts
  • 117 Reply Likes
The password you set is the root admin password, used to log into the device (e.g. by ssh):

For your network security, change the login password for your configured Aerohive devices: This is the password for the root admin to use when logging in to a new device. The default password is aerohive. The New Password field only affects the password used to log in to devices.
The DTLS passphrase is something different and used for CAPWAP communications:

By default, when a device first connects to HiveManager, it uses a predefined bootstrap passphrase combined with several other values to derive a shared key that the devices then use to authenticate each other. The different elements that are involved with the generation of the key ensure that it is unique for each device-HiveManager relationship. Then, after the device and HiveManager authenticate each other and complete the DTLS handshake, they generate another key for encrypting their communications. They generate a different encryption key after every DTLS handshake.

After the device and HiveManager securely establish an initial session, you can devise your own passphrase from which that device and HiveManager derive their shared keys. For information about doing that, see the DTLS section in "Aerohive AP Settings".

So in your case this process hasn't been completed yet, hence the message about using the DTLS passphrase.

As mentioned, you can set this per AP, as described here: http://www.aerohive.com/330000/docs/help/english/6.1r5/hm/full/help.htm#config/APs/manAPDconfig.htm. But really, you don't have to...

A CAPWAP communication is the first thing that happens when you connect a new AP to your network. It is used to register to a Hivemanager. Once a CAPWAP tunnel is successfully established, the same tunnel is used for constant status updates as well as for transmitting delta uploads. SCP is used for complete uploads and firmware updates.

I think checking your Firewall rules is a good bet. However, if you force complete upload with reboot again, I believe it should work.
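The help text quoted above says the DTLS pre-shared key is derived from a passphrase combined with other values so that it is unique to each device-HiveManager pair, and that both sides must derive the same key to authenticate. The block below is an added illustration of that idea, not Aerohive's actual derivation: it models the key with HKDF-SHA256 over the passphrase, a device serial and a server identifier (all constructed placeholders, as are the passphrase strings) and replays the thread's states, including what happens when a passphrase is changed on one side only.

```python
"""Passphrase-derived DTLS pre-shared keys, as an added illustration.

This is not Aerohive's algorithm. The help text only says the key is derived
from a passphrase combined with other values so that it is unique to each
device-HiveManager pair; that idea is modelled here with HKDF-SHA256 over the
passphrase, a device serial and a server identifier (constructed
placeholders). The scenario at the end replays the thread: bootstrap key,
VHM-unique key after a complete upload, and a change made on one side only.
"""
import hashlib
import hmac

BOOTSTRAP_PASSPHRASE = "bootstrap-placeholder"  # stands in for the built-in default
VHM_PASSPHRASE = "vhm-unique-placeholder"       # stands in for the VHM's own passphrase


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF with SHA-256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_psk(passphrase, device_serial, server_id):
    """PSK for one device-server pair; any differing input gives a different key."""
    return hkdf_sha256(
        ikm=passphrase.encode(),
        salt=server_id.encode(),
        info=b"capwap-dtls-psk|" + device_serial.encode(),
    )


def mutual_auth_ok(device_psk, server_psk):
    """Both sides must hold the same key; compare in constant time."""
    return hmac.compare_digest(device_psk, server_psk)


def scenario(device_serial="AP-SERIAL-PLACEHOLDER", server_id="vhm-placeholder"):
    """Replay the thread's three states and return which of them authenticate."""
    # 1. New device: both sides still use the built-in bootstrap passphrase.
    bootstrap = mutual_auth_ok(
        derive_psk(BOOTSTRAP_PASSPHRASE, device_serial, server_id),
        derive_psk(BOOTSTRAP_PASSPHRASE, device_serial, server_id),
    )
    # 2. After a complete upload with reboot: both sides moved to the VHM passphrase.
    after_complete_upload = mutual_auth_ok(
        derive_psk(VHM_PASSPHRASE, device_serial, server_id),
        derive_psk(VHM_PASSPHRASE, device_serial, server_id),
    )
    # 3. Passphrase changed on HiveManager only: the AP still derives the old key,
    #    so the DTLS handshake cannot complete (constructed case).
    one_side_changed = mutual_auth_ok(
        derive_psk(BOOTSTRAP_PASSPHRASE, device_serial, server_id),
        derive_psk("changed-on-server-only", device_serial, server_id),
    )
    return {
        "bootstrap": bootstrap,
        "after_complete_upload": after_complete_upload,
        "one_side_changed": one_side_changed,
    }


if __name__ == "__main__":
    for state, ok in scenario().items():
        print(f"{state:22s} {'authenticates' if ok else 'DTLS handshake fails'}")
```

The design point is that a single passphrase never becomes a single shared key: mixing in per-pair values means one device's key is useless against another device's session, and the only way both sides end up with the same key is for the passphrase change to reach both of them, which is what the complete upload with reboot does.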