Troubleshooting a Stranded Aruba AP
When attempting to troubleshoot a stranded Aruba Access Point (AP) that is no longer connected to its Wireless LAN Controller (WLC), I encountered several challenges, including difficulties accessing the AP. Below, I outline two key findings that were crucial to resolving the issue, along with detailed CLI examples.
Finding 1: The SSH Username and Password
Understanding the Default Credentials
The SSH username for Aruba APs is „root“, not „admin“. The password, however, is configured on the WLC and pushed to the AP. By default, this is defined in the „default“ AP system-profile unless the AP or its group is assigned a different profile. It is important to ensure this configuration is set before the AP becomes stranded, as the WLC must write the configuration to the AP.
CLI Examples
Here are examples of the „ap system-profile“ configurations:
ap system-profile "apsys_prof-mtv82"
ap-console-password "***********"
bkup-passwords "***********"
!
ap system-profile "default"
session-acl ""
heartbeat-dscp 46
mgmt-dscp 34
telnet
ap-console-password "***********"
bkup-passwords "***********"
!
ap system-profile "default_apsys_ui"
session-acl ""
lms-ip 10.100.11.11
bkup-lms-ip 10.100.11.12
ap-console-password "***********"
bkup-passwords "***********"
!
ap system-profile "NO-LED"
led-mode off
ap-console-password "***********"
bkup-passwords "***********"
!
ap system-profile "NoAuthApSystem"
session-acl ""
lms-ip 10.100.11.11
bkup-lms-ip 10.100.11.12
ap-console-password "***********"
bkup-passwords "***********"
Pro Tip
To retrieve the AP password from the WLC configuration after the AP is stranded, use the following command to disable password encryption temporarily:
(WC-1UG-HSB-1) *[mynode] #configure t
Enter Configuration commands, one per line. End with CNTL/Z
(WC-1UG-HSB-1) *[mynode] (config) #encrypt disable
(WC-1UG-HSB-1) *[mynode] (config) #exit
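Once encryption is disabled, the passwords are displayed in plain text in the „show run“ output. Because this is only meant as a temporary change, re-enable encryption once the password has been retrieved.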
Finding 2: Permission Issues on the AP
Initial Challenges
When attempting to connect to the stranded AP via SSH, I encountered numerous „Permission denied“ errors for common commands like enable, show, and even ?. Below is an example of the restricted output:
~ # en
en: Permission denied
~ # show run
show: Permission denied
~ # enable
-sh: enable: not found
~ # help
help: Permission denied
Insights and Solution
Despite these limitations, it is still possible to:
- Ping other devices:
~ # ping 10.100.11.30
PING 10.100.11.30 (10.100.11.30): 56 data bytes
^C
--- 10.100.11.30 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
~ # ping 10.100.11.10
PING 10.100.11.10 (10.100.11.10): 56 data bytes
64 bytes from 10.100.11.10: icmp_seq=0 ttl=63 time=0.6 ms
^C
--- 10.100.11.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
- Switch to full access: Press „Control“ + „Escape“ + „k“
control + esc + k
~ # Switching to Full Access
~ #this enables a „linux shell like“ full access
After gaining full access, additional diagnostics can be performed. For example, checking routing information:
~ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.100.31.254 0.0.0.0 UG 0 0 0 br0
10.100.31.0 * 255.255.255.0 U 0 0 0 br0
- Inspect logs:
~ # cd /var/log/
/var/log # cat messages
Dec 31 16:00:59 KERNEL(303H-SPARE1@10.100.31.240): [ 19.079525] There is no gpio reset info
Dec 31 16:01:01 ofald[3816]: SAPM Client failed: (null) Message Code 62526 Sequence Num is 2
Dec 31 16:07:41 dropbear[4043]: Password auth succeeded for 'root' from 10.20.20.1:57392
/var/log # date
Wed Dec 31 16:19:35 PST 1969
/var/log #
/var/log # uptime
16:20:10 up 20 min, load average: 0.00, 0.03, 0.12
These logs can provide insights into the AP’s status and potential reasons for its stranded state.
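The `date` output above shows the AP clock still at the Unix epoch (Dec 31 1969 PST), so the log timestamps cannot be matched directly against logs on other systems. The following is an added example, not part of the original post, that parses the three log lines shown above, shifts them to real time, and extracts the SSH login; `REAL_NOW` is a constructed value standing in for the operator's wall-clock time at the moment `date` was run on the AP, and the function names are hypothetical.

```python
import re
from datetime import datetime

# The three /var/log/messages lines shown on the page, embedded for offline use.
SAMPLE_LOG = """\
Dec 31 16:00:59 KERNEL(303H-SPARE1@10.100.31.240): [ 19.079525] There is no gpio reset info
Dec 31 16:01:01 ofald[3816]: SAPM Client failed: (null) Message Code 62526 Sequence Num is 2
Dec 31 16:07:41 dropbear[4043]: Password auth succeeded for 'root' from 10.20.20.1:57392
"""
DEVICE_NOW = datetime(1969, 12, 31, 16, 19, 35)  # `date` output on the AP
REAL_NOW = datetime(2024, 5, 14, 9, 30, 0)       # constructed: operator's clock at that moment

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+?)(?:\[(\d+)\])?: (.*)$")
LOGIN_RE = re.compile(r"Password auth succeeded for '([^']+)' from ([\d.]+):(\d+)")


def parse_messages(text, device_now, real_now):
    """Parse syslog lines and map each device timestamp to real wall-clock time."""
    offset = real_now - device_now
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip continuation or malformed lines
        stamp, proc, pid, msg = m.groups()
        # Syslog lines carry no year: borrow it from the device clock, and step
        # back one year if that lands in the future (Dec 31 -> Jan 1 rollover).
        ts = datetime.strptime(f"{device_now.year} {stamp}", "%Y %b %d %H:%M:%S")
        if ts > device_now:
            ts = ts.replace(year=ts.year - 1)
        event = {"device": ts, "real": ts + offset, "proc": proc, "pid": pid, "msg": msg}
        login = LOGIN_RE.search(msg) if proc == "dropbear" else None
        if login:
            event["login"] = {"user": login.group(1), "src": login.group(2)}
        events.append(event)
    return events


def clock_unset(device_now):
    """A clock near the Unix epoch means the AP never got its time set."""
    return device_now.year < 2000


if __name__ == "__main__":
    print("clock unset:", clock_unset(DEVICE_NOW))
    for e in parse_messages(SAMPLE_LOG, DEVICE_NOW, REAL_NOW):
        print(e["real"], e["proc"], e.get("login", ""), e["msg"][:50])
```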
Conclusion
Troubleshooting a stranded Aruba AP can be challenging, but understanding the default SSH credentials and how the WLC configures the AP’s password is crucial. Additionally, even with limited access, commands like ping, route, and log inspection can provide valuable information. With these tips and CLI examples, resolving stranded AP issues becomes a more manageable task.