Re: Aruba AP2xx vs. AP5xx apples-to-apples

2021-02-09 Thread Miller, Keith C
Hi David et al.,

I’ve actually done this with Ekahau and on the 5GHz radio with the same EIRP 
value, the 315 is typically 2dB stronger than the 515. Based on real world 
data, I’ve seen somewhere around a 2-4 dB difference on both the SideKick and 
my MBP when using Adrian’s WFE app.

The 515 has close to 1 dB more antenna gain than the 315 does on the 5GHz radio 
which means there’s going to be less conducted power (TX power) out of the 
transmitter when using the same EIRP value. I also wonder if the 315 using a 
Qualcomm chip vs the 515 using Broadcom has anything to do with it and how much.

Regards,
Keith

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Biron, David
Date: Tuesday, February 9, 2021 at 9:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba AP2xx vs. AP5xx apples-to-apples

Hi Jason,

In regards to Ekahau, you can model the AP model before and after in the 
predictive section. Obviously this is based on a computer model, but should 
give an indication.

I can’t comment in regards to going from AP2xx/3xx to the AP515. But we have 
gone from the Cisco 2802i to the AP-515 and in the real world the coverage is a 
lot better with the Aruba in comparison to the Cisco. Modelling this in Ekahau 
shows similar.

We were a really early adopter of AX and chose to turn off that feature due to 
the amount of corporate managed laptops running the affected Intel chipset.

Now AX is more widespread (Lots more client devices) and better information is 
provided to end users in regards to updating drivers, we are looking at turning 
the feature back on.

David Biron

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jason Trinklein
Sent: 08 February 2021 18:02
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba AP2xx vs. AP5xx apples-to-apples

In the early days of Aruba's AP5xx series, I heard rumblings in peer 
institutions and on Educause about the AP5xx series having poor RF properties 
compared to the AP2xx and AP3xx series. For example, when replacing an AP315 
with an AP515, signal coverage was worse, sometimes bad enough to cause service 
loss in distant locations.

We are considering our next wifi upgrade to 802.11ax and are thinking about 
performing an apples-to-apples wifi survey by surveying our 2xx APs in-place, 
then performing the same survey with 5xx APs in-place. Has anyone performed 
such an apples-to-apples comparison with Ekahau, measuring RSSI, throughput, 
jitter, and latency? Any comparisons of airtime utilization using EyePA or 
similar?

If anyone has experience they can share to help us make a data-driven and 
informed decision, I'd be appreciative.

In a broader question - for those who have moved from .ac to .ax, have you seen 
measurable increases in quality of service to your community?

Thanks!

--
Jason Trinklein
Information Technology Services - Infrastructure
Clark University | 950 Main Street | Worcester, MA 01610
508-421-3865 (o) | 508-736-4001 (c) | 
jtrinkl...@clarku.edu

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community



Re: Dedicated IDS/IPS monitors

2021-02-01 Thread Miller, Keith C
Hi JJ,

Thank you for your response! You make a lot of good points. While the subject 
line and bulk of my original e-mail focused on IDS/IPS, I also thought about 
potential use-cases for packet capturing and spectrum analysis that wouldn’t 
require us to go into the field or potentially disable a client servicing radio 
for that purpose (thinking specan here).

We’ve POC’d Aruba’s UXI in the past and I’ve had some good talks with the folks 
at 7Signal, but we aren’t in a position to make that type of investment at this 
time. I thought it might be prudent to consider reusing APs that were being 
refreshed for newer models since they are perfectly fine for this type of 
use-case, but as I’ve mentioned the more I thought about it, the more it seemed 
to be a bad idea due to costs and labor. Another aspect I didn’t consider until 
after I hit the send button was software support and licensing. Each additional 
AP would require us to burn at least an additional AP and RF Protect license 
and at some point, those older APs will no longer be supported which would 
require even more labor to swap them out.

At this point, I definitely agree with you. If we were to go with an overlay 
type solution, it would likely be something that wasn’t specifically tied to 
our controllers. I think we get enough IDS information via off-channel scanning 
to work for us, but I’m always looking for different ways of doing things so I 
decided to ask. Honestly, I think we could get away with a few strategically 
placed UXI sensors or Sapphire EYE 250s that can be moved as needed, but for 
now that is just a dream. 

Regards,
Keith

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Jennifer Minella
Date: Monday, February 1, 2021 at 3:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Dedicated IDS/IPS monitors

Keith, I’m curious to hear what everyone is doing. I can tell you what our 
experience has been and that is, in the last several years, all purpose-built 
overlay WIPS systems have become basically extinct. There are a few 
purpose-built, broad-spectrum wireless sensor/monitoring systems targeted for 
DoD and highly regulated environments and they’re focused not only on WiFi but 
other non-802.11 wireless. Aside from that all of the standard WIPS overlays 
have really gone away. A few thoughts/bullets on that in case it helps…

  *   Dedicated WIPS were popular for organizations that needed to meet 
requirements for PCI compliance and other regulations which effectively said “if 
you’re using WiFi, you have to prove it’s in scope and secured” and “if you’re 
not using WiFi in these areas/for this purpose you have to prove there is no 
WiFi there”. Those expectations have changed over the years and even now in 
federal (civ) that language is virtually non-existent. Sometimes they’ll say 
there needs to be occasional validation of no WiFi in specific areas but they 
can use other tools, handheld devices, and/or free laptop software for that 
audit.
  *   Most (probably all?) manufacturers have pretty mature spectrum monitoring 
at least in the WiFi spectrum space.
  *   Although current radios can’t both service clients and do containment, as 
you pointed out containment has been less of an issue especially in HED 
environments. The type of containment WIPS was good at was malicious source 
containment, but even then that is limited to managing a subset of RF-based 
attacks. The rest of the more common containment features/needs can be managed 
via endpoint and/or infrastructure settings. (e.g. keep managed devices off the 
guest network, etc.) Of course other containment like those associated with 
rogue APs has become a bit tricky due to FCC rulings about the ownership (or 
lack of) of airspace.
  *   As you already mentioned the cost and complexity of managing *anything* 
overlaid is expensive. And if you’re looking at controller-based APs 
(regardless of the mfr) it gets way more messy.
  *   If someone were going to deploy an overlay (even though I don’t think 
it’s recommended in 95% of cases), it’s probably less expensive and easier to 
use a cloud-managed solution that can be easily moved, deployed, and managed. I 
have heard of orgs deploying things like Mist to use a dedicated scanning radio 
for this purpose in limited areas. There are also 3rd party monitoring devices 
that also look at SLAs for applications – specifically I’m thinking about tools 
like 7Signal and Aruba’s UXI (whatever they call it- it used to be Cape Sensor).

Just food for thought….
-jj
___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Miller, Keith C 
Sent: Saturday, January 30, 2021 8:22 AM
Subject: Dedicated IDS/IPS monitors

Hello all,

I know IDS/IPS has been di

Dedicated IDS/IPS monitors

2021-01-30 Thread Miller, Keith C
Hello all,

I know IDS/IPS has been discussed a couple of times over the past few years, so 
I apologize if this has been asked and answered in the past, but I wanted to 
see what folks were doing across the larger EDU landscape, especially those 
using Aruba as a Wi-Fi vendor.

Despite some recent blog posts and webinars from Extreme Networks and David 
Coleman, IDS/IPS doesn’t seem to be a popular topic; almost as if it’s not 
worth the investment to deploy dedicated IDS/IPS especially since you typically 
cannot take action through mechanisms like containment.

Anyway, we lifecycle our APs on a fairly regular schedule here at UNC Chapel 
Hill and last night it hit me that perhaps we could reuse some of the older 
generation APs as dedicated air monitors (AM) or spectrum monitors (SM). It 
seemed like a no brainer at first, but the more I thought about it the more I 
realized this is not a decision to take lightly. To do something like this, 
we'd have to run more cables, burn additional switch ports, provide more power 
from our switches' power budgets, and manage and troubleshoot additional 
hardware should something go wrong. That's more money and time investments, but 
for how much gain? In addition, adding additional APs that aren't servicing 
clients in an environment with 10,000 APs already seems a bit ridiculous for 
alerts that we might not even have the time to fully monitor and/or pursue due 
to lack of resources.

So what are you doing if anything? Are all of your APs in AP mode? How about 
hybrid-mode? Hybrid-mode provides home channel scanning, but there could be 
some performance degradation for clients during off-channel scanning. Aruba 
recommends 1 dedicated AM per 4 APs which would likely not happen here, but 
deploying some strategically around campus that could be used as AMs or 
converted to SMs when needed might not be a terrible idea. If you're not doing 
this, what are you doing with your older, still serviceable APs that have been 
replaced by the latest-gen tech besides sending them to surplus?

Thanks in advance!

Regards,
Keith



Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

2020-12-18 Thread Miller, Keith C
There’s no way that I’m aware of to fix the issue if it’s already occurring. 
You cannot telnet into the AP remotely because the AP doesn’t have a config 
that could enable telnet so you must console into the AP to get access to the 
APboot environment and then change the os_partition to whatever partition 
houses the newly upgraded image.

Regards,
Keith

From: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Friday, December 18, 2020 at 10:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

Yep, we have an AP-205h that failed to upgrade.  I think it was from 8.7.0.0 to 
8.7.1.0 this fall.  That AP is in quarantine space and is still broken as none 
of us are willing to go replace it yet.  Luckily there was enough coverage from 
neighboring AP's, but it is less than ideal for sure.

If anyone knows of a way to fix these AP's stuck in an upgrade loop without 
having to physically touch them, I'd love to hear how.

--Dan


On Fri, Dec 18, 2020 at 9:23 AM Sweetser, Frank E. <f...@wpi.edu> wrote:
That’s not a bad idea in general, but in this case it’s not only student 
housing in the midst of a COVID crisis, it’s student housing partially reserved 
as isolation housing for anyone who tests positive.  Advance RMA absolutely 
makes sense as far as wasting less time perched on the ladder, but at this 
point if it requires visiting all of the student rooms at all it’s just going 
to have to wait until summer.

Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Lee H Badman
Sent: Friday, December 18, 2020 8:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

I really struggle with the notion of ever actually visiting deployed APs to do 
console work- regardless of vendor. If the bug is that bad, I’d seriously 
consider demanding an advance RMA for each of them. That way the site visit is 
a replacement rather than a tech monkeying around with file system at the top 
of a ladder or lift. To me, that is way beyond what should be expected of 
customers for what these systems cost.

Just one man’s opinion.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Sweetser, Frank E.
Sent: Friday, December 18, 2020 8:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

I recently performed an upgrade that included about 90 505s, and strongly 
suspect I hit the same bug on the entire batch – except, of course, for the one 
that I kept and put in the lab environment.  That one stubbornly refused to 
fail, upgrading flawlessly every time.

Has anyone ever heard if there’s a fix that doesn’t require physical access?  
All of my 505 are in residential space, which basically means that I’m not 
likely to get physical access to them until after the students move out this 
summer.

Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Miller, Keith C
Sent: Friday, December 18, 2020 6:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

That’s the one. Have you reported it to them? I didn’t pull the word rare out 
of thin air... That’s what I’ve been told and that it affected roughly 0.0001% 
of deployed 515s. I guess I’m just being naive.

Thanks for waking 

Re: ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

2020-12-18 Thread Miller, Keith C
Hi Jason,

I’m glad things seem to be going well for your upgrade, I would never wish or 
hope that someone experienced bugs or issues.

In saying that, have you noticed any flakiness in the web UI? Dashboard not 
loading, files not visible when going to Diagnostics -> Technical Support -> 
Copy files from individual controllers? Are you able to SCP from the 
controllers using the CLI? How about rebootstrap/reboot counters for APs? Have 
the numbers been reset now that you’ve upgraded? The counters did not seem to 
reset for ours. You can check by issuing the “show ap debug counters” command 
from your controllers’ CLI.

Regards,
Keith

From: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Friday, December 18, 2020 at 8:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

> We just went to 8.5.0.11 from 8.5.0.8 and .9 this week and I’ll be honest, 
> I’m not thrilled with it.

We just ran an update to 8.5.0.11 for 3am this morning, and woke up to read 
your message as I was getting ready to check on everything... yikes!

I'm glad to report that we aren't seeing any major issues (everything came back 
up fine), but we're only a few hours into it.  We're on all 300-series APs (I 
don't have any 500s).  We have two clustered 7205s and those came back up 
without any issues in the clustering.

Jason


Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

2020-12-18 Thread Miller, Keith C
That’s the one. Have you reported it to them? I didn’t pull the word rare out 
of thin air... That’s what I’ve been told and that it affected roughly 0.0001% 
of deployed 515s. I guess I’m just being naive.

Thanks for waking me up!

Regards,
Keith
M: (803) 464-2397 O: (919) 962-6564

Sent from my mobile device so please excuse any typos.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Michael Davis
Sent: Thursday, December 17, 2020 10:22:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

It's not so rare, it's been happening to our 515s since 8.4.

The AP will upgrade successfully, but the apboot> environment variable that 
selects which partition to boot never gets changed, so it reboots to the old 
partition and rinse and repeat.



On 12/17/20 9:03 PM, Miller, Keith C wrote:

2. We hit a “rare” bug that’s only affected a small number of 515s worldwide 
where the AP gets stuck in a boot/image upgrade loop and you must physically 
console into the AP to fix it and boot from the upgraded partition.





Re: ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

2020-12-17 Thread Miller, Keith C
Hi Christopher,

We just went to 8.5.0.11 from 8.5.0.8 and .9 this week and I’ll be honest, I’m 
not thrilled with it. I’ve run into a handful of issues, some minor, some 
cosmetic, but we’ve also hit a couple of bugs that leave you scratching your 
head:

1. 2 controllers in the same cluster ended up acting as VRRP master, even 
though communication was seemingly okay with L2 connected status across all 
controllers. One of those controllers had higher priority configured to control 
which controller should be master so I’m still unsure how this happened. I’m 
still having problems getting logs to TAC because we can’t see the files from 
the web UI and SCP/TFTP fails from the CLI on the interesting controller. I’m 
going to have to have someone get in front of it and resort to copying the logs 
to USB.

2. We hit a “rare” bug that’s only affected a small number of 515s worldwide 
where the AP gets stuck in a boot/image upgrade loop and you must physically 
console into the AP to fix it and boot from the upgraded partition.

I have no idea what the 8.6 train is like so I can’t help you there, but buyer 
beware with 8.5. The penalties of trying to be proactive I suppose.

Regards,
Keith
M: (803) 464-2397 O: (919) 962-6564

Sent from my mobile device so please excuse any typos.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Johnson, Christopher
Sent: Thursday, December 17, 2020 3:49:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?


We’re considering doing some pre-emptive maintenance before winter-break ends 
to resolve a couple issues, and was curious if anyone is running ArubaOS 
8.5.0.11 or 8.6.0.6 (200/220 and 270 Series APs) and what their experiences 
have been?

Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter





Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-23 Thread Miller, Keith C
Thanks for providing some examples John. It looks like you may have 2 SSIDs, 1 
per band. Did the MAC address also change for the “linksys55” SSID?

Reading from the published Apple document that Hector shared:

“To reduce this privacy risk, iOS 14, iPadOS 14, and watchOS 7 include a 
feature that periodically changes the MAC address your device uses with each 
Wi-Fi network. This randomized MAC address is your device's private Wi-Fi 
address for that network—until the next time it joins with a different address”

I really wish they would provide more detail about what “periodically” means 
and if this occurs at some specific interval depending on activity as some have 
suggested.

https://support.apple.com/en-us/HT211227


Regards,
Keith

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of John Turner
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Tuesday, July 21, 2020 at 6:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

I’m working on testing this now.

So far it appears that the "Private Address" option is enabled by default for 
any of the "My Networks" and initially is set to the hardware MAC address.

New connections receive a new private MAC.

Toggling the WiFi does not change them.

I will update tomorrow on if it changes.

Here are 2 screenshots from my home network (the F3:4D was configured prior to 
upgrade)

On Tue, Jul 21, 2020 at 6:15 PM Norman Elton <normel...@gmail.com> wrote:
This is all fascinating, I’m looking forward to getting my hands on a public 
beta.

Those “in the know” ... does this impact 1x networks as well as open? It seems 
that if you’re connecting with credentials, there’s already a trust 
relationship in place.

And is the feature enabled for networks that were configured before upgrading 
to iOS 14?

Fun times,

Norman Elton



On Tue, Jul 21, 2020 at 2:55 PM Rios, Hector J <hector.r...@austin.utexas.edu> wrote:
I just finished reading the “Apple Beta Software Program Agreement”. 
Interesting information:

“Don’t blog, post screen shots, tweet, or publicly post information about the 
public beta software, and don’t discuss the public beta software with or 
demonstrate it to others who are not in the Apple Beta Software Program.”

So, I need everyone to sign up to the beta software program so we can continue 
this conversation (J/K)

Hector Rios, Wireless Network Architect
The University of Texas at Austin



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Tuesday, July 21, 2020 1:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Yeah, good catch Chris! I’d be interested in seeing some field data as well. 
The only info I saw was that it changed every 24 hours, but it sounds like 
there’s a * which indicates inactivity / not associated.

It makes much more sense that it wouldn’t change if the device maintains an 
active connection as there are really no privacy concerns until the device 
disconnects and moves.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, July 21, 2020 at 13:15
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Tim had mentioned the following: “On iOS 14, the MAC is set per ESSID and is 
changed once every 24 hours.”

Chris then mentioned that he found one iOS 14 device that, as long as it 
remains connected, the MAC remains the same, even beyond 24hrs.

Has anyone else done testing? Please share your results.

Hector Rios, Wireless Network Architect
The University of Texas at Austin



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Johnson, Christopher
Sent: Monday, July 20, 2020 10:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Default behavior matters indeed. Got a preview of what to expect over the 
weekend.

Found one individual that was in Aruba Airwave “12 Times” for their iPhone 14.0 
over past couple of weeks and another “6 times”. It appears that as long as the 
device remains “connected” to the network beyond the 24 hours, the MAC Address 
will remain the same. Although if they’re fully de-authenticated or move say 
into an elevator or outside (or a class phone reboot occurs in the pocket) – 
then the MAC Address will update upon establishing a new connection – that is 
just the initial observation I saw.
Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444


Re: [WIRELESS-LAN] Update on our Aruba solution

2020-01-18 Thread Miller, Keith C
Hi Barry,

We are running 8.5.0.3, but the build that we think has provided the fix to our 
first issue is based on 8.5.0.5 if I remember correctly.

Disabling ax or OFDMA specifically is ½ of the equation only if Intel ax NICs 
are in your environment. There was also an aggregation queueing issue which 
caused an eventual starvation of traffic for other clients that had to be 
corrected in code as well.

Regards,
Keith

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "McCurry, Barry A"
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Friday, January 17, 2020 at 5:13 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] Update on our Aruba solution

Have you turned off HE/(High Efficiency) to turn off AX? It seems some of our 
reported issues disappeared after disabling that.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Amel Caldwell
Sent: Friday, January 17, 2020 3:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Update on our Aruba solution

We have a small installation of 515s running 8.5.0.5 and have experienced the 
same behavior that Keith described.  So far, mostly anecdotal data but we are 
starting to gather data and troubleshoot this with Aruba as well.

Amel Caldwell
University of Washington

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "McCurry, Barry A" <barry.mccu...@vanderbilt.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, January 17, 2020 at 11:33 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Update on our Aruba solution

Do you mind sharing what version of code you are running currently? I think you 
mentioned 8.5.0.3 in the initial thread, but you mentioned the upgrade to 
8.5.0.5 was recommended by Aruba. I would be curious to know if the tiger team 
saw these issues on 8.5.0.5, as we just upgraded to this version over the break.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Turner, Ryan H
Sent: Thursday, January 16, 2020 4:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Update on our Aruba solution

All,

Since the thread generated significant interest last week, I wanted to let you 
know how Aruba responded.

After hearing of our issues, Aruba sent a tiger team (5 or 6 folks) that came 
in to work on the bugs.  We had a punch list of things to work on.

On the top of the list was the 515 performance issues.  This is where people 
would stay connected, but data wouldn’t flow for a period of time.  The 
symptoms were reproduced many times during the week with everyone present.  
Aruba found a bug in code that does not handle queuing properly in certain 
circumstances.  They produced code to fix this issue, but we cannot confirm at 
this time if this will resolve what we are seeing….  We saw a similar symptom 
immediately after putting the fix on the AP.

After seeing the same symptom immediately after putting on the hotfix, they 
realized that someone on the team has an Intel AX adapter which has significant 
issues with OFDMA.  It can essentially wreck the airwaves for other clients.  
The solution is to TURN OFF OFDMA on AX access points until Aruba releases a 
build that can selectively ignore Intel OFDMA (while allowing others).  I have 
a release from Broadcom on January 6 speaking to this issue, so they aren’t 
making that.  I confirmed it with a separate wireless vendor that Broadcom has 
had some issues on the OFDMA front.  I plan on keeping it off for likely the 
next year as we don’t really have a significant quantity of ax clients to make 
it worth the hassle at the moment.



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-15 Thread Miller, Keith C
Hi Michael,

Currently we do not and yes, that is the situation as I understand it. The PAPI 
traffic between APs and the controllers use the same queue that the controller 
to controller heartbeats use. Enabling CPSec moves that traffic to a 
different queue.

We’re expecting to enable CPSec in Resnet today.

Regards,
Keith

From: The EDUCAUSE Wireless Issues Community Group Listserv 
on behalf of Michael Davis
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Tuesday, January 14, 2020 at 3:56 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

Do you run CPSEC on your APs?   I've heard that non-CPSEC AP connections can
contend with the controller cluster heartbeats and cause disconnect.

On 1/14/20 3:37 PM, Miller, Keith C wrote:
Hi Trent,

No not related to AirGroup, but we’ve had problems with AirGroup server leaks 
in the past on 8.4 – One of the solutions was to configure AirGroup in 
centralized mode at the group level.

The other problems are related to the 515s and we are suffering from cluster 
disconnects in a few of our 8.x environments for what seems to be varying 
reasons.

Regards,
Keith




--

 Mike Davis

 IT - University of Delaware  - 302.831.8756

 Newark, DE  19716 Email da...@udel.edu



Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-14 Thread Miller, Keith C
Hi Trent,

No not related to AirGroup, but we’ve had problems with AirGroup server leaks 
in the past on 8.4 – One of the solutions was to configure AirGroup in 
centralized mode at the group level.

The other problems are related to the 515s and we are suffering from cluster 
disconnects in a few of our 8.x environments for what seems to be varying 
reasons.

Regards,
Keith

From: The EDUCAUSE Wireless Issues Community Group Listserv 
on behalf of "Hurt,Trenton W."
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Tuesday, January 14, 2020 at 3:03 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

For your other 3 bugs any related to airgroup?  I’m having airgroup issue with 
8.5.x.  Running in centralized mode with no airgroup profiles.  Working with 
TAC they found that the Airgroup config has to be done from /md level and can’t 
override at lower folder levels.  We got past this but now face issue with 
clients not being marked as airgroup users.  If you do show datapath for a user 
filtering on 5353 the Flags for this will 0o if you’re hitting the bug.  Mine has 
been recreated in tac lab and now in development hands.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
On Behalf Of Turner, Ryan H
Sent: Tuesday, January 14, 2020 2:35 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

We have Aruba engineers on site.  They’ve experienced the issue many times 
since they have been here.  So I am confident that something will be done about 
this specific bug.  We have about 3 more bugs of varying criticality they are 
looking at.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of James Andrewartha
Sent: Tuesday, January 14, 2020 3:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

On the specific bug that Ryan is talking about, I was speaking today with a 
local partner who was experiencing the bug as well (and I believe has contacted 
Ryan offline), and their workaround was to change the SSIDs to bridge mode. We 
already made that change for unrelated reasons* during our final week of PoC 
testing which probably explains why we didn't see it recently.

I will say that Aruba support seems to be very quick to point fingers at the 
rest of your infrastructure (DNS, DHCP, RADIUS etc) and so you have to prove 
it's working, even though it's not been an issue up until the point of the bug. 
I can understand this attitude but granting a little bit of trust that we have 
our environment configured correctly since it was working fine with another 
vendor would be nice.

*Airgroup wasn't controlling Airtames correctly, I have a TAC session to gather 
traces scheduled for tomorrow

--

James Andrewartha

Network & Projects Engineer

Christ Church Grammar School

Claremont, Western Australia

Ph. (08) 9442 1757

Mob. 0424 160 877
On 10/1/20 5:01 pm, James Andrewartha wrote:
Hi all,

I read this thread with some trepidation, since we're just finishing up a 
rollout of 150 AP515s on 7205s. We chose this platform after a nearly 6 
month PoC, because we were hitting a high-impact but low occurrence and 
unreproducible bug with our Surface Book 2 fleet when connected to our Extreme 
Wireless network. Microsoft was unable to fix this bug (and it definitely was a 
client bug, their debug traces showed the Surfaces dropping BAR packets from 
the AP), so instead I hope they can fix the new bug we found the Surfaces have 
with Aruba APs, which is low-impact but occurs frequently (several times a 
minute) and so is highly reproducible. More on the Surface bugs below, but I 
had also seen the Aruba bug where the client loses connectivity for 5 minutes 
or so, HE was disabled at the time. It's easiest to spot this in Airwave, there 
will be a period of no traffic transferred for the client. We didn't have any 
problem reports in the last few weeks of testing though, while running on 
8.5.0.3, so maybe it was fixed? The user group (Maths teachers) were very good 
in reporting issues, although not always in a timely fashion. Our new 
production install is running 8.5.0.5 but I'll probably be upgrading to 8.6.0.1 
before the teachers get back from summer holiday.

I will strongly agree with the others in this thread who have posted that the 
support of your local partner and vendor TAC and account team should be high on 
your consideration. The PoC was a tortured process, definitely not helped by the 
fact that the partner's engineers were in another state, and the local Aruba SE 
had just left, and a new one wasn't hired until October or so. I've also found 
Aruba TAC to be not great in my brief experience with them, certainly not 
compared to Extreme GTAC where I have on several 

Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-09 Thread Miller, Keith C
Hi Lee,

We were recommended by Aruba to move to ArubaOS 8.5 for the 500 series since 
they were planning on sunsetting 8.4 at the end of 2019. We are a couple of 
minor revisions off of the latest 8.5 code, but we don’t really have any 
options with regards to the 500 series APs. 8.4 was the first supported release 
and is no longer recommended and 8.6 is currently in beta.

Regards,
Keith
O: (919)962-6564 M: (803)464-2397

From: The EDUCAUSE Wireless Issues Community Group Listserv 
on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Thursday, January 9, 2020 at 11:50 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

Interesting. I wonder- does Aruba consider any of these APs or code versions 
that you all are struggling with to be “bleeding edge” or is it all mainstream, 
supposedly stable product at this point?

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Martin Reynolds
Sent: Thursday, January 9, 2020 11:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

Not sure if this could be of help but the issues with the 515 and 535 Aruba APs 
we use was driver related to the 802.11ax code that is on the AP's.  This is 
not an Aruba specific issue but affects other vendors as well.  The following 
link is for the updated Intel drivers.

https://www.intel.com/content/www/us/en/support/articles/54799/network-and-i-o/wireless-networking.html

In our case users could not see the ESSIDs at all where 515 APs were installed 
but could where other model of AP's (2xx and 3xx) were installed.  By using a 
different adapter from what is installed in the hardware (example USB-and not 
Intel) that allowed us to see the ESSIDs

Thanks,
Martin

On Thu, Jan 9, 2020 at 11:40 AM David Morton <dmor...@uw.edu> wrote:
Ryan, we have been experiencing some of the very same issues. Since installing 
515s and resulting 8.5.x code in our offices (always our first step to any 
migration) we too have experienced unexplained periods of no connectivity. In 
most or all the cases I’ve personally experienced, I believe that I remain 
connected at an 802.11 standpoint but will have that 30 seconds to a couple of 
minutes of no IP connectivity. We have now deployed 515s and 8.5.x in one of 
our residence halls so I am concerned about their experience as well. Just 
before the holiday break we had a series of very high-profile outages that 
impacted our students leading up to and during finals week. The issue got so 
bad that our CIO had to issue a letter to students explaining the problem and 
what we are doing about it. This is the first time that this level of 
communication was needed in my 15 years at the UW using Aruba.

We too are a heavy Juniper shop and have recently received a MIST demo kit. We 
haven’t done anything with it yet due to lack of resources, but if things 
continue on the current path we may give it a more serious look.

David


David Morton
Director, Network & Telecom Design/Architecture
University of Washington
dmorton @uw.edu
tel 206.221.7814

PS I am currently on medical leave so if you wish to reply off-list, please 
direct it to Amel Caldwell, amelc@ uw.edu



On Jan 9, 2020, at 8:15 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

All:

We’ve been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors have their ups and downs, my 
frustration with the Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don’t consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go ahead 

Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-09 Thread Miller, Keith C
Hi Lee,

While we’ve experienced the issue with Intel NICs not being able to see SSIDs 
advertised when .11ax is enabled, a driver update has typically resolved that 
problem. The problems we are seeing range across many different device 
platforms ranging from Apple devices (iPhones and MacBook Pros) to Lenovo 
laptops and Samsung phones. I definitely do not believe it’s client related at 
this point.

Regards,
Keith
O: (919)962-6564 M: (803)464-2397

From: The EDUCAUSE Wireless Issues Community Group Listserv 
on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Thursday, January 9, 2020 at 11:45 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

No insult meant to anyone’s intelligence, but are you also looking at client 
device drivers etc in the context of these issues? Depending on which client 
NIC is in play, the device makers haven’t been doing us any favors of late. Is 
very possible for example that hundreds of AD-managed laptops may all have same 
bum driver.

Just asking…

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of David Morton
Sent: Thursday, January 9, 2020 11:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

Ryan, we have been experiencing some of the very same issues. Since installing 
515s and resulting 8.5.x code in our offices (always our first step to any 
migration) we too have experienced unexplained periods of no connectivity. In 
most or all the cases I’ve personally experienced, I believe that I remain 
connected at an 802.11 standpoint but will have that 30 seconds to a couple of 
minutes of no IP connectivity. We have now deployed 515s and 8.5.x in one of 
our residence halls so I am concerned about their experience as well. Just 
before the holiday break we had a series of very high-profile outages that 
impacted our students leading up to and during finals week. The issue got so 
bad that our CIO had to issue a letter to students explaining the problem and 
what we are doing about it. This is the first time that this level of 
communication was needed in my 15 years at the UW using Aruba.

We too are a heavy Juniper shop and have recently received a MIST demo kit. We 
haven’t done anything with it yet due to lack of resources, but if things 
continue on the current path we may give it a more serious look.

David


David Morton
Director, Network & Telecom Design/Architecture
University of Washington
dmorton @uw.edu
tel 206.221.7814

PS I am currently on medical leave so if you wish to reply off-list, please 
direct it to Amel Caldwell, amelc@ uw.edu



On Jan 9, 2020, at 8:15 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

All:

We’ve been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors have their ups and downs, my 
frustration with the Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don’t consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go ahead 
(but I think they end up connecting in the 2.4G band).   We’ve been working on 
this problem with them for months.  It always seems as though we have to prove 
there is a real issue.  I’m fed up with it.  We are a sophisticated shop.  If 
we have a problem, 9 times out of 10 when we bring it to the vendor, it is a 
real problem.  I’m extra frustrated that due to issues we’ve seen in ResNet on 
the 8.3X train that we don’t want to abandon our 6 train on main campus.  To 
Aruba’s credit, we purchased around 1,000 515s last year (I think around 
February).  When they could not get good code to support 

Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] ArubaOS 8.x cluster disconnects

2019-12-06 Thread Miller, Keith C
Hi T.J.,

We are not running port-channels directly to our MDs, but we do have 
port-channels on upstream switches. Based on some things I’ve seen in the 
packet captures we’ve collected and sent to Aruba (IPSec sequence numbers out 
of order), I’ve considered the fact that some packets might be load-balanced 
down different links and are arriving out of order, but the load balancing 
algorithms in place and traffic profile do not support that theory.

We do not run CPSec in our environment, but thank you for the bit of info.

It depends on the environment, but it ranges from in the 10s to as high as 86 
on 1 AP since the last image upgrade. I’d say the average in our most 
frequently disconnecting cluster is somewhere in the 30-40s. Here’s a couple of 
examples:

AP Counters
---
Name   AP Boots Acked  Bootstraps (Total)  Reboots
MEJ_1207A  4  (54   )  21
MEJ_1207B   3  (44   )  22

Regards,
Keith

From: The EDUCAUSE Wireless Issues Community Group Listserv 
on behalf of "Norton, Thomas (Network Operations)"
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Friday, December 6, 2019 at 8:37 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] ArubaOS 8.x cluster 
disconnects

Hey Keith,

We’re running 8.3.0.10 with multiple clusters and are not running into any 
issues on our end. Our cluster statistics are fairly clean other than some 
issues on some of our switches that we have been running into.

One question, are you running port channels to your mds? If so, we have run 
into issues in the past with sending fast pdus, causing our links to flap.

Another thing is CPSec, if you’re running it, highly recommend jumbo frames due to 
the extra overhead on the management tunnels. This is still something we’re 
working to implement internally.

Out of curiosity, when you run the counters command how many bootstraps are you 
seeing per ap on average?


T.J. Norton
Wireless Network Architect
Network Operations

Office: (434) 592-6552


Liberty University  |  Training Champions for Christ since 1971


On Dec 6, 2019, at 7:52 PM, Miller, Keith C  wrote:




Hello all,

As many of you know, we’re an Aruba shop and we’re running multiple versions of 
8.x in our environment. We are also a Nyansa Voyance customer and for those who 
are also Nyansa customers will probably remember back in October when they 
changed the default behavior for AP down/reboot events from “No Priority” to 
“Always P2”. Almost immediately, we began receiving alerts from Voyance about 
large amounts of APs going down at the same time. After looking at our 
controllers and other NMS tools, we realized that the APs were not actually 
going down, but the radios on the APs were rebootstrapping.

For those unfamiliar with what rebootstrapping is, it essentially means that 
the radios of the AP rebooted, but the AP itself stayed up. This is typically 
caused by missed heartbeats and/or when an AP reconnects to a controller. In a 
clustered environment, when a controller fails, an AP should gracefully move to 
its S-AAC with little to no impact. However, in our case we were seeing APs not 
gracefully failover after missing heartbeats and this was causing the 
rebootstraps. This impacts clients and our users so obviously we were very 
concerned with what we had found. After opening a case with Aruba TAC, we 
discovered that the cluster members were disconnecting from each other. You can 
see if this is happening in your environment by running the “show lc-cluster 
heartbeat counters” command on one of the MDs in a cluster. You’re looking for 
the last column that indicates the last time of disconnect. For us, this has 
been occurring in multiple environments (8.3, 8.4, and 8.5) at least since we 
began looking into it back in October. We’ve sent many logs, traces, and now 
packet captures to the Aruba TAC team. At the request of TAC, we’ve changed 
heartbeat thresholds and enabled BCMC optimization on VLAN interfaces even 
though we have it enabled at the SSID level. While some of these efforts have 
slowed down the frequency of the disconnects, they are still occurring.

So I’m looking to get some feedback from those that are running AOS 8.x in 
their environment. Are you seeing this problem in your environment?

Lastly, if you’re experiencing this issue or you’re just interested in finding 
out more about the health of your environment, you can also verify if you have 
APs that are rebootstrapping with the “show ap debug counters” command. If you 
want to isolate a particular AP and gather more information, you can run

ArubaOS 8.x cluster disconnects

2019-12-06 Thread Miller, Keith C
Hello all,

As many of you know, we’re an Aruba shop and we’re running multiple versions of 
8.x in our environment. We are also a Nyansa Voyance customer and for those who 
are also Nyansa customers will probably remember back in October when they 
changed the default behavior for AP down/reboot events from “No Priority” to 
“Always P2”. Almost immediately, we began receiving alerts from Voyance about 
large amounts of APs going down at the same time. After looking at our 
controllers and other NMS tools, we realized that the APs were not actually 
going down, but the radios on the APs were rebootstrapping.

For those unfamiliar with what rebootstrapping is, it essentially means that 
the radios of the AP rebooted, but the AP itself stayed up. This is typically 
caused by missed heartbeats and/or when an AP reconnects to a controller. In a 
clustered environment, when a controller fails, an AP should gracefully move to 
its S-AAC with little to no impact. However, in our case we were seeing APs not 
gracefully failover after missing heartbeats and this was causing the 
rebootstraps. This impacts clients and our users so obviously we were very 
concerned with what we had found. After opening a case with Aruba TAC, we 
discovered that the cluster members were disconnecting from each other. You can 
see if this is happening in your environment by running the “show lc-cluster 
heartbeat counters” command on one of the MDs in a cluster. You’re looking for 
the last column that indicates the last time of disconnect. For us, this has 
been occurring in multiple environments (8.3, 8.4, and 8.5) at least since we 
began looking into it back in October. We’ve sent many logs, traces, and now 
packet captures to the Aruba TAC team. At the request of TAC, we’ve changed 
heartbeat thresholds and enabled BCMC optimization on VLAN interfaces even 
though we have it enabled at the SSID level. While some of these efforts have 
slowed down the frequency of the disconnects, they are still occurring.

So I’m looking to get some feedback from those that are running AOS 8.x in 
their environment. Are you seeing this problem in your environment?

Lastly, if you’re experiencing this issue or you’re just interested in finding 
out more about the health of your environment, you can also verify if you have 
APs that are rebootstrapping with the “show ap debug counters” command. If you 
want to isolate a particular AP and gather more information, you can run the 
“show ap debug system-status ap-name” command. Here’s what it looks like when 
the AP doesn’t gracefully failover:

Cluster Failover Information

Date   Time Reason (Latest 10)
--
2019-11-25 01:10:20 Delete A-AAC:172.27.xx.xx, cluster enabled=1. fail-over to 172.27.xx.xx, sby status=1

Thanks in advance for any and all feedback.

Regards,

Keith C. Miller
Wireless Architect, ITS Comm. Technologies
University of North Carolina Chapel Hill
O: (919)962-6564 M: (803)464-2397 | 
keith.mil...@unc.edu
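
Added example, not part of the original message and not Aruba tooling: a Python sketch that parses "Cluster Failover Information" reason lines in the format quoted in the message, collected from several APs, and groups them into bursts so that failovers hitting many APs at nearly the same time stand out from isolated ones. The AP names, timestamps, documentation-range addresses, the 60-second gap and the three-AP threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Reason line in the format quoted in the message, for example:
# 2019-11-25 01:10:20 Delete A-AAC:172.27.xx.xx, cluster enabled=1. fail-over to 172.27.xx.xx, sby status=1
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Delete A-AAC:(?P<old>[^,\s]+), "
    r"cluster enabled=(?P<cluster>\d+)\. fail-over to (?P<new>[^,\s]+), "
    r"sby status=(?P<sby>\d+)$"
)
STARTS_WITH_DATE = re.compile(r"^\d{4}-\d{2}-\d{2} ")


def parse_failovers(ap_name, text):
    """Parse one AP's failover section into a list of event dicts."""
    logical = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Terminal or mail wrapping can split one entry over two lines:
        # anything not starting with a date continues the previous line.
        if STARTS_WITH_DATE.match(line) or not logical:
            logical.append(line)
        else:
            logical[-1] += " " + line
    events = []
    for line in logical:
        m = LINE_RE.match(line)
        if m:  # headers and separators simply do not match
            events.append({
                "ap": ap_name,
                "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "old_aac": m["old"],
                "new_aac": m["new"],
                "standby_status": int(m["sby"]),
            })
    return events


def collect(samples):
    """Flatten {ap_name: section_text} into one event list."""
    return [ev for ap, text in samples.items() for ev in parse_failovers(ap, text)]


def find_bursts(events, max_gap=timedelta(seconds=60), min_aps=3):
    """Group events whose consecutive gap is <= max_gap; keep groups
    that involve at least min_aps distinct APs."""
    groups, current = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if current and ev["time"] - current[-1]["time"] > max_gap:
            groups.append(current)
            current = []
        current.append(ev)
    if current:
        groups.append(current)
    bursts = []
    for g in groups:
        aps = sorted({e["ap"] for e in g})
        if len(aps) >= min_aps:
            bursts.append({
                "start": g[0]["time"],
                "end": g[-1]["time"],
                "aps": aps,
                "old_aac": sorted({e["old_aac"] for e in g}),
            })
    return bursts


# Constructed sample input (not real data); the first entry is wrapped
# across two lines the way the quoted output was.
SAMPLE = {
    "ap-example-01": (
        "Cluster Failover Information\n\n"
        "Date   Time Reason (Latest 10)\n--\n"
        "2020-01-06 01:10:20 Delete A-AAC:192.0.2.11, cluster enabled=1. fail-over to \n"
        "192.0.2.12, sby status=1\n"
    ),
    "ap-example-02": "2020-01-06 01:10:31 Delete A-AAC:192.0.2.11, cluster enabled=1. "
                     "fail-over to 192.0.2.12, sby status=1\n",
    "ap-example-03": "2020-01-06 01:10:44 Delete A-AAC:192.0.2.11, cluster enabled=1. "
                     "fail-over to 192.0.2.12, sby status=1\n"
                     "2020-01-08 14:02:05 Delete A-AAC:192.0.2.12, cluster enabled=1. "
                     "fail-over to 192.0.2.11, sby status=1\n",
}

if __name__ == "__main__":
    for burst in find_bursts(collect(SAMPLE)):
        print(burst["start"], "->", burst["end"], burst["aps"], "left", burst["old_aac"])
```

A burst whose events all leave the same A-AAC points at that controller or its cluster links rather than at the individual APs.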
