breakout - airheads macau 2013 - top 10 tips from aruba tac

Top 10 Tips from Aruba TAC
Ken Peredia, Jeffrey Goff
Airheads Conference, Macau, November 2013

CONFIDENTIAL. © Copyright 2013. Aruba Networks, Inc. All rights reserved.


Agenda

1. Debugging Client Disconnects
2. RF Dashboard
3. AMON and Airwave
4. Client Quirks
5. AirGroup Config Notes
6. Voice over Wi-Fi Tweaking
7. High CPU on Controller
8. Aruba Utilities for Android
9. AirRecorder
10. 802.11ac sniffing


Debugging Client Disconnects


• Problem could be in any number of places

– AP to controller stability

• BSS uptime, AP uptime

– Feature related

• ClientMatch, bandsteering, SLB, dot11k

– Auth/Association related

• Use the tracebuf and new logging to narrow it down

– RF related

• ARM changing channels

• Interference


• AP to Controller

– If the AP is not stable, clients will experience disconnects

– Common causes

• Network issues between AP and controller

• Controller load issues

– Debug these using

• “show ap debug counters” – look for APs with high reboot or rebootstrap counts

• “show ap bss-table” – look for APs with low tot-t (bss uptime)

• Collect “show ap tech-support ap-name <the_ap>”

• Collect “tar logs + tech support”


• AP to Controller

– Regarding network issues, common problems include
• ARP issues on the AP VLAN
• DHCP issues on the AP VLAN, including duplicate IPs
• Packet loss in an intermediate switch/router (especially for RAPs)
• IDS/firewall device interfering with connectivity

– If you are seeing AP rebootstraps, start by investigating the quality of the link between controller and AP
• Set up a long-term ping with a large packet size (say 1400 bytes) and monitor it for loss
• “show ap debug system-status ap-name <the_ap>” will tell you something about why the AP is unstable


• ClientMatch

– Continuously scans the wireless environment and shares information about the clients amongst the APs
– Based on the dynamic data obtained, constantly optimizes client association by steering clients to the most suitable AP
– In some cases, ClientMatch may be more aggressive than needed for certain environments and can be slightly tuned to be less active


• View which clients were put in the unsupported list due to many failed steering attempts

• To make ClientMatch less aggressive with load balancing, the configuration shown on the slide can be used


• Per-user auth logging is new in ArubaOS 6.3

• Simplified “per-user auth tracebuf”
– No longer need to enable “logging level debugging user-debug <user mac address>”
– This information is now saved per user when the CLI command “aaa log” is enabled in configuration terminal
– To view the log:
• “show user-table mac <mac-address> log”
• or “show user-table ip <ip-address> log”


(Aruba7210_Sanya) #show user-table mac 68:a8:6d:32:ef:a2 log
1: At Tue Nov 12 05:20:29: [L] Type eap-req <- id 8 len 6, bssid 6c:f3:7f:f0:b7:50
2: At Tue Nov 12 05:20:29: [L] Type eap-resp -> id 8 len 172, bssid 6c:f3:7f:f0:b7:50
3: At Tue Nov 12 05:20:29: [L] Type rad-req -> id 9 len 387, bssid 6c:f3:7f:f0:b7:50
4: At Tue Nov 12 05:20:29: [L] Type rad-resp <- id 9 len 139, bssid 6c:f3:7f:f0:b7:50
5: At Tue Nov 12 05:20:29: [L] Type eap-req <- id 9 len 69, bssid 6c:f3:7f:f0:b7:50
6: At Tue Nov 12 05:20:29: [L] Type eap-resp -> id 9 len 6, bssid 6c:f3:7f:f0:b7:50
7: At Tue Nov 12 05:20:29: [L] Type rad-req -> id 10 len 221, bssid 6c:f3:7f:f0:b7:50
8: At Tue Nov 12 05:20:29: [L] Type rad-accept <- id 10 len 246, bssid 6c:f3:7f:f0:b7:50
9: At Tue Nov 12 05:20:29: [L] Type eap-success <- id 9 len 4, bssid 6c:f3:7f:f0:b7:50
10: At Tue Nov 12 05:20:29: [L] Type wpa2-key1 <- id 0 len 117, bssid 6c:f3:7f:f0:b7:50
11: At Tue Nov 12 05:20:29: [L] Type wpa2-key2 -> id 0 len 135, bssid 6c:f3:7f:f0:b7:50
12: At Tue Nov 12 05:20:29: [L] Type wpa2-key3 <- id 0 len 151, bssid 6c:f3:7f:f0:b7:50
13: At Tue Nov 12 05:20:29: [L] Type wpa2-key4 -> id 0 len 95, bssid 6c:f3:7f:f0:b7:50


• Per-client association history is also new in 6.3

• Easily view the activity of a client's connection:
– why it was de-authenticated by the system
– what alerts/errors were encountered by the client
– what APs it has been associated to, and for how long

(Aruba7210_Sanya) #show ap client trail-info 68:a8:6d:1f:5a:9a

Client Trail Info
-----------------
MAC                BSSID              ESSID     AP-name  VLAN  Deauth Reason                 Alert
---                -----              -----     -------  ----  -------------                 -----
68:a8:6d:1f:5a:9a  6c:f3:7f:f0:b9:b4  Diamond5  AP225-6  2     STA has roamed to another AP  STA has roamed to another AP

Deauth Reason
-------------
Reason                          Timestamp
------                          ---------
STA has roamed to another AP    Nov 11 20:14:50
Client Match                    Nov 11 20:14:36
Rx Data Bytes 108 Mbps+ (Mon)   Nov 11 19:29:29
STA has roamed to another AP    Nov 11 18:44:09
APAE Disconnect                 Nov 11 18:28:47
STA has roamed to another AP    Nov 11 18:28:14
Client Match                    Nov 11 18:27:31
Ptk Challenge Failed            Nov 11 18:26:57
STA has roamed to another AP    Nov 11 18:24:41
STA has roamed to another AP    Nov 11 18:24:06
Num Deauths:10

Mobility Trail
--------------
BSSID              ESSID     AP-name  Timestamp
-----              -----     -------  ---------
6c:f3:7f:f0:b9:b4  Diamond5  AP225-6  Nov 12 05:20:34
6c:f3:7f:f0:b9:b4  Diamond5  AP225-6  Nov 11 20:14:50
6c:f3:7f:f0:b7:50  Diamond5  AP225-1  Nov 11 20:14:50
6c:f3:7f:f0:b7:50  Diamond5  AP225-1  Nov 11 20:14:39
6c:f3:7f:f0:c5:90  Diamond5  AP225-4  Nov 11 20:14:36
6c:f3:7f:f0:c5:90  Diamond5  AP225-4  Nov 11 20:13:02
6c:f3:7f:f0:b7:50  Diamond5  AP225-1  Nov 11 19:29:29
6c:f3:7f:f0:b7:50  Diamond5  AP225-1  Nov 11 18:44:09
6c:f3:7f:f0:b9:b4  Diamond5  AP225-6  Nov 11 18:44:09
6c:f3:7f:f0:b9:b4  Diamond5  AP225-6  Nov 11 18:28:50
Num Mobility Trails:10
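The deauth table above is the raw material for the "why did this client drop" question. The following Python is an added example (not from the slides, not Aruba's code): it parses the "Deauth Reason" section of a pasted "show ap client trail-info" output, separates the reasons that are normal for a roaming client from those that deserve a look, and finds the densest burst of disconnects. The sample text is the slide's own output; the set of "expected" reasons, the 300-second burst window and the year (the controller logs none) are this example's assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the Deauth Reason table from the slide's
# "show ap client trail-info 68:a8:6d:1f:5a:9a" output.
TRAIL_INFO = """\
Deauth Reason
-------------
Reason                          Timestamp
------                          ---------
STA has roamed to another AP    Nov 11 20:14:50
Client Match                    Nov 11 20:14:36
Rx Data Bytes 108 Mbps+ (Mon)   Nov 11 19:29:29
STA has roamed to another AP    Nov 11 18:44:09
APAE Disconnect                 Nov 11 18:28:47
STA has roamed to another AP    Nov 11 18:28:14
Client Match                    Nov 11 18:27:31
Ptk Challenge Failed            Nov 11 18:26:57
STA has roamed to another AP    Nov 11 18:24:41
STA has roamed to another AP    Nov 11 18:24:06
Num Deauths:10
"""

# Assumption: these two reasons are normal for a mobile client; anything else is worth a look.
EXPECTED_REASONS = {"STA has roamed to another AP", "Client Match"}

# A table row is "<reason text>   <Mon> <dd> <HH:MM:SS>"; the reason may contain spaces.
ROW_RE = re.compile(r"^(?P<reason>.+?)\s+(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})$")


def parse_deauths(text, year=2013):
    """Return [(datetime, reason)] from the 'Deauth Reason' table, oldest first.

    The controller prints no year, so the caller supplies one (assumed constant).
    """
    events, in_table = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Deauth Reason":
            in_table = True
            continue
        if not in_table:
            continue
        if line.startswith("Num Deauths:"):
            break
        m = ROW_RE.match(line)          # header and dashed lines do not match
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["reason"]))
    return sorted(events)


def declared_deauths(text):
    """The controller's own 'Num Deauths:N' figure, to cross-check the parse."""
    m = re.search(r"Num Deauths:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def reason_histogram(events):
    return Counter(reason for _, reason in events)


def unexpected(events):
    """Deauths not explained by roaming or ClientMatch steering, oldest first."""
    return [(ts, r) for ts, r in events if r not in EXPECTED_REASONS]


def max_burst(events, window_s=300):
    """Most deauths inside any window_s-second span, as (count, first_ts, last_ts).

    Many deauths in a short window is the flapping pattern the slide's steps track down.
    """
    times = [ts for ts, _ in events]
    best, j = (0, None, None), 0
    for i, t in enumerate(times):
        while t - times[j] > timedelta(seconds=window_s):
            j += 1
        if i - j + 1 > best[0]:
            best = (i - j + 1, times[j], t)
    return best


if __name__ == "__main__":
    ev = parse_deauths(TRAIL_INFO)
    print(f"parsed {len(ev)} deauths, controller reports {declared_deauths(TRAIL_INFO)}")
    for reason, n in reason_histogram(ev).most_common():
        print(f"{n:3d}  {reason}")
    for ts, r in unexpected(ev):
        print(f"unexpected: {ts:%b %d %H:%M:%S}  {r}")
    n, first, last = max_burst(ev)
    print(f"worst burst: {n} deauths between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the slide's data this reports six deauths inside the five minutes from 18:24:06 to 18:28:47, including a "Ptk Challenge Failed" (a 4-way handshake failure) and an "APAE Disconnect" in the middle of the burst, which is where the per-user auth log from the previous slide would be the next thing to pull.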


• RF Related

– If the 2.4GHz band is particularly noisy, the default ARM settings may be causing too many channel changes
• “show ap arm history ap-name <the_ap>” to review
– First check for legitimate sources of interference
• Use spectrum analysis
• Use AMON / RF Dashboard
– But sometimes the spectrum looks OK and the issues come more from co-channel interference, hidden nodes, etc.


• RF Related

– If the 2.4GHz radio is observed to be changing channels excessively due to noise or error rate:
• Create a new ARM profile for 2.4GHz
• Attach it to the dot11g radio profile
• Increase the noise and error-rate thresholds
– Increase gradually and monitor
– Don't increase them too much: if there is real interference, the AP will take longer to react

ARM profile values shown on the slide (the ArubaOS defaults):

Error Rate Threshold   50 %
Error Rate Wait Time   30 sec
Noise Threshold        75 -dBm (i.e. -75 dBm)
Noise Wait Time        120 sec

Controller RF Dashboard


• Use the dashboard to quickly find issues

– Find APs with interference

– Find clients with RF problems

– Get a summary of potential issues

– View short term trending information

• You don't have to check each AP from the CLI
– “show ap debug radio-stats” is hard to use and interpret

• Everything is clickable – including the graphs

• SNR
– Low SNR may mean the client is far away from the AP, or perhaps there is not enough coverage
– Difficult to interpret in a hotspot environment
– In a high-density environment where the users are distributed around the APs, there should be very few red results
• Low SNR may also be due to sticky clients; ClientMatch can help


• Noise Floor

– in-band non 802.11 interference

– These APs should always be investigated

– Common causes

• Video bridges, bluetooth, DECT, microwave ovens etc.


• Channel Busy
– This is an important item; it needs to be considered together with interference
– Channel busy = tx time + rx time + interference
– Possible causes for high values
• Genuine traffic usage
• Over-density / too much 802.11 Wi-Fi / beacons not optimised
• Interference (in-band and out-of-band)


• Channel Busy
– For 2.4GHz this will often be high
• Especially in hotspots
• Values of 30-40% are common
• Influenced by g-tx-rate / g-basic-rate / g-beacon-rate
– For 5GHz, this is a very good indicator of load on the AP


• Interference
– This is the non-802.11 component of channel busy
– The interference value needs to be as low as possible
• Typical value is 0-3%
– Possible causes of high interference numbers
• Out-of-band (WiMAX, cellular DAS antennas, 1.8GHz DECT)
• In-band from non-802.11 devices (video, microwave ovens, 2.4GHz DECT phones, etc.)


AMON and Airwave


• What is AMON?
– A protocol used to stream information from the controller to Airwave
• Also used by Aruba's Analytics and Location Engine (ALE)
• AMON is built on top of PAPI, the AP <-> controller protocol
• Aruba does not provide any public documentation or description of the protocol definition
– AMON sends radio stats to Airwave (7.5.x and higher)
• The controller dashboard has only 15 minutes worth of data
• Airwave plots longer-term trending
• Use alert triggers to proactively flag when an AP is experiencing interference or high utilisation, etc.


• Enable sending of AMON to Airwave on the controller
– WebUI: Configuration > Management > General
• In Airwave, ensure AMON is enabled
– AMP Setup > General > Additional AMP Services


• After a short while AMON radio stats will appear
– Access the stats via the AP (i.e. APs/Devices > Monitor)
– Select the radio by clicking on its name
– Then select “Channel Utilization” from the drop-down
– If Channel Utilization is not an option, then AMON is not enabled

• Same data as shown on the controller
– Remember: channel busy == rx + tx + interference
– Hover over a point to get the values
– Much more history is available via “Time Range”
– Note that noise floor is accessible via another drop-down option

• What can we determine from this?
– Perhaps an interference source that comes and goes
– Or one that suddenly appears
• Someone just brought a 2.4GHz non-802.11 wireless device into the office: interference comes and goes with office hours
• A wireless video camera installed nearby
– Alternatively, let's assume no interference:
• Utilisation versus time: does this AP have a problem on some day of the week?
• Is this AP unexpectedly underutilized? (maybe it is on a rare channel)
• A constant “rx == busy” at a high value may indicate that beacon rate optimization on the APs would be beneficial

• Can we be more proactive?
– The statistics that appear on the radio monitor page can be used within alert triggers
– Actually, use triggers to monitor other critical resources too, like disk space on the Airwave server itself, or AP CPU, etc.
• Use short-term and long-term durations
– Cover immediate problems with short durations
• “more than 20% interference over 10 mins” → critical impact
– Keep an eye on growth with long durations
• “channel busy > 80% over 6 hours” → warning, capacity running out

• Example
– 20% interference on 5GHz is very unusual
– It would be symptomatic of a device like a motion detector
• Use the radio type to be more or less aggressive by band
– Determine the baseline in each band and adjust accordingly

Client Quirks


• MacOS 802.1X Roaming Latency
– MacOS 10.8.4 or newer may intermittently experience 5-20 seconds of latency in completing 802.1X authentication when roaming between APs
– This latency is usually seen in the middle of the EAP negotiation
– This problem is only seen on an 802.1X SSID; it is not seen on a PSK SSID

• MacOS 802.1X Roaming Latency
– The following is an example of a 10 sec delay before the client's eap-response in "show auth-tracebuf" output:

Sep 13 18:03:17 rad-req -> 10:40:f3:83:fe:6c 00:1a:1e:55:53:50/RADIUS_Server_1 65518 222
Sep 13 18:03:17 rad-resp <- 10:40:f3:83:fe:6c 00:1a:1e:55:53:50/RADIUS_Server_1 65518 287
Sep 13 18:03:17 eap-req <- 10:40:f3:83:fe:6c 00:1a:1e:55:53:50 7 203
Sep 13 18:03:27 eap-resp -> 10:40:f3:83:fe:6c 00:1a:1e:55:53:50 7 1276
Sep 13 18:03:27 rad-req -> 10:40:f3:83:fe:6c 00:1a:1e:55:53:50/RADIUS_Server_1 13 1502
Sep 13 18:03:27 rad-resp <- 10:40:f3:83:fe:6c 00:1a:1e:55:53:50/RADIUS_Server_1 13 90
Sep 13 18:03:27 eap-req <- 10:40:f3:83:fe:6c 00:1a:1e:55:53:50 8 6
Sep 13 18:03:27 eap-resp -> 10:40:f3:83:fe:6c 00:1a:1e:55:53:50


• MacOS 802.1X Roaming Latency
– The available workaround seems to greatly improve this authentication latency:
– Trust the 802.1X RADIUS server certificate as a root in the System keychain, setting “Always Trust” for the SSL, EAP and X.509 Basic policies
• This trust setting is bound to that specific certificate, so it has to be repeated when the RADIUS server certificate is renewed or replaced
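Both the per-user auth log shown earlier ("show user-table mac <mac> log") and the "show auth-tracebuf" excerpt above are timelines of the same exchange, and the question in both cases is the same: between which two messages did the time go, and whose message was late. The Python below is an added example (not Aruba's tooling and not from the slides) that parses either format, flags any gap between consecutive messages at or above a threshold, and attributes the delay to the party whose message arrived late, using the arrow convention visible on the slides ("<-" flows towards the client, "->" away from it). It also reports whether the exchange reached RADIUS accept, EAP success and a complete 4-way handshake. The two samples are copied from the slides; the year (the controller logs none), the 5-second threshold and the assumption that an exchange does not cross midnight are this example's.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample 1: the "show user-table mac <mac> log" output from the slide
# (EAP exchange, RADIUS accept and 4-way handshake, all within one second).
USER_TABLE_LOG = """\
1: At Tue Nov 12 05:20:29: [L] Type eap-req <- id 8 len 6, bssid 6c:f3:7f:f0:b7:50
2: At Tue Nov 12 05:20:29: [L] Type eap-resp -> id 8 len 172, bssid 6c:f3:7f:f0:b7:50
3: At Tue Nov 12 05:20:29: [L] Type rad-req -> id 9 len 387, bssid 6c:f3:7f:f0:b7:50
4: At Tue Nov 12 05:20:29: [L] Type rad-resp <- id 9 len 139, bssid 6c:f3:7f:f0:b7:50
5: At Tue Nov 12 05:20:29: [L] Type eap-req <- id 9 len 69, bssid 6c:f3:7f:f0:b7:50
6: At Tue Nov 12 05:20:29: [L] Type eap-resp -> id 9 len 6, bssid 6c:f3:7f:f0:b7:50
7: At Tue Nov 12 05:20:29: [L] Type rad-req -> id 10 len 221, bssid 6c:f3:7f:f0:b7:50
8: At Tue Nov 12 05:20:29: [L] Type rad-accept <- id 10 len 246, bssid 6c:f3:7f:f0:b7:50
9: At Tue Nov 12 05:20:29: [L] Type eap-success <- id 9 len 4, bssid 6c:f3:7f:f0:b7:50
10: At Tue Nov 12 05:20:29: [L] Type wpa2-key1 <- id 0 len 117, bssid 6c:f3:7f:f0:b7:50
11: At Tue Nov 12 05:20:29: [L] Type wpa2-key2 -> id 0 len 135, bssid 6c:f3:7f:f0:b7:50
12: At Tue Nov 12 05:20:29: [L] Type wpa2-key3 <- id 0 len 151, bssid 6c:f3:7f:f0:b7:50
13: At Tue Nov 12 05:20:29: [L] Type wpa2-key4 -> id 0 len 95, bssid 6c:f3:7f:f0:b7:50
"""
# Constructed sample 2: the "show auth-tracebuf" excerpt from the MacOS roaming slide
# (the client takes 10 s to answer an EAP request).
TRACEBUF = """\
Sep 13 18:03:17 rad-req -> 10:40:f3:83:fe:6c 00:1a:1e:55:53:50/RADIUS_Server_1 65518 222
Sep 13 18:03:17 rad-resp <- 10:40:f3:83:fe:6c 00:1a:1e:55:53:50/RADIUS_Server_1 65518 287
Sep 13 18:03:17 eap-req <- 10:40:f3:83:fe:6c 00:1a:1e:55:53:50 7 203
Sep 13 18:03:27 eap-resp -> 10:40:f3:83:fe:6c 00:1a:1e:55:53:50 7 1276
Sep 13 18:03:27 rad-req -> 10:40:f3:83:fe:6c 00:1a:1e:55:53:50/RADIUS_Server_1 13 1502
Sep 13 18:03:27 rad-resp <- 10:40:f3:83:fe:6c 00:1a:1e:55:53:50/RADIUS_Server_1 13 90
Sep 13 18:03:27 eap-req <- 10:40:f3:83:fe:6c 00:1a:1e:55:53:50 8 6
Sep 13 18:03:27 eap-resp -> 10:40:f3:83:fe:6c 00:1a:1e:55:53:50
"""

USER_LOG_RE = re.compile(r"^\d+: At \w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}): "
                         r"\[L\] Type (?P<type>\S+) (?P<dir><-|->)")
TRACEBUF_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
                         r"(?P<type>\S+)\s+(?P<dir><-|->)")
FOUR_WAY = {"wpa2-key1", "wpa2-key2", "wpa2-key3", "wpa2-key4"}


@dataclass
class AuthEvent:
    ts: datetime
    type: str
    dir: str  # "<-" flows towards the client (eap-req, rad-resp, key1/3); "->" away from it

    @property
    def originator(self):
        """Party that produced this message, read off the arrow convention on the slides."""
        if self.type.startswith("rad-") and self.dir == "<-":
            return "radius"
        if self.dir == "->" and not self.type.startswith("rad-"):
            return "client"
        return "controller"


@dataclass
class SlowStep:
    before: str  # last message before the wait
    after: str   # message that arrived late
    gap_s: float
    blamed: str  # originator of `after`, i.e. who took the time


def parse_auth_log(text, year=2013):
    """Parse either log format in controller order. Assumes one year and no midnight rollover."""
    events = []
    for raw in text.splitlines():
        m = USER_LOG_RE.match(raw.strip()) or TRACEBUF_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            events.append(AuthEvent(ts, m["type"], m["dir"]))
    return events


def slow_steps(events, threshold_s=5.0):
    """Consecutive messages separated by at least threshold_s, with the slow party named."""
    steps = []
    for prev, nxt in zip(events, events[1:]):
        gap = (nxt.ts - prev.ts).total_seconds()
        if gap >= threshold_s:
            steps.append(SlowStep(prev.type, nxt.type, gap, nxt.originator))
    return steps


def handshake_status(events):
    """Did the exchange reach RADIUS accept, EAP success and a complete 4-way handshake?"""
    seen = {e.type for e in events}
    return {"radius_accept": "rad-accept" in seen,
            "eap_success": "eap-success" in seen,
            "fourway_complete": FOUR_WAY <= seen}


if __name__ == "__main__":
    for name, text in (("user-table log", USER_TABLE_LOG), ("auth-tracebuf", TRACEBUF)):
        ev = parse_auth_log(text)
        print(f"{name}: {len(ev)} messages, {handshake_status(ev)}")
        for s in slow_steps(ev):
            print(f"  {s.gap_s:.0f}s gap between {s.before} and {s.after}: {s.blamed} was slow")
```

On the MacOS trace this names the client as the slow party (10 s between eap-req and eap-resp), which is what distinguishes the client quirk from a RADIUS server that is slow to answer: in that case the late message would be a rad-resp and the blame would land on "radius".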


• MacOS Ping Latency
– When viewing continuous pings on a MacBook Pro/Air, you might see a large variation in ping latency, from 2 ms to 100+ ms
– while other devices on the same AP experience only 1-4 ms latency


• MacOS Ping Latency
– The issue is due to the aggressive power-save behavior seen in newer MacOS (10.8.4+)
– Sometimes the MacBook will go to sleep 1 ms after a ping request is sent and may not wake up until 90 ms+ later
– The Aruba AP therefore buffers the ping response until the MacBook informs the AP it is awake, which sometimes results in large latency, as shown in the sniffer trace on the slide


• Dot11k
– Some interop issues seen; be careful if you enable this
– Example: Android 4.3.x device on a WPA2-AES SSID
• Client associates and gets an IP address but locks up shortly thereafter
• Disabling dot11k inside the “wlan dot11k-profile default” resolved it

• Bandsteering vs. clients
– Some clients don't react well to bandsteering
– A common one is Android, which can report “authentication error occurred”
– This error is thrown by Android when the Aruba AP sends a ‘resource constrained’ status during 802.11 authentication


AirGroup


• Common AirGroup configuration issues

• The AirGroup domain controller IP must be the switch IP
– Symptom: the active domain is stuck in the ‘Excluded’ state
– Make sure that the specified controller IP is the switch IP (the controller-ip) and not an interface IP

(sg-3200) # show airgroup active-domains

AirGroup Active-Domains
-----------------------
Domain Name  Status
-----------  ------
SomeDomain   Excluded
Num active-domains:1


• Wireless-based AirGroup ‘server’ (e.g. Apple TV)
– Symptom: an Apple TV connected wirelessly keeps disappearing from the list of AirPlay servers on the client device
– The controller does not by default send refresh requests to the wireless side
– There is a configuration option to force this behavior: “airgroup active-wireless-discovery enable”


• Apple TV and EAP-PEAP
– Symptom: Apple TV fails to connect to a PEAP SSID
– Apple TV has no real-time clock
– The connection fails because the PEAP server certificate fails the date validation check, because the date/time is wrong
– NTP is required to set the time, but network access is needed to use NTP, so the device cannot fix its clock before it authenticates
– Found to be resolved in iOS 7
• The exact method of resolution by Apple is unknown
• Verified on hardware v2 and v3


• NAT
– AirGroup is not supported with NAT
– Do not configure “ip nat inside” or use a NAT ACL on any client that needs AirGroup

• Disallow VLAN
– Can be configured globally or on a per-service basis
– Disallowing a VLAN means that mDNS servers in that VLAN cannot be discovered
– However… mDNS clients in the disallowed VLAN can still be discovered by servers in other VLANs


Voice optimizations


ArubaOS – VoWIFI

• Deployment tips
– Always try to use 5GHz for voice
• If AP coverage allows and devices are capable
• But be aware of differences in client ability to support all channels in your regulatory domain
– Make sure you have adequate coverage; the rule of thumb is two-cell overlap at -67 dBm


• Ensure QoS/DSCP marking is matched
– on both the wired and wireless infrastructure
– in the SSID configuration and user-role
– Real voice applications should be correctly identified by the controller ALGs (SIP, H.323, SCCP, etc.)
• But something like Skype will not be: it's just ‘data’

• Assumptions
– Dual-use SSID (voice and data)
• More aggressive optimizations can be used on a voice-only SSID
– Office-style coverage/density
– AP signal strength of -65 dBm at the client
– Client SNR of 25 or better at the AP (show ap debug client-table)


• Suggested SSID configuration
– a-basic-rates 12 24
– a-tx-rates 12 18 24 36 48 54
– g-basic-rates 6 12
– g-tx-rates 6 9 12 18 24 36 48 54
– g-beacon-rate 6
– local-probe-req-thresh 25
– eapol-rate-opt

• Suggested virtual AP configuration
– broadcast-filter all (unless multicast-based hold music is in use)
– broadcast-filter arp


• Suggested ARM configuration
– Don't have more than 6 dB difference between “min-tx-power” and “max-tx-power”, to provide more predictable roaming behavior
• Avoids large power differences between neighboring APs
– “client-aware” and “voip-aware-scan” *must* be enabled
• “ps-aware-scan” should not be enabled
– Don't raise “min-tx-power” too high, as it can cause sticky clients
• A typical high-density office might use a “min-tx-power” of 9 dBm
• Smartphone-type devices have quite low roaming thresholds, often as low as -75 dBm. Setting tx power too high can cause the client->AP direction to fail well before the device tries to roam.


Common high CPU issues


• The usual suspects…
– WMS (the AirMonitor/IDS function)
– HTTPd (the captive portal web server)

• WMS
– Responsible for the collection of statistics about valid, interfering and rogue devices (APs and clients)
– In hotspot deployments WMS may be tracking upwards of 50,000 devices
– Airports and large campuses also have large WMS databases


– As the WMS database grows, so do the related SNMP tables
– Devices like Airwave poll these tables periodically, which causes CPU spikes
– Symptoms of high CPU load in WMS include:
• sluggish WebUI, SNMP timeouts, missing data in Airwave graphs
• Can also impact the captive portal, as it checks for CPU load

(aruba) #show wms counters | include table
AP G-table 19841
AP A-table 40
STA G-table 28365
STA A-table 1231

A WMS database of this size would return over 250,000 results via SNMP.


– Unstable APs can also contribute to the WMS CPU load
• “show ap debug counters”: check for high reboot/rebootstrap counts
• “show ap bss-table”: check for low tot-t (uptime) of the BSSID
• Especially for RAP deployments, where the controller-to-AP path transits multiple networks beyond your control

AP Counters
-----------
Name   Group    IP Address  Configs Sent  Configs Acked  Bootstraps (Total)  Reboots
----   -----    ----------  ------------  -------------  ------------------  -------
ap100  apgroup  1.1.2.2     4             4              1 (1 )              0
ap101  apgroup  1.1.2.3     4             4              1 (1 )              0
ap102  apgroup  1.1.2.4     8             8              120 (120 )          0
ap103  apgroup  1.1.2.5     8             8              3 (3 )              0
ap104  apgroup  1.1.2.9     8             8              3 (3 )              0
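The client-disconnect section earlier ("show ap debug counters", look for high reboot/rebootstrap counts) and this slide describe the same first check. Here it is as a short Python parser, added as an example and not part of Aruba's tooling or the slides: it reads pasted "show ap debug counters" output (the sample is the table above), flags APs whose bootstrap or reboot counts exceed a threshold or whose config pushes went unacknowledged, and orders the APs for investigation. The thresholds are illustrative assumptions; the column meanings are taken from the headers on the slide.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "show ap debug counters" output reproduced from the slide.
AP_COUNTERS = """\
AP Counters
-----------
Name   Group    IP Address  Configs Sent  Configs Acked  Bootstraps (Total)  Reboots
----   -----    ----------  ------------  -------------  ------------------  -------
ap100  apgroup  1.1.2.2     4             4              1 (1 )              0
ap101  apgroup  1.1.2.3     4             4              1 (1 )              0
ap102  apgroup  1.1.2.4     8             8              120 (120 )          0
ap103  apgroup  1.1.2.5     8             8              3 (3 )              0
ap104  apgroup  1.1.2.9     8             8              3 (3 )              0
"""

# One data row; the "Bootstraps (Total)" column prints as "<n> (<total> )".
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<group>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<sent>\d+)\s+(?P<acked>\d+)\s+(?P<boot>\d+)\s*\(\s*(?P<boot_total>\d+)\s*\)\s+(?P<reboots>\d+)\s*$")


@dataclass
class ApCounters:
    name: str
    group: str
    ip: str
    configs_sent: int
    configs_acked: int
    bootstraps: int
    bootstraps_total: int
    reboots: int


def parse_ap_counters(text):
    """Parse the data rows of 'show ap debug counters'; header and dashed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(ApCounters(m["name"], m["group"], m["ip"], int(m["sent"]), int(m["acked"]),
                                   int(m["boot"]), int(m["boot_total"]), int(m["reboots"])))
    return rows


def unstable_aps(rows, max_bootstraps=10, max_reboots=0):
    """Map AP name -> list of findings for APs that look unstable.

    Thresholds are assumptions for illustration: a handful of bootstraps after a
    controller or network change is normal, three digits is not.
    """
    findings = {}
    for ap in rows:
        notes = []
        if ap.bootstraps_total > max_bootstraps:
            notes.append(f"{ap.bootstraps_total} bootstraps (limit {max_bootstraps})")
        if ap.reboots > max_reboots:
            notes.append(f"{ap.reboots} reboots")
        if ap.configs_acked < ap.configs_sent:
            notes.append(f"{ap.configs_sent - ap.configs_acked} config push(es) not acked")
        if notes:
            findings[ap.name] = notes
    return findings


def worst_first(rows):
    """AP names ordered by total bootstraps, then reboots, most unstable first."""
    return [ap.name for ap in sorted(rows, key=lambda a: (a.bootstraps_total, a.reboots), reverse=True)]


if __name__ == "__main__":
    rows = parse_ap_counters(AP_COUNTERS)
    for name, notes in unstable_aps(rows).items():
        print(f"{name}: " + "; ".join(notes))
    print("check in this order:", ", ".join(worst_first(rows)))
```

On the slide's data only ap102 is flagged (120 bootstraps against a stable peer group at 1-3), which is the AP whose controller link the long-term large-packet ping from the disconnect section should be pointed at first.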


– What to do?
1. WMS offload to Airwave
• Moves large portions of WMS processing to Airwave
• APs on local controllers now send directly to Airwave
• But… this increases WMS CPU load on the local controllers
2. Reduce SNMP polling of certain MIBs
3. Or reduce the amount of data being held in WMS

– If WMS offload cannot be used, two basic levels of optimization can be done, depending on the features being used
– If neither #2 nor #3 is possible, WMS offload is the only choice


1. If no IDS/WIPS functionality is being used, the following config will prevent interfering clients from being entered into the WMS database:

“ids general-profile default wms-client-monitoring none”

• A warning is printed to remind you of the functionality that is impacted by this command:

(sg-620) (config) #ids general-profile default wms-client-monitoring none
Warning: Enabling this option will cause the following features to not work as intended: Protect Valid Station, Detect Valid Client Misassociation, Detect Unencrypted Valid Clients, Tarpit Containment of Non-valid clients, Detect Bad WEP, Detect Disconnect Station Attack, Detect Power Save DoS Attack, Detect Block ACK DoS, Detect TKIP replay Attack, Detect ChopChop Attack, Detect Omerta Attack, Detect FATA-Jack Attack, Detect Overflow EAPOL Key, Detect Frame Rate Anomalies.
(sg-620) (config) #


2. If you don't require or care about rogue AP information in Airwave, you can disable “Rogue AP and Device Location data Polling Period”
– Note this will impact any location services or RAPIDS, and the rogue list will no longer be populated in Airwave


• WMS
– What if all that is done but the problem is not resolved?
– Contact support for assistance
• There are a few more settings that can be changed
• But… these are very specific to the deployment and need to be carefully chosen


• HTTPD
– High CPU with the internal captive portal + large certificates
• Large certificates are handled in software on all controllers before the 72xx series
• “Large” meaning 2048- or 4096-bit keys
• It is very hard to get a publicly signed 1024-bit cert anymore
– Many smart devices constantly try to reach HTTPS locations once associated
• This has become more common over the last 1-2 years
• Even if they never authenticate with the captive portal
• iTunes, Play Store, Windows Update, antivirus updates, CDNs
– Also caused by an image-heavy internal captive portal page


• Solutions
– Move to an HTTP-based captive portal page, but keep HTTPS for the username and password:
• Turn on “allow http” in the captive portal profile
• Modify the HTML of the captive portal page so that the login form posts over HTTPS

Before (form action on the page as shipped):

<div id="logins">
<div id="loginbox" style="">
<h1><span>Wi-Fi Login</span></h1>
<form action="/cgi-bin/login" id="regform" method="post" autocomplete="off" title="Login">
<div id="usernamebox">
<label for="user" accesskey="u">Username</label>

After (form action pointing at the controller's HTTPS login URL):

<form action="https://securelogin.arubanetworks.com/auth/index.html/u" id="regform" method="post" title="Login">

If not using the Aruba default certificate, make sure to replace securelogin.arubanetworks.com with the CN of the new cert. Note that with this change only the credential POST is protected: the page carrying the form is delivered over plain HTTP, so the page itself (including the form action) has no integrity protection in transit.


• Solutions
– Changing to HTTP with an HTTPS form action may not totally recover the CPU…
– You still need to deal with the high rate of incoming HTTPS requests from clients that have not authenticated
– CPU load due to the captive portal redirect can also impact an external captive portal


• Solutions
– One option is to prevent any HTTPS from being redirected:
• Remove the “user any svc-https dst-nat 8081” rule from the captive portal ACL
• This has a downside: clients whose home page is HTTPS will fail to redirect to the captive portal

Captive portal ACL (rule 3 is the one to remove):

Priority  Source  Destination  Service          Action         TimeRange
--------  ------  -----------  -------          ------         ---------
1         user    controller   svc-https        dst-nat 8081
2         user    any          svc-http         dst-nat 8080
3         user    any          svc-https        dst-nat 8081
4         user    any          svc-http-proxy1  dst-nat 8088
5         user    any          svc-http-proxy2  dst-nat 8088
6         user    any          svc-http-proxy3  dst-nat 8088


• Solutions
– If removing the HTTPS redirect is not possible, another option is to create a “blacklist” of sites
– Use the datapath session table to examine where clients are connecting to
– Or packet-capture on an external captive portal and examine the URLs the clients were trying to connect to

The “https-drop-list” netdestination from the slide:

https-drop-list
---------------
Position  Type  IP addr  Mask-Len/Range
--------  ----  -------  --------------
1         name  0.0.0.1  *.facebook.com
2         name  0.0.0.3  *.edgekey.net
3         name  0.0.0.4  *.1e100.net
4         name  0.0.0.5  *.akamaitechnologies.com
5         name  0.0.0.2  *.amazonaws.com
6         name  0.0.0.6  *.tfbnw.net


By the way…

• Please note that the Aruba controller factory certificate is due to expire on 21 November, 2013
• A new cert is loaded into 6.1.3.9, 5.0.4.13, 7.2.3.1 and higher
• There is a support advisory about this on the Aruba support portal and Airheads Social
– Contact your partner/reseller to get a copy if you cannot access the portal and you are on an affected version


Android Aruba Utilities


• Free app on Play Store

• Requires Android 3.0 or better

– There is a stripped down version that runs on 2.2 or better

• Features include

– Built in performance tester (aperf)

– Interacts with Airwave and the controller

– Logs signal info to text file

– Site survey tools (heatmap etc.)

– RSSI graphs

– Handover tracking

Aruba Utilities


AirRecorder


• AirRecorder is a Java based tool developed by Aruba Customer Engineering that periodically runs several common CLI commands for checking controller, AP, and wireless device health for troubleshooting and monitoring.

– It can run on Windows, Linux/Unix, and MacOS platforms.

– It supports ArubaOS, Instant VC (IAP), and MeshOS (MSR) CLI commands.

– All CLI command output is saved to auto-rotating log files

AirRecorder


• By default, a new log file is created every 100 MB, but this can be modified with the option “--max-log-size”.

• AirRecorder is very flexible in gathering data

– It can automatically retrieve data from all APs and devices on a Controller via pre-defined variables

– It can manually retrieve data from specific APs and devices on a Controller

– It can be configured to run different CLI commands at different intervals

AirRecorder


• Example CLI commands and intervals that can exist in an AirRecorder script

10m,show ap active

5m,show ap association

5m,show user-table

5m,show ap arm rf-summary ap-name %{ap:name}

30m,show ap arm state ap-name %{ap:name}

30m,show ap bss-table

5m,show ap debug client-table ap-name %{ap:name}

5m,show ap debug client-stats %{user:mac} advanced

5m,show ap client trail-info %{user:mac}

5m,show ap arm client-match history client-mac %{user:mac}

AirRecorder


• Example running of AirRecorder on Win7

C:\>java -jar AirRecorder-1.2.8-release.jar 10.8.7.63
AirRecorder (c)2011-2012 Thomas Bastian, Aruba Networks
Username: admin
Password:
Enable password:
No enable password set, assuming enable mode when connected
A new log file will be created every: 100 Mbytes
Recording to file: air-recorder-10.8.7.63-20131112-091902-00.log
Connecting to controller with hostname: 10.8.7.63, protocol: ssh, port: 22, username: admin
Processing command: [show ap active] at schedule specification of 10m
Processing command: [show ap association] at schedule specification of 5m
Processing command: [show user-table] at schedule specification of 5m
Processing command: [show ap arm rf-summary ap-name %{ap:name}] at schedule specification of 5m
Processing command: [show ap arm state ap-name %{ap:name}] at schedule specification of 30m
Processing command: [show ap bss-table] at schedule specification of 30m
Processing command: [show ap debug radio-stats ap-name %{ap:name} radio 0 advanced] at schedule specification of 5m
Commands (cur/max): 4/4, Rx Rate: 161 kbps, File size: 1 MB

AirRecorder


• Example output of AirRecorder:

/////
///// Message: RESULT
///// Status: 1937
///// LocalBeginTime: 1384276748945 (2013-11-12T09:19:08.945-0800)
///// LocalEndTime: 1384276749360 (2013-11-12T09:19:09.360-0800)
///// QueryTag: airrecorder.command=10m,show ap active
///// Command: show ap active
///// Section: Stdout
Active AP Table
---------------
Name     Group            IP Address  11g Clients  11g Ch/EIRP/MaxEIRP  11a Clients  11a Ch/EIRP/MaxEIRP  AP Type  Flags  Uptime       Outer IP
----     -----            ----------  -----------  -------------------  -----------  -------------------  -------  -----  ------       --------
AP225-3  Renaissance_APs  10.8.7.115  0            AP:HT:6/12/21        0                                 225      Ada    15h:21m:59s  N/A
AP225-6  Renaissance_APs  10.8.7.116  0            AP:HT:1/12/21        8            AP:VHT:149+/15/22    225      Ada    15h:22m:13s  N/A
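As an added example (not part of AirRecorder or the deck), a small Python parser that splits a log written in the “///// Header: value” record layout shown above into per-command records, computes how long each poll took from the LocalBeginTime/LocalEndTime stamps, and reports the slowest one; the sample log is constructed and its AP table body is abbreviated.

```python
import re

# Constructed sample log in the AirRecorder "///// Header: value" layout (not real output).
SAMPLE_LOG = """\
/////
///// Message: RESULT
///// Status: 1937
///// LocalBeginTime: 1384276748945 (2013-11-12T09:19:08.945-0800)
///// LocalEndTime: 1384276749360 (2013-11-12T09:19:09.360-0800)
///// QueryTag: airrecorder.command=10m,show ap active
///// Command: show ap active
///// Section: Stdout
Active AP Table
AP225-3 Renaissance_APs 10.8.7.115
/////
///// Message: RESULT
///// Status: 0
///// LocalBeginTime: 1384276750000 (2013-11-12T09:19:10.000-0800)
///// LocalEndTime: 1384276750500 (2013-11-12T09:19:10.500-0800)
///// QueryTag: airrecorder.command=5m,show user-table
///// Command: show user-table
///// Section: Stdout
(no users)
"""

HEADER = re.compile(r"^///// (\w+): (.*)$")

def parse_airrecorder_log(text):
    """Split the log at each bare '/////' line; return one dict per record holding the
    header fields (time stamps as epoch ms ints), 'stdout' (body lines) and 'duration_ms'."""
    records, current = [], None
    for line in text.splitlines():
        if line == "/////":                      # record separator
            current = {"stdout": []}
            records.append(current)
        elif current is not None:
            m = HEADER.match(line)
            if m:
                key, value = m.groups()
                current[key] = int(value.split()[0]) if key.endswith("Time") else value
            else:
                current["stdout"].append(line)  # command output follows the headers
    for rec in records:
        if "LocalBeginTime" in rec and "LocalEndTime" in rec:
            rec["duration_ms"] = rec["LocalEndTime"] - rec["LocalBeginTime"]
    return records

def slowest_command(records):
    """Command whose capture took longest: a quick check for a CLI poll that is itself costly."""
    return max(records, key=lambda r: r.get("duration_ms", 0))["Command"]
```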

AirRecorder


802.11ac Capture Tools


• Limited options for Windows users

– Linksys AE6000 – but single stream

– No multi stream options at this point

• Aruba AP-22x packet capture

– Can decode as “PEEKREMOTE” but the plugin is a bit buggy

• Wildpackets Omnipeek

– beta driver for Linksys AE6000 (1 stream 11ac) NIC available

Known 802.11ac Capture Tools


• New Macbook Air (2 stream 11ac) or Macbook Pro (3 stream 11ac)

– Enabled through Wireless Diagnostics → Utilities → Frame Capture

– Wireless Diagnostics can be found by clicking on “Option” + “Wi-Fi icon” → Wireless Diagnostics

– Saved to a .wcap file that can be opened by Wireshark

Known 802.11ac Capture Tools


In conclusion


[email protected]

– One email address for all products

– You can always request your ticket to be moved to another time-zone

– Upload files directly to the case via the support portal

– Avoid unicasting emails/attachments to support staff

• Using reply-all will get more eyes on your issue

• Always call support for urgent issues

• Please exercise caution when making changes

– Always move your backups off the controllers/servers

– When tweaking, incrementally add changes


Takeaways

TAC Quick Reference Guide

– https://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=1371

Validated Reference Designs (VRD)

– http://www.arubanetworks.com/technology/reference-design-guides/

Airheads Social

– http://community.arubanetworks.com/

Aruba Knowledge Base

– https://kb.arubanetworks.com/

Raise a ticket for any product, RMA, anything!

[email protected]

Requests for Enhancements (RFE)

– Please discuss with your SE/Sales team

Outdoor planner tool

– https://outdoorplanner.arubanetworks.com/


Thank You