Convert Cisco Lightweight AP to Mobility Express

Hi all

Today I’m going to write a short post on how to convert a lightweight AP to an Mobility Express AP. It’s a very simple process and only takes a few minutes to complete.

First you need to download the ME image from the Cisco webpage. Extract the compressed file to a TFTP server.

Login to the AP with console access using Cisco / Cisco as username and password (this is offcourse only if you haven’t changed the password on the AP.

ap-type mobility-express tftp://<TFTP Server IP>/<filename>

When the file is uploaded the AP will reboot and load the new image. The AP will use 2 IP’s. 1 for the ME and 1 for the AP.

During my upgrade I had one issue. It failed repeatedly and I worked a while before I discovered the reason.

Image transfer complete.
Image downloaded, writing to flash...
do CHECK_ME, part1 is active part
upgrade.sh: Error: image not found.
+ do_upgrade CHECK_ME
+ [ ! -r /tmp/part.tar ]
+ loudlog Error: image not found.
+ logger -p 0 -t upgrade Error: image not found.
+ echo upgrade.sh: Error: image not found.
upgrade.sh: Error: image not found.
+ return 1
+ status=1
+ set +x
Error: Image update failed.

I read on the internet that this error could be caused due to lack of space. I had free space left so I could quickly rule that issue out. I have another ME in the same network, it seems that the ME image can’t be uploaded when there is an ME of the same L2 network as the ME you are trying to install. The issue I had dissapeared when I disconnected the other ME.

After the upgrade has been completed the ME will reboot and start a setup wizard.

Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 127 characters): ********
Re-enter Administrative Password                 : ********
System Name [Cisco-dcf7.193e.4c00] (24 characters max): hostname
Enter Country Code list (enter 'help' for a list of countries) [US]: NO
Configure a NTP server now? [YES][no]: yes
Use default NTP servers [YES][no]:
Enter timezone location index (enter 'help' for a list of timezones): 14
Management Interface IP Address Configuration [STATIC][dhcp]: dhcp
Create Management DHCP Scope? [yes][NO]:
Employee Network Name (SSID)?: SSIDName
Employee Network Security? [PSK][enterprise]:PSK
Employee PSK Passphrase (8-63 characters)?: ***********
Re-enter Employee PSK Passphrase: ***********
Enable RF Parameter Optimization? [YES][no]:
Client Density [TYPICAL][Low][High]:
Traffic with Voice [NO][Yes]:

Configuration correct? If yes, system will save it and reset. [yes][NO]: yes

Configuration saved!

There is a few things that you need to get correct when going trough the options. The first one is country code. This is important to have correct freqency since it need to meet the local regulations. Since my AP’s are in Norway I choose NO as the country code.

The second one is the management interface. You can choose to have it set to static or dhcp. I normally set these ME’s up for clients and configure them with DHCP. If you choose DHCP it’s important to note the correct DHCP address when the ME boots up. As previously mentioned the AP will request 2 IP’s. 1 for the ME and 1 for the CAPWAP AP.. After the bootup you should see the following output

[*08/01/2019 17:24:33.6830] ethernet_port wired0, ip 192.168.50.108, netmask 255.255.255.0, gw 192.168.50.1, mtu 1500, bcast 192.168.50.255, dns1 195.159.0.100, dns2 8.8.8.8, domain hjortsenter.internal, vid 0, static_ip_failover false, dhcp_vlan_failover false
[*08/01/2019 17:24:33.6930] chatter: MeshNat: config_ip IP=192.168.50.108 mask=255.255.255.0 GW=192.168.50.1
[*08/01/2019 17:24:38.7614] ethernet_port wired0, ip 192.168.50.110, netmask 255.255.255.0, gw 192.168.50.1, mtu 1500, bcast 192.168.50.255, dns1 195.159.0.100, dns2 8.8.8.8, domain test.internal, vid 0, static_ip_failover false, dhcp_vlan_failover false
[*08/01/2019 17:24:38.7814] chatter: MeshNat: config_ip IP=192.168.50.110 mask=255.255.255.0 GW=192.168.50.1
[*08/01/2019 17:24:41.8004] AP IPv4 Address updated from 0.0.0.0 to 192.168.50.110

The first IP in my example is the IP for the ME (192.168.50.108)
The last IP is for the CAPWAP (192.168.50.110)

Advertisements

Rebooting a switch in a stack

During some recent switch replacement work I did I noticed not all my stacks had the correct IOS version, or wai. The correct thing to say would be that one of the switches did not have the correct IOS version. The resone for this was that I upgraded to the correct IOS before I created the stack and then connected the second switch to the stack. When the second switch got connected the stack was left with 2 IOS versions.

To solve this issue I used the archive download-sw command to download only the new OS to the switch. To do this I first run show version to know the stack number of the switch.
iosshversion

From the show version I could get the stack number of the switch that needs the IOS upgrade. Be aware that the screenshot is showing the IOS version the same on all switches, so there is no difference in the screenshot. In my blog post I wanted to upgrade switch 2.

archive download-sw /destination-system 2 tftp://1.1.1.1/IOS.tar

To complete the upgrade and not to reboot the whole switch you enter the command

reboot slot 2

This will only reboot the switch that has the stack number specified.

Downgrading from Lightweight AP to Autonomous AP

Hi all

Today I did something new to me. I did a downgrade from a lightweight AP to an standalone AP remotely. I have previously used the old method with the console cable and TFTP server at a local network (until yesterday I only knew about this method). Today I did not have that possibilty and I then took advantage of the following command:

config ap tftp-downgrade tftp-server-ip-address filename access-point-name

You enter the command into the controller and it then starts the downgrade. But there is one thing that bothers me, you can’t monitor the process. My AP’s are located on boats with an controller in the datacenter. They have been running flexconnect but I wan’t to turn them into standalone AP’s since that works better for the solution I have on the boats. The problems is that the boats has low bandwidth and they loose the connection  from time to time. For the TFTP downgrade it seemed fine with a 30 sec downtime for the transfer but I got some issues when it was above that. So how do I monitor the downgrade of the AP?

The solution was to log into the AP by SSH and check that the AP contained an upgrade folder in the flash. The command to do this is:

dir flash:

If the folder upgrade shows up in the list it should be working on an upgrade, normally if the upgrade fails the folder is autmaticly deleted. But I have seen this does not always happen. You could the check the files inside the upgrade folder and look for a change in the filesize. If you type “dir flash:update/<version-folder>” you should see the filesize of normally the last file change every second. I have added an example below where you can see the filesize of  8005.img is 627200.

boat-wl-01#dir flash:update/ap1g2-k9w7-mx.153-3.JC
Directory of flash:update/ap1g2-k9w7-mx.153-3.JC/

22 -rwx 123464 May 12 2016 10:14:52 +00:00 ap1g2-k9w7-mx.153-3.JC
 24 drwx 64 May 12 2016 10:14:52 +00:00 html
 253 -rwx 9029888 May 12 2016 10:45:05 +00:00 ap1g2-k9w7-xx.153-3.JC
 254 -rwx 627200 May 12 2016 10:46:58 +00:00 8005.img

31808000 bytes total (8753152 bytes free)

If you look at the text below you can also see that the size is changing for the file 8005.img. In the example below the filesize is 833536.

boat-wl-01#dir flash:update/ap1g2-k9w7-mx.153-3.JC
Directory of flash:update/ap1g2-k9w7-mx.153-3.JC/

22 -rwx 123464 May 12 2016 10:14:52 +00:00 ap1g2-k9w7-mx.153-3.JC
 24 drwx 64 May 12 2016 10:14:52 +00:00 html
 253 -rwx 9029888 May 12 2016 10:45:05 +00:00 ap1g2-k9w7-xx.153-3.JC
 254 -rwx 833536 May 12 2016 10:47:39 +00:00 8005.img

31808000 bytes total (8546816 bytes free)

 

Examples of issues I got when testing other ways of downgrading:

I tried to do the downgrade directly from the AP while downgrading from the WLC at the same time ( I thought the downgrade from the WLC failed). It then gave me the following error:

boat-wl-01#archive download-sw tftp://172.17.76.231/ap1g2-k9w7-tar.153-3.JC.tar
Unable to create temp dir "flash:/update"
Download image failed, notify controller!!! From:8.0.121.0 to 8.2.100.0, FailureCode:7

Obviously that won’t work but the command itself should work, but I liked more doing it from the controller. I just found it easier that way.

If you try several times to downgrade from the controller you will see the following message in the event log of the lightweight AP:

*May 12 10:18:09.351: lwapp_image_proc: encounter flash problem, retry here
*May 12 10:18:09.351: lwapp_image_proc: encounter flash problem, retry here
*May 12 10:18:09.351: lwapp_image_proc: encounter flash problem, retry here

 

Problems with NSM after schema upgrade.

The other day we upgraded the schema on our NSM server from 327 to 329. After the upgrade the devices was not able to connect to our NSM anymore. In the deviceDeamon I got the following error:

[Notice] [3078149840-connectionMgr.c:2329] SSH Protocol is not enabled -- DeviceBroker is not ready for incoming device connection.
[Notice] [3078149840-connectionMgr.c:2318] Incoming TCP connection from SSH, device ip x.x.x.x
[Notice] [3078149840-connectionMgr.c:2329] SSH Protocol is not enabled -- DeviceBroker is not ready for incoming device connection.
[Notice] [3078149840-connectionMgr.c:2318] Incoming TCP connection from SSH, device ip x.x.x.x
[Notice] [3078149840-connectionMgr.c:2329] SSH Protocol is not enabled -- DeviceBroker is not ready for incoming device connection.
[Notice] [3078149840-connectionMgr.c:2318] Incoming TCP connection from SSH, device ip x.x.x.x
[Notice] [3078149840-connectionMgr.c:2329] SSH Protocol is not enabled -- DeviceBroker is not ready for incoming device connection.
[Notice] [3078149840-connectionMgr.c:2318] Incoming TCP connection from SSH, device ip x.x.x.x
[Notice] [3078149840-connectionMgr.c:2329] SSH Protocol is not enabled -- DeviceBroker is not ready for incoming device connection.

I didn’t know that a simple schema upgrade could do something to the NSM that would not allow the devices to connect so I ended up contacting JTAC support. When I got a support engineer and explained him the issue he found another error message in the guiDaemon. The error was “DC not connected”.

After a while with troubleshooting the engineer discovered that the issue was the RSA key that is responsible for the communication between the NSM services  and the guiDaemon and devDaemon. The engineer then navigated to devSvr.cfg under /usr/netscreen/DevSvr/var and deleted the RSA keys (ourRsaPrivateKey and theirRsaPublicKey).

After that all the devices in some magical way connected again!

dst-port error in NSM

I got a new error while updating a SRX650 from the Juniper Network and Security Manager. The error started after I upgraded the SRX650 to 12.1X47-D30. The error I got is shown below:

Error Code: 

Error Text:
   Update fails UpdateDevice Results
sanityCheckCmd Success.
lock Success.
GenerateEditConfig Failed .
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X47/junos" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
   <rpc-error>
      <error-severity>error</error-severity>
      <error-info>
         <bad-element>dst-port</bad-element>
      </error-info>
      <error-message>syntax error</error-message>
   </rpc-error>
   <rpc-error>
      <error-severity>error</error-severity>
      <error-info>
         <bad-element>dst-port</bad-element>
      </error-info>
      <error-message>syntax error</error-message>
   </rpc-error>
</rpc-reply>


unlock  Success .


Error Details:
   

Logs:
<configuration>
  <version>12.1X47-D25.4</version>
  <system>
    <host-name>casur-srx650-cluster</host-name>
  </system>
  <security>
    <nat>
      <destination>
        <rule-set>
          <name>ca-camera</name>
          <rule>
            <name>camera-01-8200</name>
            <dest-nat-rule-match>
              <destination-port operation="delete">
                <name>8200</name>
              </destination-port>
              <destination-port operation="create">
                <dst-port>8200</dst-port>
              </destination-port>
            </dest-nat-rule-match>
          </rule>
        </rule-set>
      </destination>
    </nat>
  </security>
</configuration>

It’s saying that the destination nat section has problems setting the dst-port. For some reason it was deleting the value and creating it with a new command (dst-port).

I then checked the supported Junos versions on the NSM and I discovered that the last supported version was 12.1X47-D25. Did the downgrade and updated the OS in the NSM. Still the same error as before.

Spoke to JTAC and they informed me that this error was known and that it would help downgrading to D15. This was due to a changed command in Junos. I downgraded to D15 but still the same issue. Researched a bit myself and discovered that it was introduced between X46 and X47.

Earlier it had not been possible to downgrade the versions in NSM. But for some reason I was able to do it now. First from D30 to D25, and after that from X47D15 to X46D40. When I reached  X46D40 I was able to run the update and everything was working.

Could not connect to node1 : No route to host

Today I had some issues when working on a SRX650. We had to replace the Services and Routing Engine a few days ago. When I was supposed to get the cluster back online I got the following error message when trying to run a few of the commands on the device:

Could not connect to node1 : No route to host

I got this error when typing show interface ge-0/0/2. I also entered the command on the node1 so I felt it was a bit strange that node1 could not connect to node1.

The firewall was also saying that it was in a hold mode

{hold:node1}

So it was not showing as secondary or primary. It was keeping this status all the time and didn’t try to go to any other modes while the issue was occuring.

The reason for my issues was that I had not deleted all the default config from the new Service and Routing engine card that we got. My config was not correct for all the cluster ports since some of the ports in the cluster is dedicated to cluster services (on the SRX650 it is ge-0/0/0 (fxp0) and ge-0/0/0 (control plane)). These ports are not to be configured as network ports and that is the reason for my issues. When I deleted the config and set a default root authentication password everything was connected. When I did a commit from the primary node the config was correct on both devices and everything connected succesfully.

During my search on the internet I read that some people also forgot to set the reth-count and got the same error. The command to set the number of reth interfaces is:

set chassis cluster reth-count 4

A great source for more information is the following chapter of the book “Juniper SRX Series” written by Brad Woodberg and Rob Cameron.

http://chimera.labs.oreilly.com/books/1234000001633/ch07.html#activating_juniper_services_redundancy

Problems with HP Port Replicator 3005pr

I had some issues with the screens and usb devices after upgrading from Windows 8 to Windows 10 the other day. It was only one screen that was working and none of the USB devices where working.

When trying to update the driver for HP Port Replicator 3005 pr I got the following error message: “A previous uninstall of HP Port Replicator Software is not yet complete. Please reboot your computer and run this installer again to installation.”

I tried several solutions to solve the issue but none of the ones I found on the internet helped me. Most of the problems was solved with the compability mode but for some reason that was not good enough for me. After some troubleshooting I discovered that it failed during the update of the displaylink software. I then downloaded the Display Link software manually and tried to run the setup. I got a message saying that the installation had failed (I don’t have a screenshot or the correct words).

When I did the complete uninstall of the DisplayLink software I was able to install the port replicator driver. The uninstall software can be found here. The software is named “DisplayLink Installation Cleaner” and starts a command window where you will press enter to remove the old software.