Wireless LAN Controller - SNMP configuration limitation

Requirement

·         Requirement is to manage the WLC (5508 with 7.4 code) using two SNMP managers in different locations. Also these two Servers should use the same community string to manage WLC.

Observation

·         We were able to configure the SNMP community string for one server IP (to allow access) through GUI

·         While trying to add another Server – IP with same community string – it didn’t allow

·         As per the configuration guide, Controller can use only one IP address range to manage SNMP community.

·         So we cannot configure the same community string to allow only two different server IP addresses

Configuration reference>

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_0111.html

Solution

·         We currently configured the major subnet ( 10.x / 8 - two match both server addresses) and it works fine

·         Also when we tried  0.0.0.0 / 0.0.0.0 , it didn’t work (SNMP was failing)

But this creates a security issue wherein any SNMP manager can poll the WLC. 

SSL Optimization Issue - in Steelhead

We encountered a problem with HTTPs optimization after replacing the existing appliance. We installed the SSL license on the appliance. We trusted the certificates in both server side and client side appliances – it was listed under Self signed peer gray list. Still the optimized connections were having “protocol error” - ssl handshake between the client and server side appliances were failed. We could see below logs.

May 28 15:53:00 COGINKOLBANRVBS1 sport[1884]: [io/outer/prod.ERR] 2395632 {10.243.171.105:52695 10.242.29.27:7884} Err while reading: Connection timed out

May 28 15:53:01 COGINKOLBANRVBS1 sport[1884]: [sslinnerchan/client.WARN] 3367929 {10.236.145.63:42635 10.242.237.31:443} SSL inner channel with the server-side steelhead at IP: 10.242.31.173 cannot be established because the ssl handshake with the server-side steelhead probably failed very recently

May 28 15:53:01 COGINKOLBANRVBS1 sport[1884]: [sslinnerchan/client.WARN] 3367929 {10.236.145.63:42635 10.242.237.31:443} - most likely due to a misconfiguration of trust between the steelheads.

May 28 15:53:01 COGINKOLBANRVBS1 sport[1884]: [sslinnerchan/bypass_table.WARN] - {- -} Temporarily disabling interception of traffic for 10.242.237.31:443 - Misconfiguration of inner SSL security between client-side and server-side Steelhead appliances

We had seen similar issues at the initial deployment times and we used to remove the certificates and trust the same again (when it pops under gray list). But this doesn’t help this time. We also restarted the services – still issue remains.

Finally we added peer appliance certificate “PEM file” under the “peering trust” manually in both appliances and SSL optimization started working immediately

Aruba Support Details

TAC Contact Details

India: 0008004402249
Email: support@arubanetworks.com
         ArubaTAC responds to email technical support questions within one (1) business day. 



To manage Aruba product licenses, please go to: licensing.arubanetworks.com
 

Generating Logs

To generate 'logs.tar' along with 'tech-support' information on the controller for TAC analysis, follow these steps from the CLI or WebUI.

From CLI

1) Configure a TFTP server, which is routable from the controller's interface.

2) SSH, or Telnet (if enabled), to switch from your management terminal and enter these commands:

(Aruba)#tar logs tech-support

(Aruba)#copy flash: logs.tar tftp: < TFTP server IP> logs.tar

This should save the file to TFTP server's root folder.

3) Upload the file to the support site or send it to the support engineer working with you.

From WebUI

1) Logon to the Web UI of the controller(s).

2) Go to Maintenance > Copy logs > Download Logs > and check 'Include Technical support Information'> and click Apply.

3) Save this log to your system.

Packetshaper Support Details

TAC Contact Details

Bluecoat - Packetshaper TAC for INDIA

Technical Support:

    +60-3-2687-7501

    000-800-440-1951 (toll-free)

Duty Manager:

    +1 408-541-3700

    000-800-440-1952 (toll-free)

Customer Care:

    +60-3-2687-7501 #3

    000-800-440-1951 #3 (toll-free)

 Logs to be collected before opening a case

1. The output of the following commands will create a ts.zip file that will contain the unit’s configuration, diagnostic and log files. Please copy and paste following commands into Packetshaper command line.   

zip -r ts.zip 9.258/diag 

zip -r ts.zip 9.256/log

zip -r ts.zip 9.256/cfg

2. The ts.zip file will be created at the current working directory.  You can download the file to your computer by navigating to the correct directory using FTP or retrieve the file via ‘file browser’ at the ‘info’ tab of Packetshaper web interface (from ‘file browser’, go to the correct directory, right click on the ts.zip file and save to your computer).

 

F5 Support Details

TAC Contact Details

Support Contact Number for INDIA: 000-800-650-1448

Mail: support@f5.com

Web: support.f5.com

Logs to be collected before opening a case

The qkview utility is a script that automatically collects configuration and diagnostic information from BIG-IP, 3-DNS, and Enterprise Manager systems. The information is gathered into a single file, which can then be provided to F5 Networks Technical Support to aid in troubleshooting. F5 Networks Technical Support requires qkview output in all cases where remote access to the product is not available

To run qkview from the Configuration utility, perform the following procedure:

Important: The qkview script runs a large number of commands when collecting information. This behavior may cause an additional performance burden on systems that are already heavily loaded. If this is a concern for your system, run qkview from the command line and refer to the Command line options (BIG-IP versions 10.x) or Command line options (BIG-IP versions 9.x) section for information about reducing the performance impact of qkview.

• Log in to the Configuration utility.
• Expand the System menu.
• Click Support.
• The QKView option will already be selected.
• Click the Start button.
• When prompted, click the Download Snapshot File button to download the output file.

AskF5 | Solution: SOL1858 - Overview of the qkview utility https://support.f5.com/kb/en-us/solutions/public/1000/800/sol1858.print.html

Also refer the below link for Information required when opening a support case

https://support.f5.com/kb/en-us/solutions/public/2000/600/sol2633.html

Riverbed Support Details

TAC Contact Details

Web:                support.riverbed.com

Phone:              000.800.001.6524 (India – Toll free)

Email:               support@riverbed.com

Skype ID:          riverbed.support (Call TAC through Skype, no chat)

 Logs to be collected before opening a case

System dump can be generated and provided for initial troubleshooting.

1. Choose Reports > Diagnostics > System Dumps to display the System Dumps page.

2. Click Download Link to view a previously saved system dump.

3. Select the filename to open a file or save the file to disk.

4. Click Include Statistics (this option is enabled by default).

5. Optionally, click Include All Logs.

6. Optionally, click Include RSP.

7. Click Generate System Dump to generate a new system dump.