AP's on WAN side of Firewall don't upgrade

  • 0
  • 1
  • Question
  • Updated 2 years ago
  • Answered
I have several AP's at a remote site. They are accessing the controller through a public IP. I have no issues with this. The issue appears when I try to upgrade the controller. The AP's do not update and they fail. They are found in the controller. However, they don't get a channel and are inaccessible to the remote clients as they don't see a SSID. Is there a port I need to open on the firewall to handle the upgrade of AP's?
Photo of Tim Senaldi

Tim Senaldi

  • 120 Points 100 badge 2x thumb

Posted 2 years ago

  • 0
  • 1
Photo of JP

JP

  • 984 Points 500 badge 2x thumb
It sounds like you might have something else going on if the ssid's are not broadcasting, but I have never been able to upgrade remote AP's through a NAT on a firewall.  I ended up doing a site-to-site VPN after several conversations with GTAC.  This was 1+years ago, so maybe this has been added in newer code, but I have not tried.    I also think you can run an FTP server locally and get the code that way, but I don't have  the commands for doing this, probably need to contact GTAC about this.
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 45,132 Points 20k badge 2x thumb
(Edited)
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 45,132 Points 20k badge 2x thumb
In the GUI go to > AP > Global Settings > AP Maintenance > Upgrade Behavior

Set it to "upgrade when AP connects using settings from controlled upgrade"

This will disable the software upgrade on the APs = APs will run the old software.
But that should bring up the WLAN/SSID.

What is the version you've upgraded the controller to?

-Ron
Photo of Steve Ballantyne

Steve Ballantyne

  • 5,566 Points 5k badge 2x thumb
I think what Tim is saying is that his AP's are at a remote site behind a firewall (using NAT) but they access the controller with a public IP address (which too, is probably NAT'd). This is the setup that I just got up and running with. It works well, but I was told explicitly that you cannot upgrade your AP's in this configuration (yet).

The problem is that the AP is sending "authorize firmware version" requests to the controller, and the controller is saying "no, you need to upgrade". The AP tries, but then the TFTP will fail every time. I think support may actually be working on that (from what I hear from support).

I resolved this on two different locations using two different fixes. 1) Brought the AP on site, let it upgrade, took it back to where it came from, and 2) I logged into the AP remotely with ssh and downloaded the firmware from a TFTP server (tftpd) running on a PC local to the AP. You can find instructions for that here.
(Edited)