Solved

Problem with AP7131 and XIQ


Hi. I cannot connect the AP7131 (wing) to the XIQ account. I do as below and unfortunately my VC doesn't connect to XIQ. What am I doing wrong?

https://extremeportal.force.com/ExtrArticleDetail?an=000079429&q=show%20run%20nsight-policy%20xiq

 

 


Best answer by Christopher Frazee 4 May 2021, 21:33

I just tested AP7131 v5.8.6.13 VC and no issues with onboarding to XIQ:

The error that you provided is due to NO valid DNS entries on the AP. 


18 replies

Userlevel 4

Only Wing7 APs can connect to XiQ.

And this old thing is not Wing7 compatible.

Hi PeterK. Thank you for the answer, but I found other information about the compatibility of devices with wing 5. Are you sure the XIQ is incompatible with the Wing 5 - firmware in a specific version for the AP model?

https://docs.aerohive.com/330000/docs/help/english/ng/Content/learning-whats-new.htm

 

 

Userlevel 4

oh, ok…

That was what I heard in an Extreme webcast. But it’s possible that I’m wrong...

Userlevel 5

Hi Kosiarek,

Is this AP managed by a controller or VC (AP-based controller)? Standalone APs can’t be onboarded in XIQ. You either need to have this AP managed by a controller/VC or if this is a standalone AP, set it up as a VC and you should be able to onboard it. 

If it is, in fact, a controller/VC managed AP, you can use the following command to check if the controller/VC is sending the data to XIQ. The successful output should look like the following:

Lab-VX#service show nsight client-log

Wed Apr 21 18:26:55 2021 sending event data
Wed Apr 21 18:25:54 2021 sending rfd info
Wed Apr 21 18:25:53 2021 sending wlan info
Wed Apr 21 18:25:53 2021 sending device info
Wed Apr 21 18:25:53 2021 update info start
Wed Apr 21 18:25:53 2021 server wait = 0

 

Regards,

Ovais

Thanks Ovais for the answer. I have this AP configured as VC. Below is a screenshot and my startup configuration. Tried nsight policy with and without "... force verification". Unfortunately, my VC does not connect to the XIQ account.

 !
! Configuration of AP7131 version 5.8.6.13-002R
!
!
version 2.5
!
!
client-identity-group default
 load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
 permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
 no stateful-packet-inspection-l2
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
!
!
management-policy default
 no telnet
 no http server
 https server
 ssh
 user admin password 1 31bea27a0267a71db0bd84325a0122274bbebd88437152623cb6e7a5f93e5001 role superuser access all
 snmp-server community 0 private rw
 snmp-server community 0 public ro
 snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
 snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
!
l2tpv3 policy default
!
nsight-policy XIQ
 server host nl-gcp-wing.extremecloudiq.com https
!
profile ap71xx default-ap71xx
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ikev2 policy ikev2-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface radio3
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface wwan1
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 logging on
 service pm sys-restart
!
rf-domain default
 country-code pl
 use nsight-policy XIQ
!
self
! ap71xx B4-C7-99-47-01-04
 radio-count 2
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-470104
 license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
 no adoption-site
 use nsight-policy XIQ
 interface vlan1
 virtual-controller
 rf-domain-manager capable
!
ap71xx B4-C7-99-47-1B-40
 radio-count 2
 use profile default-ap71xx
 use rf-domain default
 hostname ap71xx-471B40
 license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
 no staging-config-learnt
 model-number AP7131
 adoption-site B4-C7-99-47-01-04
!
ap71xx B4-C7-99-47-1B-54
 radio-count 2
 use profile default-ap71xx
 use rf-domain default
 hostname ap71xx-471B54
 license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
 model-number AP7131
 adoption-site B4-C7-99-47-01-04
 interface vlan1
  ip address 192.168.0.251/24
!
!
end

Userlevel 5

I see that you have the nsight policy applied in rf domain as well as in self context of the VC AP. Please remove the nsight policy from VC AP self context and only apply it in rf domain config. When done commit write to save settings.

Afterward, unmap the nsight policy from rf domain, delete current nsight policy and create a new one with a different name and map it to rf domain. This time use “server host <rdc-url> https enforce-verification poll-work-queue”, depending on the firmware, you may not have the option of poll-work-queue.

Finally, use “service show nsight client-log” to check if it’s sending stats.   

 

Regards,

Ovais

Hi Ovais. Thank you for helping me. I did as you wrote. I do not understand why AP displays an error communicating with the extremecloudiq server when starting up. After logging in, this server responds to the ping. Below is a screenshot and the current startup-config.

 

!
! Configuration of AP7131 version 5.8.6.13-002R
!
!
version 2.5
!
!
client-identity-group default
 load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
 permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
 no stateful-packet-inspection-l2
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
!
!
management-policy default
 no telnet
 no http server
 https server
 ssh
 user admin password 1 31bea27a0267a71db0bd84325a0122274bbebd88437152623cb6e7a5f93e5001 role superuser access all
 snmp-server community 0 private rw
 snmp-server community 0 public ro
 snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
 snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
!
l2tpv3 policy default
!
nsight-policy cloudiq
 server host nl-gcp-wing.extremecloudiq.com https enforce-verification
!
profile ap71xx default-ap71xx
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ikev2 policy ikev2-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface radio3
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface wwan1
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 logging on
 service pm sys-restart
!
rf-domain default
 country-code pl
 use nsight-policy cloudiq
!
self
! ap71xx B4-C7-99-47-01-04
 radio-count 2
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-470104
 license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
 no adoption-site
 interface vlan1
 virtual-controller
 rf-domain-manager capable
!
ap71xx B4-C7-99-47-1B-40
 radio-count 2
 use profile default-ap71xx
 use rf-domain default
 hostname ap71xx-471B40
 license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
 no staging-config-learnt
 model-number AP7131
 adoption-site B4-C7-99-47-01-04
!
ap71xx B4-C7-99-47-1B-54
 radio-count 2
 use profile default-ap71xx
 use rf-domain default
 hostname ap71xx-471B54
 license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
 model-number AP7131
 adoption-site B4-C7-99-47-01-04
 interface vlan1
  ip address 192.168.0.251/24
!
!
end
 

Regards

Greg

Userlevel 5

Hi Greg,

Your “Service show nsight client-log” output looks good and the AP should be sending stats to the XIQ instance. That error message could be due to an initial communication/handshake.

Could you confirm that you were able to add the AP to the XIQ using the VC AP's MAC address (without hyphens) and now the data is shown?

 

Regards,

Ovais

Hi Ovais. Thank you for your answer, I'm glad you are helping me. Of course, this AP is added to the XIQ account - screenshots below.

 

Regards

Greg

Userlevel 5

Greg,

Maybe you can delete and onboard the AP again. Another thing I am seeing is the AP build. As per XIQ help docs the release should be 5.8.6.11, whereas the other field docs have release 5.8.6.13 mentioned as the supported build for AP7131. Not sure if you could downgrade to 5.8.6.11 and test it out.

Ensuring that nothing is blocking the HTTPS traffic in your network will be a good idea as well. 

To further debug it, please send the output after enabling the nsight debug on the VC AP:

 

HLab-VX9K#debug cfgd nsight
HLab-VX9K#logging monitor debugging
HLab-VX9K#show logging

 

Regards,

Ovais

 

 

Hi Ovais. Thank you for your response. Earlier I tried with version 5.8.6.11 - unfortunately also without results ... Below are logs from 5.8.6.11 and 5.8.6.13 - as I understand they confirm correct communication? I removed AP from XIQ and then added it again - unfortunately no results. Below are screenshots of both firmware versions and the updated startup-config from 5.8.6.11.

Logs from 5.8.6.13

Logs from 5.8.6.11

!
! Configuration of AP7131 version 5.8.6.11-006R
!
!
version 2.5
!
!
client-identity-group default
 load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
 permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
 no stateful-packet-inspection-l2
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
!
!
management-policy default
 no telnet
 no http server
 https server
 ssh
 user admin password 1 31bea27a0267a71db0bd84325a0122274bbebd88437152623cb6e7a5f93e5001 role superuser access all
 snmp-server community 0 private rw
 snmp-server community 0 public ro
 snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
 snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
!
l2tpv3 policy default
!
nsight-policy cloudiq
 server host nl-gcp-wing.extremecloudiq.com https enforce-verification
!
profile ap71xx default-ap71xx
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface radio3
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface wwan1
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 logging on
 service pm sys-restart
!
rf-domain default
 country-code pl
 use nsight-policy cloudiq
!
self
! ap71xx B4-C7-99-47-01-04
 radio-count 2
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-470104
 license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
 no adoption-site
 interface vlan1
 virtual-controller
 rf-domain-manager capable
!
ap71xx B4-C7-99-47-1B-40
 radio-count 2
 use profile default-ap71xx
 use rf-domain default
 hostname ap71xx-471B40
 license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
 no staging-config-learnt
 model-number AP7131
 adoption-site B4-C7-99-47-01-04
!
ap71xx B4-C7-99-47-1B-54
 radio-count 2
 use profile default-ap71xx
 use rf-domain default
 hostname ap71xx-471B54
 license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
 model-number AP7131
 adoption-site B4-C7-99-47-01-04
 interface vlan1
  ip address 192.168.0.251/24
!
!
end

 

Regards

Greg

 

Userlevel 4

I don’t have much experience on the WiNG side, but as Ovais said, is traffic definitely not being blocked by a firewall for instance? Whilst you can ping and resolve the server name, the log does show port 443 on the connection to the NL-GCP server so I’d check that just in case that it’s allowing the connection through.

Userlevel 5

I have recently learnt that WiNG VC support in XIQ is being discontinued, and moving forward only WiNG controller-based deployments are supported. The issue you have been facing is probably because of that. 

I haven’t seen any official notification yet and would recommend you open a GTAC case to get an official statement on it.   

 

Regards,

Ovais

Userlevel 5

I have checked with the Extreme Wireless Product Line Manager (PLM) team and received the following:

There are NO plans to deprecate WING management from XIQ. WING VC visibility is and will continue to be supported in XIQ.

WING VC is however not supported in Universal AP models (305C/X, AP410C/S6/S12, AP302W). 

 

Userlevel 5

I just tested AP7131 v5.8.6.13 VC and no issues with onboarding to XIQ:

The error that you provided is due to NO valid DNS entries on the AP. 

Hi. Thank you so much for help. Christopher, thanks for checking the possibility of connecting AP7131 to XIQ. DNS seems okay - DHCP assigned addresses as below. Moreover, as you can see, it resolves names correctly.

Ash, Ovais - I checked the router configuration once again - I do not limit the traffic on the ports there. Somehow I did not think before that my ISP can cut selected ports. My LTE router gets an address from DHCP, which is routed inside the provider's network to another address as below. Unfortunately, it looks like key ports are closed there. In fact, it would explain why my VC cannot be connected to the XIQ. I do not understand how my AP305 properly connected to XIQ the same way - if the ports are blocked.

Regards

Greg
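The three explanations raised in this thread (no valid DNS, port 443 filtered upstream, failure during the HTTPS handshake) can be told apart from any host behind the same router. The script below is an added example, not code from any poster or from Extreme; the function name `triage` is hypothetical, and it assumes a Python 3 host whose trust store may differ from the AP's, so a result from a PC is indicative only.

```python
import socket
import ssl

# Hostname from the nsight-policy posted in this thread; 443 is the port seen in the logs.
XIQ_HOST = "nl-gcp-wing.extremecloudiq.com"


def triage(host, port=443, timeout=5.0, context=None):
    """Return (stage, detail) for the first stage that fails, or ("ok", detail).

    "dns": the name does not resolve (no usable DNS servers on this network)
    "tcp": resolved, but the port is refused or silently dropped (upstream filter)
    "tls": TCP connects, but the handshake or certificate validation fails
    """
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)

    try:
        # A timeout here usually means a filter is dropping packets;
        # "connection refused" means something answered with a reset.
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)

    ctx = context or ssl.create_default_context()  # verifies chain and hostname
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", f"{tls.version()} to {tls.getpeername()[0]}"
        except (ssl.SSLError, OSError) as exc:
            return "tls", str(exc)


if __name__ == "__main__":
    stage, detail = triage(XIQ_HOST)
    print(f"{XIQ_HOST}:443 -> {stage}: {detail}")
```

A successful ping or name lookup only clears the first stage; a "tcp" result with a timeout points at filtering between the router and the cloud endpoint rather than at the AP configuration.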

Userlevel 1

Only Wing7 APs can connect to XiQ.

And this old thing is not Wing7 compatible.

Not true
