05-06-2019 02:45 PM
We occasionally get the alarm: Default DTLS passphrase is in use. Push a complete config to update the passphrase automatically, or set it manually and push a complete or delta config. It happened this past week on several devices within a couple of minutes. They continue to perform seemingly fine.
When I push an update to the access point the cleared alarm now reads "Default DTLS passphrase has been replaced." with the date and time of the original issue.
Preceding the "Default DTLS passphrase is in use...." alarm by about 30 - 90 minutes is a cleared alarm, either "It is currently taking lower to contact the capwap server than the threshold specified in settings" or "The CAPWAP dead neighbor interval elapsed during the previous CAPWAP session."
It seems likely that we temporarily lost connectivity with the hive manager—hosted by our Intermediate School District and not on site here—and perhaps this is the cause, but I'd like to establish that categorically and have a response plan for future recurrences.
Any thoughts or similar experiences?
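One way to test the suspected link between the two alarms, as an added example that is not part of the original post: it pairs each "Default DTLS passphrase is in use" alarm with the most recent CAPWAP alarm on the same device inside a 90-minute window. The `timestamp | device | alarm text` export format and the device names are assumptions; the alarm wording is taken from the post.

```python
from datetime import datetime, timedelta

# Constructed sample export: "timestamp | device | alarm text". The format and
# device names are assumptions; the alarm wording is quoted from the post.
SAMPLE_ALARMS = """\
05-02-2019 09:10 AM | ap-example-1 | The CAPWAP dead neighbor interval elapsed during the previous CAPWAP session.
05-02-2019 10:05 AM | ap-example-1 | Default DTLS passphrase is in use.
05-02-2019 09:12 AM | ap-example-2 | It is currently taking lower to contact the capwap server than the threshold specified in settings
05-02-2019 10:07 AM | ap-example-2 | Default DTLS passphrase is in use.
05-03-2019 01:00 PM | ap-example-3 | Default DTLS passphrase is in use.
05-03-2019 08:00 AM | ap-example-4 | The CAPWAP dead neighbor interval elapsed during the previous CAPWAP session.
"""

DTLS_ALARM = "Default DTLS passphrase is in use"
CAPWAP_MARKERS = ("capwap server", "CAPWAP dead neighbor interval")
TS_FORMAT = "%m-%d-%Y %I:%M %p"


def parse_alarms(text):
    """Yield (timestamp, device, message) for each well-formed line."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        try:
            ts = datetime.strptime(parts[0], TS_FORMAT)
        except ValueError:
            continue  # skip lines whose timestamp does not parse
        yield ts, parts[1], parts[2]


def correlate(text, window=timedelta(minutes=90)):
    """Return (device, dtls_time, gap) per DTLS alarm; gap is the time since the
    latest CAPWAP alarm on that device, or None if none fell inside `window`."""
    last_capwap = {}  # device -> time of most recent CAPWAP alarm
    results = []
    for ts, device, msg in sorted(parse_alarms(text)):
        if any(marker in msg for marker in CAPWAP_MARKERS):
            last_capwap[device] = ts
        elif msg.startswith(DTLS_ALARM):
            prior = last_capwap.get(device)
            gap = ts - prior if prior and ts - prior <= window else None
            results.append((device, ts, gap))
    return results


if __name__ == "__main__":
    for device, ts, gap in correlate(SAMPLE_ALARMS):
        print(device, ts, "CAPWAP alarm preceded by" if gap is not None else "no CAPWAP alarm in window", gap)
```

A DTLS alarm that comes back with no preceding CAPWAP alarm is the case that would argue against the lost-connectivity explanation.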
05-07-2019 04:12 PM
Hello,
In Classic, DTLS Passphrase is somewhat locked into the AP. We can reset and renegotiate like this:
Select an AP from Monitor tab and Utilities -> SSH Client,
Run the following command and you should find the DTLS configuration:
show run | in dtls
--You may see something like this:
AH-0cde00#AH-0cde00#show run | inc dtls
capwap client dtls hm-defined-passphrase *** key-id 1
no capwap client dtls negotiation enable
If so, enter the following commands in order to reset and renegotiate DTLS with Hivemanager:
no capwap client dtls hm-defined-passphrase
capwap client dtls negotiation enable
no capwap client enable
capwap client enable
Once CAPWAP is re-established, attempt to push the configuration again.
Regards,
Kat L
05-07-2019 04:27 AM
It is just labeled Hivemanager, but I believe Classic is what it is called now. The Hivemanager version is 8.2r2b. We have a mix of AP121 and AP122, all running golden versions. That's HiveOS 6.5r6.149161 for the AP121 and HiveOS 8.2r4.207023 for the AP122.
Actually, since I posted this question this morning, I'm starting to get a HiveOS 6.5r11.216370 for the AP121s. One that updated about 10 am got the older version, the ones that updated about 4.5 hours ago got the new version when I pushed an update. I just updated the other AP121 that had experienced the issue. The AP122 that experienced the issue was updated but there was no change to the HiveOS version.
05-06-2019 08:02 PM
Are you running Hivemanager Classic or Hivemanager (formerly known as NG)? Also, what HiveOS are you currently using, and which AP models are in your Hivemanager? Just trying to narrow down the variables.