cancel
Showing results for 
Search instead for 
Did you mean: 

Problem with AP7131 and XIQ

Problem with AP7131 and XIQ

Kosiarek
New Contributor

Hi. I cannot connect the AP7131 (wing) to the XIQ account. I do as below and unfortunately my VC doesn't connect to XIQ. What am I doing wrong ?

https://extremeportal.force.com/ExtrArticleDetail?an=000079429&q=show%20run%20nsight-policy%20xiq

 

67997463c5354e83916d87c224c92055_a73740c2-6872-49fd-a3aa-d40d2550c0c9.png
67997463c5354e83916d87c224c92055_8a392c99-4220-4fc3-a2a1-182d3069546c.png
67997463c5354e83916d87c224c92055_d636e8a6-a9ef-4575-b89d-a66bee089bf8.png

 

1 ACCEPTED SOLUTION

Christopher_Fra
Extreme Employee

I just tested AP7131 v5.8.6.13 VC and no issues with onboarding to XIQ:

2dfe2071872e42b8a5adeabe0c9e3a2e_4d7a7ce8-52d4-4e33-b3d2-558a0e30da1b.png

The error that you provided is due to NO valid DNS entries on the AP. 

View solution in original post

18 REPLIES 18

Ovais_Qayyum
Extreme Employee

I have recently learnt that WiNG VC support in XIQ is being discontinued, and moving forward only WiNG controller-based deployments are supported. The issue you have been facing is probably because of that. 

I haven’t seen any official notification yet and would recommend you open a GTAC case to get an official statement on it.   

 

Regards,

Ovais

Ash_Finch
Contributor III

I don’t have much experience on the WiNG side, but as Ovais said, is traffic definitely not being blocked by a firewall for instance? Whilst you can ping and resolve the server name, the log does show port 443 on the connection to the NL-GCP server so I’d check that just in case that it’s allowing the connection through.

Kosiarek
New Contributor
304950809ec94eb8b16cef25ed198cda_45dd6c22-3d7e-46b4-bd51-6d139c4ee6c4.png

 

Kosiarek
New Contributor

Hi Ovais. Thank you for your response. Earlier I tried with version 5.8.6.11 - unfortunately also without results ... Below are logs from 5.8.6.11 and 5.8.6.13 - as I understand they confirm correct communication? I removed AP from XIQ and then added it again - unfortunately no results. Below are screenshots of both firmware versions and the updated startup-config from 5.8.6.11.

Logs from 5.8.6.13

f2ece27592934cddad29d4515d7e232f_6a764d58-ab51-417f-a68c-d62a139180bd.png

Logs from 5.8.6.11

f2ece27592934cddad29d4515d7e232f_639496d8-4e32-4926-b074-3d03cdec3ceb.png
f2ece27592934cddad29d4515d7e232f_840734ed-f3d7-41ba-bc36-81456078a006.png

!
! Configuration of AP7131 version 5.8.6.11-006R
!
!
version 2.5
!
!
client-identity-group default
 load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
 permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
 no stateful-packet-inspection-l2
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
!
!
management-policy default
 no telnet
 no http server
 https server
 ssh
 user admin password 1 31bea27a0267a71db0bd84325a0122274bbebd88437152623cb6e7a5f93e5001 role superuser access all
 snmp-server community 0 private rw
 snmp-server community 0 public ro
 snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
 snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
!
l2tpv3 policy default
!
nsight-policy cloudiq
 server host nl-gcp-wing.extremecloudiq.com https enforce-verification
!
profile ap71xx default-ap71xx
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface radio3
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface wwan1
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 logging on
 service pm sys-restart
!
rf-domain default
 country-code pl
 use nsight-policy cloudiq
!
self
! ap71xx B4-C7-99-47-01-04
 radio-count 2
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-470104
 license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
 no adoption-site
 interface vlan1
 virtual-controller
 rf-domain-manager capable
!
ap71xx B4-C7-99-47-1B-40
 radio-count 2
 use profile default-ap71xx
 use rf-domain default
 hostname ap71xx-471B40
 license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
 no staging-config-learnt
 model-number AP7131
 adoption-site B4-C7-99-47-01-04
!
ap71xx B4-C7-99-47-1B-54
 radio-count 2
 use profile default-ap71xx
 use rf-domain default
 hostname ap71xx-471B54
 license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
 model-number AP7131
 adoption-site B4-C7-99-47-01-04
 interface vlan1
  ip address 192.168.0.251/24
!
!
end

 

Regards

Greg

Ovais_Qayyum
Extreme Employee

Greg,

May be you can delete and onboard the AP again. Another thing I am seeing is the AP build, As per XIQ help docs the release should be 5.8.6.11, whereas, the other field docs have release 5.8.6.13 mentioned as supported build for AP7131. Not sure if you could downgrade to 5.8.6.11 and test it out. 

Ensuring that nothing is blocking the HTTPS traffic in your network will be a good idea as well. 

To futher debug it, please send the output after enabling the nsight debug on the VC AP:

 

HLab-VX9K#debug cfgd nsight
HLab-VX9K#loggin monitor debugging
HLab-VX9K#show logging

 

Regards,

Ovais

 

 

GTM-P2G8KFN