
APs on WAN side of Firewall don't upgrade


Tim_Senaldi
New Contributor II
I have several APs at a remote site. They are accessing the controller through a public IP. I have no issues with this. The issue appears when I try to upgrade the controller. The APs do not update and they fail. They are found in the controller. However, they don't get a channel and are inaccessible to the remote clients as they don't see an SSID. Is there a port I need to open on the firewall to handle the upgrade of APs?
4 REPLIES

Steve_Ballantyn
Contributor
I think what Tim is saying is that his APs are at a remote site behind a firewall (using NAT) but they access the controller with a public IP address (which, too, is probably NAT'd). This is the setup that I just got up and running with. It works well, but I was told explicitly that you cannot upgrade your APs in this configuration (yet).

The problem is that the AP is sending "authorize firmware version" requests to the controller, and the controller is saying "no, you need to upgrade". The AP tries, but then the TFTP will fail every time. I think support may actually be working on that (from what I hear from support).

I resolved this at two different locations using two different fixes. 1) Brought the AP on site, let it upgrade, took it back to where it came from, and 2) I logged into the AP remotely with SSH and downloaded the firmware from a TFTP server (tftpd) running on a PC local to the AP. You can find instructions for that here.

Ronald_Dvorak
Honored Contributor
In the GUI, go to AP > Global Settings > AP Maintenance > Upgrade Behavior

Set it to "upgrade when AP connects using settings from controlled upgrade"

This will disable the software upgrade on the APs = APs will run the old software.
But that should bring up the WLAN/SSID.

What is the version you've upgraded the controller to?

-Ron

JP4
New Contributor II
It sounds like you might have something else going on if the SSIDs are not broadcasting, but I have never been able to upgrade remote APs through a NAT on a firewall. I ended up doing a site-to-site VPN after several conversations with GTAC. This was 1+ years ago, so maybe this has been added in newer code, but I have not tried. I also think you can run an FTP server locally and get the code that way, but I don't have the commands for doing this; probably need to contact GTAC about this.