Professional Documents
Culture Documents
Release Note
Copyright
© 2011 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility Management System®, Bluescanner, For Wireless That
Works®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFprotect®, The All Wireless Workplace Is Now Open For
Business, Green Island, and The Mobile Edge Company® are trademarks of Aruba Networks, Inc.
All rights reserved. Specifications in this manual are subject to change without notice.
Originated in the USA. Any other trademarks appearing in this manual are the property of their respective companies.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU
General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code
used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN
client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba
Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those
vendors.
Warranty
This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the
ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS.
Altering this device (such as painting it) voids the warranty.
www.arubanetworks.com
1344 Crossman Avenue
Sunnyvale, California 94089
Phone: 408.227.4500
Fax 408.227.4550
Release Overview
ArubaOS 6.0.1.1 is a patch software release that introduces fixes to many previously outstanding issues. For
details on all of the features described in the following sections, see the ArubaOS 6.0 User Guide, ArubaOS
6.0 CLI Reference Guide, and ArubaOS 6.0 MIB Reference Guide.
See the “Upgrade Procedures” on page 23 for instructions on how to upgrade your controller to this release.
NOTE
Chapter Overview
Chapter 2, “What’s New in this Release” on page 9 describes the new features introduced in this release.
Chapter 3, “Fixed Issues” on page 13 describes the issues that have been fixed in this release.
Chapter 4, “Known Issues and Limitations” on page 17 provides descriptions and workarounds for
outstanding issues in ArubaOS 6.0.
Chapter 5, “Upgrade Procedures” on page 23 cover the procedures for upgrading your controller from
any release of ArubaOS to ArubaOS 6.0.
Supported Browsers
Beginning with ArubaOS 6.0, the following browsers are supported for use with the ArubaOS WebUI:
Microsoft Internet Explorer
Mozilla Firefox on Windows XP, Windows Vista, Windows 7, and MacOS
Apple Safari on MacOS
Contacting Support
Table 1 Web Sites and Emails
Web Site
Support Emails
EMEA emea_support@arubanetworks.com
Telephone Numbers
Support
Universal Free Phone Service Number (UIFN): Australia, Canada, China, +800-4WIFI-LAN (+800-49434-526)
France, Germany, Hong Kong, Ireland, Israel, Japan, Korea, Singapore,
South Africa, Taiwan, and the UK
This chapter provides a brief summary of the new features included in this release of ArubaOS. For more
information about each feature, refer to the ArubaOS 6.0 User Guide or Command Line Reference.
Remote Node
Configuring a local controller as a remote node master is considered beta quality in this release. Aruba
recommends using a master as a remote node master.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Radius Server to display the Radius Server List.
3. To configure a RADIUS server, enter the name for the server and click Add.
4. Select the name to configure server parameters.
5. In the Source Interface field, enter a VLAN number ID.
This allows you to use source IP addresses to differentiate RADIUS requests. It associates a VLAN
interface with the RADIUS server to allow the server-specific source interface to override the global
configuration.
If you associate a Source Interface (by entering a VLAN number) with a configured server, then the
source IP address of the packet will be that interface’s IP address.
If you do not associate the Source Interface with a configured server (leave the field blank), the IP
address of the global Source Interface will be used.
6. Select the Mode check box to activate the authentication server.
7. Click Apply to apply the configuration.
Device identification
The device identification feature identifies different client device types (e.g. iPod, iPad) and operating
systems (e.g. Android, Windows 7) through a combination of DHCP signature IDs and User-Agent strings in
HTTP packets.
If the rule uses the DHCP-Option condition, best practices is to enable the Enforce DHCP parameter in the AP
group’s AAA profile, which requires users to complete a DHCP exchange to obtain an IP address.
NOTE
The following table describes some of the DHCP options that are useful for assigning a user role or VLAN.
12 Host name
(hexadecimal=0C)
81 Client FQDN
(hexadecimal=51)
There are many online tools available for converting ASCII text to a hexadecimal string.
NOTE
To identify DHCP strings used by an individual device, access the command-line interface in config mode
and issue the following command to include DHCP option values for DHCP-DISCOVER and DHCP-
REQUEST frames in the controller’s log files:
logging level debugging network process dhcpd
Airwave Integration
The AirWave management platform (AMP) is now integrated with the ArubaOS.You can now enable the
mgmt-server type amp command on the AMP server. This provides enhanced monitoring and diagnostic
capabilities on the AMP and to collect channal utilization metrics. This is supported in AMP release 7.2 or
latest.
(host)#show mgmt-servers
Fixed Issues
This release contains all fixes up to and including those in ArubaOS 6.0.0.1. The following issues and
limitations have been fixed in the ArubaOS 6.0.1.1 release:
Bug ID Description
51446, ArubaOS now provides full trust chain of its server certificate in TLS sessions.
51733
Bug ID Description
37115 The time it takes for the controller to locate APs for the first time, or after the cache has expired,
has been improved and no longer causes the WebUI to freeze for long periods of time.
38938 The errorlog no longer shows a missing VPN auth profile for every reboot of the controller when
there is a RAP terminating on that controller.
40032 The AP-105 no longer constantly detects spurious radar when operating DFS channels (52, 56, 60,
and 64).
40315, An issue in which APs bootstrapped and failed to come back up after configuration change due to
34967, broken tunnels has been fixed.
37402
41299, An IP pool leak that was preventing users from connecting using L2TP VPN has been fixed.
45362
42452 The issue in which mesh points drop large multicast frames due to rx_ccmreply has been fixed.
43215, Clients correctly receive a DHCP ACK not matter what broadcast flag bit is applied to the DHCP
43915 request. To allow this, shaping/policing for multicast and broadcast traffic on APs based on
descriptor usage has been disabled.
43300 The issue with the pause in traffic during the Chariot throughput test has been fixed.
43625 Broadcast packets were being flooded into bridge/split tunnels and consuming bandwidth. A fix
has been added to drop non-EAPOL packets on bridge/split dot1x tunnel for wired and wireless
traffic.
44126 Client devices equipped with an Intel 4965AGN NIC can now maintain a connection and pass
traffic when connected to an AP-125 via an HT SSID.
44256 The issue with the traffic being blocked from the bridge user to the split user has been fixed.
Bug ID Description
44378 The issue with PPTP VPN connection between a client and a server has been fixed.
44492 In a master-local set up the client can now successfully send the traffic after roaming from local to
master.
44794 An issue which many bridge mode users were listed with a 0.0.0.0 IP address and many users
could be seen in the datapath user table but not in the user-table has been fixed.
44846 An issue in which APs bootstrap during a write mem on the master controller has been fixed.
44865 There is now a “knob”, in the VIA connection profile, that allows you to minimize VIA during a
session.
44923 Entries in the AP user table without a valid IP address ("0.0.0.0") now timeout as expected.
45053, Improvements have been made to the stm module to prevent the controller and APs terminating on
46234, it from experiencing unintended reboots.
39935,
45710,
45203
45174 In forward bridge mode, tunnels are not added to vlan-mcast table to prevent the flooding of any
kind of packets (unicast, broadcast, multicast) on the base tunnel.
45202 The minimum frame size on encrypted channel has been reduced from 16 bytes to 8 bytes. This is
to ensure that EAPOL-Start packets on encrypted channel are correctly decoded.
45270, Unexpected controller behavior due to a datapath exception has been fixed.
46442,
45744
45362, The controller no longer incorrectly provides a new IP address during every ISAKMP SA
45307, renegotiation.
45199,
45644,
45461,
45471,
46127
45381, Upgrading from RN 3.1.1.12 no longer causes the enteries for RAP Whitelist in local-userdb-ap to
48177, be lost and moved to local-userdb.
49616
45384, AMSDU is now disabled by default with a knob in the firewall command in the CLI.
46355
45534 Clients that support PMK caching are now placed into the correct cached user role after a
disconnect and reconnect. When connecting to the same BSSID, the cached user role information
is used.
45553 In a split VAP firewall mobility environment, FTP sessions work as expected.
45606 The Handoff Assist log message has been enahanced to show the actual low RSSI of the client.
45631, After disabling SNMP server using the no snmp-server command, SNMP server can be re-
45066 enabled by executing the command snmp-server from the configure mode.
Bug ID Description
46701 RAP-5 crashes, when connected to an EVDO device, caused by packets of ip.len=1419 has been
fixed.
45680 UPS Delivery Information Acquisition Devices (DIADs) stay properly connected to an Remote AP in
bridge mode.
45694 The controller is now able to respond to ARP requests from a client when the ARP request is
coming from a port-channel.
45829, Clients are now able to correctly authenticate while doing AAA Radius authentication.
46344,
45668
45864 The command show ap-global ace-table acl now correctly displays all ACE entries no
matter how many ACE entries the ACL has.
45871, Clients no longer incorrectly remain in the Failed machine auth role after user and machine
45924 authentication have succeeded.
45914, An STM crash, which occurs when executing the show ap-global acl-table command,
45917 causing the controller to become unusable has been fixed.
45971 Controllers can include an AP group name (Aruba-AP-Group) in the list of RADIUS attributes sent in
a RADIUS authentication request.
46001 An issue in which datapath utilization reaches 100% during peak traffic has been fixed.
46080, This release introduces the following improvements to the User table:
46128, The User table shows correct client IP address even before the clients send an IP packet.
46142 The User table displays the correct number of user entries.
The User table displays the correct user ages.
46163 Improvements to the controller kernel prevent APs from performing unintended reboots.
46204 The controller’s buffer size has been increased for EAPOL packets to help prevent authmgr
crashes.
46237 The process to add and modify users and bridge mode has been improved, increasing AP stability.
46340 ZTE modem ttyUSB no longer changes between cold and warm boot.
46421 Clients are no longer being incorrectly deauthenticated when admission control is mandatory for
VO and VI.
46483 Improvements to the Auth and STM modules prevent the controller from failing to respond due to
IPIP loops.
46624 For APs using a bridge-mode SSID, VLANs in a virtual AP profile no longer appear in the Datapath
VLAN Multicast Entries table, since the VLAN is only local to the bridge.
Bug ID Description
47032, The DNSmasq process on 600 Series controllers has been improved to allow a DNS query of a
49180 domain name longer than 51 characters.
47048 Aruba-ESSID and Aruba-Location-ID are no longer missing from RADIUS requests sent to an
external server when the client is authenticated by an XML-API command.
47069 Improvements to NAT discovery payload handing allow the controller to continue to respond
properly even if the NAT discovery payload includes in an incorrect length.
47074 Users no longer lose IP connectivity when using split-tunnel mobility solution.
47313 A controller reboot caused by udbserver module crash has been fixed.
47519 Captive Portal whitelists can be created or modified regardless of whether the PWA license is
installed on the controller.
47850 In a RAP-5WN deployment, a Vonage phone adapter that plugs into a wired port in bridge mode is
now able to obtain an IP address using DHCP.
47805 The internal database on a master controller can be used for 802.1x machine authentication.
48387 If a captive portal page requires a user to click an Accept button to agree to a user policy, the
customer will not be redirected to the requested Web site until the Accept button is clicked.
48459 APs are no longer slowly running out of memory (memory leak).
48625 When a user is added to the user-table, the controller updates that entry in the route-cache table
and deletes any old entries.
49598 The Guest Provisioning Page now reflects all options configured (or not configured).
The following are known issues and limitations for this release of ArubaOS. Applicable bug IDs or
workarounds are included:
Bug ID Descriptions
Do not use the mgmt-server type amp command. This command is not supported in ArubaOS
6.0. If you execute this command, your controller will experience a memory leak in the STM
process and the controller’s performance will become sluggish, eventually causing it to reboot.
Workaround:
None.
41521 APs in spectrum monitor mode cannot detect the Jabra GN9120 2.4 GHz wireless headset.
Workaround:
None.
41522 APs in spectrum monitor mode cannot detect the Uniden DMX776 2.4 GHz DSS cordless phone.
Workaround:
None.
43248 If you minimize and maximize the browser window while you create a spectrum analysis recording,
that recording may show incorrect data when you play it back.
Workaround:
Do not change the browser window size while creating a spectrum analysis recording.
40577, When a guest-provisioning user is logged in to the WebUI, the logout link says Logout Admin
41836, instead of the username of the logged in guest-provisioning user.
41456 Workaround:
None.
41092 In both the WebUI and the CLI, attempting to add a guest users whose name (full name, not
username) contains a “%” will cause the fpcli (in the CLI) and arci-cli-helper (in the WebUI) to crash
and display the following error message: Error: Failed to read socket: Success.
Workaround:
Do not create a guest guest whose full name contains a “%.”
41898 Role derivation from UDR does not happen with a per-vlan-aa profile.
Workaround:
Associate a dummy aaa profile to aaa authentication wired, where the same UDR is
referenced. Role derivation will happen correctly when this dummy aaa profile is referenced.
42832 Executing the command show ap database on a remote master does not show the APs terminating
on that controller even if that device is a local controller.
Workaround:
None.
Bug ID Descriptions
43920 From the WebUI, commands are executed twice when the AAA profile is modified from the AP
Group Page on a remote AP (RAP).
Workaround:
The commands being executed twice is not harmful to your configuration. However, if you want to
avoid this, the CLIs can be modified from the All Profiles Page.
43963 If you access the spectrum analysis dashboard using the Safari 5.0 browser, clicking the
backspace button may return you to the previous browser screen.
Workaround:
None. Avoid using the backspace button when changing dashboard view names or chart options.
43945 The controller should not send EAP-request ID for multimode authenticated user when dhcp lease
expires.
Workaround:
None.
43937 EAP request ID is not sent by the controller in response to eapol start from the client after
executing the aaa user delete all command.
Workaround:
None.
44568 DHCP offer from a guest vlan should is incorrectly sent in response to DHCP discover for 802.1x
users.
Workaround:
None.
44106 Any users with the a quotation mark (“) in their email address will not be successfully imported from
a CSV file.
Workaround:
None. Do not import users with an email address containing a quotation mark.
44496 The New, Import, Delete, Print, and Edit buttons on the top right of the GPP page appear as
hyperlinks instead of buttons.
Workaround:
To make the buttons appear normally, use the following style in your upload policy text.
a:link, span.MsoHyperlink
{color:blue;
text-decoration:none;}
44499 GPP users are unable to to modify the Account End Time during policy text import if the following
policy text is included:
p {mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:"Times New Roman";}
Workaround:
Do not include the above policy text.
44645 Load balancing is not working consistently. Occasionally, the load balancing flag is not being set
properly.
Workaround:
None
Bug ID Descriptions
44758 Campus APs provisioned in PPPoE mode do not work. The PPPoE connection with the PPPoE
server will break right after a successful connection is established.
Workaound:
None.
45033 A remote node controller master will not come up if the controller-ip is set as loopback. The
controller becomes stuck at the “Update in progress” state and the error log shows that the
remote-node-profile did not pass validation because “Vlan interface not configured for the
controller-ip vlan.” And, therefore, the configuration is not pushed to the remote node.
Workaround:
None.
45092 In the remote-node-master (RNM), you need to specify the remote-node-localip for authenticating
each of the remote-node on the IPSec connection. This is a different behavior than the case of
master-local IPSec connection.
Workaround:
Aruba recommends putting 0.0.0.0 (which means any IP) in the RNM, where you might want to be
very specific on the allowed IP lists.
45245 The Aruba 651 occasionally encounters a watchdog timeout when no traffic is passing through the
device and the AP is configured as a mesh point.
Workaround:
None.
45351 The wlsxUserEntryAttributesChanged trap does not work for wired, open clients.
Workaround:
None.
45463 Changing the forwarding mode from bridge to split-tunnel and vice-versa on an existing virtual AP
does not work.
Workaround:
To ensure that the forwading mode changes take effect, you must manually reboot the AP. This can
be done through the CLI be executing one of the following commands:
apboot ap-name <ap-name>
apboot ip-addr <ip-address>
apboot wired-mac <mac-address>
45464 After a split user roams to RAP from another RAP, it is placed in the wired-ap bridge role rather than
its previous actual split user role. Since the traffic is handled differently because of the changed
role, the split user’s data sessions breaks after the roaming to new RAP.
Workaround:
None.
45465 Connecting RAPs through the secure jack ENET ports on RAP-5 has become a use-case as part of
split user mobility. As these RAPs are the wired bridge users on the RAP-5, these are maintained in
controller user table as well. But, these wired bridge user's status is not accurate or consistent on
the controller.
Workaround:
Track these wired bridge user RAPs through show datapath user ap-name RAP-5.
45553 FTP sessions break when a split-user roams from one RAP to another RAP. After the client roams
to the second RAP, the ftp datapath sessions become marked as local (inidcating local traffic)
while, on the controller, these sessions remain marked as RAP1 (indicating the previous RAP’s
tunnel). Therefore, the FTP sessions does not continue when the client roams to the second RAP.
Workaround:
None.
Bug ID Descriptions
45607 AAA user derivation rules are activating for visitor users on FA when the client re-associate on FA.
Initially when the clients roam to FA, they get the correct role that redirects all traffic from the visitor
to the HA. But when a client re-associates, it's role on FA gets updated to the one configured in the
derivation rules. As a result the visitor traffic are no longer redirected to HA.
Workaround:
The only way to avoid this issue is to not use user derivation rules.
48182 A remote node will fail to come up even when it has a valid profile associated. The remote node
successfully creates an IPSec tunnel but the configuration push fails.
Workaround:
Remove the whitelist entry associated to the remote node and add it again.
51211 The command remote-node-localip <ip-address> does not scale for remote node
deployment.
Workaround:
None.
47893 ArubaOS does not display DHCP pool usage, specifically the blocks IP addresses currently in use
and what is available.
Workaround:
None.
50764 When the remote-node is unlinked/removed from the whitelist db, the internal tunnel is removed
but the route related to the remote-node is not.
Workaround:
You must remove the route manually.
47988 If a local controller is a remote-node master and if any remote-nodes have APs terminating on
them, the command show ap database on the master or local does not display any information
about those APs. Such APs come up with default profiles and unprovisioned; these APs cannot be
provisioned.
Workaround:
This behavior is not currently supported.
47055 The controller is not proxying the DNS requests OCS clients to the OCS server.
Workaround:
Manually configure the OCS server address in the OCS tools options.
45688 In a remote-node setup, spanning tree is globally disabled after executing a write erase all.
Workaround:
Have the spanning-tree command pushed from the profile.
50689, A remote-note profile with a large number of DHCP pool slots will result in excessive memroy
48995 usage on the remote-note.
Workaround:
Change the remote-node-dhcp-pool to a smaller range and restart the cfgm process.
49426, The command pool-type [[vlan]@ [tunnel]@] <id> will cause all associated remoe-
50530 nodes to reboot after write-mem on remote-master.
Workaround:
None.
50339 Since the no shutdown config is not part of the remote-node profile, and therefore not pushed to
the remote-node, the VRRP admin state will always be down on the remote-node. VRRP is not
supported on a remote-node.
Workaround:
None.
Bug ID Descriptions
50478 In a situation where a remote-master is no longer reachable by a remote-node, any APs attached to
that remote-node will not come back up if the remote-node is rebooted. This is because the
remote-node does not save the any of the license obtained from the remote-master prior to reboot.
Workaround:
A connection must be reestablished with the master before the remote-node and any connected
APs can be brought back up. It takes approximately 12 minutes for the AP to become functional
again after the remote-node is rebooted.
50199 You cannot use the WebUI tocreate or edit remote-node profiles.
Workaround:
None. You must use the CLI to do this.
50545 The command show datapath user ap-name <ap-name> on a bridge AP with 50 user cannot
retrieve the info. It returns the following error message:
Cannot retrieve datapath info (AP needs to be active and reachable for
this command to work)
Workaround:
None.
50611 WPA2-TKIP clients authenticate correctly but cannot pass traffic when connecting to an AP-65 in
bridge mode. This is because there is no KEY for the client but there is one for the AP.
Workaround:
None. However, this probably does not occur if the opmode is changed to WPA2-AES. Additionally,
if the opmode is WPA2-TKIP, if the VAP forwarding mode is changed to tunnel, the issue does not
occur.
50625 The opmode XSec does not work for bridge forwarding mode on a RAP. The client will not
authenticate.
Workaround:
None.
50627 A change-of-authorization (from RFC-3576) server does not update the role correctly for split-
tunnel clients.
Workaround:
None.
50652 RADIUS Accounting requests are not sent to the clients that are connecting to a RAP in bridge
forwarding mode.
Workaround:
None. This behavior is not supported.
50776 User entries for active clients associted to an AP in bridge or tunnel mode with WPA2-AES opmode
are not retained in the user table.
Workaround:
None.
50779 Clients connected on bridge-VAP of mesh-AP are missing from user and datapath session
ap-name tables.
Workaround:
None.
Bug ID Descriptions
50785 Multicast key rotation does not work with dot1x clients on bridge mode.
Workaround:
None.
50787 Clients are pushed to the wrong vlan of UDR even though SDR and VSA is configured with opmode
WPA2-AES and multicast key rotation.
Workaround:
None.
50850 Role derivation is not happening correctly with client machine authentication and user-dot1x auth
for bridge users. The user is placed in machine authentication role even after successful Machine-
auth and user-dot1x authentication.
Workaround:
None.
50852 The global user table does not contain any entries for bridge users.
Workaround:
None.
50899, Skinny packets are dropped after a Cisco client roams from one bridge mode VAP to another.
51065 Workaround:
None.
50962 User role derivation from user derivation rules (UDR) is not working in bridge mode although logs
indicate that it was successful.
Workaround:
None.
51312 Wired client ip-address is shown as 0.0.0.0 in LD page. However, refreshing the page displays the
correct IP address.
Workaround:
None.
Upgrade Procedures
This chapter details software and hardware upgrade procedures. Aruba best practices recommend that you
schedule a maintenance window when upgrading your controllers.
!
CAUTION
Read all the information in this chapter before upgrading your controllers.
All version assume that you have upgraded to the most recent version as posted on the Aruba download site. For
instance, 3.3.x assumes you have upgraded to the most recent version of 3.3.
NOTE
If you must use TFTP, ensure that your TFTP servers can send more then 30 MB of data.
NOTE
Always upgrade the non-boot partition first. If something happens during upgrade, you can restore the
flash, and switch back to the boot partition. Upgrading the non-boot partition gives you a smoother
downgrade path should it be required.
If you manage your controllers via the AirWave Wireless Management Suite, the AirWave upgrade process
automates most of these steps.
NOTE
1. Upload the same version of the new software image onto all controllers.
2. Reboot all controllers simultaneously.
3. Execute the ping -t command to verify all your controllers are up after the reboot.
4. Open a Secure Shell session (SSH) on your Master Controller.
5. Execute the show ap database command to determine if your APs are up and ready to accept clients.
6. Execute the show ap active to view the up and running APs.
In certain situations, a reboot or a shutdown could cause the controller to lose the information stored in its
!
CAUTION
compact flash card. To avoid such issues, it is recommended that you issue the halt command before
rebooting.
ArubaOS 5.0
Figure 1 is an up-to-date illustration of the consolidated licenses effective with this release.
MAP was merged into base ArubaOS
VPN was merged into base ArubaOS
RAP was merged into AP license
ArubaOS 3.4.1
VOC was merged into PEF. This merge happened with ArubaOS 3.4.1
IMP was merged into base ArubaOS
ArubaOS 3.4.0
ESI was merged into PEF
ArubaOS Legacy and End-of-Life
AAA was merged into ESI with the release of ArubaOS 2.5.3.
CIM is End-of-life
When upgrading from ArubaOS 5.0.x to ArubaOS 6.0,x, control plane security configurations will be maintained.
NOTE
Caveats
Before upgrading to ArubaOS 6.0 take note of these known upgrade caveats.
When you upgrade to ArubaOS 6.0, the control plane security feature will be disabled by default. You can
enable this feature at any time after the upgrade.
If you have occasion to downgrade to a prior version, and your current ArubaOS 6.0 configuration has
control plane security enabled, you must disable control plane security before you downgrade.
For more information on configuring control plane security and auto-certificate provisioning, refer to
the ArubaOS 6.0 User Guide.
If you need to downgrade to ArubaOS 3.4.x, the previous licenses will be restored. However, once you upgrade
again to ArubaOS 6.0 the licenses will no longer revert should you need to downgrade again.
NOTE
When upgrading the software in a multi-controller network (one that uses two or more Aruba controllers), special
!
CAUTION
care must be taken to upgrade all the controllers in the network and to upgrade them in the proper sequence.
(See “Upgrading in a Multi-Controller Network” on page 33.)
A valid IP route must exist between the FTP/TFTP server and the controller. A placeholder file with the
destination filename and proper write permissions must exist on the FTP/TFTP server prior to executing the
NOTE copy command.
3. Determine which partition to load the new software image. Use the following command to check the
partitions:
#show image version
Best practices is to load the new image onto the backup partition (the non-boot partition). In the above
example, partition 0 is the boot partition. Partition 1 is empty (image not present) and can be used to
load the new software.
4. Use the copy command to load the new image onto the controller:
(host) # copy ftp: <ftphost> <ftpusername> <image filename> system: partition 1
or
(host) # copy tftp: <tftphost> <image filename> system: partition 1
When using the copy command to load a software image, the specified partition automatically becomes active
(default boot partition) the next time the controller is rebooted. There is no need to manually select the partition.
NOTE
5. Execute the show image version command to verify the new image is loaded:
(host) #show image version
----------------------------------
Partition : 0:0 (/dev/hda1) **Default boot**
Software Version : ArubaOS 4.3.0.0 (Digitally Signed - Production Build)
Build number : 23623
Label : 23623
Built on : Wed Mar 10 09:11:59 PST 2009
----------------------------------
Partition : 0:1 (/dev/hda2)
Software Version : ArubaOS 6.0.0.0 (Digitally Signed - Production Build)
Build number : 23711
Label : 23711
Built on : Wed July 24 09:11:59 PST 2010
A valid IP route must exist between the FTP/TFTP server and the controller. A placeholder file with the
destination filename and proper write permissions must exist on the FTP/TFTP server prior to executing the
NOTE copy command.
3. Determine which partition to load the new software image. Best practices are to load the new image
onto the backup partition (the non-boot partition). In the above example, partition 0 is the boot
partition. Partition 1 is empty (image not present) and can be used to load the new software.
4. Use the copy command to load the new image onto the controller:
(host) # copy ftp: <ftphost> <ftpusername> <image filename> system: partition 1
or
host) # copy tftp: <tftphost> <image filename> system: partition 1
When using the copy command to load a software image, the specified partition automatically becomes active
(default boot partition) the next time the controller is rebooted. There is no need to manually select the partition.
NOTE
Once you have completed the upgrade to the latest version of 3.3.x, then follow the steps in “Upgrading from
3.3.x to 6.0” on page 32 to complete your last “upgrade hop”.
NOTE
To assist you with this migration, Aruba Networks, Inc. provides comprehensive web site with migration
tools listed below.
https://support.arubanetworks.com/MIGRATIONTOOL/tabid/85/Default.aspx
The tools include:
Migration Design Guide
https://support.arubanetworks.com/UPGRADEGUIDE/tabid/88/Default.aspx)
Video
https://support.arubanetworks.com/UPGRADETUTORIAL/tabid/87/Default.aspx
Online Migration Tool
https://support.arubanetworks.com/25to3xTool/tabid/84/Default.aspx
Once you have completed the upgrade to the latest version of RN-3.x.x, then follow the steps in “Upgrading from
3.3.x to 6.0” on page 32 to complete your last “upgrade hop”.
NOTE
Caveat
Should you need to downgrade from ArubaOS 6.0, you can only downgrade to version RN-3.1.4.
For proper operation, all controllers in the network must be upgraded with the same version of ArubaOS
software. For redundant (VRRP) environments, the controllers should be the same model.
NOTE
An inter-controller IPSec tunnel can be used to route data between networks attached to the controllers. To
route traffic, configure a static route on each controller specifying the destination network and the name of the
NOTE IPSec tunnel.
There is a default PSK to allow inter-controller communications, however, for security you need to
configure a a unique PSK for each controller pair. You can use either the WebUI or CLI to configure a 6-64
character PSK on master and local controllers.
Do not use the default global PSK on a master or standalone controller. If you have a multi-controller network
!
CAUTION
then configure the local controllers to match the new IPSec PSK key on the master controller. Leaving the PSK
set to the default value exposes the IPSec channel to serious risk, therefore you should always configure a
unique PSK for each controller pair.
If you upgraded from 3.3.x to a, the upgrade script encrypts the internal database. Any new entries that were
created in ArubaOS 6.0.1.1 will be lost after downgrade (this warning does not apply to upgrades from 3.4.x to
WARNING 6.0).
Before you reboot the controller with the pre-upgrade software version, you must perform the following
steps:
1. Verify that Control Plane Security (CPSec) is disabled.
2. Set the controller to boot with the previously-saved pre-6.0 configuration file.
3. Set the controller to boot from the system partition that contains the previously running ArubaOS image.
When you specify a boot partition (or copy an image file to a system partition), the software checks to ensure
that the image is compatible with the configuration file that will be used on the next controller reload. An error
NOTE message displays if a system boot parameters are set for incompatible image and configuration files.
When reverting the controller software, whenever possible use the previous version of software known to be
!
CAUTION
used on the system. Loading a release not previously confirmed to operate in your environment could result in an
improper configuration.
You cannot load a new image into the active system partition (the default boot).
NOTE
Controller Migration
This section outlines the steps involved in migrating from an Aruba PPC controller environment to MIPS
controller environment. These steps takes into consideration the common Aruba WLAN controller
environment. You must have an operational PPC controller in the environment when migrating to a new
controller. The controllers are classified as:
MIPS Controllers—M3, Aruba 3000 Series, 600 Series
PPC Controllers—Aruba 200, Aruba 800, Aruba 2400, 5000 and SC1/SC2
Use this procedure to upgrade from one Aruba controller model to another. Take care to ensure that the new
controller has equal or greater capacity than the controller you are replacing and verify that your new controller
NOTE supports the ArubaOS version you are migrating to.