It’s been a while… just been busy like everyone else, doing my best to keep the ship moving while not capsizing. I thought I would take an hour here on a Sunday morning and tell you another story. It’s a cautionary tail about the cloud and what can happen when vendors they have hooks into your infrastructure.

We use HPE/Aruba Instant APs at many of our locations globally. A while back we had an interesting issue. We had a site reporting that their wireless was down and the team performing the initial troubleshooting reported that they were unable to log into any of the Aruba Instant APs or the virtual controller. I ended up taking the case myself and what I found was troubling. While the VC IP address was still responding to ICMP pings, it appeared as if our enter configuration was wiped and overlaid with a different configuration.

I would factory reset the IAP to get it back online and shortly after I loose access to it again once it contacted Aruba Active – I verified this via my firewall logs.

Ultimately I found that the IAPs appeared to have adopted a configuration from Aruba Activate – the cloud solution from HPE/Aruba to help solve zero touch provisioning and configuration. These IAPs were originally purchased by my organization and had no configuration in Activate but somehow someone else in Aruba Activate pushed a configuration to our IAPs? I never did learn the answer to who or how that happened but my HPE/Aruba sales engineer was extremely help working internally within HPE/Aruba to address the issue. For a short term solution I blocked access to the HPE Activate at my firewall and then had to factory reset and reconfigure all the Instant Access Points.

There is an option in Instant AOS 8.4.x and later that allows you to disable Activate.

activate-disable

Unfortunately this wouldn’t have worked for us as we’re still running 6.5.4.x on a large number of our IAPs.

Question: Do you know what really happens to your gear when that cloud subscription runs out?

Cheers!