<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Firewall blocking lightweight access points? in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/firewall-blocking-lightweight-access-points/m-p/1237906#M860168</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I appreciate any assistance as sometimes we tend to overthink the obvious. We opened the firewall for IP from 10.0.0.0/8 to each AP's IP, which should cover those 2 ports.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 05 May 2009 14:26:16 GMT</pubDate>
    <dc:creator>vancamt76</dc:creator>
    <dc:date>2009-05-05T14:26:16Z</dc:date>
    <item>
      <title>Firewall blocking lightweight access points?</title>
      <link>https://community.cisco.com/t5/network-security/firewall-blocking-lightweight-access-points/m-p/1237904#M860162</link>
      <description>&lt;P&gt;I have 3 access points that I recently converted to LWAPP. After the conversion, all 3 APs are now MIA - no sign of them in WCS or on any of our controllers. I can trace them back to the switch that they are directly connected to and they do pull a DHCP address. I found this on the firewall: &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;May 04 2009 16:39:58: %ASA-7-710005: UDP request discarded from &amp;lt;AP's ip&amp;gt;/26586 to inside:255.255.255.255/12223 &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am wondering if there is something on the firewall that is blocking the requests from the APs to join the controller. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any thoughts?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 15:27:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/firewall-blocking-lightweight-access-points/m-p/1237904#M860162</guid>
      <dc:creator>vancamt76</dc:creator>
      <dc:date>2019-03-11T15:27:20Z</dc:date>
    </item>
    <item>
      <title>Re: Firewall blocking lightweight access points?</title>
      <link>https://community.cisco.com/t5/network-security/firewall-blocking-lightweight-access-points/m-p/1237905#M860164</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;When you turn on an LWAPP AP, it starts discovering a DHCP server to get an IP address, and a TFTP server to get its configuration. The LWAPP tunnel uses some UDP ports, and I think that you should allow them in your firewall.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;A. Follow these guidelines when you use CAPWAP:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If your firewall is currently configured to allow traffic only from access points that use LWAPP, you must change the rules of the firewall to allow traffic from access points that use CAPWAP.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Make sure that the CAPWAP UDP ports 5246 and 5247 (similar to the LWAPP UDP ports 12222 and 12223) are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If access control lists (ACLs) are in the control path between the controller and its access points, you need to open new protocol ports to prevent access points from being stranded.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;More info: &lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml" target="_blank"&gt;http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope it's useful,&lt;/P&gt;&lt;P&gt;from a Future CCSP&lt;/P&gt;&lt;P&gt;&lt;A href="mailto:j.reda7@gmail.com"&gt;j.reda7@gmail.com&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Reda&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 05 May 2009 08:56:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/firewall-blocking-lightweight-access-points/m-p/1237905#M860164</guid>
      <dc:creator>rjaaouan</dc:creator>
      <dc:date>2009-05-05T08:56:55Z</dc:date>
    </item>
    <item>
      <title>Re: Firewall blocking lightweight access points?</title>
      <link>https://community.cisco.com/t5/network-security/firewall-blocking-lightweight-access-points/m-p/1237906#M860168</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I appreciate any assistance as sometimes we tend to overthink the obvious. We opened the firewall for IP from 10.0.0.0/8 to each AP's IP, which should cover those 2 ports.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 05 May 2009 14:26:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/firewall-blocking-lightweight-access-points/m-p/1237906#M860168</guid>
      <dc:creator>vancamt76</dc:creator>
      <dc:date>2009-05-05T14:26:16Z</dc:date>
    </item>
  </channel>
</rss>

