topic Re: [WLC] CAPWAP tunnel lifetime in Wireless

[WLC] CAPWAP tunnel lifetime

thibaut.matzke — Tue, 30 Nov 2021 16:35:48 GMT

Hello,

We faced an issue where after a misconfiguration, APs couldn't connect back to our primary WLC, and went to our secondary WLC. This "migration" wasn't sudden for all of our APs, and I think it was due to CAPWAP tunnel still up and not trying to renegociate with the WLC.

After resolving the issue, I tried to find the global CAPWAP tunnel lifetime (standard CAPWAP tunnel renegociation), but I couldn't. Does anyone know where I can find this information ? We have a Cisco 8540.

Thank you in advance for your answers,

Regards

Re: [WLC] CAPWAP tunnel lifetime

balaji.bandi — Tue, 30 Nov 2021 20:37:50 GMT

you can find some information here : when the AP try to contact again Primary AP, if not reachable it will go alternative WLC automatically and join, but when the Primary come back online, i do not believe they will automatically move to Primary, you need to manually move them Primary controller.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/ap_connectivity_to_cisco_wlc.html#capwap

or something i miss understood your situation?

Re: [WLC] CAPWAP tunnel lifetime

thibaut.matzke — Wed, 01 Dec 2021 10:00:46 GMT

Hello Balaji, and thank you for your answer ! But this is not what I am looking for. My issue is resolved, but I will deeply explain it to understand why I am asking about CAPWAP tunnel lifetime :

This is the standard configuration : all APs are connected to the primary WLC and working well :

After a misconfiguration on the primary WLC making it impossible to establish a new CAPWAP tunnel to it, we started to see some APs from the primary WLC going to the secondary one,but not all of them at the same time :

I think the reason why not all of the primary WLC APs "migrated" to the secondary one is because their CAPWAP tunnel was still active and working (CAPWAP association with primary WLC was still OK). Since they didn't have to renegociate any new CAPWAP tunnel to the primary WLC, they stayed connected to it, and when they had to renegociate CAPWAP tunnel, since they couldn't do it with the primary WLC, they went on the second one.

I think this is the "Controller Associated Time" that you can see on the AP :

After correcting the misconfiguration on the primary WLC, every APs connected to the secondary one went back on the primary one automatically. For information, while troubleshooting (with this very useful link), I could see with the CAPWAP debug command on an AP that they were trying to reconnect to the first WLC continuously, so this was expected.

Now, from this usecase, what I want to know is the to understand "when they had to renegociate CAPWAP tunnel". Is this because the CAPWAP protocol has an lifetime ? And if so, what is it ? And if not, then when does an AP needs to renegociate its CAPWAP tunnel ? I couldn't find a precise answer on it, and this would really help me understand why not all APs migrated to the secondary WLC at the same time.

Thank you in advance for your answers,

Regards

Re: [WLC] CAPWAP tunnel lifetime

balaji.bandi — Wed, 01 Dec 2021 18:35:54 GMT

is the WLC Cluster ?

As per i know the AP do the heartbeat with Controller every 30seconds see if the WLC up and running, then take action based on the availability Groups, below document explain better :

https://mrncciew.com/2013/04/07/ap-failover/

Re: [WLC] CAPWAP tunnel lifetime

thibaut.matzke — Wed, 01 Dec 2021 20:04:11 GMT

Yes the WLC is a cluster, but this is not what I am asking.

Thank you for your documentation link, it was very interesting, but I still couldn't find the information I am looking for.

I understand that an AP sends heartbeat to its WLC every 30 seconds via its CAPWAP tunnel to be sure it is still working, but even when everything is working well, this CAPWAP tunnel needs to be renegociated at some point, right ? This CAPWAP interconnection with the WLC has a lifetime, no ?

Thank you in advance for your answers,

Regards

Re: [WLC] CAPWAP tunnel lifetime

Mark Elsen — Thu, 02 Dec 2021 07:57:31 GMT

>this CAPWAP tunnel needs to be renegotiated at some point, right

- I don't think so , the ap-heartbeat is an indicator for the controller to keep the capwap-tunnel UP.

Re: [WLC] CAPWAP tunnel lifetime

patoberli — Thu, 02 Dec 2021 16:03:27 GMT

I think it stays up forever, unless you have a layer 3 border between the WLC and the APs. In that case there might be a firewall in between, which terminates all connections after xx hours, for example.

Re: [WLC] CAPWAP tunnel lifetime

balaji.bandi — Thu, 02 Dec 2021 16:31:39 GMT

why we asking Cluster, checking failover.

as per i know the Tunnel forever, until the AP reboot and reload new session start.

Re: [WLC] CAPWAP tunnel lifetime

thibaut.matzke — Mon, 06 Dec 2021 00:42:15 GMT

Hello,

Thank you very much for all of your answers, it was very helpful. I guess it was one of our firewall between the APs and WLC that must have terminated the interconnection between them.