topic Disable iCAP on AP's in Wireless

Disable iCAP on AP's

Vida44 — Thu, 11 Aug 2022 12:26:07 GMT

Dear all,

Let me start with the Problem first.
Our customer is reporting a lot of Firewall drops on the Port 32626, from AP's to DNAC.
After some searching, reading documentation and so on, I found out this is the Intelligent Capture feature.

What I found out is that in the AP Join Profile the iCAP is disabled. And therefore should be applied to every AP.

But if I go into each AP it will have a setting of "Not Configured" and not "Disabled".

If I manually disable this in GUI, after a restart the setting will go back to "Not Configured".
But even with all of this set as "Disabled" I can still see the Access Points in the sh ap icap serviceability summary as "connecting".
(Although this could be the status of connection from DNAC to WLC and not the other way around.)
Also, there is no option in CLI to set it as "disabled" which could probably mean that the "Not Configured" and "Disabled" are one and the same.

Which now brings me to the question of how I can disable Intelligent Capture on the AP level since the above methods are not working?
The documentation doesn't show any command/button that disables Intelligent Capture on the AP's.
The goal is to not have any Traffic from AP in the direct direction to DNAC and with this also no Firewall drops.

WLC Version 17.3.4c
WLC Model: 9800-CL
AP Model: 9120AX

Any help would be appreciated.

Re: Disable iCAP on AP's

patoberli — Thu, 11 Aug 2022 12:35:09 GMT

You should rather open the firewall to allow this traffic, as this can be quite useful for troubleshooting clients in DNAC. I think this gets used as soon as you do a Live Trace of a client and disabled again if you click stop.

But in my opinion this is an essential feature of DNAC and should/can not be disabled.

More information about the ports that should be open: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-3/install_guide/M5/b_cisco_dna_center_install_guide_1_3_M5/b_cisco_dna_center_install_guide_1_3_M5_chapter_01.html and here Table 7.

Re: Disable iCAP on AP's

Vida44 — Mon, 15 Aug 2022 12:32:06 GMT

We are looking into opening the port for this traffic, but there are some compliance issues which make this problematic.
Hence the question on how to disable this.

Of course, ignoring the Firewall blocks is possible (the customer will need to live with it), but I need to explore all options before going into that direction.

@patoberli wrote:

But in my opinion this is an essential feature of DNAC and should/can not be disabled.

Since the DNAC cannot receive this traffic due to Firewall block, then its function in DNAC is not relevant. Decision to disable/enable a feature should be left to the Customer and not Cisco. Just my two Cents. 🙂
And please do not misunderstand me, I would love to have this in DNAC for troubleshooting purposes.

In any case if it is not possible to disable it (at this moment) I can go with this information to the customer.
My question was more in the direction if I missed something in some Documentation.

Thank you.

Re: Disable iCAP on AP's

stayd — Wed, 29 Nov 2023 01:18:47 GMT

... btw link is not working ...

Re: Disable iCAP on AP's

Ambuj M — Wed, 29 Nov 2023 01:39:52 GMT

Intelligent Capture is not just for packet capture data but also AP and client statistics, and spectrum data, it even allows you to access data from APs that is not available from wireless controllers.

If you haven't already, then look at "Enable and Manage Intelligent Capture for an Access Point" section in this document