topic What devices are you in Wireless

WLC NAT Feature problem for OEAP

Sebastian Helmer — Mon, 05 Jul 2021 09:23:02 GMT

Dear all,

The problem that i have when i enable NAT on my MGMT interface, the APs on the "inside" does not find the WLC.

If uncheck the NAT the APs will connect right away.

When I enable the NAT, the APs stay connected but some them and from time to time they leave the WLC and join the backup WLC and back to main and and...

I also use the feature config network ap-discovery nat-ip-only disable

Code 7.6.130.0

I know it is better to use a separate WLC for OEAP, but the option is there and I would like to use it because we have not much OEAPs.

should I prevent the internal APs to be able to reach the external IP? I allowed only CAPWA to the NAT IP, is there anything we should change..?

best regards,
Sebastian

When you enable NAT, I

Scott Fella — Fri, 30 Jan 2015 13:43:02 GMT

When you enable NAT, I believe you also need to add the APs MAC address in the ap authorization. APs inside will eventually drop when enabling that feature without adding all the MAC address.

Edit: Come to think about it, you just need to issue the command you posted:

config network ap-discovery nat-ip-only disable

-Scott

Scott,I added only the

Sebastian Helmer — Fri, 30 Jan 2015 13:43:03 GMT

Scott,

I added only the "Problem" makers to see if that helps, and it seem so...great..I have th e Problems since almost years and worked with a lot of Workarounds...where is that documented?

I will now checkout some CLI command to make that easier, because we are having hundred of APs.

Thanks so far I will update with a "correct Answer" after a while and i see that it works for me..

thanks

Sebastian

The idea to add the mac's

Sebastian Helmer — Fri, 30 Jan 2015 14:03:49 GMT

The idea to add the mac's doesn't help.. 😞

It was just a lucky hit in the moment I checked the WLC.

the command is used, but without success....at the Moment I have just two APs..we will see if the count grows...

Sebastian,when using

Scott Fella — Fri, 30 Jan 2015 15:08:15 GMT

Sebastian,

when using anninternal wlc for OEAP, one thing you want is to sort of prevent unknown APs from registering as an OEAP. The only way to do that is with MAC address being added to the WLC. This way you can remove any given ap that you might decide to remove. Another option is to get a 2504 just for OEAP's as long as your not hitting over 75 AP's. Cisco has a bundle in which if you purchase two 1702, 2702, or 3702, you get a free 2504-25. You can use any of these also for OEAP, but no wired connection.

-Scott

Scott,I know best practise

Sebastian Helmer — Tue, 03 Feb 2015 19:06:28 GMT

Scott,

I know best practise would be a dedicated WLC, but my colleauges and global technical teamlead asked me why because it seems to work and to be honest the option is there and if there is a way I would like to use it as well. Maybe just to safe the working and maintenance and management for the additional WLC..But if there is no solution, sure I will go the best practise way...but right now it makes fun to go deeper in that ;)..

Anyhow, I discussed the situation with our firewall guy's and we didn't find a reason because everything seems to be okay like we see in the tcpdumps, but we are still in discussions..

I did some debugs on the AP, because I think on the WLC with about 200 APs it could make trouble. I see no problem..if you like I can post it..BUT when I configure the public NAT IP als primary WLC for the AP it works...without problems..(since about 20min) otherwise with the interanl WLC IP as primary configured the AP will struggle every 5min as we see today...

Is there any idea with those new information? For me it sound like a Protocoll "problem" It was with some codes we used in the past the same..

Sebastian

The WLC that you have nat

Scott Fella — Tue, 03 Feb 2015 19:25:06 GMT

The WLC that you have nat enabled, is that an anchor wlc or a foreign wlc?

-Scott

It's an anchor for a few

Sebastian Helmer — Tue, 03 Feb 2015 19:30:29 GMT

It's an anchor for a few foreign!

Okay, so nat ip address on

Scott Fella — Tue, 03 Feb 2015 19:35:04 GMT

Okay, so nat ip address on the management should only be configured on that anchor. You have local mode ap's on that anchor?

-Scott

U mean as primary WLC for the

Sebastian Helmer — Tue, 03 Feb 2015 19:42:01 GMT

U mean as primary WLC for the APs? Is there any explanation why?

we use successfully except one voice wlan location flexconnect everywhere.

The problem that the internal

David Ritter — Tue, 03 Feb 2015 20:13:04 GMT

The problem that the internal AP has in linking with the WLC on the Internal management IP is that shortly in the dialog the WLC will tell the AP to reply on the NAT (External) ip. How many internal devices can ping the external doorway? Current code can allow the WLC to report both the internal and external IP's. that's the mode you need.

Problem with one WLC providing both internal and external support is that RLANS require 1mbps support. lacking that and rlans will fail to authenticate. That means that all the ssids are transmitting beacons at 1mbps. at least that was the way it was in the beginning and I have not gone back and tested my current code (7.6.120). I have way too many rlans to loose. Almost all of my OEAPS' are supporting rlans for a voip phone and a workstation.

Another, OEAP ssids don't support MFP

David

David, thanks to to let me

Sebastian Helmer — Tue, 03 Feb 2015 20:31:13 GMT

David,

thanks to to let me know that

As u can see above my WLC is responding with the internal and the external. That should be no issue. I used the necessary cli command.

My APs wasn't able to ping the external till yesterday, we thought that could be the problem so we enabled that but it didn't helped.

But now when I configure the external ip on the ap it joins successfully the WLC.

If that is they way I need to go because I have also a mobility setup in place for the anchor setup I use, I'm fine with that. But it would be nice to have details why I have to use the external ip and it is not working with the internal management ip.

Sebastian

What devices are you

David Ritter — Tue, 03 Feb 2015 20:44:32 GMT

What devices are you deploying in the OEAP mode? 602's or normal enterprise class units?

What is your discovery mechanism? A DNS call?

602's don't do a DNS lookup..

602 and they are workin fine.

Sebastian Helmer — Tue, 03 Feb 2015 21:04:34 GMT

602 and they are workin fine. Manually configured as u can see in the config guide. Why is that important for my case? My problem are the internal APs

....

don't know yet.. I don't

David Ritter — Tue, 03 Feb 2015 21:26:45 GMT

don't know yet.. I don't hook anything to the OEAP wlc that I'm not going to config as such.

I going to spin up a 3602 and send it over to the OEAP box and watch what happens..

All but 2 of my oe's are 602's and the wlc is not discoverable to an out-of-box unit.. they all log to the production system first and I will move it an observe.

I don't know what to tell you

David Ritter — Tue, 03 Feb 2015 22:13:07 GMT

I don't know what to tell you.. My 3062 landed on the productions system and I redirected it to the OE system and the out-of-box apgroup. It took about 10 mins for it to roll over and decide to stay. I bet it tries the outside ip a few times then gives up and stays on the inside.

Ok, today we decided to block

Sebastian Helmer — Wed, 04 Feb 2015 20:24:46 GMT

Ok, today we decided to block the ability for internal APs to join the public ip. I will see if that helps. I keep u in the loop.