1462 Views, 0 Helpful, 4 Replies

AP 3702 does not join the WLC

jucape2009
Level 1

Hi,

 

I have two WLC 8500s working in SSO, with the NAT enable feature configured on the management interface.

 

SSO is working, but I had to configure NAT before SSO because when SSO is up, the IP address and NAT fields are greyed out in the management interface.

 

Some APs must join the controller on the private address of the management interface, and other APs must join on the public IP address configured as the NAT address.

 

For some reason, there are a lot of APs that can't join the controller; I have 3 APs joined on the public IP address and 3 APs joined on the private IP address.

 

config network ap-discovery nat-only disable is already configured. From the console of one AP that cannot join I see the following:

 

*Sep 10 12:32:48.115: %CAPWAP-3-ERRORLOG: Selected MWAR 'GI12WLC001A'(index 0).

*Sep 10 12:32:48.115: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 212.89.5.130 peer_port: 5246

*Sep 10 12:36:17.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!

*Sep 10 12:36:47.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 212.89.5.130:5246

*Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Selected MWAR 'GI12WLC001A'(index 0).

*Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.35.0.78 peer_port: 5246

 

The AP is trying both the private and the public IP address to join the WLC but can't join properly.

 

From the WLC console:

 

debug capwap errors enable:

*spamApTask4: Sep 10 13:13:49.837: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.35.1.13:47807)since DTLS session is not established 

*spamApTask3: Sep 10 13:13:49.958: 1c:6a:7a:5b:e0:30 ApModel: AIR-CAP3702I-E-K9

*spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!

*spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!

*spamApTask3: Sep 10 13:13:49.958: 1c:6a:7a:5b:e0:30 ApModel: AIR-CAP3702I-E-K9

*spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!

*spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!

*spamApTask2: Sep 10 13:13:52.103: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.35.1.11:21207)since DTLS session is not established 

*spamApTask1: Sep 10 13:13:52.224: 1c:6a:7a:5e:0f:10 ApModel: AIR-CAP3702I-E-K9

*spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!

*spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!

*spamApTask1: Sep 10 13:13:52.224: 1c:6a:7a:5e:0f:10 ApModel: AIR-CAP3702I-E-K9

*spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!

*spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!

 

 

The AP models are the same, so this is not the problem, but for some reason there are APs that have problems with the NAT configuration. If I disable the NAT option, every AP configured with the private IP address can join the WLC.

 

I've tried breaking SSO and unconfiguring NAT, and the private IP address APs then join the controller without problem.

 

Can anybody give me a clue?

 

Regards!

 

4 Replies

Leo Laohoo
Hall of Fame
*spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!

If a clue is what you seek, then the highlighted item is X-marks-the-spot.

 

Go HERE and notice that for an AP3702 your controller should be running a minimum of 7.6.100.X.

 

 

Hi, thanks for your reply.

 

Controller version is 7.6.120, and I have other 3702s already joined to the controller. This is not the problem.

APs are joining the WLC, but it takes a long time, 15 hours or more; without any action, they suddenly join.

 

The WLC detects that the AP is not in the same subnet as the management IP address and responds with the NAT public address. Some APs can't reach this public address and must join via the management private address, but for some reason they have problems joining; after a few hours the APs join the WLC without any explanation.

 

As far as I know, with the command:

config network ap-discovery nat-only disable

the WLC should permit APs to join on both addresses, private and public.

 

Regards!

It seems like the DTLS connection can't be established between the AP and the WLC.

 

The AP sends a discovery request.

The WLC responds with two discovery responses: the first one contains the public IP address of the WLC and the second one contains the private IP address.

Once the discovery process is complete, the AP tries to send a DTLS hello packet to the WLC, but this packet never arrives at the WLC.

Because the hello doesn't arrive, the AP sends a close notify alert to the WLC and tries to send the DTLS hello packet to the WLC private address, with the same result.

The AP gets into a loop trying to send DTLS hello packets to both the private and the public address.

 

The DTLS hello packet never arrives, but the close notify alert does arrive at the WLC.

 

There is a FW in the middle doing NAT, but I can't understand why the close notify alert packets arrive at the WLC and the DTLS Hello packets don't. These packets use the same protocol, UDP, and the same port.

 

Regards
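The failure sequence described in this reply can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from Cisco: it parses AP console lines and WLC "debug capwap errors enable" lines in the format quoted above, builds one record per DTLS connection attempt (which controller address was tried, when the ClientHello went out, when retransmissions ran out, when the AP sent its close notify), measures how long the AP retransmitted before giving up, and correlates that with the controller-side "Discarding non-ClientHello" messages. The sample logs are constructed from the lines quoted in the thread; the timestamps of the second AP attempt and the wording of the findings are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the AP console lines quoted in the thread, with the second
# attempt (against the private management address) given timestamps that follow
# the first attempt; the paste in the post was not in chronological order.
AP_CONSOLE = """\
*Sep 10 12:32:48.115: %CAPWAP-3-ERRORLOG: Selected MWAR 'GI12WLC001A'(index 0).
*Sep 10 12:32:48.115: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 212.89.5.130 peer_port: 5246
*Sep 10 12:36:17.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!
*Sep 10 12:36:47.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 212.89.5.130:5246
*Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Selected MWAR 'GI12WLC001A'(index 0).
*Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 10 12:36:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.35.0.78 peer_port: 5246
*Sep 10 12:37:17.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!
*Sep 10 12:37:47.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.35.0.78:5246
"""

# Constructed sample: a subset of the WLC "debug capwap errors enable" lines from the thread.
WLC_DEBUG = """\
*spamApTask4: Sep 10 13:13:49.837: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.35.1.13:47807)since DTLS session is not established
*spamApTask3: Sep 10 13:13:49.958: 1c:6a:7a:5b:e0:30 ApModel: AIR-CAP3702I-E-K9
*spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
*spamApTask2: Sep 10 13:13:52.103: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.35.1.11:21207)since DTLS session is not established
"""

# AP lines start "*Sep 10 12:35:48.000:"; WLC lines start "*spamApTask4: Sep 10 13:13:49.837:".
TS_RE = re.compile(r"^\*(?:\w+: )?(\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}):")
AP_DTLS_REQ = re.compile(r"DTLSREQSEND: DTLS connection request sent peer_ip: ([\d.]+) peer_port: (\d+)")
AP_MAX_RETRANS = re.compile(r"DTLS_CLIENT_ERROR: .*Max retransmission count reached")
AP_ALERT = re.compile(r"SEND_ALERT: Send FATAL : Close notify Alert to ([\d.]+):(\d+)")
WLC_DISCARD = re.compile(r"([0-9a-f:]{17}) Discarding non-ClientHello Handshake OR DTLS encrypted packet from +([\d.]+):(\d+)")
WLC_UNKNOWN_TYPE = re.compile(r"Unknown AP type")


def _ts(line):
    """Timestamp of a log line (year-less, so only differences between lines are meaningful)."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f") if m else None


def analyze_ap_console(text):
    """One record per DTLS connection attempt seen on the AP console. A 'timeout' of None
    would mean the retransmission limit was never hit, i.e. a ServerHello came back."""
    attempts, current = [], None
    for line in text.splitlines():
        ts = _ts(line)
        m = AP_DTLS_REQ.search(line)
        if m:
            current = {"peer": f"{m.group(1)}:{m.group(2)}", "sent": ts, "timeout": None, "alert": None}
            attempts.append(current)
        elif current is not None and AP_MAX_RETRANS.search(line):
            current["timeout"] = ts
        elif current is not None and AP_ALERT.search(line):
            current["alert"] = ts
    return attempts


def retransmit_windows(attempts):
    """Seconds each unanswered ClientHello was retransmitted before the AP gave up."""
    return [(a["timeout"] - a["sent"]).total_seconds() for a in attempts if a["timeout"] is not None]


def analyze_wlc_debug(text):
    """Controller-side view: DTLS records discarded because no session exists for their
    source, plus how often the 'Unknown AP type' line appeared."""
    discards, unknown = [], 0
    for line in text.splitlines():
        m = WLC_DISCARD.search(line)
        if m:
            discards.append({"ap_mac": m.group(1), "source": f"{m.group(2)}:{m.group(3)}"})
        elif WLC_UNKNOWN_TYPE.search(line):
            unknown += 1
    return {"discards": discards, "unknown_ap_type": unknown}


def diagnose(attempts, wlc):
    """Correlate both sides into plain-language findings (wording is this example's own)."""
    findings, per_peer = [], {}
    for a in attempts:
        p = per_peer.setdefault(a["peer"], {"sent": 0, "unanswered": 0})
        p["sent"] += 1
        if a["timeout"] is not None:
            p["unanswered"] += 1
    dead = [peer for peer, p in per_peer.items() if p["unanswered"] == p["sent"]]
    for peer in dead:
        findings.append(f"no ServerHello from {peer}: ClientHello to UDP 5246 lost on the path or not accepted")
    if len(dead) > 1 and len(dead) == len(per_peer):
        findings.append("AP cycles between public (NAT) and private controller addresses without ever completing DTLS")
    if wlc["discards"]:
        srcs = sorted({d["source"] for d in wlc["discards"]})
        findings.append("WLC receives non-ClientHello DTLS records with no session from " + ", ".join(srcs)
                        + ": later records (e.g. close_notify) arrive but the ClientHello did not")
    if wlc["unknown_ap_type"]:
        findings.append(f"'Unknown AP type' logged {wlc['unknown_ap_type']}x: confirm the controller release supports this AP model")
    return findings


if __name__ == "__main__":
    ap = analyze_ap_console(AP_CONSOLE)
    for f in diagnose(ap, analyze_wlc_debug(WLC_DEBUG)):
        print("-", f)
    print("retransmit windows (s):", retransmit_windows(ap))
```

On the sample above every attempt ends in "Max retransmission count reached" about 30 seconds after the ClientHello went out, for both the public and the private controller address, while the controller only ever logs DTLS records it cannot match to a session. Run over a real capture, that combination is the signature of the first UDP 5246 datagram being lost between AP and WLC while later ones get through, which is exactly what this reply describes; a peer whose attempts do get a ServerHello shows up with "timeout" left as None.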

Check the Regulatory Domain of your AP against the Country list on the WLC.
