09-07-2018 07:33 AM - edited 07-05-2021 09:08 AM
Hello,
I've sniffed 2 AP ports with Wireshark, Cisco 3802I that are connected in FlexConnect with a CAPWAP tunnel to our WLC via an MPLS tunnel.
What I've observed is that the source UDP port of AP1 is 5248 to CAPWAP data plane 5247 (and the same for 5246 control plane), and it is always 5248, it never changed:
AP2 uses the exact same port, 5248, as source UDP port to 5247 and 5246:
Is this normal behaviour? I thought normally this port should be dynamic and change each time the AP reconnects to CAPWAP?
Is it normal that the 2 APs use the same source UDP port? Could it cause trouble in the CAPWAP tunnel?
Could it be a misconfiguration in the firewall rules? Or routers?
09-07-2018 01:23 PM
09-07-2018 01:39 PM - edited 09-07-2018 02:10 PM
Thanks for your answer.
Apparently lag-mode is not configured on the APs:
AP LAG Configuration Status ..................... Disabled
LAG Support for AP .............................. Yes
EDIT:
On the other hand, LAG mode is enabled globally:
(Cisco Controller) >show lag summary
LAG Enabled
09-07-2018 01:59 PM
09-07-2018 02:19 PM
We do have multiple APs behind a NAT.
Our configuration is like this: multiple remote sites with APs (different models, including 3802 ones), connected to one firewall via MPLS that's forwarding the CAPWAP tunnel to the WLC. That's a supposition, as I don't have access to the FW.
For your info, I've sniffed 3 AP ports; we have 2 APs with source port 5248 and another with 5264 in our site. I haven't sniffed all the ports (12 APs in total), I'll do it next Monday. But for me these ports are "strange"...
I suspect the FW to be maybe misconfigured.
We have multiple issues on the sites, especially with Wi-Fi clients (scanners) disconnected or freezing.
09-07-2018 02:31 PM
09-07-2018 03:10 PM
Here is a part of the command result, thanks for giving it to me, it'll save time indeed!
(Cisco Controller) >show dtls connections
AP Name Local Port Peer IP Peer Port Ciphersuite
-------------------- ------------- ---------------- ------------- ------------------------------
SITEA-AP26 Capwap_Ctrl SITEA_IP.172 62967 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP15 Capwap_Ctrl SITEA_IP.171 62664 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP8 Capwap_Ctrl SITEA_IP.196 1197 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP17 Capwap_Ctrl SITEA_IP.206 60226 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP27 Capwap_Ctrl SITEA_IP.201 62657 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP1 Capwap_Ctrl SITEA_IP.192 14881 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP28 Capwap_Ctrl SITEA_IP.187 62664 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP18 Capwap_Ctrl SITEA_IP.166 62665 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP19 Capwap_Ctrl SITEA_IP.152 1231 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP24 Capwap_Ctrl SITEA_IP.202 62998 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP2 Capwap_Ctrl SITEA_IP.189 5976 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP22 Capwap_Ctrl SITEA_IP.130 1186 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP5 Capwap_Ctrl SITEA_IP.193 10309 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP7 Capwap_Ctrl SITEA_IP.199 1239 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP23 Capwap_Ctrl SITEA_IP.197 51074 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP21 Capwap_Ctrl SITEA_IP.191 60167 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP6 Capwap_Ctrl SITEA_IP.167 1256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP20 Capwap_Ctrl SITEA_IP.200 51078 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP3 Capwap_Ctrl SITEA_IP.190 48397 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP16 Capwap_Ctrl SITEA_IP.195 62654 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP4 Capwap_Ctrl SITEA_IP.184 10305 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP11 Capwap_Ctrl SITEA_IP.186 1241 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP13 Capwap_Ctrl SITEA_IP.204 62672 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP12 Capwap_Ctrl SITEA_IP.205 51071 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP14 Capwap_Ctrl SITEA_IP.188 1251 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP10 Capwap_Ctrl SITEA_IP.203 51081 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP9 Capwap_Ctrl SITEA_IP.198 1181 TLS_RSA_WITH_AES_128_CBC_SHA
SITEA-AP25 Capwap_Ctrl 10.109.9.67 1228 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP1 Capwap_Ctrl SITEB_IP.21 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP15 Capwap_Ctrl SITEB_IP.35 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP9 Capwap_Ctrl SITEB_IP.29 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP3 Capwap_Ctrl SITEB_IP.23 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP4 Capwap_Ctrl SITEB_IP.24 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP14 Capwap_Ctrl SITEB_IP.34 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP13 Capwap_Ctrl SITEB_IP.33 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP10 Capwap_Ctrl SITEB_IP.30 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP8 Capwap_Ctrl SITEB_IP.28 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP12 Capwap_Ctrl SITEB_IP.32 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP2 Capwap_Ctrl SITEB_IP.22 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP5 Capwap_Ctrl SITEB_IP.25 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP11 Capwap_Ctrl SITEB_IP.31 5264 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP6 Capwap_Ctrl SITEB_IP.26 5264 TLS_RSA_WITH_AES_128_CBC_SHA
SITEB-AP7 Capwap_Ctrl SITEB_IP.27 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP12 Capwap_Ctrl SITEC_IP.44 46527 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP3 Capwap_Ctrl SITEC_IP.52 39693 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP27 Capwap_Ctrl SITEC_IP.55 52323 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP2 Capwap_Ctrl SITEC_IP.54 57172 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP14 Capwap_Ctrl SITEC_IP.25 14040 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP20 Capwap_Ctrl SITEC_IP.21 46477 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP6 Capwap_Ctrl SITEC_IP.49 58632 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP26 Capwap_Ctrl SITEC_IP.56 52342 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP19 Capwap_Ctrl SITEC_IP.33 38429 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP7 Capwap_Ctrl SITEC_IP.39 39670 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP5 Capwap_Ctrl SITEC_IP.50 46522 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP15 Capwap_Ctrl SITEC_IP.27 46498 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP11 Capwap_Ctrl SITEC_IP.35 38434 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP23 Capwap_Ctrl SITEC_IP.31 60469 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP8 Capwap_Ctrl SITEC_IP.47 58613 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP1 Capwap_Ctrl SITEC_IP.53 38429 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP18 Capwap_Ctrl SITEC_IP.28 46462 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP24 Capwap_Ctrl SITEC_IP.26 60470 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP17 Capwap_Ctrl SITEC_IP.23 46484 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP16 Capwap_Ctrl SITEC_IP.29 46521 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP10 Capwap_Ctrl SITEC_IP.45 58598 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP25 Capwap_Ctrl SITEC_IP.34 60393 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP4 Capwap_Ctrl SITEC_IP.51 58598 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP21 Capwap_Ctrl SITEC_IP.48 3456 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP9 Capwap_Ctrl SITEC_IP.46 3156 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP22 Capwap_Ctrl SITEC_IP.24 3046 TLS_RSA_WITH_AES_128_CBC_SHA
SITEC-AP13 Capwap_Ctrl SITEC_IP.42 46517 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP3 Capwap_Ctrl SITED_IP.23 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP5 Capwap_Ctrl SITED_IP.25 5264 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP6 Capwap_Ctrl SITED_IP.26 5264 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP1 Capwap_Ctrl SITED_IP.21 5248 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP4 Capwap_Ctrl SITED_IP.24 5272 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP8 Capwap_Ctrl SITED_IP.28 5248 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP13 Capwap_Ctrl SITED_IP.33 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP12 Capwap_Ctrl SITED_IP.32 5272 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP10 Capwap_Ctrl SITED_IP.30 5272 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP9 Capwap_Ctrl SITED_IP.29 5272 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP11 Capwap_Ctrl SITED_IP.31 5264 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP7 Capwap_Ctrl SITED_IP.27 5272 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP2 Capwap_Ctrl SITED_IP.22 5272 TLS_RSA_WITH_AES_128_CBC_SHA
SITED-AP15 Capwap_Ctrl SITED_IP.35 5264 TLS_RSA_WITH_AES_128_CBC_SHA
SITEE-AP10 Capwap_Ctrl SITEE_IP.122 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEE-AP7 Capwap_Ctrl SITEE_IP.112 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEE-AP8 Capwap_Ctrl SITEE_IP.113 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEE-AP6 Capwap_Ctrl SITEE_IP.118 5264 TLS_RSA_WITH_AES_128_CBC_SHA
SITEE-AP12 Capwap_Ctrl SITEE_IP.121 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEE-AP11 Capwap_Ctrl SITEE_IP.125 5264 TLS_RSA_WITH_AES_128_CBC_SHA
SITEE-AP2 Capwap_Ctrl SITEE_IP.108 5248 TLS_RSA_WITH_AES_128_CBC_SHA
SITEE-AP3 Capwap_Ctrl SITEE_IP.111 5264 TLS_RSA_WITH_AES_128_CBC_SHA
SITEE-AP4 Capwap_Ctrl SITEE_IP.119 5248 TLS_RSA_WITH_AES_128_CBC_SHA
SITEE-AP1 Capwap_Ctrl SITEE_IP.56 5248 TLS_RSA_WITH_AES_128_CBC_SHA
SITEE-AP9 Capwap_Ctrl SITEE_IP.110 5256 TLS_RSA_WITH_AES_128_CBC_SHA
SITEE-AP5 Capwap_Ctrl SITEE_IP.120 5248 TLS_RSA_WITH_AES_128_CBC_SHA
All the sites with 5248, 5256, 5264, 5272 source ports are the ones with Cisco 3802I/E APs. The other sites have some different models (3702, 3602, 2602 ...).
Our local site is SITEE (the one concerning this thread).
By the way, we have only the control plane result, as DTLS is not activated on the data one for our configuration.
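An added example, not part of the thread or of any Cisco tooling: a small Python script that parses rows in the `show dtls connections` format shown above, groups peer ports per site, and separates the case raised in the question (same source port on different peer IPs) from the case where two sessions share the same peer IP and port. The site names SITEX/SITEY, the documentation-range IPs and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the `show dtls connections` output above;
# SITEX/SITEY and the 192.0.2.x / 198.51.100.x addresses are made up.
SAMPLE = """\
AP Name              Local Port    Peer IP          Peer Port     Ciphersuite
-------------------- ------------- ---------------- ------------- ------------------------------
SITEX-AP1            Capwap_Ctrl   192.0.2.21       5248          TLS_RSA_WITH_AES_128_CBC_SHA
SITEX-AP2            Capwap_Ctrl   192.0.2.22       5248          TLS_RSA_WITH_AES_128_CBC_SHA
SITEX-AP3            Capwap_Ctrl   192.0.2.23       5264          TLS_RSA_WITH_AES_128_CBC_SHA
SITEY-AP1            Capwap_Ctrl   198.51.100.7     62664         TLS_RSA_WITH_AES_128_CBC_SHA
SITEY-AP2            Capwap_Ctrl   198.51.100.7     62664         TLS_RSA_WITH_AES_128_CBC_SHA
SITEY-AP3            Capwap_Ctrl   198.51.100.7     1197          TLS_RSA_WITH_AES_128_CBC_SHA
"""

ROW = re.compile(r"^(\S+)\s+(Capwap_\w+)\s+(\S+)\s+(\d+)\s+(\S+)$")
OBSERVED_FIXED = {5248, 5256, 5264, 5272}  # source ports listed in the thread

def parse(text):
    """Return (ap, plane, peer_ip, peer_port) for each data row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())  # header and dashed lines do not match
        if m:
            rows.append((m[1], m[2], m[3], int(m[4])))
    return rows

def analyse(rows):
    """Per site: distinct peer ports, fixed-port flag, colliding sessions."""
    sites = defaultdict(lambda: {"ports": set(), "peers": defaultdict(list)})
    for ap, plane, ip, port in rows:
        site = sites[ap.split("-")[0]]
        site["ports"].add(port)
        site["peers"][(plane, ip, port)].append(ap)
    report = {}
    for name, s in sites.items():
        report[name] = {
            "ports": sorted(s["ports"]),
            "fixed_only": s["ports"] <= OBSERVED_FIXED,
            # Same port on different peer IPs is still a distinct UDP flow;
            # only an identical (plane, peer IP, peer port) is a real clash.
            "collisions": sorted(tuple(a) for a in s["peers"].values() if len(a) > 1),
        }
    return report

if __name__ == "__main__":
    for site, info in analyse(parse(SAMPLE)).items():
        print(site, info)
```
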