CAPWAP same AP source UDP port

Clem58 (Level 3)

Hello,

I've sniffed with Wireshark 2 AP ports, Cisco 3802I, that are connected in FlexConnect with a CAPWAP tunnel to our WLC via an MPLS tunnel.

What I've observed is that the source UDP port of AP1 is 5248 to the CAPWAP data plane 5247 (and the same for the 5246 control plane), and it is always 5248; it never changed:

[screenshot: GSA-AP1-cap.PNG]

AP2 uses the exact same port, 5248, as source UDP port to 5247 and 5246:

[screenshot: GSA-AP2-cap.PNG]

Is this normal behaviour? I thought this port should normally be dynamic and change each time the AP reconnects to CAPWAP.

Is it normal that the 2 APs use the same source UDP port? Could it cause trouble in the CAPWAP tunnel?

Could it be a misconfiguration in the firewall rules? Or routers?

6 Replies

Do you have LAG enabled at the APs? It doesn't matter how you have them connected.

config lag enable
config ap lag-mode support enable <ap-name>

If you do, can you try disabling and test again?

config ap lag-mode support disable <ap-name>
** Please rate helpful posts **

CCIE #58023

Thanks for your answer.

Apparently lag-mode is not configured on the APs:

AP LAG Configuration Status ..................... Disabled
LAG Support for AP .............................. Yes

EDIT:

On the other hand, LAG mode is enabled globally:

(Cisco Controller) >show lag summary

LAG Enabled

That's weird. The only problem I can see is if you have multiple APs behind a NAT device. Otherwise the WLC can differentiate all the sessions using the access point IP address. But I do not think this is expected; it should be a random port. Look at the port matrix:

https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html

Source Device   Destination Device   Protocol   Destination Port   Source Port   Description
AP              WLC                  UDP        5246-5247          0:65535       CAPWAP Ctl/Data
AP              WLC                  UDP        5248               0:65535       CAPWAP Mcast.

CCIE #58023

We do have multiple APs behind a NAT.

Our configuration is like this: multiple remote sites with APs (different models, including 3802 ones), connected to one firewall via MPLS that forwards the CAPWAP tunnel to the WLC. That's a supposition, as I don't have access to the FW.

For your info, I've sniffed 3 AP ports: we have 2 APs with source port 5248 and another with 5264 in our site. I haven't sniffed all the ports (12 APs in total); I'll do it next Monday. But for me these ports are "strange"...

I suspect the FW may be misconfigured.

We have multiple issues on the sites, especially with Wi-Fi clients (scanners) disconnecting or freezing.

In your scenario, if this is causing a problem I would expect it to be the AP losing connectivity to the WLC. If they don't then I guess the firewall is doing some port translation that is covering this issue.

You can check the source port at the WLC using:

(Cisco Controller) >show dtls connections
AP Name Local Port Peer IP Peer Port Ciphersuite
-------------------- ------------- ---------------- ------------- ------------------------------
AP01 Capwap_Ctrl 172.16.55.10 5256 TLS_RSA_WITH_AES_128_CBC_SHA

That'll be easier than doing the captures.

I guess if you cross-reference that output with the "show xlate" from the firewall (if it is a Cisco ASA) you'll see the real ports.

It is interesting, let us know what you find.

CCIE #58023

Here is part of the command output; thanks for giving it to me, it'll save time indeed!

(Cisco Controller) >show dtls connections

       AP Name         Local Port        Peer IP        Peer Port                Ciphersuite
 -------------------- ------------- ----------------  -------------     ------------------------------
 SITEA-AP26              Capwap_Ctrl    SITEA_IP.172      62967           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP15              Capwap_Ctrl    SITEA_IP.171      62664           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP8               Capwap_Ctrl    SITEA_IP.196       1197           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP17              Capwap_Ctrl    SITEA_IP.206      60226           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP27              Capwap_Ctrl    SITEA_IP.201      62657           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP1               Capwap_Ctrl    SITEA_IP.192      14881           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP28              Capwap_Ctrl    SITEA_IP.187      62664           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP18              Capwap_Ctrl    SITEA_IP.166      62665           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP19              Capwap_Ctrl    SITEA_IP.152       1231           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP24              Capwap_Ctrl    SITEA_IP.202      62998           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP2               Capwap_Ctrl    SITEA_IP.189       5976           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP22              Capwap_Ctrl    SITEA_IP.130       1186           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP5               Capwap_Ctrl    SITEA_IP.193      10309           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP7               Capwap_Ctrl    SITEA_IP.199       1239           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP23              Capwap_Ctrl    SITEA_IP.197      51074           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP21              Capwap_Ctrl    SITEA_IP.191      60167           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP6               Capwap_Ctrl    SITEA_IP.167       1256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP20              Capwap_Ctrl    SITEA_IP.200      51078           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP3               Capwap_Ctrl    SITEA_IP.190      48397           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP16              Capwap_Ctrl    SITEA_IP.195      62654           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP4               Capwap_Ctrl    SITEA_IP.184      10305           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP11              Capwap_Ctrl    SITEA_IP.186       1241           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP13              Capwap_Ctrl    SITEA_IP.204      62672           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP12              Capwap_Ctrl    SITEA_IP.205      51071           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP14              Capwap_Ctrl    SITEA_IP.188       1251           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP10              Capwap_Ctrl    SITEA_IP.203      51081           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP9               Capwap_Ctrl    SITEA_IP.198       1181           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEA-AP25              Capwap_Ctrl    10.109.9.67       1228           TLS_RSA_WITH_AES_128_CBC_SHA

 SITEB-AP1               Capwap_Ctrl    SITEB_IP.21       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP15              Capwap_Ctrl    SITEB_IP.35       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP9               Capwap_Ctrl    SITEB_IP.29       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP3               Capwap_Ctrl    SITEB_IP.23       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP4               Capwap_Ctrl    SITEB_IP.24       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP14              Capwap_Ctrl    SITEB_IP.34       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP13              Capwap_Ctrl    SITEB_IP.33       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP10              Capwap_Ctrl    SITEB_IP.30       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP8               Capwap_Ctrl    SITEB_IP.28       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP12              Capwap_Ctrl    SITEB_IP.32       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP2               Capwap_Ctrl    SITEB_IP.22       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP5               Capwap_Ctrl    SITEB_IP.25       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP11              Capwap_Ctrl    SITEB_IP.31       5264           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP6               Capwap_Ctrl    SITEB_IP.26       5264           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP7               Capwap_Ctrl    SITEB_IP.27       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 
 SITEC-AP12              Capwap_Ctrl    SITEC_IP.44      46527           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP3               Capwap_Ctrl    SITEC_IP.52      39693           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP27              Capwap_Ctrl    SITEC_IP.55      52323           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP2               Capwap_Ctrl    SITEC_IP.54      57172           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP14              Capwap_Ctrl    SITEC_IP.25      14040           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP20              Capwap_Ctrl    SITEC_IP.21      46477           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP6               Capwap_Ctrl    SITEC_IP.49      58632           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP26              Capwap_Ctrl    SITEC_IP.56      52342           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP19              Capwap_Ctrl    SITEC_IP.33      38429           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP7               Capwap_Ctrl    SITEC_IP.39      39670           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP5               Capwap_Ctrl    SITEC_IP.50      46522           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP15              Capwap_Ctrl    SITEC_IP.27      46498           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP11              Capwap_Ctrl    SITEC_IP.35      38434           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP23              Capwap_Ctrl    SITEC_IP.31      60469           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP8               Capwap_Ctrl    SITEC_IP.47      58613           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP1               Capwap_Ctrl    SITEC_IP.53      38429           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP18              Capwap_Ctrl    SITEC_IP.28      46462           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP24              Capwap_Ctrl    SITEC_IP.26      60470           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP17              Capwap_Ctrl    SITEC_IP.23      46484           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP16              Capwap_Ctrl    SITEC_IP.29      46521           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP10              Capwap_Ctrl    SITEC_IP.45      58598           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP25              Capwap_Ctrl    SITEC_IP.34      60393           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP4               Capwap_Ctrl    SITEC_IP.51      58598           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP21              Capwap_Ctrl    SITEC_IP.48       3456           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP9               Capwap_Ctrl    SITEC_IP.46       3156           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP22              Capwap_Ctrl    SITEC_IP.24       3046           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP13              Capwap_Ctrl    SITEC_IP.42      46517           TLS_RSA_WITH_AES_128_CBC_SHA
 
 SITED-AP3               Capwap_Ctrl    SITED_IP.23       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP5               Capwap_Ctrl    SITED_IP.25       5264           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP6               Capwap_Ctrl    SITED_IP.26       5264           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP1               Capwap_Ctrl    SITED_IP.21       5248           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP4               Capwap_Ctrl    SITED_IP.24       5272           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP8               Capwap_Ctrl    SITED_IP.28       5248           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP13              Capwap_Ctrl    SITED_IP.33       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP12              Capwap_Ctrl    SITED_IP.32       5272           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP10              Capwap_Ctrl    SITED_IP.30       5272           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP9               Capwap_Ctrl    SITED_IP.29       5272           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP11              Capwap_Ctrl    SITED_IP.31       5264           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP7               Capwap_Ctrl    SITED_IP.27       5272           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP2               Capwap_Ctrl    SITED_IP.22       5272           TLS_RSA_WITH_AES_128_CBC_SHA
 SITED-AP15              Capwap_Ctrl    SITED_IP.35       5264           TLS_RSA_WITH_AES_128_CBC_SHA
 
 SITEE-AP10              Capwap_Ctrl    SITEE_IP.122       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEE-AP7               Capwap_Ctrl    SITEE_IP.112       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEE-AP8               Capwap_Ctrl    SITEE_IP.113       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEE-AP6               Capwap_Ctrl    SITEE_IP.118       5264           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEE-AP12              Capwap_Ctrl    SITEE_IP.121       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEE-AP11              Capwap_Ctrl    SITEE_IP.125       5264           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEE-AP2               Capwap_Ctrl    SITEE_IP.108       5248           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEE-AP3               Capwap_Ctrl    SITEE_IP.111       5264           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEE-AP4               Capwap_Ctrl    SITEE_IP.119       5248           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEE-AP1               Capwap_Ctrl    SITEE_IP.56        5248           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEE-AP9               Capwap_Ctrl    SITEE_IP.110       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEE-AP5               Capwap_Ctrl    SITEE_IP.120       5248           TLS_RSA_WITH_AES_128_CBC_SHA

All the sites with 5248, 5256, 5264, 5272 source ports are the ones with Cisco 3802I/E APs. The other sites have different models (3702, 3602, 2602 ...).

Our local site is SITEE (the one this thread concerns).

By the way, we have only the control plane result, as DTLS is not activated on the data plane in our configuration.
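As an added illustration (not part of the thread and not a Cisco tool), a small Python parser for the "show dtls connections" output quoted above that flags the condition the earlier reply describes: two APs presenting the same peer IP and peer port, which is what several 3802s with a fixed 5248-style source port behind one NAT would produce. The sample rows are constructed in the thread's layout; 203.0.113.10 is a placeholder NAT address, and FIXED_PORTS is just the set of ports the thread observed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the WLC "show dtls connections" output
# quoted in the thread. Site-style peer IPs mirror the thread; 203.0.113.10
# is a placeholder for a NAT address that several APs share.
SAMPLE = """\
       AP Name         Local Port        Peer IP        Peer Port                Ciphersuite
 -------------------- ------------- ----------------  -------------     ------------------------------
 SITEB-AP1               Capwap_Ctrl    SITEB_IP.21       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP15              Capwap_Ctrl    SITEB_IP.35       5256           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEB-AP11              Capwap_Ctrl    SITEB_IP.31       5264           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP12              Capwap_Ctrl    SITEC_IP.44      46527           TLS_RSA_WITH_AES_128_CBC_SHA
 SITEC-AP3               Capwap_Ctrl    SITEC_IP.52      39693           TLS_RSA_WITH_AES_128_CBC_SHA
 NATTED-AP1              Capwap_Ctrl    203.0.113.10      5248           TLS_RSA_WITH_AES_128_CBC_SHA
 NATTED-AP2              Capwap_Ctrl    203.0.113.10      5248           TLS_RSA_WITH_AES_128_CBC_SHA
"""

# The four fixed-looking source ports the thread observed on 3802I/E APs.
FIXED_PORTS = {5248, 5256, 5264, 5272}
ROW = re.compile(r"^\s*(\S+)\s+(Capwap_\w+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")

def parse_dtls(text):
    """Return one dict per AP row; the header and dashed separator are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ap, local, peer_ip, peer_port, suite = m.groups()
            rows.append({"ap": ap, "local": local, "peer_ip": peer_ip,
                         "peer_port": int(peer_port), "suite": suite})
    return rows

def analyse(rows):
    """Return (conflicts, fixed_port_aps, port_reuse): the same (peer IP, peer
    port) on several APs is the NAT collision the reply warns about; APs on one
    of FIXED_PORTS are not using an ephemeral port; one port behind several
    peer IPs is harmless at the WLC but collides once NAT merges those IPs."""
    by_tuple, by_port = defaultdict(list), defaultdict(set)
    for r in rows:
        by_tuple[(r["peer_ip"], r["peer_port"])].append(r["ap"])
        by_port[r["peer_port"]].add(r["ap"])
    conflicts = {k: v for k, v in by_tuple.items() if len(v) > 1}
    fixed_port_aps = sorted(r["ap"] for r in rows if r["peer_port"] in FIXED_PORTS)
    port_reuse = {p: sorted(a) for p, a in by_port.items() if len(a) > 1}
    return conflicts, fixed_port_aps, port_reuse
```

Paste the real WLC output in place of SAMPLE; any entry in conflicts is a pair of sessions the WLC cannot tell apart, and an entry in port_reuse spanning sites is the pair to check against the firewall's translation table.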
