H-REAP OfficeExtend issue with 1142 on 5508

blarkins1
Level 1

I am trying to set up an 1142 as an office extend AP with a 5508 controller, but have not yet been successful...

The AP joins the controller across the internet and through the firewall fine, and I see clients probing the AP, but none will associate. 

If I look at the log on the AP, I see it joining the controller and the DTLS tunnel coming up:

*Dec 23 14:15:49.592: %CAPWAP-5-CHANGED: CAPWAP changed state to UP

*Dec 23 14:15:49.772: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller SVB_WLC04

*Dec 23 14:15:49.825: %CAPWAP-5-DATA_DTLS_START: Starting Data DTLS handshake. Wireless client traffic will be blocked until DTLS tunnel is established.

*Dec 23 14:15:49.826: %LWAPP-3-CLIENTEVENTLOG: SSID SVBDATA01 added to the slot[0]

*Dec 23 14:15:49.988: %LWAPP-3-CLIENTEVENTLOG: SSID SVB Public added to the slot[0]DTLS keys are plumbed successfully.

*Dec 23 14:15:50.041: %CAPWAP-5-DATA_DTLS_ESTABLISHED: Data DTLS tunnel established.

*Dec 23 14:15:50.042: %LWAPP-3-CLIENTEVENTLOG: SSID SVBDATA01 added to the slot[1]

*Dec 23 14:15:50.083: %LWAPP-3-CLIENTEVENTLOG: SSID SVB Public added to the slot[1]

*Dec 23 14:15:51.337: %WIDS-5-ENABLED: IDS Signature is loaded and enabled

but then a few minutes later I get this error repeatedly:

*Dec 23 15:15:59.917: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Dec 23 15:15:59.917: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 65.121.114.230

*Dec 23 15:18:58.998: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Dec 23 15:18:58.998: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 65.121.114.230

*Dec 23 15:28:00.001: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Dec 23 15:28:00.001: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 65.121.114.230

*Dec 23 15:28:00.090: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Dec 23 15:28:00.090: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 65.121.114.230

*Dec 23 15:36:59.918: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Dec 23 15:36:59.918: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 65.121.114.230

OfficeExtend#

The 5508 is running 7.0.220.0 code.

I am NATing the internal controller's management interface to 65.121.114.230 on my firewall.  The AP has a Public IP statically assigned to it and the rules set in the firewall allow all ports between this AP and Controller (at least for now until the testing is complete).

I have H-REAP enabled for the AP mode, and Enable Office Extend AP is checked under the H-REAP tab.

I have tried this with H-REAP Local Switching both enabled and disabled...no change in the log.

I have tried this with Data Encryption enabled and disabled...no change in the log.

I even disabled the radios on the AP temporarily and still see the message in the log...

Anyone have an idea of what this error means, or what I am missing to get this to work?

Thanks in advance...
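
Added example, not part of the original post: a small Python triage script that groups the CAPWAP-3-ERRORLOG lines from the AP log above into bursts and measures the spacing between them, which helps tell a recurring pattern from random packet loss. The function names, the one-second burst window and the placeholder year (the AP log carries none) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the AP log in the post above (no year is logged).
SAMPLE_LOG = """\
*Dec 23 14:15:50.041: %CAPWAP-5-DATA_DTLS_ESTABLISHED: Data DTLS tunnel established.
*Dec 23 15:15:59.917: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Dec 23 15:15:59.917: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 65.121.114.230
*Dec 23 15:18:58.998: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Dec 23 15:18:58.998: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 65.121.114.230
*Dec 23 15:28:00.001: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Dec 23 15:28:00.001: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 65.121.114.230
*Dec 23 15:28:00.090: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Dec 23 15:28:00.090: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 65.121.114.230
*Dec 23 15:36:59.918: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Dec 23 15:36:59.918: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 65.121.114.230
"""

LINE_RE = re.compile(r"^\*(\w{3}\s+\d{1,2} [\d:]{8}\.\d{3}): %([A-Z_]+)-(\d)-([A-Z_]+): (.*)$")

def parse(log, year=2000):
    """Yield (timestamp, facility, severity, mnemonic, message); year is a placeholder."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S.%f")
            yield ts, m[2], int(m[3]), m[4], m[5]

def error_bursts(events, window=timedelta(seconds=1)):
    """Group CAPWAP lines of severity 3 or worse that arrive within `window`."""
    bursts = []
    for ts, facility, severity, _, _ in events:
        if facility != "CAPWAP" or severity > 3:
            continue
        if not bursts or ts - bursts[-1][-1] > window:
            bursts.append([])  # gap exceeded: start a new burst
        bursts[-1].append(ts)
    return bursts

def summarize(log):
    events = list(parse(log))
    starts = [b[0] for b in error_bursts(events)]
    tunnel_up = [e[0] for e in events if e[3] == "DATA_DTLS_ESTABLISHED"]
    return {
        "bursts": len(starts),
        "gaps_s": [round((b - a).total_seconds()) for a, b in zip(starts, starts[1:])],
        "peers": sorted({ip for e in events for ip in re.findall(r"from (\d+(?:\.\d+){3})", e[4])}),
        "after_tunnel_up": bool(tunnel_up) and all(s > tunnel_up[-1] for s in starts),
    }
```

On the lines posted above, `summarize(SAMPLE_LOG)` reports four bursts spaced 179, 541 and 540 seconds apart, all naming 65.121.114.230 and all after the data DTLS tunnel was established.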

6 Replies

Stephen Rodriguez
Cisco Employee

What happens if you put the AP behind a local internet router, and let it get an RFC 1918 address?

It could be that the provider starts to block the CAPWAP traffic to a public IP address.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.


Thanks Stephen,

Took your advice and tried that.  Still get the errors, and they are very sporadic so it doesn't seem like anything is being blocked.  Maybe some latency issue caused by the internet, or random packets being dropped???  I have clients associating now, but still get the errors whether the AP is inside behind a router, or directly connected to the internet.  Also, the OE AP stays joined to the controller, so the error doesn't seem to be causing enough of an issue to drop the AP.

I'll be testing soon to see if this impacts the users and if clients have any issues staying associated.

fb_webuser
Level 6

You need to set the Public IP address that the traffic is getting NATTED to on the Interface Config on the controller, as that address gets embedded in the CAPWAP response from the controller to the AP as well. You also need to enable the checkbox that turns on NAT.

A good reference is here: http://jenniferhuber.blogspot.com/2011/11/configuring-3500-series-access-point-as.html

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

---

Posted by WebUser Timothy O'Hara


blarkins1
Level 1

Well... I am now able to get clients to associate, although I still get the error.  I am testing this OE AP, connected on an outside internet connection, but within our corporate facility which has our corporate WLAN, and for whatever reason, clients will not roam from the local APs to the OE APs even if the signal strength degrades to poor on the local APs and the OE AP is right next to me.

Only if I enable & disable my laptop wireless can I force my client to drop the local AP and then join the OE AP (Same SSID, AP group, mobility group, etc...).

The capwap errors have something to do with the REAP tunnel and seem to be somewhat sporadic, but I still do not know exactly what is causing them.

I did want to update this thread though to say clients can associate now, so the H-REAP / OfficeExtend feature appears to be working fine.... just not sure about the error.

Thanks for the suggestions guys.

Clients in my testing have never roamed from a local AP to an OEAP. The OEAP isn't participating in any messages for roaming so even if they did it would be a hard disconnect and reconnect.
