Scott,

I added only the "Problem" makers to see if that helps, and it seem so...great..I have th e Problems since almost years and worked with a lot of Workarounds...where is that documented?

I will now checkout some CLI command to make that easier, because we are having hundred of APs.

Thanks so far I will update with a "correct Answer" after a while and i see that it works for me..

thanks

Sebastian

Sebastian,

when using anninternal wlc for OEAP, one thing you want is to sort of prevent unknown APs from registering as an OEAP. The only way to do that is with MAC address being added to the WLC. This way you can remove any given ap that you might decide to remove.  Another option is to get a 2504 just for OEAP's as long as your not hitting over 75 AP's.  Cisco has a bundle in which if you purchase two 1702, 2702, or 3702, you get a free 2504-25.  You can use any of these also for OEAP, but no wired connection. 

-Scott

Scott,

I know best practise would be a dedicated WLC, but my colleauges and global technical teamlead asked me why because it seems to work and to be honest the option is there and if there is a way I would like to use it as well. Maybe just to safe the working and maintenance and management for the additional WLC..But if there is no solution, sure I will go the best practise way...but right now it makes fun to go deeper in that ;)..

Anyhow, I discussed the situation with our firewall guy's and we didn't find a reason because everything seems to be okay like we see in the tcpdumps, but we are still in discussions..

I did some debugs on the AP, because I think on the WLC with about 200 APs it could make trouble. I see no problem..if you like I can post it..BUT when I configure the public NAT IP als primary WLC for the AP it works...without problems..(since about 20min) otherwise with the interanl WLC IP as primary configured the AP will struggle every 5min as we see today...

Is there any idea with those new information? For me it sound like a Protocoll "problem" It was with some codes we used in the past the same..

Sebastian

The WLC that you have nat  enabled, is that an anchor wlc or a foreign wlc?

-Scott

It's an anchor for a few foreign!

Okay, so nat ip address on the management should only be configured on that anchor.  You have local mode ap's on that anchor?

-Scott

U mean as primary WLC for the APs? Is there any explanation why?

we use successfully except one voice wlan location flexconnect everywhere.

The problem that the internal AP has in linking with the WLC on the Internal management IP is that shortly in the dialog the WLC will tell the AP to reply on the NAT (External) ip.  How many internal devices can ping the external doorway?  Current code can allow the WLC to report both the internal and external IP's.  that's the mode you need.

Problem with one WLC providing both internal and external support is that RLANS require 1mbps support.  lacking that and rlans will fail to authenticate.  That means that all the ssids are transmitting beacons at 1mbps.  at least that was the way it was in the beginning and I have not gone back and tested my current code (7.6.120).  I have way too many rlans to loose.  Almost all of my OEAPS' are supporting rlans for a voip phone and a workstation.

Another, OEAP ssids don't support MFP

David

David,

thanks to to let me know that 

As u can see above my WLC is responding with the internal and the external. That should be no issue. I used the necessary cli command. 

My APs wasn't able to ping the external till yesterday, we thought that could be  the problem so we enabled that but it didn't helped.

But now when I configure the external ip on the ap it joins successfully the WLC.

If that is they way I need to go because I have also a mobility setup in place for the anchor setup I use, I'm fine with that. But it would be nice to have details why I have to use the external ip and it is not working with the internal management ip. 

Sebastian 

What devices are you deploying in the OEAP mode?  602's or normal enterprise class units?

What is your discovery mechanism?  A DNS call?

602's don't do a DNS lookup..

602 and they are workin fine. Manually configured as u can see in the config guide. Why is that important for my case? My problem are the internal APs 

....

don't know yet..  I don't hook anything to the OEAP wlc that I'm not going to config as such.

I going to spin up a 3602 and send it over to the OEAP box and watch what happens..

All but 2 of my oe's are 602's and the wlc is not discoverable to an out-of-box unit..  they all log to the production system first and I will move it an observe.

I don't know what to tell you..  My 3062 landed on the productions system and I redirected it to the OE system and the out-of-box apgroup.  It took about 10 mins for it to roll over and decide to stay.  I bet it tries the outside ip a few times then gives up and stays on the inside.