
AP registration over IPSEC Tunnel (ASA)



I have my WAP sitting behind an ASA and have an IPsec tunnel between the ASA and a router. Below is the topology:




Recently we replaced the router with an ASA 5505 for security reasons, and since then the WAP is not able to register to the WLC. We have the VPN tunnel up and working. Even the WAP is able to ping the WLC IP address.


Do we need any special configuration on my ASA considering my above topology? I can confirm that the CAPWAP and LWAPP ports are opened on the ASA.


Please let me know if someone has faced this issue before.



I hope you have already allowed the below mentioned ports as per your requirement.

You must enable these ports:

  • Enable these UDP ports for LWAPP traffic:

    • Data - 12222

    • Control - 12223

  • Enable these UDP ports for mobility traffic:

    • 16666 - 16666

    • 16667 - 16667

  • Enable UDP ports 5246 and 5247 for CAPWAP traffic.

  • TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])

These ports are optional (depending on your requirements):

  • UDP 69 for TFTP

  • TCP 80 and/or 443 for HTTP or HTTPS for GUI access

  • TCP 23 and/or 22 for Telnet or SSH for CLI access


Also, if it goes over the IPsec VPN, the MTU size for the path between AP and WLC should be 1500; if it has a lesser MTU, then communication fails.


Can you get me your WLC and ASA OS versions?




Thanks Kartik for your response!


I assume we just need to worry about the IPsec and ISAKMP ports, as the WAP and WLC traffic is coming via the VPN tunnel. Please correct me if I am wrong.


Also, the ASA is 8.2 and the WAP/WLC devices are Ruckus. I am sure this is not a wireless configuration issue, as everything was working until I put the ASA in place of the router. Hope you will be able to help me further.


My whole point is: does the ASA need any special condition if WAP/WLC traffic is coming via the VPN tunnel?





Yeah... But through the tunnel the only problem is MTU... WLC to LWAPP communication requires a 1500-byte MTU... if you run the older version...


Also, have you tried to capture inbound and outbound traffic from the AP?

capture cap interface inside match udp host <ap> host <wlc>

capture cap interface outside match udp host <wlc> host <ap>

Here we can get the info on where it fails...



Well, about MTU, some forums advise setting 1400 to avoid any fragmentation issue.

Also, I did put a capture on the firewall but didn't see any traffic coming from the WLC (return traffic).


Just to confirm: are you asking me to change the MTU value on the interfaces (ASA and router) where my IPsec is terminated, or at the WLC and WAP level?





Let me know if you find the link below useful and related to my issue:

Hi guys, I have got this working. I found the WLC is sending packets with the DSCP value set to 1. This DSCP value makes the ASA drop wireless traffic (CAPWAP), and that's why the WAP never talks to the WLC through the IPsec tunnel. I just changed the DSCP value in the WLC from 1 to 0 and everything is back to normal.

I have yet to understand why the ASA is dropping packets having a DSCP value (please, someone explain it to me if you have an idea). So the question is: does the ASA drop packets (going through the IPsec tunnel) if they have any non-zero value?

Thanks, and hoping to have some informative response. -Prashant
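An added example, not part of any post in this thread: a Python script that reads raw IPv4 packets taken from a capture and reports, for CAPWAP (UDP 5246/5247), the DSCP marking, total length and DF bit, which are the two things the thread examines. The sample packets, the addresses and the 1400-byte tunnel MTU are constructed assumptions.

```python
import socket
import struct

CAPWAP_PORTS = {5246, 5247}  # CAPWAP UDP ports listed in the thread
IP_HDR = "!BBHHHBBH4s4s"     # fixed 20-byte IPv4 header layout

def build_packet(src, dst, sport, dport, dscp, payload_len, df=True):
    """Constructed IPv4/UDP test packet (checksums left at zero)."""
    ip = struct.pack(IP_HDR, 0x45, dscp << 2, 28 + payload_len, 0,
                     0x4000 if df else 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    return ip + udp + bytes(payload_len)

def inspect(packet, tunnel_mtu=1400):
    """Return DSCP and size findings for a CAPWAP packet, else None."""
    if len(packet) < 20:
        return None
    ver_ihl, tos, total, _, frag, _, proto, _, src, dst = struct.unpack(
        IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or ihl < 20 or len(packet) < ihl + 4:
        return None  # not IPv4/UDP, or truncated
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if not {sport, dport} & CAPWAP_PORTS:
        return None
    df = bool(frag & 0x4000)
    return {
        "flow": f"{socket.inet_ntoa(src)}:{sport} -> "
                f"{socket.inet_ntoa(dst)}:{dport}",
        "dscp": tos >> 2,  # upper six bits of the ToS byte
        "length": total,
        "df": df,
        # DF set and longer than the assumed tunnel MTU: cannot be fragmented
        "too_big_for_tunnel": df and total > tunnel_mtu,
    }

def report(packets, tunnel_mtu=1400):
    return [r for r in (inspect(p, tunnel_mtu) for p in packets) if r]

# Constructed samples: AP 10.0.0.10, WLC 10.0.1.20 (hypothetical addresses)
SAMPLES = [
    build_packet("10.0.0.10", "10.0.1.20", 50000, 5246, 0, 200),
    build_packet("10.0.1.20", "10.0.0.10", 5246, 50000, 1, 1450),
    build_packet("10.0.0.10", "10.0.1.20", 50001, 53, 0, 40),  # not CAPWAP
]

if __name__ == "__main__":
    for row in report(SAMPLES):
        print(row)
```

Running the same check on packets captured on the inside and outside interfaces shows whether the marking or size differs between the two directions.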

How to change the DSCP value in the WLC?

What WLC model are you using?