I have my WAP sitting behind an ASA and have an IPsec tunnel between the ASA and a router. Below is the topology:
WAP>>ASA<<< IPSEC TUNNEL>>> Router<<<WLC
Recently we replaced the router with an ASA 5505 for security reasons, and since then the WAP is not able to register to the WLC. We have the VPN tunnel up and working. The WAP is even able to ping the WLC IP address.
Do we have any special configuration in my ASA, considering my above topology? I can confirm that the CAPWAP and LWAPP ports are opened in the ASA.
Please let me know if someone has faced this issue before.
I hope you have already allowed the ports mentioned below, as per your requirement.
You must enable these ports:
Enable these UDP ports for LWAPP traffic:
Data - 12222
Control - 12223
Enable these UDP ports for mobility traffic:
16666 - 16666
16667 - 16667
Enable UDP ports 5246 and 5247 for CAPWAP traffic.
TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
These ports are optional (depending on your requirements):
UDP 69 for TFTP
TCP 80 and/or 443 for HTTP or HTTPS for GUI access
TCP 23 and/or 22 for Telnet or SSH for CLI access
Also, if it goes over the IPsec VPN, the MTU for the path between the AP and the WLC should be 1500; if it has a lower MTU, then communication fails.
Can you give me your WLC and ASA OS versions?
Thanks, Kartik, for your response!
I assume we just need to worry about the IPsec and ISAKMP ports, as the WAP and WLC are communicating via the VPN tunnel. Please correct me if I'm wrong.
Also, the ASA is 8.2 and Ruckus is the WAP/WLC vendor. I am sure this is not a wireless configuration issue, as everything was working until I put the ASA in place of the router. I hope you will be able to help me further.
My whole point is: does the ASA need any special condition if the WAP/WLC traffic is coming via the VPN tunnel?
Yeah... but through the tunnel the only problem is MTU... WLC-to-LWAPP communication requires a 1500-byte MTU if you run the older version...
Also, have you tried to capture inbound and outbound traffic from the AP? CAPWAP and LWAPP run over UDP, so match on UDP (not TCP) and give the two captures distinct names:
capture capin interface inside match udp host <ap> host <wlc>
capture capout interface outside match udp host <wlc> host <ap>
Here we can get the info on where it fails...
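The replies above state that AP-to-WLC traffic needs a 1500-byte path MTU and that the tunnel is where the MTU problem arises. The following is an added example, not code from the thread or from any vendor, that makes the reasoning concrete: it computes the size of a packet after ESP tunnel-mode encapsulation and the largest inner packet that still fits through a 1500-byte outer MTU without fragmentation. It assumes IPv4, ESP in tunnel mode with RFC 4303 framing, CBC ciphers with an explicit IV, and a 1500-byte outer MTU; the `TunnelProfile` type, the suite names and the report fields are invented for this example.

```python
"""Estimate ESP tunnel-mode overhead for CAPWAP/LWAPP traffic crossing an IPsec VPN.

Assumptions (not from the thread): IPv4, ESP in tunnel mode (RFC 4303 framing),
CBC ciphers with an explicit IV, and a 1500-byte outer MTU on the VPN-facing
interfaces. The suite names and the TunnelProfile type are invented here.
"""
import math
from dataclasses import dataclass

IPV4_HEADER = 20   # outer IPv4 header added by tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted region
NAT_T_UDP = 8      # extra UDP header when NAT-Traversal (UDP 4500) is negotiated

# cipher -> (IV length, cipher block size); integrity -> ICV length, in bytes
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-128-cbc": (16, 16),
    "aes-256-cbc": (16, 16),
}
INTEGRITY = {
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
}


@dataclass(frozen=True)
class TunnelProfile:
    """Hypothetical description of one IPsec SA's framing parameters."""
    cipher: str = "aes-128-cbc"
    integrity: str = "hmac-sha1-96"
    nat_t: bool = False
    outer_mtu: int = 1500


def esp_packet_size(inner_len: int, profile: TunnelProfile) -> int:
    """Size of the outer IPv4 packet after an inner packet of inner_len bytes is ESP-encapsulated."""
    iv_len, block = CIPHERS[profile.cipher]
    # The inner packet plus the 2-byte ESP trailer is padded up to the cipher block size.
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    size = IPV4_HEADER + ESP_HEADER + iv_len + padded + INTEGRITY[profile.integrity]
    if profile.nat_t:
        size += NAT_T_UDP
    return size


def fits_without_fragmentation(inner_len: int, profile: TunnelProfile) -> bool:
    """True if the encapsulated packet fits the outer MTU without fragmentation."""
    return esp_packet_size(inner_len, profile) <= profile.outer_mtu


def max_inner_packet(profile: TunnelProfile) -> int:
    """Largest inner IP packet that survives encapsulation without outer fragmentation."""
    for inner_len in range(profile.outer_mtu, 0, -1):
        if fits_without_fragmentation(inner_len, profile):
            return inner_len
    return 0


def capwap_mtu_report(profile: TunnelProfile, ap_mtu: int = 1500) -> dict:
    """Summarise whether a full-size AP-to-WLC packet fits through the tunnel."""
    outer = esp_packet_size(ap_mtu, profile)
    return {
        "inner_packet": ap_mtu,
        "encapsulated": outer,
        "overshoot": max(0, outer - profile.outer_mtu),
        "fits": outer <= profile.outer_mtu,
        "max_inner_without_fragmentation": max_inner_packet(profile),
    }


if __name__ == "__main__":
    # Constructed sample profiles: default AES/SHA1, 3DES/SHA1, and AES/SHA1 behind NAT-T.
    for prof in (TunnelProfile(),
                 TunnelProfile("3des-cbc", "hmac-sha1-96"),
                 TunnelProfile(nat_t=True)):
        print(prof, capwap_mtu_report(prof))
```

With AES-128-CBC and HMAC-SHA1-96 a 1500-byte inner packet becomes a 1560-byte ESP packet, 60 bytes over a 1500-byte outer MTU, and the largest inner packet that fits unfragmented is 1438 bytes (1446 with 3DES, 1422 with NAT-T). Whether the oversized packet is then fragmented or dropped depends on the DF bit and the firewall's fragmentation handling, which is why a full-size CAPWAP/LWAPP exchange can fail even though small pings succeed; the 1400-byte figure mentioned in the thread sits below all three limits computed here.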
Well, about MTU, some forums advise setting it to 1400 to avoid any fragmentation issues.
Also, I put a capture on the firewall but didn't see any traffic coming from the WLC (return traffic).
Just to confirm, are you asking me to change the MTU value at the interfaces (ASA and router) where my IPsec is terminated, or at the WLC and WAP level?
Let me know if you find the below link useful and related to my issue: