Remote site 3702i APs drop connections sporadically

Naga Atl
Level 1

We have a couple of 3702is at the remote site connected to the WLC 5520 via an IPsec tunnel through an ASA 5585.

WLC5520 --- ASA 5585 -------- IPsec site-to-site (AT&T ISP) ---- Cisco 1921 ----- 2960CX ----- 3702i APs

The APs join up to the WLC for 30-40 minutes and then drop off. The following are the points of interest:

1) The interface connecting the router to the switch has the command "ip tcp adjust-mss 1360" on the router.

2) I have adjusted the MSS to 1360 on the APs and there is no change.

3) Whenever the APs drop, I see the following messages in the AP "sh log":

*Nov 7 19:10:06.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:10:06.307: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:10:06.307: %CAPWAP-5-SENDJOIN: sending Join Request to 172.x.x.x
*Nov 7 19:10:11.307: %CAPWAP-5-SENDJOIN: sending Join Request to 172.x.x.x
*Nov 7 19:11:05.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
*Nov 7 19:11:06.407: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Nov 7 19:11:06.407: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Nov 7 19:11:06.411: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Nov 7 19:11:07.047: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Nov 7 19:11:07.411: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Nov 7 19:11:07.439: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Nov 7 19:11:07.447: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Nov 7 19:11:08.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Nov 7 19:11:08.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Nov 7 19:11:08.499: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Nov 7 19:11:08.507: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Nov 7 19:11:08.515: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Nov 7 19:11:09.499: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Nov 7 19:11:09.507: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Nov 7 19:11:09.535: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Nov 7 19:11:10.535: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Nov 7 19:11:17.047: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 7 19:11:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:11:46.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0xBAD1F98!

*Nov 7 19:12:16.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
*Nov 7 19:12:16.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 7 19:12:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:12:46.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0xA5C30AC!

*Nov 7 19:13:16.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
*Nov 7 19:13:26.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 7 19:13:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:13:56.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x622E3B8!

*Nov 7 19:14:26.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
*Nov 7 19:14:26.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 7 19:14:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:14:56.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x4A6DE64!

*Nov 7 19:15:26.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
*Nov 7 19:15:36.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 7 19:15:37.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:16:06.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x623386C!

*Nov 7 19:16:36.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
*Nov 7 19:16:36.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 7 19:16:37.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:17:06.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0xCF5CD24!

*Nov 7 19:17:11.423: %SYS-5-CONFIG_I: Configured from console by imsdadmin on vty0 (10.38.14.28)
*Nov 7 19:17:36.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
*Nov 7 19:17:46.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 7 19:17:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:18:16.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x623386C!

*Nov 7 19:18:46.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
*Nov 7 19:18:46.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 7 19:18:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:19:16.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x622E3B8!

*Nov 7 19:19:46.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
*Nov 7 19:19:46.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 7 19:19:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:20:16.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0xBAD1F98!

*Nov 7 19:20:46.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
*Nov 7 19:20:56.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

4) Not sure if this is of any interest: we have another remote site with a similar config where the APs are working perfectly, but the only difference between the two is that at the problematic site the connection between the router and the switch is an access port with "switchport access vlan (no.)", whereas at the working site the connection is a trunk, i.e. router-on-a-stick with subinterfaces for 3 different VLANs. Does this make any difference?

Can I get some advice on what I could do about this?
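Added example (editor's code, not from the poster or from Cisco): a small parser that classifies the DTLS/join attempts in the log above. The sample lines are an excerpt of the posted log; the year is assumed because the AP log carries none, and the WLC address is the redacted 172.x.x.x from the post. The point it makes visible is that the first attempt after the drop completed the DTLS handshake but never completed the join (two Join Requests, then a close-notify a minute later), while every later attempt never even completed the handshake (Max retransmission after 30 s). CAPWAP control runs over UDP/5246, as the peer_port in the log shows, so the script keys on that exchange rather than on anything TCP.

```python
"""Classify CAPWAP/DTLS join attempts from Cisco AP 'show log' output.

Added example, not part of the original post. SAMPLE_LOG is an excerpt of
the log posted in the question (constructed test input for this script).
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
*Nov 7 19:10:06.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:10:06.307: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:10:06.307: %CAPWAP-5-SENDJOIN: sending Join Request to 172.x.x.x
*Nov 7 19:10:11.307: %CAPWAP-5-SENDJOIN: sending Join Request to 172.x.x.x
*Nov 7 19:11:05.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
*Nov 7 19:11:17.047: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Nov 7 19:11:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:11:46.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0xBAD1F98!
*Nov 7 19:12:16.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
*Nov 7 19:12:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.x.x.x peer_port: 5246
*Nov 7 19:12:46.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0xA5C30AC!
*Nov 7 19:13:16.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.x.x.x:5246
"""

# "*Nov 7 19:10:06.000: <message>"  (no year in the AP timestamp)
LINE_RE = re.compile(r"^\*(\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\.(\d{3}): (.*)$")
ASSUMED_YEAR = 2018  # assumption: the AP log carries no year


def parse_line(line):
    """Return (timestamp, message) for an AP log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(microsecond=int(m.group(2)) * 1000)
    return ts, m.group(3)


def classify_attempts(log_text):
    """Split the log into DTLS attempts and label how each one ended.

    Every %CAPWAP-5-DTLSREQSEND opens a new attempt. It ends as
      'dtls_failed' - Max retransmission count reached, handshake never completed
      'join_failed' - handshake completed, Join Request (re)sent, then the AP
                      sent a close-notify without ever finishing the join
    """
    attempts = []
    current = None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if "%CAPWAP-5-DTLSREQSEND" in msg:
            current = {"start": ts, "end": None, "handshake_ok": False,
                       "joins_sent": 0, "result": None}
            attempts.append(current)
        elif current is None or current["result"] is not None:
            continue  # noise, or trailing close-notify of an attempt already closed
        elif "%CAPWAP-5-DTLSREQSUCC" in msg:
            current["handshake_ok"] = True
        elif "%CAPWAP-5-SENDJOIN" in msg:
            current["joins_sent"] += 1
        elif "Max retransmission count reached" in msg:
            current["result"], current["end"] = "dtls_failed", ts
        elif "%DTLS-5-SEND_ALERT" in msg and "Close notify" in msg:
            current["result"] = "join_failed" if current["handshake_ok"] else "dtls_failed"
            current["end"] = ts
    for a in attempts:
        a["seconds"] = (a["end"] - a["start"]).total_seconds() if a["end"] else None
    return attempts


def summarize(attempts):
    """Count attempts per outcome; 'incomplete' is an attempt still open at end of log."""
    counts = {"dtls_failed": 0, "join_failed": 0, "incomplete": 0}
    for a in attempts:
        counts[a["result"] or "incomplete"] += 1
    return counts


def join_loop_detected(attempts, min_failures=3):
    """True when the last min_failures attempts all failed, i.e. the AP is looping."""
    tail = attempts[-min_failures:]
    return len(tail) == min_failures and all(
        a["result"] in ("dtls_failed", "join_failed") for a in tail)


if __name__ == "__main__":
    found = classify_attempts(SAMPLE_LOG)
    for a in found:
        print(f"{a['start']:%H:%M:%S} handshake_ok={a['handshake_ok']} "
              f"joins_sent={a['joins_sent']} result={a['result']} after {a['seconds']:.0f}s")
    print(summarize(found), "join loop:", join_loop_detected(found))
```

Run it against a full "show log" capture from the AP; the split between join_failed and dtls_failed attempts, and the fixed 30 s to Max retransmission on the latter, are what to carry into a packet capture on either side of the tunnel.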

1 Reply

Hi @Naga Atl

The logs only tell us that the AP lost connectivity with the WLC and disabled the radios. That's the normal behavior when an AP in local mode loses its connection to the WLC.

This problem is more common than you might think. Local-mode APs over a WAN usually bring some challenges.

A good scenario for you would be to change the APs to FlexConnect mode. In this mode, only the control plane is sent back to the WLC while the data plane remains on the local network. When the AP loses connectivity with the WLC, it does not turn the radios off and is able to work in standalone mode until it recovers connectivity.

However, this depends on your environment. If you need to bring all the traffic to a central point, then local mode needs to stay in place.

One suggestion I have to help you is to change two parameters in the AP configuration:

AP Retransmit Count: from 5 (packets) to 8 (packets)

AP Retransmit Interval: from 3 (seconds) to 5 (seconds)

With that config, the AP will wait a little bit longer before declaring the WLC unavailable.

Also, try to measure the network delay from the AP to the WLC. If the delay is too high, you may have problems even after changing the parameters above.

-If I helped you somehow, please, rate it as useful.-
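Added config fragment (editor's, not from the reply or from Cisco documentation): the two AP retransmit changes proposed above, as typed on an AireOS WLC such as the 5520, followed by the optional FlexConnect mode change. "all" applies the retransmit values to every AP joined to the controller; the AP name REMOTE-AP-01 is hypothetical.

```text
! Current values, as described in the reply: count 5, interval 3 seconds
(Cisco Controller) >show ap retransmit all

! Proposed values: the AP tolerates more lost control packets before giving up on the WLC
(Cisco Controller) >config ap retransmit count 8 all
(Cisco Controller) >config ap retransmit interval 5 all
(Cisco Controller) >show ap retransmit all

! Optional: FlexConnect on one remote-site AP (hypothetical name);
! the AP reboots when its mode changes, so do this in a maintenance window
(Cisco Controller) >config ap mode flexconnect REMOTE-AP-01

(Cisco Controller) >save config
```

Check `show ap retransmit all` after the change; if an AP still drops with 8 retransmits 5 seconds apart, the control path is losing packets for longer than 40 seconds at a time, and the delay measurement the reply asks for (from the AP's subnet to the WLC's management address, across the IPsec tunnel) is the next thing to collect.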