
Wireless access point behind ASA EasyVPN

Good day!

I have a branch office set up with a cable modem and an ASA 5505 as an EasyVPN hardware client with network extension mode enabled, which connects to a PIX515E at the headend.

I'm working on a separate issue for why the Internet connection drops periodically at the site, but my main problem is as follows.

In this location, I have an 1142 LAP.  It can boot up, and join the WLC just fine.  Performance seems a little slow when it's working, but it works.  The real issue is, if the VPN connection drops and reestablishes for any reason, the wireless clients all cease being able to communicate.  All wired clients seem to bounce back without a problem.

The access point still shows to be joined to the controller, the access point never goes down, just wireless clients can't access anything any more.  If I reload the access point, clients reassociate and continue on their merry way.  For now, I am experimenting to keep the connection from dropping, but I'd really like to get it where I don't have to babysit this thing all day and night, and it can rejoin and function normally by itself after an outage.

We are changing to this configuration from wireless bridging due to interference and reliability issues - however, I never experienced any similar issues with this particular access point before, so it's not the access point itself.

I'm hoping somebody out there has an idea or suggestion for something to try or look for.  Thanks for any help.

Michal Garcarz
Cisco Employee

Hi Aaron,

I understand that you use FlexConnect (previously HREAP) mode?

The FlexConnect access points can switch client data traffic locally and perform client authentication locally when their connection to the controller is lost.




I'm not using FlexConnect or HREAP - mostly because the clients don't need access to anything on their local network.  Everything they access is on the enterprise side, so everything is tunneled back to the controllers.

I have been reading about HREAP to see if it might have a shot at fixing the problem, but so far I'm not convinced it will.

OK, Aaron,

When you noticed the problem:

1. Can you log in to the AP and check if it's associated correctly with the controller? Can you ping from the AP to the controller?

2. You might want to adjust the AP primary discovery timeout, AP retransmit count and interval to make sure you detect failures faster (and recover faster).



Anthony Biegacki

We are having the same issue on our end as well.  We are using a FlexConnect configuration and it still doesn't allow anyone to authenticate if the EZVPN connection dies.  I just recently updated the firmware on one of our controllers for a test.  We are using AIR-CAP3502I-A-K9 and AIR-LAP1242AG-A-K9.  It's been happening for about 2 or 3 weeks now and we have tried speaking with TAC and we haven't found a solution. Any insight would be extremely helpful. Thanks!!
