CISCO-LWAPP-CONTROLLER

Network Pro
Level 1

Hello,

I am trying to get this officeextend working.

I connected the ap and checked the H-Reap box and then officeextend and gave it a public ip. This public ip is NAT'd to the dmz controller on the firewall. (The dmz controller is 5508 running code 6.0.199.4)

I have connected this officeextend 1132 ap to a broadband connection and this gets an ip of 192.168.1.23 on its fa0 interface. all good till now.

When I console onto the officeextend 1132 AP, I get an error msg could not resolve Cisco-LWAPP-Controller.abc.uk....domain server (192.168.1.254) and Cisco-CAPWAP-Controller.home.uk...think it needs DNS set to the public ip on the local ADSL box, is it ?

if this is the case, I am not sure if i can do this as this is controlled by the ISP


Network Pro
Level 1

any ideas ?

Scott Fella
Hall of Fame

Are you translating udp 5247 & 5247 in your FW to point back to the WLC? Also you need to enter the WLC name and the public NAT'd ip for the primary wlc. If you didn't do that you can always enter that info from the console.

capwap ap controller ip address

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Cheers Scott.

I had checked the H-Reap and then ticked on officeextend and gave the officeextend DMZ WLC name and public ip address on the AP. Then I connected to the broadband connection and it seems to look for Cisco-LWAPP-Controller.abc.uk.... (abc is my domain name for broadband connection)

And we have two firewalls - the first one being perimeter firewall. I have nat'd this 5246 and 5247 on the perimeter firewall and allowed acl on the outside interface to allow 5246 and 5247 on the internal firewall, hope this is correct ?

That should be fine. As long as the traffic (udp 5246&5247) gets back to the management interface of the wlc you are fine. Don't worry about the Cisco-lwapp-controller... It's just part of the join process.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

but the problem is the AP when connected to broadband connection gets stuck at Cisco-LWAPP-Controller.abc.uk....

I have entered the public ip and dmz officeextend wlc on the high availability and checked officeextend and h-reap, anything else I need to do?

I am doing this from scratch again and will update you if i have any success in the meantime do you have any thoughts on the above scott ?


Thanks

Did you enter the NAT'd public ip address in the management interface? Do you see the translation coming in from the public interface and being sent to the wlc. Try to console into the ap and set the controller ip address (public). I had to do that on a 1131 that I was testing for that to join.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

ok thanks will try this scott and by the way do I need to enter the public ip address (66.111.22.12) on the management interface on the WLC ? because I have not done this. I was under the impression that the firewall will nat back to the ip of dmz controller

Oh no... You need that public ip entered in the management interface.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

I have added this now scott on the management interface but still can't get the AP to join the controller. This AP is connected to a broadband wireless router connected back to an ADSL router that has the DNS settings

(also I can't see any traffic hitting on ports 5246 and 5247 on the firewall. so think this AP is not trying to go out )

it comes up with

CAPWAP-5-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.

Translating "CISCO-CAPWAP-CONTROLLER.Abc.uk"...domain server (192.168.1.254)
*Apr  8 16:25:39.983: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

Translating "CISCO-LWAPP-CONTROLLER.Abc"...domain server (192.168.1.254)
*Apr  8 16:25:42.095: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.Abc.uk

config on AP

service password-encryption
!
hostname AP6400.f14d.b6ba
!
logging rate-limit console 9
enable secret 5 $1$ACEH$BuOIS/RYEP5ZXvWxbyCFS/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login reap_eap_methods group radius
!
aaa session-id common
eap profile lwapp_eap_profile
 method fast
!
!
crypto pki trustpoint Cisco_IOS_MIC_cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint cisco-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-device-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-new-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-old-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
username Cisco secret 5 $1$2zkE$CaKkr5zDUWwltKRFvrIto0
!
!
ip ssh version 2
!
!
interface Dot11Radio0
 no ip route-cache
 mbssid
 speed  basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 power client local
 packet retries 64 drop-packet
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip route-cache
 mbssid
 power client local
 packet retries 64 drop-packet
!
interface Dot11Radio1.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 ip address dhcp client-id FastEthernet0
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
no ip http server
logging trap errors
logging origin-id string AP:6400.f14d.b6ba
logging facility kern
logging snmp-trap notifications
logging snmp-trap informational
logging snmp-trap debugging
logging 255.255.255.255
radius-server local
  no authentication eapfast
  no authentication leap
  no authentication mac
  nas 66.11.22.33 key 7 111D110C041B18030A2632253C363832
  group hreap
  !
!
!
control-plane
!
!
line con 0
line vty 0 4
 transport input none
line vty 5 15
 transport input none
!
end

Did you try to enter the following: capwap ap controller ip address 66.111.22.12

Also... what model AP is this? 

-Scott
*** Please rate helpful posts ***

yep done this but no joy

these are 1131 ap

That is the same AP I used to test with besides an AP600. If you entered that command, you should see something hit your FW on the public side. 

-Scott
*** Please rate helpful posts ***

Still no joy

this is the console output for the AP. does this give you any thoughts ?


AP6400.f14d.b6ba#sh capwap client config
configMagicMark         0xF1E2D3C4
chkSumV2                15914
chkSumV1                34739
swVer                   7.0.98.0
adminState              ADMIN_ENABLED(1)
name                    AP6400.f14d.b6ba
location                default location
group name
mwarName                CNWL-WLC-OfficeExtend
mwarIPAddress           82.45.135.166
mwarName
mwarIPAddress           0.0.0.0
mwarName
mwarIPAddress           0.0.0.0
ssh status              Disabled
Telnet status           Disabled
numOfSlots              2
spamRebootOnAssert      1
spamStatTimer           180
randSeed                0x0
transport               SPAM_TRANSPORT_L3(2)
transportCfg            SPAM_TRANSPORT_DEFAULT(0)
initialisation          SPAM_PRODUCTION_DISCOVERY(1)
ApMode                  H-REAP
ApSubMode               Not Configured
AP Rogue Detection Mode Disabled
OfficeExtend AP         [1] Enabled
OfficeExtend AP JoinMode[0] Standard
Discovery Timer         10 secs
Heart Beat Timer        30 secs
Led State Enabled       1
Primed Interval         0

Do you see anything hitting your FW? I think that is the key, because if you set the controller public ip address the ap will try to connect to that ip using udp 5246 and the 5247 if data encryption was enabled. From the ap, you should also be able to ping that public ip.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
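
Added example, not part of any post in this thread: a Python sketch that parses output like the `sh capwap client config` capture above and reports when the controller address primed on the AP differs from the NAT'd public address it is expected to join. The function names are hypothetical, and using 66.111.22.12 (the public address quoted earlier in the thread) as the expected value is an assumption of the example.

```python
import ipaddress
import re

# Excerpt of the `sh capwap client config` output posted in the thread.
SAMPLE = """\
name                    AP6400.f14d.b6ba
group name
mwarName                CNWL-WLC-OfficeExtend
mwarIPAddress           82.45.135.166
mwarName
mwarIPAddress           0.0.0.0
mwarName
mwarIPAddress           0.0.0.0
ApMode                  H-REAP
OfficeExtend AP         [1] Enabled
"""

def parse_capwap_client_config(text):
    """Split the output into scalar fields and an ordered controller list.

    mwarName/mwarIPAddress repeat once per controller slot, so a plain dict
    would keep only the last (empty) slot; the pairs are collected in order.
    """
    fields, controllers, name = {}, [], ""
    for line in text.splitlines():
        if not line.strip():
            continue
        # Key and value are separated by a run of two or more spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        key, value = parts[0], (parts[1] if len(parts) == 2 else "")
        if key == "mwarName":
            name = value
        elif key == "mwarIPAddress":
            controllers.append((name, value))
            name = ""
        else:
            fields[key] = value
    return fields, controllers

def check_primed_controller(text, expected_public_ip):
    """Return a list of findings; an empty list means nothing was flagged."""
    fields, controllers = parse_capwap_client_config(text)
    expected = ipaddress.ip_address(expected_public_ip)
    findings, primed = [], 0
    for name, raw in controllers:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"unparseable controller address: {raw!r}")
            continue
        if addr.is_unspecified:  # 0.0.0.0 marks an unused slot
            continue
        primed += 1
        if addr != expected:
            findings.append(f"{name or '(unnamed)'} is primed with {addr}, expected {expected}")
    if primed == 0:
        findings.append("no controller address is primed on the AP")
    if "Enabled" not in fields.get("OfficeExtend AP", ""):
        findings.append("OfficeExtend mode is not enabled")
    return findings
```

Calling `check_primed_controller(SAMPLE, "66.111.22.12")` returns one finding for the primary slot; an empty list means the primed address matches and OfficeExtend is enabled.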