5508 WLC and Office Extend AP's

spirotsares
Level 1

I have a 5508 wireless LAN controller with a WPlus 100 AP license installed on it. The controller MGMT IP address is an internal IP (172.x.x.x). I set up a 1:1 static NAT, with an externally accessible address (208.x.x.x) being translated to the inside mgmt address (172.x.x.x) of the controller, with UDP ports 5246 and 5247 open. I've connected the OEAP (1142) to the controller inside my network (primed it) and set it to H-REAP mode. I then selected the Office Extend AP under the H-REAP tab as per the 6.0 config guide. In the High Availability tab I've put the name of the controller and the externally accessible IP (208.x.x.x).

When I connect the OEAP to the outside world I look under the Monitor -> Statistics -> AP Join page and I see the AP with a successful discovery phase message: "Received Discovery request and sent response". However, the Join phase statistics are all zeroed out. Is there something I'm missing? Does the controller have to be in the DMZ or have an external MGMT IP for OEAPs to join?

Thanks

Spiro

41 Replies

gphilebaum-nrh
Level 1

I don't have any answer, but I'm hoping someone does.  We are in the same situation.

We have a 5508 internally with a 10.x.x.x address behind an ASA 5510.  The NATed address of the 5508 is 66.x.x.x.  The AP is setup with the public address of the 5508 as its primed controller.

While watching our ASA logs, I can see the AP connecting through the ASA to the 5508 on UDP 5246 and 5247.  At the same time I'm capturing the log information on the AP via the console port, so I can see what is happening.

I have also captured the internal traffic with our NAM, and it shows the UDP 5246 and 5247 traffic getting through the ASA to the 5508 as well as the return traffic going back out.

What I've noticed is that once the AP finishes the initial communication on UDP 5346 and 5247, it then attempts to establish the DTLS connection. The problem is that it is trying to establish the DTLS connection to the 5508's private IP address.

This is what is seen on the AP via the console.

%CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.x.x.x peer_port: 5246

I've double checked the AP configuration, and the controller's 10.x.x.x address is not set anywhere; so I'm assuming it is being sent to the AP from the controller.

So, basically, after initial contact between the two public IPs, the AP then tries creating the DTLS connection to the private IP of the controller.

I'm hoping someone out there has some info on why this happens, and what to check.

Thanks in advance for the help.
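One way to check an AP console capture for exactly this symptom, as an added example that is not part of the thread or of any Cisco tool: it parses the %CAPWAP-5-DTLSREQSEND line quoted above and reports whether the peer the controller told the AP to use is an RFC 1918 address instead of the expected public (NAT) address. The log lines and all IP addresses below are constructed for illustration.

```python
import ipaddress
import re

# Pattern for the DTLS request line the AP prints on its console (quoted in
# this thread). peer_ip is the address the WLC handed the AP after discovery.
DTLS_REQ_RE = re.compile(
    r"%CAPWAP-5-DTLSREQSEND: DTLS connection request sent "
    r"peer_ip: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) peer_port: (?P<port>\d+)"
)

# CAPWAP control and data ports, as opened on the firewall in the thread.
CAPWAP_PORTS = {5246, 5247}

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private,
# which also flags documentation ranges such as 203.0.113.0/24.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    """True when addr falls inside one of the RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918_NETS)


def dtls_peers(console_log: str) -> list[tuple[str, int]]:
    """Return (peer_ip, peer_port) for every DTLSREQSEND line in the capture."""
    peers = []
    for line in console_log.splitlines():
        m = DTLS_REQ_RE.search(line)
        if m:
            peers.append((m.group("ip"), int(m.group("port"))))
    return peers


def diagnose(console_log: str, expected_public_ip: str) -> list[tuple[str, int, str]]:
    """Classify each DTLS peer the AP tried against the NAT address it should use.

    Verdicts:
      ok                     - the AP is connecting to the expected public address
      private-ip-advertised  - the WLC handed out an RFC 1918 address, the failure
                               mode described in the thread (NAT address not set
                               on the management interface)
      unexpected-public-ip   - a routable address, but not the one configured
      unexpected-port        - DTLS is not going to a CAPWAP port
    """
    expected = ipaddress.ip_address(expected_public_ip)
    findings = []
    for ip, port in dtls_peers(console_log):
        addr = ipaddress.ip_address(ip)
        if port not in CAPWAP_PORTS:
            verdict = "unexpected-port"
        elif addr == expected:
            verdict = "ok"
        elif is_rfc1918(addr):
            verdict = "private-ip-advertised"
        else:
            verdict = "unexpected-public-ip"
        findings.append((ip, port, verdict))
    return findings


# Constructed console capture: the controller's NAT address would be
# 203.0.113.10, but the AP was told to bring up DTLS to 10.1.1.5.
SAMPLE_BROKEN_LOG = """\
%CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.5 peer_port: 5246
"""

# Constructed capture from a controller with the NAT address configured.
SAMPLE_GOOD_LOG = """\
%CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 203.0.113.10 peer_port: 5246
"""

if __name__ == "__main__":
    for name, log in (("broken", SAMPLE_BROKEN_LOG), ("good", SAMPLE_GOOD_LOG)):
        for ip, port, verdict in diagnose(log, "203.0.113.10"):
            print(f"{name}: DTLS to {ip}:{port} -> {verdict}")
```

Feed it the text captured from the AP's console port; a "private-ip-advertised" verdict on an AP that sits outside the firewall means the controller is still advertising its inside address, which the firewall's static NAT alone cannot fix.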

I have had the same problems,

I solved it in the end by giving the WLC a public IP address, and making a subnet on the inside of the network with public addresses.

In the ASA 5510 I do a static NAT for the WLC into the same address.

I reported this as a bug to Cisco,  the answer I got back was that it was working as designed.  I asked our account manager to check on this but have not had any luck yet having this changed.

Here is a link to the bug I reported.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb81959

regards,

Arni

I managed to fix it, but then ran into another situation.

I talked to our local account rep, and he pointed out that I missed a checkbox on the 5508's management interface.  The checkbox is to enable NAT.  It will then present a text box where the public address can be entered.  This will make the 5508 tell the AP to use the controller's public address to join instead of the private one.

While this resolved my above issue, it presented a new problem. Once I enable NAT on the 5508 management interface, I'm no longer able to join APs internally on the network.

What I'm going to try next is to set up two management interfaces: one with NAT enabled, and one for internal use only. Our internal DNS will then point to the internal management interface, so I can join and configure the APs in the office, and the Office Extend APs being issued out to employees will have the NAT'd interface configured for them to use.

I think that should take care of it.

Hope this info helps out everyone who may be in the same situation.

Please keep us posted with your findings. I spoke with a TAC escalation engineer and was told that at this point he'd recommend changing the mgmt. address back and forth from the internal address to the globally accessible address to join inside APs first, then OEAPs.

Hi,

I tried that as well. At that point the WLC sometimes still told the Office Extend APs to connect to the interface which was on the inside. So if many APs were connected the WLC started to try to load balance the APs, so when we had about 10 Office Extend APs connected we could not have more, since they always tried to connect to the interface which was on the inside.

I've tried many things; the only thing which actually solved this for me was to put a public IP on the WLC... and NAT that address into itself on the firewall.

Right now the APs are joining without problems, both on the inside and outside.

The bug I linked to before explained that "work-around" which somebody mentioned, to remove the NAT when joining APs on the inside. From my view that is not a workaround, it is a hack... not something I did expect from Cisco.

Our main problems at this moment are performance problems. I have an open TAC case about that now; maybe somebody has input about how they think Office Extend is performing...

best regards,

Arni

Good info.  Thanks!

I just finished the test myself.  Results weren't very stable.

I had one mgt interface on port-1 with NAT.  The 2nd mgt interface on port-2 with no NAT.  DNS pointed to end interface only.

APs still weren't sure which one to talk to consistently.  The only thing that worked 100% of the time was to use a single mgt interface and turn off NAT when configuring a new AP.  I don't really like that solution.

Using static NAT on a firewall doesn't work due to the nature of LWAPP/CAPWAP and the join process. When you use static NAT on a firewall, the problem with the join part is that once the controller gets the hello (i.e. discovery) packet from the AP and subsequently the join request, the controller responds with its private internal address. Therefore, when the AP sends its join reply, it sends it to that address (most likely an RFC 1918 address not routable on the 'net). So the join process fails. That is why enabling NAT on the management interface is required, or putting the controller into a DMZ. Has anyone tried that? I'm curious to know how this is all supposed to work out when you have a controller in LAG mode. I almost never use ap-managers if I can avoid it. I just got a 5508 last week, so I'll try some stuff over the next couple of weeks.

Regards,
Scott

bknapp1948
Level 1

We have several 5508s and have been struggling getting OfficeConnect working. All of our controllers use LAG. At this point it appears that an entire 5508 needs to be dedicated to OfficeConnect APs. The reason for this has been pointed out by other responders: the NAT address checkbox needs to be checked and the NAT address supplied. Once this is done, the 5508 will always supply that address to APs attempting to connect.

We have tried not using LAG and using multiple mgmt interfaces as another responder tried, but found that connection results were very flaky for internal APs.

We will continue to watch this post and contribute any of our findings.

481567
Level 1

I have a 5508 WLAN controller with the WPLUS 100 AP license. I want to run this controller as both a guest anchor and the Office Extend feature at the same time. My question is this: how would the ports be configured on the WLAN controller? Would I have separate interfaces for Guest and Office Extend? Would the Office Extend port sit on the private side of the network or the public? Would you recommend a separate VLAN for this port? Can you point me to some good documentation dedicated to the Office Extend feature? I need something that outlines the controller port config and AP config.

I want to do the same thing with my 5508. I would like to run my Hotspot, Guest Access and Office Extend from the same controller. Any documentation or recommendations would be appreciated.

Thanks,

Gordon

Any news on this problem?

I am configuring office extend and guest anchor on the same controller today, I will update with the result

reload in 25 years

A bit of fiddling with the NAT rules on the customer's Checkpoint and everything worked fine. They have turned off auto translation and some other funnies because of merged networks (two corporates).

The remote worker location is on VLAN red on the DMZ controller.

The guest users are on VLAN blue on the same DMZ controller.

The DMZ controller is the auto anchor for the guest WLAN sourced at the main controller on the internal network.

Basically the configuration for both features is not dependent on the other, but the routing and NATting across the outside, DMZ and inside interfaces have to be configured precisely: NAT inbound from the internet to the DMZ controller, but no NAT from the main WLC across the inside interface to the controller.

In summary it works, but the firewall is the challenge.

reload in 25 years

So guys, it seems that tweaking the firewall does the trick. Thanks for sharing the info. Has someone else tried with firewall settings?

thanks,

Vinay

Thanks & Regards