
9120 Can't join C9800-L-C-K9 as an OEAP

Tony M
Level 1

Hello,

 

I have a demo C9800-L-C-K9 and a bunch of 9120 APs that I am using to prove that the controller will be able to replace the 5508 and 3500/3700 APs we are currently using for OE. The APs were able to connect to the controller internally and have been configured as OfficeExtend APs. However, when I brought the APs home, they send a discovery request to the controller and receive a response, but they are not able to join. Here are console log messages from the AP:

 

[*07/31/2020 13:16:24.7710]
[*07/31/2020 13:16:24.7710] CAPWAP State: Discovery
[*07/31/2020 13:16:24.7730] Discovery Request sent to 10.x.x.x, discovery type STATIC_CONFIG(1)
[*07/31/2020 13:16:24.7740] Discovery Request sent to 72.x.x.x, discovery type STATIC_CONFIG(1)
[*07/31/2020 13:16:24.7740] IP DNS query for CISCO-CAPWAP-CONTROLLER.msnomer.com
[*07/31/2020 13:16:24.7760] DNS resolved CISCO-CAPWAP-CONTROLLER.msnomer.com
[*07/31/2020 13:16:24.7760] DNS discover IP addr: 72.x.x.x
[*07/31/2020 13:16:24.7760] IPv6 DNS query for CISCO-CAPWAP-CONTROLLER.msnomer.com
[*07/31/2020 13:16:24.7780] DNS resolved CISCO-CAPWAP-CONTROLLER.msnomer.com
[*07/31/2020 13:16:24.7780] DNS discover IP addr: 72.x.x.x
[*07/31/2020 13:16:24.7790] Discovery Request sent to 10.x.x.x, discovery type STATIC_CONFIG(1)
[*07/31/2020 13:16:24.7800] Discovery Request sent to 72.x.x.x, discovery type STATIC_CONFIG(1)
[*07/31/2020 13:16:24.7810] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*07/31/2020 13:16:24.7890] Discovery Response from 72.x.x.x
[*07/31/2020 13:16:24.7940] Discovery Response from 72.x.x.x
[*07/31/2020 13:16:34.0000]
[*07/31/2020 13:16:34.0000] CAPWAP State: DTLS Setup
[*07/31/2020 13:16:34.0900] hostapd:EAPOL: txStart
[*07/31/2020 13:16:34.0910] hostapd:dot1x: RX EAPOL from 00:e1:6d:92:a2:92
[*07/31/2020 13:16:34.0910] hostapd:EAP: Status notification: completion (param=success)
[*07/31/2020 13:17:06.1170] hostapd:EAPOL: txStart
[*07/31/2020 13:17:06.1180] hostapd:dot1x: RX EAPOL from 00:e1:6d:92:a2:92
[*07/31/2020 13:17:06.1180] hostapd:EAP: Status notification: completion (param=success)
[*07/31/2020 13:17:31.0160]
[*07/31/2020 13:17:31.0160] CAPWAP State: DTLS Teardown
[*07/31/2020 13:17:31.0270] Aborting image download(0x0): Dtls cleanup,
[*07/31/2020 13:17:31.0910] do ABORT, part2 is active part
[*07/31/2020 13:17:31.1070] upgrade.sh: Cleanup tmp files ..

Any ideas as to why this is failing?

 

Accepted Solutions

Scott Fella
Hall of Fame
Please take a look at this guide. Shows you what you need to enable when the AP is behind a NAT.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215681-configure-oeap-and-rlan-on-catalyst-9800.html
-Scott
*** Please rate helpful posts ***


Thanks Scott. I followed that guide but still have no connection. I've confirmed that CAPWAP ports are allowed and I do see a response from the controller, however communication between the AP and controller is brief and incomplete. From the firewall at the remote end:

 

 

[2.4.5-RELEASE][admin@home.firewall]/root: tcpdump -nnei ixv0.666 host b.b.b.b
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ixv0.666, link-type EN10MB (Ethernet), capture size 262144 bytes
10:02:23.091347 52:54:00:db:48:73 > 00:17:10:93:a2:9e, ethertype IPv4 (0x0800), length 266: a.a.a.a.17801 > b.b.b.b.5246: UDP, length 224
10:02:23.099182 52:54:00:db:48:73 > 00:17:10:93:a2:9e, ethertype IPv4 (0x0800), length 266: a.a.a.a.17801 > b.b.b.b.5246: UDP, length 224
10:02:23.115755 00:17:10:93:a2:9e > 52:54:00:db:48:73, ethertype IPv4 (0x0800), length 150: b.b.b.b.5246 > a.a.a.a.17801: UDP, length 108
10:02:23.115972 00:17:10:93:a2:9e > 52:54:00:db:48:73, ethertype IPv4 (0x0800), length 150: b.b.b.b.5246 > a.a.a.a.17801: UDP, length 108

This is the only communication I see for each join attempt. I do have a case open with the TAC and will update this post with the resolution when I have it. Though, if the above sparks any ideas, I'd like to hear them.

 

 

The only reason it wouldn’t work is if the public/private is not defined. Rasika was able to confirm it works on his setup. Have you confirmed from various other folks? Just in case it’s something with the home network setup?
-Scott
*** Please rate helpful posts ***

Got back to this yesterday. Certainly, the command to include the public address in the response was missing. I think this was because of reapplying the nat command when we switched WIM to a different interface temporarily.

 

Thanks!

Yes, follow that guide Scott shared. It should work. I tested it the other day.

Rasika
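
The pattern in the AP console log quoted at the top of the thread (discovery answered, then DTLS Setup ending in DTLS Teardown) can be checked mechanically when triaging many remote APs. The Python below is an added example, not part of the thread and not Cisco tooling; the sample log is constructed from the lines quoted in the original post, and the function names and finding strings are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the AP console output quoted in the thread.
SAMPLE_LOG = """\
[*07/31/2020 13:16:24.7710] CAPWAP State: Discovery
[*07/31/2020 13:16:24.7730] Discovery Request sent to 10.x.x.x, discovery type STATIC_CONFIG(1)
[*07/31/2020 13:16:24.7740] Discovery Request sent to 72.x.x.x, discovery type STATIC_CONFIG(1)
[*07/31/2020 13:16:24.7890] Discovery Response from 72.x.x.x
[*07/31/2020 13:16:34.0000]
[*07/31/2020 13:16:34.0000] CAPWAP State: DTLS Setup
[*07/31/2020 13:17:31.0160] CAPWAP State: DTLS Teardown
"""

LINE = re.compile(r"^\[\*(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+)\]\s*(.*)$")
# States seen in the thread's log; anything else means the join got further.
PRE_JOIN = {"Discovery", "DTLS Setup", "DTLS Teardown"}

def parse(log):
    """Yield (timestamp, message) for every console line that carries text."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(2):
            yield datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f"), m.group(2)

def triage(log):
    """Summarise how far the CAPWAP join got and how long DTLS setup lasted."""
    states, responders = [], set()
    for ts, msg in parse(log):
        if msg.startswith("CAPWAP State:"):
            states.append((ts, msg.split(":", 1)[1].strip()))
        elif msg.startswith("Discovery Response from "):
            responders.add(msg.rsplit(" ", 1)[1])
    names = [name for _, name in states]
    dtls = None
    for (t0, s0), (t1, s1) in zip(states, states[1:]):
        if (s0, s1) == ("DTLS Setup", "DTLS Teardown"):
            dtls = round((t1 - t0).total_seconds(), 1)
    if any(n not in PRE_JOIN for n in names):
        finding = "progressed past DTLS"
    elif not responders:
        finding = "no discovery response: check path to the controller on UDP 5246"
    elif dtls is not None:
        finding = "discovery answered, DTLS torn down: check the address the controller advertises"
    else:
        finding = "discovery answered, DTLS not attempted yet"
    return {"states": names, "responders": sorted(responders),
            "dtls_setup_seconds": dtls, "finding": finding}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
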
