
9800-40 DTLS CAPWAP Encryption when turned off in Join profile

Mkvts
Level 1

Hi,

We have 2 9800-40 controllers on versions 17.3.6 and 17.9.3.

Both are configured with the same join profile and capwap configuration.
They have CAPWAP Advanced -> Data encryption both turned off.

If we capture the packets on the controller running version 17.9.3 we can see the data traffic and read it using Wireshark.
If we capture the packets on the controller running version 17.3.6 we cannot see the data traffic since this is encrypted as DTLS.

Did anyone experience this before?

From CLI view both setups are the same.

2 Replies

marce1000
VIP

 

 - Note that if an access point does not support DTLS data encryption, DTLS is enabled only for the control plane, and a DTLS session for the data plane is not established. You may, for instance, for a particular AP (having clients) on both controllers, compare the output of:
     show platform hardware chassis active qfp feature wireless capwap datapath mac-address <APradio-mac> details
     show platform hardware chassis active qfp feature wireless capwap datapath mac-address <APradio-mac> statistics

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Mkvts
Level 1

Just reconnected the AP using a different Join profile and CAPWAP data seems to be visible again.

@marce1000 thanks for your quick reply! I didn't see any differences so I just connected a different Join profile. Seems to be working now.
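
To check a capture for the difference described in this thread without reading packets by eye, the added example below (not code from the thread or from Cisco) classifies CAPWAP frames by plane and by the type nibble of the CAPWAP preamble defined in RFC 5415, where type 1 means a DTLS header follows. It assumes untagged Ethernet/IPv4 frames; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

CONTROL_PORT, DATA_PORT = 5246, 5247  # CAPWAP UDP ports (RFC 5415)

def classify_frame(frame: bytes):
    """Return (plane, state) for an untagged Ethernet/IPv4/UDP CAPWAP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17:  # 17 = UDP
        return None
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:  # later IP fragment: no UDP header
        return None
    udp = 14 + ihl
    if len(frame) < udp + 9:  # need the UDP header plus the CAPWAP preamble byte
        return None
    ports = set(struct.unpack("!HH", frame[udp:udp + 4]))
    if CONTROL_PORT in ports:
        plane = "control"
    elif DATA_PORT in ports:
        plane = "data"
    else:
        return None
    preamble = frame[udp + 8]  # high nibble: version, low nibble: type
    if preamble >> 4 != 0:
        return plane, "unknown"
    # Type 0: plain CAPWAP header follows. Type 1: CAPWAP DTLS header follows.
    return plane, {0: "plaintext", 1: "dtls"}.get(preamble & 0x0F, "unknown")

def summarize(frames):
    """Count frames per (plane, state), ignoring non-CAPWAP traffic."""
    return Counter(r for r in map(classify_frame, frames) if r)

def build_frame(sport, dport, payload):
    """Build a constructed Ethernet/IPv4/UDP frame (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return bytes(12) + b"\x08\x00" + ip + udp + payload

# Constructed sample frames, not taken from the captures in this thread.
SAMPLE = [
    build_frame(5246, 5246, b"\x01\x00\x00\x00\x17\xfe\xfd"),      # control, DTLS
    build_frame(5247, 5247, b"\x00\x10\x03\x20\x00\x00\x00\x00"),  # data, plaintext
    build_frame(5247, 5247, b"\x01\x00\x00\x00\x17\xfe\xfd"),      # data, DTLS
    build_frame(53, 40000, b"\x00\x01"),                           # unrelated UDP
]
```

A non-zero count for `("data", "dtls")` on a controller whose join profile has data encryption turned off is the mismatch reported in the original post.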
