Access Point disconnects from WLC after WAN track down

aldrabkin
Level 1

Hi! I have a strange problem with my AP and I'm looking for advice.

We have one HQ office with two Cisco ASA 5515-X in Active/Standby configuration with two WAN interfaces. The main WAN is tracked with IP SLA and fails over with no problem to the backup WAN if the primary fails. Two sites are connected with IPsec IKEv1 VPN through WAN1; WAN2 is not configured for IPsec. The remote site has the same configuration. The Cisco vWLC is located in HQ with 6 APs, and two APs are located in the remote site and are connected to the vWLC. All fine.

Some time ago I noticed that the remote APs had disconnected from the WLC. After an AP reboot the connection was re-established. The next morning the remote APs were disconnected again. I noticed that the problem occurs when the track goes down and then comes back. After the track recovers, the APs cannot establish a connection to the WLC. The show conn command shows that the APs are still trying to connect through WAN2. Only clear conn or an AP reload can fix it.

4 Replies

Freerk Terpstra
Level 7

Every time the WAN failover occurs the routing is being adjusted by the ASA. The AP cannot communicate with the WLC in that case due to the lack of VPN configuration for the WAN2 interface. The AP does not know that and will repeatedly try to connect anyway.

I think you are running into the problem that CAPWAP traffic is UDP based and that the AP uses the same source port every time it tries to connect (until you reset it). This keeps the UDP xlate open on the ASA on the WAN2 interface (because the failover route is active). ASA firewalls first look up the xlate session before using the routing table, so that is why it keeps trying to use the WAN2 interface even after the routing has already been changed back.

There are three things that you can do:
1. Configure the IPsec VPN also on the WAN2 interface and configure the remote site with a secondary peer IPv4 address
2. Make a static (more specific) route on the ASA for the WLC to the WAN1 interface
3. Lower the UDP xlate timeout

Please rate useful posts :-)

Hi Freerk!

Thank you for the detailed answer, I will try to fix it according to your advice!

Only one thing confuses me: when WAN1 is active the APs can connect to the WLC with no problem, and after the switchover to WAN2 all the APs' active connections switch to WAN2. So the ASA detects the default route change and switches all connections to the new default route (through WAN2). Restoring WAN1 makes all active connections switch from WAN2 to WAN1 except the APs' connections.

So WAN1 fails, WAN2 active: all connections (including CAPWAP) switch from WAN1 to WAN2.

WAN1 recovers: all connections (excluding the APs) switch to WAN1.

I don't understand why; maybe you can clarify this behavior for me. Thanks!

I don't know for sure why this problem only occurs with the fail-back. Does the physical connection go down on the ASA when the fail-over occurs? Another option is that there is some timeout somewhere in the process that is long enough for the connections to be cleared on the ASA or to make the APs reset.

Please let me know if the proposed changes had an effect :-)

Hi! Sorry for the delay, I was out of the office.

The problem is solved. It was due to xlate operation. We have a Management Network (MGMT) with Access Points and WLC in a remote location reachable through the VPN connection. So when WAN1 is OK, we have a dynamic xlate for the AP-to-WLC session:

TCP PAT from MGMT:AP_1_ip_address to WAN1:AP_1_ip_address

If WAN1 fails then the xlate is rebuilt through WAN2, because of the default route lookup for dynamic xlate translations. But WAN2 has no VPN, so the APs cannot find the WLC.

TCP PAT from MGMT:AP_1_ip_address to WAN2:AP_1_ip_address

When WAN1 comes back up, the old xlate through WAN2 remains.

I fixed this problem by creating a static xlate for the APs with no route-lookup.

nat (LAN,WAN1) source static APs_Net APs_Net destination static WLC_Net WLC_Net no-proxy-arp

Now there is only one static xlate for the APs through WAN1, and they always use WAN1 to reach the WLC.

I'm sure that a WAN2 VPN can solve this problem too. The APs would be able to use WAN1 or WAN2 to reach the WLC.

I think a more specific route may be useful too, but I did not try it.

Anyway, thanks for the assistance!
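The forwarding order Freerk describes (existing xlate wins before any route lookup) and the three outcomes discussed in the thread, as an added illustration that is not part of the thread: a toy Python model, not ASA code, in which the interface names, addresses and the AP-to-WLC flow are constructed.

```python
# Toy model of the ASA forwarding order discussed in this thread: an existing
# conn/xlate is consulted before the routing table.  Added illustration, not ASA
# code; interface names, addresses and the AP/WLC flow below are constructed.
from dataclasses import dataclass, field

@dataclass
class Asa:
    wan1_up: bool = True
    # dynamic xlates: (src, sport, dst, dport) -> egress interface chosen at creation
    xlates: dict = field(default_factory=dict)
    # static NAT without the route-lookup keyword: destination prefix -> pinned egress
    static_nat: dict = field(default_factory=dict)
    # more specific static routes: destination prefix -> interface
    static_routes: dict = field(default_factory=dict)

    def route_lookup(self, dst):
        for prefix, ifc in self.static_routes.items():
            if dst.startswith(prefix):
                return ifc
        return "WAN1" if self.wan1_up else "WAN2"   # tracked default route

    def egress(self, flow):
        if flow in self.xlates:          # 1. existing xlate wins, no route lookup
            return self.xlates[flow]
        dst = flow[2]
        for prefix, ifc in self.static_nat.items():   # 2. static NAT pins the egress
            if dst.startswith(prefix):
                return ifc
        ifc = self.route_lookup(dst)     # 3. dynamic PAT: route lookup at creation
        self.xlates[flow] = ifc
        return ifc

    def wan1_down(self):
        self.wan1_up = False
        # xlates bound to the failed interface are rebuilt on the next packet
        self.xlates = {f: i for f, i in self.xlates.items() if i != "WAN1"}

    def wan1_restored(self):
        self.wan1_up = True              # nothing is cleared: stale WAN2 xlates remain

    def clear_xlate(self):
        self.xlates.clear()

# constructed: the AP keeps the same UDP source port across its CAPWAP retries
AP_TO_WLC = ("10.10.10.21", 5246, "10.20.20.5", 5246)

def failover_path(asa, flow=AP_TO_WLC):
    """Egress interface the flow uses: WAN1 up, after WAN1 fails, after WAN1 recovers."""
    path = [asa.egress(flow)]
    asa.wan1_down()
    path.append(asa.egress(flow))
    asa.wan1_restored()
    path.append(asa.egress(flow))
    return path
```

With plain dynamic PAT the model reproduces the thread's symptom (the flow stays on WAN2 after WAN1 recovers until the xlate is cleared); with a pinned static NAT or a more specific route for the WLC it stays on WAN1 throughout.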
