07-19-2019 08:55 AM - edited 07-05-2021 10:43 AM
Hello,
I'm trying to make an AP join a controller over the internet. I think I've done all the setup needed to make this work; here's what I did so far:
- booted the AP and defined the public IP address of the WLC in the WLC managers list (NAT is configured and tested)
- defined NAT rules in the external router wired to the WLC; port forwarding made for the following ports:
external ports 443 (TCP & UDP) (for management from the outside), 5246 and 5247 (both UDP), respectively towards internal 443 (TCP & UDP), 5246 and 5247 (UDP) ==> tested HTTPS access using the public IP: OK
- added the following command to avoid NAT problems: config network ap-discovery nat-ip-only disable
- disabled the latency check as well: config ap link-latency disable all
- rebooted the AP
Before all of this, I checked whether the AP is able to register to the same WLC locally, and it works (the primary WLC IP address used was the private one); once I used the internet for the same process it won't work (by including the public IP address of the WLC in the AP).
The registration process shows that the AP can't join the WLC; X.X.X.X is the public IP address of the WLC:
CAPWAP State: Discovery
[*07/19/2019 15:46:05.5533] Discovery Request sent to X.X.X.X, discovery type STATIC_CONFIG(1)
[*07/19/2019 15:46:06.1331] Discovery Request sent to X.X.X.X, discovery type STATIC_CONFIG(1)
[*07/19/2019 15:46:06.1331] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*07/19/2019 15:46:06.1331] Discovery Response from X.X.X.X
[*07/19/2019 15:47:13.0999] Discovery Response from X.X.X.X
[*07/19/2019 15:47:13.0000]
[*07/19/2019 15:47:13.0000] CAPWAP State: DTLS Setup
[*07/19/2019 15:48:10.0222] dtls_disconnect: ERROR shutting down dtls connection ...
[*07/19/2019 15:48:10.0222]
[*07/19/2019 15:48:10.0222]
[*07/19/2019 15:48:10.0222] CAPWAP State: DTLS Teardown
[*07/19/2019 15:48:14.7707] No more AP manager addresses remain..
[*07/19/2019 15:48:14.7707] Failed to join controller.
[*07/19/2019 15:47:14.0000]
[*07/19/2019 15:47:14.0000] CAPWAP State: DTLS Setup
On the WLC side:
spamApTask4: Jul 22 16:06:16.152: 00:f8:b4:20:2c:21: Discovery Request from Y.Y.Y.Y:5264
*spamApTask4: Jul 22 16:06:16.152: 00:f8:b4:20:2c:21 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 200, MaxLicense=200 joined Aps =0
*spamApTask4: Jul 22 16:06:16.152: 00:f8:b4:20:2c:21 apType = 58 apModel: AIR-AP1832I-I-K9
*spamApTask4: Jul 22 16:06:16.152: 00:f8:b4:20:2c:21 apType: Ox3a bundleApImageVer: 8.3.143.0
*spamApTask4: Jul 22 16:06:16.152: 00:f8:b4:20:2c:21 version:8 release:3 maint:143 build:0
*spamApTask4: Jul 22 16:06:16.152: 00:f8:b4:20:2c:21 apType = 58 apModel: AIR-AP1832I-I-K9
*spamApTask4: Jul 22 16:06:16.152: 00:f8:b4:20:2c:21 apType: Ox3a bundleApImageVer: 8.3.143.0
*spamApTask4: Jul 22 16:06:16.152: 00:f8:b4:20:2c:21 version:8 release:3 maint:143 build:0
*spamApTask4: Jul 22 16:06:16.152: 00:f8:b4:20:2c:21 Discovery Response sent to Y.Y.Y.Y:5264
System information:
vWLC, version: 8.3.143.0
AP: AIR-AP1832I-I-K9
What in your opinion could be the issue?
Thanks
07-19-2019 02:28 PM
What mode is your AP running in, local mode? If so, try FlexConnect mode.
07-19-2019 05:17 PM
Do you have any other APs (from the internal network) registered to this vWLC? If not, I would check (time, licenses, country code) configured on your WLC.
First see if you can get it registered from the internal network, then try to use the external NAT IP from the outside world.
HTH
Rasika
*** Pls rate all useful responses ***
07-22-2019 01:18 AM - edited 07-22-2019 08:11 AM
Hello Rasika,
Yes, I did this as explained in my post: "Before all of this, I checked whether the AP is able to register to the same WLC locally, and it works (the primary WLC IP address used was the private one); once I used the internet for the same process it won't work (by including the public IP address of the WLC in the AP)."
I feel like I'm close to finding out what exactly is missing. I see that the WLC sends an answer to the AP, but it can't join though... do you have any idea? Please take a look at the OP logs.
07-22-2019 10:39 AM
To test it out, would you be able to allow (through the firewall) IP-level communication from the AP IP to the WLC public IP (instead of UDP 5246 & 5247), given that the output indicates different UDP port numbers in the log?
HTH
Rasika
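The two logs in the original post (AP side and WLC side) and the port observation in the reply above can be checked mechanically. The following script is an added example, not code from the original thread or from Cisco: it parses the AP's CAPWAP state-machine lines to report where the join stopped (discovery reached, DTLS setup started, DTLS torn down, join failed) and how long DTLS setup lasted, and it extracts the peer address and UDP port the WLC logged for the AP so that a port other than 5246 is flagged. The sample log lines are constructed to match the format quoted in the thread; X.X.X.X / Y.Y.Y.Y are placeholders as in the post, and the reading of a non-5246 port as a NAT/PAT rewrite of the AP's source port is an interpretation following the reply above, not something the logs state.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the format quoted in the thread (not the full capture).
AP_LOG = """\
[*07/19/2019 15:46:05.5533] Discovery Request sent to X.X.X.X, discovery type STATIC_CONFIG(1)
[*07/19/2019 15:46:06.1331] Discovery Response from X.X.X.X
[*07/19/2019 15:47:13.0000]
[*07/19/2019 15:47:13.0000] CAPWAP State: DTLS Setup
[*07/19/2019 15:48:10.0222] dtls_disconnect: ERROR shutting down dtls connection ...
[*07/19/2019 15:48:10.0222] CAPWAP State: DTLS Teardown
[*07/19/2019 15:48:14.7707] No more AP manager addresses remain..
[*07/19/2019 15:48:14.7707] Failed to join controller.
"""

WLC_LOG = """\
*spamApTask4: Jul 22 16:06:16.152: 00:f8:b4:20:2c:21: Discovery Request from Y.Y.Y.Y:5264
*spamApTask4: Jul 22 16:06:16.152: 00:f8:b4:20:2c:21 Discovery Response sent to Y.Y.Y.Y:5264
"""

CAPWAP_CONTROL_PORT = 5246  # CAPWAP control, UDP (data is 5247)

AP_LINE_RE = re.compile(r"^\[\*(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")
STATE_RE = re.compile(r"^CAPWAP State: (?P<state>.+)$")
WLC_PEER_RE = re.compile(
    r"Discovery (?P<dir>Request from|Response sent to) (?P<ip>[^:\s]+):(?P<port>\d+)"
)


def parse_ap_log(text: str) -> List[Tuple[datetime, str]]:
    """Return (timestamp, message) pairs; blank entries like '[*...]' alone are skipped."""
    entries = []
    for line in text.splitlines():
        m = AP_LINE_RE.match(line.strip())
        if not m or not m.group("msg").strip():
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S.%f")
        entries.append((ts, m.group("msg").strip()))
    return entries


def capwap_states(entries: List[Tuple[datetime, str]]) -> List[Tuple[datetime, str]]:
    """Extract the CAPWAP state transitions in log order."""
    out = []
    for ts, msg in entries:
        m = STATE_RE.match(msg)
        if m:
            out.append((ts, m.group("state").strip()))
    return out


def diagnose_ap(text: str) -> Dict[str, object]:
    """Summarise how far the AP got in the join process and where it stopped."""
    entries = parse_ap_log(text)
    states = capwap_states(entries)
    msgs = [m for _, m in entries]
    discovery_ok = any(m.startswith("Discovery Response from") for m in msgs)
    dtls_error = any("dtls_disconnect" in m and "ERROR" in m for m in msgs)
    failed = any(m.startswith("Failed to join controller") for m in msgs)

    # Seconds between entering DTLS Setup and DTLS Teardown, if both were logged.
    setup = next((ts for ts, s in states if s == "DTLS Setup"), None)
    teardown = next((ts for ts, s in states if s == "DTLS Teardown"), None)
    dtls_seconds: Optional[float] = None
    if setup is not None and teardown is not None and teardown >= setup:
        dtls_seconds = (teardown - setup).total_seconds()

    if failed and discovery_ok and dtls_error:
        verdict = "discovery succeeded, DTLS setup failed"
    elif failed and not discovery_ok:
        verdict = "no discovery response"
    elif failed:
        verdict = "join failed after discovery"
    else:
        verdict = "no join failure seen"
    return {
        "states": [s for _, s in states],
        "discovery_ok": discovery_ok,
        "dtls_error": dtls_error,
        "dtls_seconds": dtls_seconds,
        "verdict": verdict,
    }


def wlc_peers(text: str) -> List[Tuple[str, str, int]]:
    """Return (direction, ip, port) for every discovery line the WLC logged."""
    peers = []
    for line in text.splitlines():
        m = WLC_PEER_RE.search(line)
        if m:
            peers.append((m.group("dir"), m.group("ip"), int(m.group("port"))))
    return peers


def port_findings(peers: List[Tuple[str, str, int]], expected: int = CAPWAP_CONTROL_PORT) -> List[str]:
    """Flag AP peer ports that differ from the CAPWAP control port."""
    findings = []
    for ip, port in sorted({(ip, port) for _, ip, port in peers}):
        if port != expected:
            findings.append(
                f"WLC sees AP {ip} on UDP {port}, not {expected}: if the AP sends from {expected}, "
                f"a NAT/PAT device in the path is rewriting its source port, so a rule that only "
                f"matches UDP 5246/5247 may not cover the traffic"
            )
    return findings


if __name__ == "__main__":
    print(diagnose_ap(AP_LOG))
    for finding in port_findings(wlc_peers(WLC_LOG)):
        print(finding)
```

Feed the functions your own `debug capwap` output instead of the constructed samples; a join that never reaches "DTLS Setup" points at discovery or address-list problems, while a "DTLS Setup" followed by "DTLS Teardown" (as in the thread) means discovery worked and the handshake itself did not complete.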
07-22-2019 08:46 PM
I have done this many times with WLC but not vWLCs. So if we start from the beginning, you only have to forward UDP 5246/5247 to the internal management IP. When your AP is joined internally, you should set the high availability to use the WLC hostname, which is case sensitive, and the public IP address. That is about it.
If your AP is not in local mode, then you have to add the MAC address to the MAC filter list, but since you were able to join the AP locally, I'm assuming it's not FlexConnect or bridged mode.
07-24-2019 12:16 PM
DTLS has a performance impact. However, it is much more important to secure your traffic across the public internet rather than using unencrypted CAPWAP tunnels back and forth.
Hence when you convert to OEAP, you are asked to use DTLS for data traffic.
HTH
Rasika