APs won't rejoin WLC after VPN tunnel is down for an hour SOLVED

baskervi
Level 1

We have multiple APs at two remote clinics that connect to the WLC via a LAN-to-LAN IPSec tunnel. Last Friday, our primary site received a new IP address, so it took a while to get all the remote tunnels re-established (we had several others besides the ones to our clinics). This morning, the status LEDs on APs at the clinics are flashing red and green, which appears to be a join issue. Is there a way to get these to rejoin, or do we have to take them back to the primary location and let them rejoin locally to the WLC? All workstations are able to traverse the tunnel, so I'm pretty sure this is not a VPN tunnel issue. Thanks

1 Reply

baskervi
Level 1

The problem is resolved. I had someone go on site and connect a console cable to the AP, and there was a repeated DNS failure for CISCO-CAPWAP-CONTROLLER.localdomain. There was also a CAPWAP broadcast that continued to fail, but the AP appeared to ignore the DHCP option 43 configured earlier (using ASCII and not hex) and didn't even try to use a WLC IP address from NVRAM (I presume one was in there given it has been communicating with the WLC for well over a year). At this point, I wasn't seeing any traffic entering the remote firewall to the WLC, so we put in the DNS entry, after which I could see on the ASA the AP attempting to communicate with the WLC using a packet capture on the inside interface. The tunnel wasn't attempting to come up for the WLC network (but we had two other SAs established for the same location), but the configuration looked good. After a reboot of the remote ASA, the AP was able to communicate fine with the WLC.
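
The answer above mentions that the AP ignored a DHCP option 43 value that had been entered in ASCII rather than hex. As an added example (not the poster's configuration or Cisco's code), the Python below builds and decodes the form Cisco lightweight APs look for: vendor sub-option 241 (0xf1), a length byte, then each WLC IPv4 address as four raw bytes; it also converts a comma-separated ASCII value into that hex string. The 192.0.2.x addresses and the helper names are constructed placeholders.

```python
import ipaddress

# Cisco lightweight APs expect option 43 to carry sub-option 241 (0xf1):
#   <type 0xf1> <length = 4 * number of controllers> <4 bytes per IPv4 address>
# This is an added example, not the thread's own configuration; the
# addresses used in the examples below are constructed placeholders.
CISCO_WLC_SUBOPTION = 0xF1


def build_option43(controllers):
    """Return the raw option 43 payload for the given WLC IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    # The single length byte limits the list to 63 four-byte addresses.
    if not addrs or len(addrs) > 63:
        raise ValueError("need between 1 and 63 controller addresses")
    payload = b"".join(a.packed for a in addrs)
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload


def option43_hex(controllers):
    """Hex string suitable for a DHCP server that takes option 43 as hex."""
    return build_option43(controllers).hex()


def convert_ascii_option43(ascii_value):
    """Turn a comma-separated ASCII list of controller IPs into the hex TLV form."""
    controllers = [c.strip() for c in ascii_value.split(",") if c.strip()]
    return option43_hex(controllers)


def parse_option43(data):
    """Decode a sub-option 241 payload back into controller addresses.

    Raises ValueError when the type byte is wrong or the length byte does
    not cover a whole number of IPv4 addresses, which is what an AP would
    silently reject.
    """
    if len(data) < 2 or data[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC sub-option 241 payload")
    length = data[1]
    if length == 0 or length % 4 != 0 or len(data) != 2 + length:
        raise ValueError("length byte does not match a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(data[2 + i:6 + i])) for i in range(0, length, 4)]


if __name__ == "__main__":
    print(option43_hex(["192.0.2.10"]))                      # f104c000020a
    print(convert_ascii_option43("192.0.2.10,192.0.2.11"))   # f108c000020ac000020b
    print(parse_option43(bytes.fromhex("f108c000020ac000020b")))
```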
