Cisco AP 2800 doesnt rejoin after a Service Provider Migration (WLC in SDWAN site)

Debbie Tru · ‎11-19-2020

Hi Everybody,

We haved changed of Service Provider in a branch. This little branch has a Cisco AP 2800 in Flexconnect mode, after migration, the AP doesn't connect anymore. The AP is reacheble from ping, trace, SSH, however, DTLS tunnel go to TEARDOWN. As I said, the device is reacheble and it can join to controller for a couple minutes. The flow connection is following:

Cisco AP<->SWITCH L2<->ROUTER(L3 & CPE)<->*MPLS Service Provider*<->FIREWALL PALO ALTO<-> SDWAN DC CENTER<->SDWAN ANOTHER BRANCH<->SWITCH CORE<->WLC

the same behavior occur last week in another branch, after rollback, the Cisco APs could connect inmediately. At this moment there are 40 access point joined successfully int he WLC

We had replaced the AP, opened a Cisco SR, run a lot of debugs, the result is the same. Service Provider just ran a couple of pings on different packeck size to test MTU, they argue that the issue isn´t their responsability.

I am going to attach some debugs and images. I hope someone has a better idea.

the mac of AP at debug moment was dc:8c:37:8b:be:c0

Awaiting your kind support.

patoberli · ‎11-20-2020

There's a bug in 8.10.130.0 in regards to MTU and data encryption (if using FlexConnect). Either upgrade to 8.10.142.0 or disable data encryption.

This only matters if you use this specific software release though.

Debbie Tru · ‎12-02-2020

The current version is 8.5.161, the encryption is disabled. We opened a Cisco SR, looks like a fragmentation and excesive retransmition issue through new carrier.

The carrier doesnt accept the responsability, however, we are awaiting for his analysis

Thanks.