02-09-2012 02:17 AM - edited 07-03-2021 09:32 PM
Hello,
I am trying to get this officeextend working.
I connected the ap and checked the H-Reap box and then officeextend and gave it a public ip. This public ip is NAT'd to the dmz controller on the firewall. (The dmz controller is 5508 running code 6.0.199.4)
I have connected this officeextend 1132 ap to a broadband connection and this gets an ip of 192.168.1.23 on its fa0 interface. all good till now.
When I console onto the officeextend 1132 AP, I get an error msg: could not resolve Cisco-LWAPP-Controller.abc.uk....domain server (192.168.1.254) and Cisco-CAPWAP-Controller.home.uk... I think it needs DNS set to the public ip on the local ADSL box, is it?
If this is the case, I am not sure if I can do this, as this is controlled by the ISP.
02-09-2012 04:05 AM
any ideas ?
02-09-2012 04:38 AM
Are you translating udp 5247 & 5247 in your FW to point back to the WLC? Also you need to enter the WLC name and the public NAT'd ip for the primary wlc. If you didn't do that you can always enter that info from the console.
capwap ap controller ip address
Thanks,
Scott Fella
Sent from my iPhone
02-09-2012 04:46 AM
Cheers Scott.
I had checked the H-Reap and then ticked officeextend and gave the officeextend DMZ WLC name and public ip address on the AP. Then I connected to the broadband connection and it seems to look for Cisco-LWAPP-Controller.abc.uk.... (abc is my domain name for broadband connection)
And we have two firewalls - the first one being the perimeter firewall. I have NAT'd this 5246 and 5247 on the perimeter firewall and allowed an acl on the outside interface to allow 5246 and 5247 on the internal firewall, hope this is correct?
02-09-2012 04:52 AM
That should be fine. As long as the traffic (udp 5246&5247) gets back to the management interface of the wlc you are fine. Don't worry about the Cisco-lwapp-controller... It's just part of the join process.
Thanks,
Scott Fella
Sent from my iPhone
02-09-2012 04:56 AM
but the problem is the AP when connected to broadband connection gets stuck at Cisco-LWAPP-Controller.abc.uk....
I have entered the public ip and dmz officeextend wlc on the high availability and checked officeextend and h-reap, anything else I need to do?
I am doing this from scratch again and will update you if I have any success. In the meantime, do you have any thoughts on the above, Scott?
Thanks
02-09-2012 05:00 AM
Did you enter the NAT'd public ip address in the management interface? Do you see the translation coming in from the public interface and being sent to the wlc. Try to console into the ap and set the controller ip address (public). I had to do that on a 1131 that I was testing for that to join.
Thanks,
Scott Fella
Sent from my iPhone
02-09-2012 05:04 AM
Ok thanks, will try this Scott. By the way, do I need to enter the public ip address (66.111.22.12) on the management interface on the WLC? Because I have not done this. I was under the impression that the firewall will NAT back to the ip of the dmz controller.
02-09-2012 05:08 AM
Oh no... You need that public ip entered in the management interface.
Thanks,
Scott Fella
Sent from my iPhone
02-09-2012 05:46 AM
I have added this now Scott on the management interface but still can't get the AP to join the controller. This AP is connected to a broadband wireless router connected back to an ADSL router that has the DNS settings.
(Also I can't see any traffic hitting on ports 5246 and 5247 on the firewall, so I think this AP is not trying to go out.)
It comes up with:
CAPWAP-5-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
Translating "CISCO-CAPWAP-CONTROLLER.Abc.uk"...domain server (192.168.1.254)
*Apr 8 16:25:39.983: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
Translating "CISCO-LWAPP-CONTROLLER.Abc"...domain server (192.168.1.254)
*Apr 8 16:25:42.095: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.Abc.uk
config on AP
service password-encryption
!
hostname AP6400.f14d.b6ba
!
logging rate-limit console 9
enable secret 5 $1$ACEH$BuOIS/RYEP5ZXvWxbyCFS/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login reap_eap_methods group radius
!
aaa session-id common
eap profile lwapp_eap_profile
 method fast
!
!
crypto pki trustpoint Cisco_IOS_MIC_cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint cisco-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-device-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-new-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-old-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
username Cisco secret 5 $1$2zkE$CaKkr5zDUWwltKRFvrIto0
!
!
ip ssh version 2
!
!
interface Dot11Radio0
 no ip route-cache
 mbssid
 speed basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 power client local
 packet retries 64 drop-packet
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip route-cache
 mbssid
 power client local
 packet retries 64 drop-packet
!
interface Dot11Radio1.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 ip address dhcp client-id FastEthernet0
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
no ip http server
logging trap errors
logging origin-id string AP:6400.f14d.b6ba
logging facility kern
logging snmp-trap notifications
logging snmp-trap informational
logging snmp-trap debugging
logging 255.255.255.255
radius-server local
 no authentication eapfast
 no authentication leap
 no authentication mac
 nas 66.11.22.33 key 7 111D110C041B18030A2632253C363832
 group hreap
!
!
!
control-plane
!
!
line con 0
line vty 0 4
 transport input none
line vty 5 15
 transport input none
!
end
02-09-2012 05:53 AM
Did you try to enter the following: capwap ap controller ip address 66.111.22.12
Also... what model AP is this?
02-09-2012 05:57 AM
yep done this but no joy
these are 1131 ap
02-09-2012 05:59 AM
That is the same AP I used to test with besides an AP600. If you entered that command, you should see something hit your FW on the public side.
02-09-2012 07:40 AM
Still no joy.
This is the console output for the AP. Does this give you any thoughts?
AP6400.f14d.b6ba#sh capwap client config
configMagicMark 0xF1E2D3C4
chkSumV2 15914
chkSumV1 34739
swVer 7.0.98.0
adminState ADMIN_ENABLED(1)
name AP6400.f14d.b6ba
location default location
group name
mwarName CNWL-WLC-OfficeExtend
mwarIPAddress 82.45.135.166
mwarName
mwarIPAddress 0.0.0.0
mwarName
mwarIPAddress 0.0.0.0
ssh status Disabled
Telnet status Disabled
numOfSlots 2
spamRebootOnAssert 1
spamStatTimer 180
randSeed 0x0
transport SPAM_TRANSPORT_L3(2)
transportCfg SPAM_TRANSPORT_DEFAULT(0)
initialisation SPAM_PRODUCTION_DISCOVERY(1)
ApMode H-REAP
ApSubMode Not Configured
AP Rogue Detection Mode Disabled
OfficeExtend AP [1] Enabled
OfficeExtend AP JoinMode[0] Standard
Discovery Timer 10 secs
Heart Beat Timer 30 secs
Led State Enabled 1
Primed Interval 0
02-09-2012 07:54 AM
Do you see anything hitting your FW? I think that is the key, because if you set the controller public ip address the ap will try to connect to that ip using udp 5246 and the 5247 if data encryption was enabled. From the ap, you should also be able to ping that public ip.
Thanks,
Scott Fella
Sent from my iPhone
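Added example, not part of the original thread or any poster's code: a small Python parser for the `sh capwap client config` output posted above. It lists the controller addresses the AP will actually send CAPWAP to and compares them with the NAT'd public address expected at the firewall. The function names are hypothetical, `SAMPLE` is an excerpt of the posted output, and the addresses are the ones quoted in the thread.

```python
import ipaddress

# Excerpt of the `sh capwap client config` output posted in the thread.
SAMPLE = """\
swVer 7.0.98.0
mwarName CNWL-WLC-OfficeExtend
mwarIPAddress 82.45.135.166
mwarName
mwarIPAddress 0.0.0.0
mwarName
mwarIPAddress 0.0.0.0
ApMode H-REAP
OfficeExtend AP [1] Enabled
OfficeExtend AP JoinMode[0] Standard
"""

def parse_capwap_client_config(text):
    """Return configured controllers (name, ip) in priority order plus mode flags."""
    controllers, pending_name, info = [], "", {}
    for raw in text.splitlines():
        line = raw.strip()
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "mwarName":
            pending_name = value              # name precedes its address line
        elif key == "mwarIPAddress":
            ip = ipaddress.ip_address(value)
            if not ip.is_unspecified:         # 0.0.0.0 marks an unused slot
                controllers.append((pending_name, str(ip)))
            pending_name = ""
        elif key == "ApMode":
            info["ap_mode"] = value
        elif line.startswith("OfficeExtend AP ["):
            info["office_extend"] = line.split()[-1] == "Enabled"
    info["controllers"] = controllers
    return info

def check_join_target(text, expected_public_ip):
    """List findings that explain why no CAPWAP traffic reaches the expected NAT address."""
    info = parse_capwap_client_config(text)
    ips = [ip for _, ip in info["controllers"]]
    findings = []
    if not ips:
        findings.append("no static controller set; AP falls back to DHCP/DNS discovery")
    elif expected_public_ip not in ips:
        findings.append(f"AP targets {', '.join(ips)}, not {expected_public_ip}")
    if any(ipaddress.ip_address(ip).is_private for ip in ips):
        findings.append("controller address is private; not routable across the Internet")
    if not info.get("office_extend"):
        findings.append("OfficeExtend is not enabled on the AP")
    return findings
```

An empty list from `check_join_target` means the AP's stored controller address matches the one the firewall is translating, so the next place to look is the path between the AP and the firewall's public interface.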