1287 Views, 5 Helpful, 4 Replies

Disable iCAP on AP's

Vida44
Beginner

Dear all,

Let me start with the problem first.
Our customer is reporting a lot of firewall drops on port 32626, from APs to DNAC.
After some searching, reading documentation and so on, I found out this is the Intelligent Capture feature.

What I found out is that in the AP Join Profile, iCAP is disabled, and therefore this should be applied to every AP.

[image: icap.png]

But if I go into each AP it will have a setting of "Not Configured" and not "Disabled".
[image: icap2.png]

If I manually disable this in the GUI, after a restart the setting goes back to "Not Configured".
But even with all of this set as "Disabled" I can still see the access points in "sh ap icap serviceability summary" as "connecting".
(Although this could be the status of the connection from DNAC to the WLC and not the other way around.)
Also, there is no option in the CLI to set it as "disabled", which could probably mean that "Not Configured" and "Disabled" are one and the same.

This now brings me to the question: how can I disable Intelligent Capture at the AP level, since the above methods are not working?
The documentation doesn't show any command/button that disables Intelligent Capture on the APs.
The goal is to not have any traffic from the APs directly to DNAC, and with this also no firewall drops.

WLC Version 17.3.4c
WLC Model: 9800-CL
AP Model: 9120AX

Any help would be appreciated.
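The post above is unsure whether the dropped port 32626 flows are AP-initiated or DNAC-initiated. The following is an added example, not part of the original thread or any Cisco tool, that classifies firewall drop log lines by direction so that question can be answered from the firewall's own evidence. The log line format, the AP subnet and the DNAC address are constructed for the example and will need to be adapted to the real firewall's syntax.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Port the thread identifies as Intelligent Capture (iCAP) traffic to DNAC.
ICAP_PORT = 32626

# Constructed sample log lines in a hypothetical "ACTION PROTO src:port -> dst:port"
# format; these are not real firewall records.
SAMPLE_LOGS = """\
2024-01-10T09:00:01Z fw01 DROP TCP 10.20.30.11:50123 -> 10.99.0.5:32626
2024-01-10T09:00:02Z fw01 DROP TCP 10.20.30.12:50987 -> 10.99.0.5:32626
2024-01-10T09:00:03Z fw01 DROP TCP 10.99.0.5:44321 -> 10.20.30.11:32626
2024-01-10T09:00:04Z fw01 ALLOW TCP 10.20.30.11:443 -> 10.99.0.5:443
2024-01-10T09:00:05Z fw01 DROP TCP 10.20.30.11:50124 -> 10.99.0.5:32626
"""

# Constructed addressing: AP management subnet and the DNAC appliance address.
AP_SUBNETS = [ip_network("10.20.30.0/24")]
DNAC_HOSTS = {ip_address("10.99.0.5")}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<fw>\S+)\s+(?P<action>DROP|ALLOW)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ip_address(rec["src"])
    rec["dst"] = ip_address(rec["dst"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def in_ap_subnet(addr, ap_subnets):
    return any(addr in net for net in ap_subnets)


def classify_direction(rec, ap_subnets, dnac_hosts):
    """Label a port-32626 flow as AP->DNAC, DNAC->AP, or other."""
    if in_ap_subnet(rec["src"], ap_subnets) and rec["dst"] in dnac_hosts:
        return "ap_to_dnac"
    if rec["src"] in dnac_hosts and in_ap_subnet(rec["dst"], ap_subnets):
        return "dnac_to_ap"
    return "other"


def summarize_icap_drops(log_text, ap_subnets=AP_SUBNETS, dnac_hosts=DNAC_HOSTS):
    """Count dropped iCAP-port flows per direction and per source AP.

    Only DROP records whose destination port is ICAP_PORT are counted;
    allowed traffic and other ports are ignored.
    """
    directions = Counter()
    per_ap = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP" or rec["dport"] != ICAP_PORT:
            continue
        direction = classify_direction(rec, ap_subnets, dnac_hosts)
        directions[direction] += 1
        if direction == "ap_to_dnac":
            per_ap[str(rec["src"])] += 1
    return {
        "ap_to_dnac": directions["ap_to_dnac"],
        "dnac_to_ap": directions["dnac_to_ap"],
        "other": directions["other"],
        "per_ap": dict(per_ap),
    }


if __name__ == "__main__":
    summary = summarize_icap_drops(SAMPLE_LOGS)
    print(f"AP -> DNAC drops on {ICAP_PORT}: {summary['ap_to_dnac']}")
    print(f"DNAC -> AP drops on {ICAP_PORT}: {summary['dnac_to_ap']}")
    for ap, count in sorted(summary["per_ap"].items()):
        print(f"  {ap}: {count}")
```

A per-AP count that is spread across the whole AP subnet, rather than concentrated on one or two devices, is what would be expected if the behaviour is driven by the AP Join Profile rather than by a per-AP override; that is the distinction the post is trying to make.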

4 Replies

patoberli
VIP Alumni

You should rather open the firewall to allow this traffic, as it can be quite useful for troubleshooting clients in DNAC. I think this gets used as soon as you do a Live Trace of a client and is disabled again when you click stop.

But in my opinion this is an essential feature of DNAC and should not/cannot be disabled.

More information about the ports that should be open: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-3/install_guide/M5/b_cisco_dna_center_install_guide_1_3_M5/b_cisco_dna_center_install_guide_1_3_M5_chapter_01.html (see Table 7 there).

We are looking into opening the port for this traffic, but there are some compliance issues which make this problematic.
Hence the question of how to disable it.

Of course, ignoring the firewall blocks is possible (the customer will need to live with it), but I need to explore all options before going in that direction.


@patoberli wrote:

But in my opinion this is an essential feature of DNAC and should/can not be disabled.


Since DNAC cannot receive this traffic due to the firewall block, its function in DNAC is not relevant. The decision to disable/enable a feature should be left to the customer and not to Cisco. Just my two cents.
And please do not misunderstand me, I would love to have this in DNAC for troubleshooting purposes.

In any case, if it is not possible to disable it (at this moment), I can go to the customer with this information.
My question was more about whether I missed something in some documentation.

Thank you.

... btw link is not working ...

ammahend
VIP

Intelligent Capture is not just for packet capture data but also for AP and client statistics and spectrum data; it even allows you to access data from APs that is not available from wireless controllers.

If you haven't already, look at the "Enable and Manage Intelligent Capture for an Access Point" section in this document.

-hope this helps-