01-29-2014 09:15 AM - edited 07-05-2021 12:03 AM
I have a deployment of 1602 APs in flexconnect mode connected to a controller over IPSEC. I am assigning the controller address to the APs via DHCP option 43 and this works without an issue.
If I set a static IP on one of the APs and use the DNS method to assign the controller address, the association never happens.
From AP:
*Jan 29 17:02:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip:x.x.x.x peer_port: 5246
*Jan 29 17:03:35.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246
*Jan 29 17:03:46.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller
From Controller:
*spamApTask0: Jan 29 12:13:02.633: xx:xx:xx:xx:xx:xx Discovery Response sent to y.y.y.y:62551
If I remove IPSEC and go straight layer 3, the AP associates.
I saw some posts about MTU issues in older versions, but I was under the impression they were resolved in newer versions.
Has anyone had the same issue or does anyone have any tips?
Thanks,
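As an added example (not code from the thread or from Cisco), a small parser over AP log lines in the format quoted above. It pairs each DTLS connection request with the next DTLS event for the same controller, so a request that is only answered by the AP's own FATAL close notify about a minute later stands out from a healthy join. The second controller 10.0.0.5 and the DTLSREQSUCC success line are constructed for this example; the mnemonic is assumed from Cisco AP output and is not quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample: the AP-side lines from the post, plus two lines for a
# made-up second controller 10.0.0.5 so the healthy case is covered too.
# DTLSREQSUCC is assumed to be the mnemonic logged when the handshake completes.
AP_LOG = """\
*Jan 29 17:02:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip:x.x.x.x peer_port: 5246
*Jan 29 17:03:35.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246
*Jan 29 17:03:46.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 29 17:05:01.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip:10.0.0.5 peer_port: 5246
*Jan 29 17:05:01.420: %CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 10.0.0.5 peer_port: 5246
"""

LINE = re.compile(r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): %([A-Z0-9_-]+): (.*)$")


def _peer(msg):
    """Extract (ip, port) from either the peer_ip/peer_port or the 'to ip:port' form."""
    m = (re.search(r"peer_ip: ?(\S+) peer_port: ?(\d+)", msg)
         or re.search(r"\bto (\S+):(\d+)", msg))
    return (m.group(1), int(m.group(2))) if m else None


def dtls_handshake_outcomes(log_text):
    """Pair each DTLS request with the next DTLS event for the same peer.
    A request followed only by the AP's own FATAL close notify tens of seconds
    later means the handshake on UDP 5246 never completed (the thread's suspects:
    filtered UDP 5246/5247 or an MTU problem on the IPsec path)."""
    pending, results = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
        mnemonic, peer = m.group(2), _peer(m.group(3))
        if mnemonic == "CAPWAP-5-DTLSREQSEND" and peer:
            pending[peer] = ts
        elif mnemonic in ("DTLS-5-SEND_ALERT", "CAPWAP-5-DTLSREQSUCC") and peer in pending:
            gap = (ts - pending.pop(peer)).total_seconds()
            outcome = "established" if mnemonic.endswith("SUCC") else "fatal_alert"
            results.append({"peer": peer, "outcome": outcome, "seconds": round(gap, 3)})
    # Requests still open at the end of the log got no DTLS answer at all.
    for peer in pending:
        results.append({"peer": peer, "outcome": "unanswered", "seconds": None})
    return results


if __name__ == "__main__":
    for r in dtls_handshake_outcomes(AP_LOG):
        print(r)
```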
01-29-2014 09:23 AM
Have you looked at this post?
https://supportforums.cisco.com/message/4137649#4137649
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
01-29-2014 09:55 AM
I didn't read that post, I'm not having an issue with client connections, just ap to controller communication.
I am going all local switching, so I'd rather not affect the client mtu size.
01-29-2014 09:57 AM
* I am doing local switching.
01-29-2014 10:23 AM
Dan,
The only thing that I can think of is if IPSEC is breaking the CAPWAP UDP 5246 & 5247. Since the AP joins when you remove the IPSEC, something over the IPSEC is preventing the join.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
01-29-2014 12:19 PM
I just thought it was odd that if the AP gets its IP from DHCP it works, but when set static and using DNS to resolve the controller address it doesn't work. I am going to change my topology to use layer 3 without the IPSEC tunnel, but ideally I would continue using IPSEC.
01-29-2014 12:22 PM
Once the AP knows of the WLC, it doesn't need option 43 anymore nor DNS; it will keep and know of the last WLC it joined. This is the thing.... if the AP has already joined the WLC and when you enable IPSEC the AP then can't join the WLC, there is an issue with UDP 5246 and UDP 5247, as these are the ports that the WLC and AP use for the join.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
01-29-2014 12:34 PM
Ok, I see. Thanks for the additional clarification. I will investigate further and see what I can figure out.
Thanks!
01-29-2014 12:37 PM
From what you have tested, it seems like those ports are being blocked. The good part is that they have joined on the same site with a layer 3 connection, so that rules out a lot of other testing :)
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"