Join Remote CW9166 APs to C9800-CL over Site-to-Site VPN Tunnel

ejgreco
Level 1

I am trying to join CW9166 APs at a remote site to a C9800-CL WLC at the HQ site. A site-to-site tunnel between a Meraki MX67 (remote) and FTD-2110 (HQ) has been created. The WLC can reach the APs via ping; the MX can ping the WLC sourced from the AP's VLAN/SVI. I have a DHCP scope on the MX that includes both the DNS server at HQ and Option 43 for the WLC wireless management SVI on the WLC (unfortunately you cannot configure local domains in Meraki DHCP scopes). I double-checked on the Core at HQ (routing all LANs at that site): it can ping the APs sourced from the WLC wireless management VLAN/SVI. I am not using Flex, just relying on the VPN tunnel to pass CAPWAP join requests from the APs to the WLC. Am I missing anything? Do the APs need to be put into Flex Connect mode to join the WLC over the VPN tunnel?

The general architecture:

Remote: 4x CW9166 APs (access) -> Meraki MS-250 (trunk) -> MX67 (s2s) ----> HQ: (s2s) FTD-2110 -> Core -> C9800-CL

9 Replies

No, the AP does not need to be in FlexConnect to connect to the WLC.

But check on the FTD whether you use bypass ACP for VPN or not.

MHM

marce1000
VIP

  - It does not need to be in FlexConnect mode for joining; for that operation it makes no difference.
    Here are some troubleshooting notes:
      https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/119286-lap-notjoin-wlc-tshoot.html#toc-hId--607814488
      https://logadvisor.cisco.com/logadvisor/wireless/9800/9800APJoin
    Note that RadioActive traces from that process can be analyzed with Wireless Debug Analyzer.

      + Check logs on the controller when an AP tries to join
      + You may try to lower the MTU on the VPN link (e.g.)

  Appendix: Have an overall checkup of the C9800-CL controller's configuration with the CLI command
    show tech wireless
  and feed the output from that into Wireless Config Analyzer. Use the full command as denoted in green; do not use a simple show tech as input for this procedure
  (to be considered mandatory in all circumstances, perhaps good to start with!!)

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    The mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

marce1000
VIP

  - Also note that if any AP gets joined, this command can be useful: show capwap detailed
    It gives details on the Path MTU available.

 M.

Amar_Tufo
Level 1

Have you reached a conclusion on this? I have a similar situation that I'm trying to set up.

For anyone wondering how to resolve this in the future: DHCP option 43 with hex value f104XXXXXXX (X being the IP address of the WLC) under the DHCP pool for the APs on its SVI is the solution for scenarios like this. Keep in mind that routing must be established between the WLC and the remote site.
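The hex string in the reply above is the Cisco vendor-specific sub-option carried in DHCP Option 43: a type byte of 0xf1 (241), a length byte equal to 4 times the number of controllers, then each controller's IPv4 address as four raw bytes. The following encoder/decoder is an added example written for this thread, not code from the original post or from Cisco; the controller addresses in it (10.1.1.5 and 10.1.1.6) are constructed samples, not the poster's real WLC address.

```python
import ipaddress

# Cisco lightweight APs look for vendor sub-option type 241 (0xf1) inside Option 43.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(controllers):
    """Build the Option 43 hex string that points APs at one or more WLC management IPs.

    Layout: [0xf1][4 * N][ip1 bytes][ip2 bytes]... with N controller addresses.
    """
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    length = 4 * len(addrs)
    if length > 255:
        raise ValueError("too many controllers for a one-byte length field")
    payload = bytes([CISCO_WLC_SUBOPTION, length]) + b"".join(a.packed for a in addrs)
    return payload.hex()


def decode_option43(hexstr):
    """Parse an Option 43 hex string back into a list of controller IPs.

    Rejects values that are not the Cisco 0xf1 sub-option or whose length byte
    does not match the payload, which is the usual cause of a mistyped scope value.
    """
    data = bytes.fromhex(hexstr)
    if len(data) < 2 or data[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco type-241 (0xf1) sub-option")
    length = data[1]
    if length % 4 != 0 or len(data) != 2 + length:
        raise ValueError("length byte does not match the address payload")
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(2, 2 + length, 4)]


if __name__ == "__main__":
    # Constructed sample: a single WLC at 10.1.1.5, then a primary/secondary pair.
    single = encode_option43(["10.1.1.5"])
    pair = encode_option43(["10.1.1.5", "10.1.1.6"])
    print(single)  # f1040a010105
    print(pair)    # f1080a0101050a010106
    print(decode_option43(pair))
```

The string the encoder returns is what goes into the Meraki scope's Option 43 field (entered as hex) or, on an IOS/IOS-XE DHCP pool, the `option 43 hex` line. Running `decode_option43` on a value copied out of an existing scope is a quick way to confirm the length byte and addresses are what you intended before blaming the tunnel.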

I ended up just bringing the APs into our HQ location (where the WLC is located) and joining them there. I had a similar issue in the past with another AP that I currently use as FlexConnect; I needed to bring that into HQ to convert it to a FlexConnect AP.

 @ejgreco - Note that starting from 17.13.x there are a number of extra built-ins to prevent AP image download corruption over VPN tunnels or WAN links.

 M.


Which in my opinion is nonsense. When you have connectivity and routing established to the WLC, what's the point of preventing AP image download over VPN or WAN links?

Me too, I had to do the same thing. But I still ended up implementing DHCP option 43, so that when the AP joins the network and gets its address it receives the information about its WLC again.
