OEAP 602 can't connect to WLC - WLC doesn't have DTLS enabled

Matt Smeltzer · ‎06-18-2012

Flex 7500

Software Version: 7.2.103.0

I have a Flex 7500 with 200 1142AP's working fine in remote office and local setup. We have since purchased 3 OEAP 602's and looking to distribute to teleworkers.

I have configured the OEAP to point to the NAT'd IP of the WLC, the OEAP does connect and is listed briefly in the WLC wireless listing but I am not able to make any configuration changes, it will then dissassociate and try the join process all over again. I have attached below the OEAP 600 event log. I see that the WLC does not support data DTLS encryption and looking to make this work.

I have tried to install the DTLS license file from the Cisco website, but says license failed to install, with no other errors.

Any help would be greatly appreciated.

Thanks

Matt

*Jun 18 15:18:43.938: Build version 7.0.112.72 (compiled Feb 3 2012 at 01:56:39, [L]).

*Jun 18 15:18:47.859: CAPWAP State: Init.

*Jun 18 15:18:47.860: CAPWAP State: Discovery.

*Jun 18 15:18:47.887: Starting Discovery.

*Jun 18 15:18:47.888: CAPWAP State: Discovery.

*Jun 18 15:18:47.983: Discovery Request sent to <WLC NAT IP> with discovery type set to 0

*Jun 18 15:18:48.052: Discovery Response from <WLC NAT IP>

*Jun 18 15:18:48.054: Dot11 binding decode: Discovery Response

*Jun 18 15:18:48.054: Discovery Response from <WLC NAT IP>

*Jun 18 15:18:48.054: Dot11 binding decode: Discovery Response

*Jun 18 15:18:57.829: Found the discovery response from MASTER Mwar.

*Jun 18 15:18:57.829: Selected MWAR 'HRSB_WLC' (index 0).

*Jun 18 15:18:57.829: Ap mgr count=1

*Jun 18 15:18:57.829: Go join a capwap controller

*Jun 18 15:18:57.829: Choosing AP Mgr with index 0, IP =<WLC NAT IP>

, load = 183..

*Jun 18 15:18:57.829: Synchronizing time with AC time.

*Jun 18 15:18:58.000: CAPWAP State: DTLS Setup.

*Jun 18 15:18:58.549: Dtls Session Established with the AC <WLC NAT IP>

, port= 5246

*Jun 18 15:18:58.549: CAPWAP State: Join.

*Jun 18 15:18:58.550: Join request: version=7.2.103.0

*Jun 18 15:18:58.551: Join request: hasMaximum Message Payload

*Jun 18 15:18:58.551: Dot11 binding encode: Encoding join request

*Jun 18 15:18:58.551: Sending Join Request Path MTU payload, Length 1376

*Jun 18 15:18:58.673: Join Response from <WLC NAT IP>

*Jun 18 15:18:58.674: PTMU : Setting MTU to : 1485

*Jun 18 15:18:58.674: Dot11 binding decode: Join Response

*Jun 18 15:18:58.675: WLC does not support data DTLS encryption, restarting CAPWAP...

Scott Fella · ‎06-18-2012

You need to try to download the free dtls license again. It's needs to be installed successfully in order on use the dtls feature. If you still have issues, then I would open a TAC license case.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Saravanan Lakshmanan · ‎06-18-2012

Try again.

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=4090

Fill in the info, download the license, install and Reboot the WLC.

kristjan.edvardsson · ‎10-29-2013

Thanks. This was excacly the case for me. The OfficeExtend 600 AP joined and didn´t do anything and then dropped of the WLC over and over. Untill I installed the DTLS license on 2504 I use on DMZ. So it is clearly an issue if the 2504 does´t support DTLS data encryption out of the box that is mandatory for the OE AP to work.

Scott Fella · ‎10-29-2013

It depends on the code. Later code version had the DTLS license. Also if you had a WLC with the LDPE license, you would need the DTLS license.

https://supportforums.cisco.com/docs/DOC-24920

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

praetoleiad · ‎01-16-2014

Hi Scott,

Code 7.6.100 here but OEAP has logs that WLC doesn't support DTLS. Sysinfo of the WLC indicates DATA + WPS. When the OEAP was able to connect i tried configuring it for encryption but is not configurable. "plain text only" is shown.

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 7.6.100.0

Bootloader Version............................... 1.0.16

Field Recovery Image Version..................... 1.0.0

Firmware Version................................. PIC 16.0

Build Type....................................... DATA + WPS

And also i am unable to install the license. transfer is completed but license installation fails.

Scott Fella · ‎01-16-2014

You have an OEAP 600 or are you using a different model AP? Data Encryption is default and not configurable on the OEAP 600 but is configurable on other model AP's being used for OfficeExtend. The build type you have supports DTLS and I have tested that with OEAP 600's with no issues. To really check if you need a license, don't think you do, if you connect any other model AP's like the 2600, 3600, or even a 1131 or 1142, go into the AP after it joins and in the Advanced tab, if under Data Encryption, its grey'd out, then you need to add a DTLS license. Only LDPE really requires that, so this is a good way to check.

Here is a 1142 that we are using as an OfficeExtend AP:

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

praetoleiad · ‎01-16-2014

Hi Scott,

My bad, license wasn't installed because of wrong UDI. I guess this will work now since DTLS is already installed.

Thanks!

Scott Fella · ‎01-16-2014

No problem. Hopefully you get it working.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***