01-24-2012 05:55 AM - edited 07-03-2021 09:26 PM
Hi
I have a wireless LAN Controller 5508 that is connected to a dmz on a ASA 5520 that will provide wireless services to home users.
I have primed the access point(s) with the external IP of the controller. I see the requests come in through our perimeter router and hit the ASA. When I debug the controller it sees the request and replies, however the port it sees is 5257, I thought this should be UDP 5246 and 5247. See debug on the WLC below
*spamApTask7: Jan 24 13:44:57.422: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257
*spamApTask7: Jan 24 13:44:57.422: ec:c8:82:c3:71:60 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
*spamApTask7: Jan 24 13:44:57.423: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257
*spamApTask7: Jan 24 13:44:57.423: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:17.425: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257
I did see there was a known bug with the WLC and the NAT and have since upgraded to version 7.0.220.0
I have run the packet trace on the FW from the outside -> dmz and from dmz to outside and the packet goes through.
Any thoughts on what might be up would be useful
Thanks
01-24-2012 06:04 AM
can you post the NAT config from the ASA?
Steve
Sent from Cisco Technical Support iPhone App
01-24-2012 07:13 AM
Outside Rtr
===========
interface GigabitEthernet0/0.1
description ### Link to Internet ###
ip address 94.136.227.xx 255.255.255.248 - external ip
ip nat outside
ip access-group OUTSIDE_IN in
!
interface GigabitEthernet0/1
description ### Link to Firewalls ###
ip address 172.16.100.254 255.255.255.0
ip nat inside
!
ip nat inside source static 172.16.10.1 94.136.227.xx - controller NAT
ip access-list extended OUTSIDE_IN
permit udp any host 94.136.227.xx eq 5246
permit udp any host 94.136.227.xx eq 5247
ASA
===
global (wireless-dmz) 1 interface
nat (wireless-dmz) 1 172.16.10.0 255.255.255.0
static (wireless-dmz,OUTSIDE) 172.16.10.1 172.16.10.1 netmask 255.255.255.255
access-group wireless-dmz_access_in in interface wireless-dmz
01-24-2012 06:05 AM
I was just testing this yesterday and got it to work.... The AP will use UDP 5246 & 5247 and when I was testing, I didn't use an ASA, but had to do NAT translation on my router (test lab). The port will not be 5246 or 5247 since the other router will NAT using a different port. Here is my log:
udp 72.57.26.241:5246 192.168.221.27:5246 71.238.159.119:5266 71.238.159.119:5266
udp 72.57.26.241:5246 192.168.221.27:5246 --- ---
udp 72.57.26.241:5247 192.168.221.27:5247 71.238.159.119:5266 71.238.159.119:5266
udp 72.57.26.241:5247 192.168.221.27:5247 --- ---
*Jan 24 02:41:08.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 72.57.26.241 peer_port: 5246
*Jan 24 02:41:08.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
wmmAC status is FALSE
*Jan 24 02:41:09.491: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 72.57.26.241 peer_port: 5246
*Jan 24 02:41:09.492: %CAPWAP-5-SENDJOIN: sending Join Request to 72.57.26.241
*Jan 24 02:41:09.492: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Jan 24 02:41:09.697: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*Jan 24 02:41:10.123: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
*Jan 24 02:41:10.343: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC-2504
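An added example, not from either post and not Cisco tooling, that applies Steve's point to the WLC debug in the question: a source port other than 5246/5247 on the AP side is the router's PAT at work and not the fault, while an AP that keeps re-discovering without ever sending a Join Request is what actually needs chasing. The sample lines are constructed from the debug above plus a hypothetical second AP (MAC and IP made up) that does reach the join step; the "Join Request from" line format is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the original poster's WLC debug plus a hypothetical AP that joins.
WLC_DEBUG = """\
*spamApTask7: Jan 24 13:44:57.422: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257
*spamApTask7: Jan 24 13:44:57.423: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:17.425: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257
*spamApTask2: Jan 24 13:46:01.000: 00:11:22:33:44:55 Discovery Request from 203.0.113.9:5246
*spamApTask2: Jan 24 13:46:01.001: 00:11:22:33:44:55 Discovery Response sent to 203.0.113.9:5246
*spamApTask2: Jan 24 13:46:02.100: 00:11:22:33:44:55 Join Request from 203.0.113.9:5246
"""

CAPWAP_CONTROL, CAPWAP_DATA = 5246, 5247  # the ports the WLC itself listens on

# Task prefix, timestamp, AP MAC, event, then the peer IP:port as the WLC sees it (post-NAT).
LINE_RE = re.compile(
    r"^\*\S+: (?P<ts>\w{3} \d+ [\d:.]+): (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<event>Discovery Request from|Discovery Response sent to|Join Request from) "
    r"(?P<ip>[\d.]+):(?P<port>\d+)")

def parse_wlc_debug(text):
    """Per AP MAC: discovery count, join count, and the source ports seen."""
    aps = defaultdict(lambda: {"discovery": 0, "join": 0, "src_ports": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip 'Join Priority Processing' and other lines
        st = aps[m["mac"]]
        if m["event"].startswith("Discovery Request"):
            st["discovery"] += 1
        elif m["event"].startswith("Join Request"):
            st["join"] += 1
        st["src_ports"].add(int(m["port"]))
    return aps

def assess(aps, max_discoveries=2):
    """Flag APs stuck in a discovery loop; note PAT-translated source ports as context, not cause."""
    verdicts = {}
    for mac, st in aps.items():
        behind_pat = any(p not in (CAPWAP_CONTROL, CAPWAP_DATA) for p in st["src_ports"])
        if st["join"] == 0 and st["discovery"] >= max_discoveries:
            verdicts[mac] = "discovery loop" + (" (source port PAT-translated)" if behind_pat else "")
        else:
            verdicts[mac] = "joining"
    return verdicts

if __name__ == "__main__":
    for mac, verdict in assess(parse_wlc_debug(WLC_DEBUG)).items():
        print(mac, verdict)
```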