Remote AP Connecting to NAT Address instead of internal IP

Willem de Groot
Level 1

Hi all,

We have a 5508 with 7.4.100.0 for internal APs and OEAPs.

Till now everything is OK.

Now we have to connect an AP (local) in a remote office, connected to the WLC by a VPN Tunnel.

The problem is that the AP in the remote office uses the NAT address to connect to the WLC, so the traffic goes over the Internet, not through the VPN tunnel.

On the controller I have the following setting:

AP Discovery - NAT IP Only ................. Disabled

On the AP:

AP Link Latency.................................. Disabled

How to force the AP to use the internal IP Address of the WLC?

Thanks

Willem


Scott Fella
Hall of Fame

Try this command:

config network ap-discovery nat-ip-only disable

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott,

That's what is already set:

On the controller I have the following setting:

AP Discovery - NAT IP Only ................. Disabled

That's what you need. The NAT IP address will show up during the discovery but will eventually join the management IP.


-Scott
*** Please rate helpful posts ***

Right!
That's what I need, but not what I get.
It seems to be joined to the NAT address.

Are you allowing the ports out through the FW and allowing that back in? I have no issues like that.


-Scott
*** Please rate helpful posts ***

OK,
Correction: the network between the remote office and the WLC is MPLS, not a VPN.
Everything is open between AP and WLC.
The OEAP is connecting to the WLC.
The remote AP (remote office, which should be connecting over MPLS, not the NAT IP) is connected via the NAT IP.
How does discovery work?
Does the WLC give the AP the NAT address and the internal WLC IP address?
How does the AP decide which one to use?

OK, as soon as the NAT config on the WLC is deleted, the remote AP connects normally via MPLS.
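The discovery exchange Willem asks about, as an added example that is not part of this thread or of any Cisco code: a Python model of a CAPWAP Discovery Response (RFC 5415) that carries two "CAPWAP Control IPv4 Address" message elements, a parser that pulls the advertised controller addresses back out, and a simulation of an AP working through them. Assumptions, none of which the thread verifies with a capture: that a WLC with a NAT address configured and "AP Discovery - NAT IP Only" disabled advertises both the NAT and the management address in this way (the later replies say so), that the AP tries the addresses in the order it received them (the console logs further down show the NAT address being tried first), and that the AC name, counters and addresses below are constructed for the example (the two IPs are the ones that appear in the console output later in the thread).

```python
import struct
from ipaddress import IPv4Address

# RFC 5415 message/element type numbers (IETF enterprise number 0, so the
# 32-bit message type equals the enterprise-specific value).
MSG_DISCOVERY_RESPONSE = 2
ELEM_AC_DESCRIPTOR = 1
ELEM_AC_NAME = 4
ELEM_CONTROL_IPV4 = 10   # value: IPv4 address (4 bytes) + WTP count (2 bytes)


def _elem(etype, value):
    """Message element TLV: Type(16) Length(16) Value."""
    return struct.pack("!HH", etype, len(value)) + value


def build_discovery_response(ac_name, control_ipv4, seq=0):
    """Build a minimal CAPWAP Discovery Response.

    control_ipv4 is a list of (ip, wtp_count) pairs; one CAPWAP Control IPv4
    Address element is emitted per entry, which is how an AC advertises more
    than one control address (assumed here: management IP plus NAT IP).
    """
    # AC Descriptor: Stations, Limit, Active WTPs, Max WTPs, Security,
    # R-MAC, Reserved, DTLS Policy. Constructed values, not from a real WLC.
    elems = _elem(ELEM_AC_DESCRIPTOR, struct.pack("!HHHHBBBB", 0, 5000, 3, 500, 2, 1, 0, 2))
    elems += _elem(ELEM_AC_NAME, ac_name.encode())
    for ip, wtp_count in control_ipv4:
        elems += _elem(ELEM_CONTROL_IPV4, IPv4Address(ip).packed + struct.pack("!H", wtp_count))
    # Control header: Message Type(32) Seq Num(8) Msg Element Length(16) Flags(8)
    ctrl = struct.pack("!IBHB", MSG_DISCOVERY_RESPONSE, seq, len(elems), 0) + elems
    # Transport header, 8 bytes: preamble 0x00 (version 0, plaintext CAPWAP),
    # then HLEN(5) RID(5) WBID(5) T F L W M K(6) Flags(3) packed in 3 bytes,
    # then Fragment ID(16) and Frag Offset(13)/Rsvd(3), all zero here.
    hlen, rid, wbid = 2, 0, 1          # HLEN in 4-byte words; WBID 1 = IEEE 802.11
    bits = (hlen << 19) | (rid << 14) | (wbid << 9)
    hdr = b"\x00" + bits.to_bytes(3, "big") + struct.pack("!HH", 0, 0)
    return hdr + ctrl


def parse_discovery_response(pkt):
    """Return {'ac_name': str, 'controllers': [(ip, wtp_count), ...]} or raise
    ValueError if the bytes are not a plaintext CAPWAP Discovery Response."""
    if pkt[0] != 0:
        raise ValueError("not a plaintext CAPWAP header (preamble %#x)" % pkt[0])
    off = (pkt[1] >> 3) * 4            # HLEN is the top 5 bits of byte 1
    msg_type, _seq, elem_len, _flags = struct.unpack_from("!IBHB", pkt, off)
    if msg_type != MSG_DISCOVERY_RESPONSE:
        raise ValueError("unexpected CAPWAP message type %d" % msg_type)
    off += 8
    end = off + elem_len
    result = {"ac_name": None, "controllers": []}
    while off + 4 <= end:
        etype, length = struct.unpack_from("!HH", pkt, off)
        value = pkt[off + 4: off + 4 + length]
        off += 4 + length
        if etype == ELEM_AC_NAME:
            result["ac_name"] = value.decode("utf-8", "replace")
        elif etype == ELEM_CONTROL_IPV4 and length == 6:
            ip = str(IPv4Address(value[:4]))
            result["controllers"].append((ip, struct.unpack("!H", value[4:])[0]))
    return result


def simulate_ap_join(controllers, reachable):
    """Try each advertised address in the order received (assumed AP behaviour,
    matching the console logs in this thread) and return (joined_ip, attempts)."""
    attempts = []
    for ip, _count in controllers:
        if reachable(ip):
            attempts.append((ip, "dtls-ok"))
            return ip, attempts
        attempts.append((ip, "timeout"))
    return None, attempts


# Constructed scenario from the thread: the WLC advertises its NAT address and
# its management address; from a site that only has the internal/MPLS path the
# public address is unreachable, so the AP times out there and falls back.
RESPONSE = build_discovery_response("WLC5508", [("81.47.22.16", 3), ("192.168.20.24", 3)])

if __name__ == "__main__":
    info = parse_discovery_response(RESPONSE)
    joined, log = simulate_ap_join(info["controllers"], lambda ip: IPv4Address(ip).is_private)
    print(info)
    print("joined:", joined, "attempts:", log)
```

Swap the `reachable` callable for one that only answers for the NAT address and the simulation reproduces Willem's symptom: the AP joins over the Internet path even though the management address is one hop away over MPLS. The control traffic is still DTLS-protected, but it leaves the private WAN and depends on the NAT device, which is exactly what the null0 route workaround at the end of the thread removes.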

stewart.lear
Level 1

I have the same problem, except the new local AP I'm trying to add is in the same subnet as the WLC management interface. I can't remove the NAT config because there are still OEAPs in use.

"AP Discovery - NAT IP only" is already disabled on the controller, and from what I've read this means the discovery is given both IPs of the WLC (internal and NAT'd), but the new local AP (1142) only ever tries to connect to the NAT'd address, which of course it cannot reach.

Even using "lwapp ap controller ip address x.x.x.x" to point it to the local address of the WLC does not work.

I have this setup in my home lab and have no issues at all. Right now I have v7.5 and I still have NAT discovery disabled and the AP joins on the internal IP address. Can you post the output of an ap when you reboot it and it joins?


-Scott
*** Please rate helpful posts ***

I'm running 7.4.100.60 on the WLC5508.

Output of the new AP booting and not joining is..

*Sep 25 13:51:16.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246

*Sep 25 13:51:30.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:1924 Max retransmission count reached!

*Sep 25 13:51:30.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for x.x.x.x is reached.

Which just keeps looping every few mins.

I'll have to wait until I can get downtime on a working AP to post that output.  I should mention that all the other local APs were configured before the OEAP ones were added and the NAT options configured.

I just put a new AP on and this is the output. As you can see, it looked at the NAT IP first and failed, then it joined the WLC internal IP.

IOS Bootloader - Starting system.

flash is writable

FLASH CHIP:  Numonyx Mirrorbit (0089)

Xmodem file system is available.

flashfs[0]: 68 files, 15 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 31997952

flashfs[0]: Bytes used: 29621248

flashfs[0]: Bytes available: 2376704

flashfs[0]: flashfs fsck took 26 seconds.

Reading cookie from SEEPROM

Base Ethernet MAC address: 44:03:a7:f1:b8:90

Ethernet speed is 1000 Mb - FULL Duplex

Loading "flash:/ap3g2-k9w8-mx.152-2.JB/ap3g2-k9w8-mx.152-2.JB"...#########################

File "flash:/ap3g2-k9w8-mx.152-2.JB/ap3g2-k9w8-mx.152-2.JB" uncompressed and installed, entry point: 0x2003000

executing...

Secondary Bootloader - Starting system.

Xmodem file system is available.

flashfs[0]: 68 files, 15 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 31997952

flashfs[0]: Bytes used: 29621248

flashfs[0]: Bytes available: 2376704

flashfs[0]: flashfs fsck took 14 seconds.

Reading cookie from SEEPROM

Base Ethernet MAC address: 44:03:a7:f1:b8:90

Boot CMD: 'boot  flash:/ap3g2-k9w8-mx.152-2.JB/ap3g2-k9w8-xx.152-2.JB;flash:/ap3g2-k9w8-mx.152-2.JA/ap3g2-k9w8-xx.152-2.JA'

Loading "flash:/ap3g2-k9w8-mx.152-2.JB/ap3g2-k9w8-xx.152-2.JB"...#############################

File "flash:/ap3g2-k9w8-mx.152-2.JB/ap3g2-k9w8-xx.152-2.JB" uncompressed and installed, entry point: 0x2003000

executing...

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.

           170 West Tasman Drive

           San Jose, California 95134-1706

Cisco IOS Software, C2600 Software (AP3G2-K9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Mon 10-Dec-12 23:52 by prod_rel_team

Initializing flashfs...

flashfs[3]: 68 files, 15 directories

flashfs[3]: 0 orphaned files, 0 orphaned directories

flashfs[3]: Total bytes: 31739904

flashfs[3]: Bytes used: 29621248

flashfs[3]: Bytes available: 2118656

flashfs[3]: flashfs fsck took 11 seconds.

flashfs[3]: Initialization complete.

flashfs[4]: 0 files, 1 directories

flashfs[4]: 0 orphaned files, 0 orphaned directories

flashfs[4]: Total bytes: 11999232

flashfs[4]: Bytes used: 1024

flashfs[4]: Bytes available: 11998208

flashfs[4]: flashfs fsck took 0 seconds.

flashfs[4]: Initialization complete....done Initializing flashfs.

Warning:  the compile-time code checksum does not appear to be present.

Radio0  present 8764 8000 0 A8000000 A8010000 0

Rate table has 244 entries (64 SGI/104 BF variants)

Radio1  present 8764 8000 0 88000000 88010000 4

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

memory validate-checksum 30

^

% Invalid input detected at '^' marker.

login authentication default

  ^

% Invalid input detected at '^' marker.

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Warning:  the compile-time code checksum does not appear to be present.

cisco AIR-CAP2602E-A-K9    (PowerPC) processor (revision A0) with 180214K/81920K bytes of memory.

Processor board ID FGL1651S1P0

PowerPC CPU at 800Mhz, revision number 0x2151

Last reset from power-on

LWAPP image version 7.4.100.0

1 Gigabit Ethernet interface

2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address: 44:03:A7:F1:B8:90

Part Number                          : 73-14511-02

PCA Assembly Number                  : 800-37898-01

PCA Revision Number                  : A0

PCB Serial Number                    : xxxxxxxxxxx

Top Assembly Part Number             : 800-38357-01

Top Assembly Serial Number           : FGL1651S1P0

Top Revision Number                  : A0

Product/Model Number                 : AIR-CAP2602E-A-K9  

% Please define a domain-name first.

Press RETURN to get started!

*Mar  1 00:00:12.227: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed

*Mar  1 00:00:12.231: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory

*Mar  1 00:00:15.727: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up

*Mar  1 00:00:19.379: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0

*Mar  1 00:00:25.727: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1

*Mar  1 00:00:28.251: %SYS-5-RESTART: System restarted --

Cisco IOS Software, C2600 Software (AP3G2-K9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Mon 10-Dec-12 23:52 by prod_rel_team

*Mar  1 00:00:28.251: %SNMP-5-COLDSTART: SNMP agent on host AIR-CAP2602E-A-K9 is undergoing a cold start

*Mar  1 00:00:28.323: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

*Mar  1 00:00:28.323: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to resetlwapp_crypto_init: MIC Present and Parsed Successfully

*Mar  1 00:00:28.459: %SSH-5-ENABLED: SSH 2.0 has been enabled

*Mar  1 00:00:28.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down

*Mar  1 00:00:29.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up

*Mar  1 00:00:29.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

*Mar  1 00:00:29.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down

*Mar  1 00:00:31.851: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed

*Mar  1 00:00:31.851: DPAA Initialization Complete

*Mar  1 00:00:31.851: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited

*Mar  1 00:00:32.467: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up%Default route without gateway, if not a point-to-point interface, may impact performance

*Mar  1 00:00:57.203: Logging LWAPP message to 255.255.255.255.

*Mar  1 00:01:00.883: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source

*Mar  1 00:01:01.931: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.20.202, mask 255.255.255.0, hostname AIR-CAP2602E-A-K9

*Mar  1 00:01:01.979: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up

*Mar  1 00:01:02.979: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

*Mar  1 00:01:03.071: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up

*Mar  1 00:01:03.079: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down

*Mar  1 00:01:03.087: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset

*Mar  1 00:01:04.107: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up

*Mar  1 00:01:05.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (192.168.20.147)

*Mar  1 00:01:12.859: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

*Mar  1 00:01:12.859: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER

*Mar  1 00:01:22.859: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Sep 25 14:31:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 81.47.22.16 peer_port: 5246

*Sep 25 14:31:33.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2051 Max retransmission count reached!

*Sep 25 14:32:03.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 81.47.22.16:5246

*Sep 25 14:32:03.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Sep 25 14:31:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.20.24 peer_port: 5246

*Sep 25 14:31:04.411: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.20.24 peer_port: 5246

*Sep 25 14:31:04.411: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.20.24

*Sep 25 14:31:04.415: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.

*Sep 25 14:31:04.415: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.

*Sep 25 14:31:04.415: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Sep 25 14:31:04.415: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.20.24

User Access Verification

Username:

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered".

-Scott
*** Please rate helpful posts ***

The issue is to do with the AP version.

The new AP shipped with a version 14.something; all the other APs and the one you tested with are 15.2.

Manually upgrading the AP to 15.2 then allowed it to try the external IP, fail and try the internal IP as expected.

I then tested turning off the NAT on the controller, bringing the AP up with its original 14.x version, letting the controller upgrade the AP, then turning NAT back on.

This worked and was much easier than a manual upgrade, so I'll be using this process for future new APs that come with an old version. I didn't notice any loss of the OEAPs when I turned NAT off temporarily on the controller. Is that setting only used during discovery?

Thanks for your assistance.

Hi guys

Coworker of Willem here.

Back in June I opened a TAC case with Cisco concerning this problem, and they filed a bug for it.

https://tools.cisco.com/bugsearch/bug/CSCuh49325

It might be possible that this bug is fixed in the version Stewart mentioned above.

Cheers

Chris

Hi,

I think I've got exactly the same issue with different AP models (2602, 1131, 1242AG). I'm using a 5508 with AireOS 7.4.110.0 and OEAP and FlexConnect APs connected over MPLS (I also entered this command: config network ap-discovery nat-ip-only disable).
Sometimes the access points disconnect and can't rejoin. The APs sometimes need 2 hours, or 2 to 3 days, to rejoin.

I got the same messages in the log (copied from above):

13:51:16.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246

25 13:51:30.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:1924 Max retransmission count reached!

25 13:51:30.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for x.x.x.x is reached.


After we added "ip route <WLC NAT IP> null0" on our remote sites, it seems to be OK.

Cheers
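The AP console output Scott posted above, and the three lines copied in the reply just before this one, show the pattern a practitioner wants to spot quickly in a pile of AP logs: a DTLS attempt to the NAT address that hits the retransmit limit, followed (or, in the stuck 7.4.100.60 case, not followed) by a successful handshake and Join Request to the management address. The following Python is an added example, not code from the thread or from Cisco: it parses those CAPWAP/DTLS syslog lines into one record per DTLS attempt and classifies the outcome, distinguishing the healthy fallback, the loop that never leaves the NAT address, and Willem's original symptom of joining the public address when a private path exists. The sample logs are constructed by trimming the output posted in this thread (the masked x.x.x.x in the stuck case is replaced by the NAT address from Scott's log); the regexes cover only the message formats that appear on this page.

```python
import re
from ipaddress import ip_address

# Message formats as they appear in the AP console output on this page.
DTLS_SEND = re.compile(r"%CAPWAP-5-DTLSREQSEND: .*peer_ip: (\S+) peer_port: (\d+)")
DTLS_OK = re.compile(r"%CAPWAP-5-DTLSREQSUCC: .*peer_ip: (\S+)")
DTLS_FAIL = re.compile(r"Max retransmi(?:ssion|t) count")   # both the DTLS_CLIENT_ERROR and HANDSHAKE_RETRANSMIT forms
JOIN = re.compile(r"%CAPWAP-5-SENDJOIN: sending Join Request to (\S+)")

# Constructed samples, trimmed from the logs posted in this thread.
JOIN_OK_LOG = """\
*Sep 25 14:31:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 81.47.22.16 peer_port: 5246
*Sep 25 14:31:33.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2051 Max retransmission count reached!
*Sep 25 14:32:03.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 81.47.22.16:5246
*Sep 25 14:32:03.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 25 14:31:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.20.24 peer_port: 5246
*Sep 25 14:31:04.411: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.20.24 peer_port: 5246
*Sep 25 14:31:04.411: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.20.24
"""

STUCK_LOG = """\
*Sep 25 13:51:16.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 81.47.22.16 peer_port: 5246
*Sep 25 13:51:30.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:1924 Max retransmission count reached!
*Sep 25 13:51:30.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 81.47.22.16 is reached.
*Sep 25 13:55:16.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 81.47.22.16 peer_port: 5246
*Sep 25 13:55:30.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:1924 Max retransmission count reached!
*Sep 25 13:55:30.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 81.47.22.16 is reached.
"""

# Willem's case: the public (NAT) address answers, so the AP joins over the Internet.
NAT_JOIN_LOG = """\
*Sep 25 14:31:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 81.47.22.16 peer_port: 5246
*Sep 25 14:31:04.411: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 81.47.22.16 peer_port: 5246
*Sep 25 14:31:04.411: %CAPWAP-5-SENDJOIN: sending Join Request to 81.47.22.16
"""


def parse_attempts(log_text):
    """Return one dict per DTLS attempt, in log order:
    {'peer': ip, 'port': int, 'result': 'handshake-ok'|'timeout'|'unknown', 'joined': bool}.
    Lines that follow a DTLSREQSEND are attributed to that attempt until the next one."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = DTLS_SEND.search(line)
        if m:
            cur = {"peer": m.group(1), "port": int(m.group(2)), "result": "unknown", "joined": False}
            attempts.append(cur)
            continue
        if cur is None:
            continue
        if DTLS_FAIL.search(line):
            cur["result"] = "timeout"
        elif DTLS_OK.search(line):
            cur["result"] = "handshake-ok"
        elif JOIN.search(line):
            cur["joined"] = True
    return attempts


def is_private(ip):
    """RFC 1918 / loopback / link-local test; masked values such as x.x.x.x count as not private."""
    try:
        return ip_address(ip).is_private
    except ValueError:
        return False


def classify(attempts):
    """One-line verdict on the join behaviour seen in the log."""
    if not attempts:
        return "no CAPWAP/DTLS attempts found"
    joined = [a for a in attempts if a["joined"]]
    failed = [a for a in attempts if a["result"] == "timeout"]
    if joined:
        ip = joined[-1]["peer"]
        path = "internal/private" if is_private(ip) else "public/NAT"
        return f"joined {ip} ({path} address) after {len(failed)} failed attempt(s)"
    peers = sorted({a["peer"] for a in failed})
    if len(peers) == 1:
        return f"stuck: every attempt to {peers[0]} timed out; no fallback to another address"
    return "not joined: timeouts to " + ", ".join(peers)


if __name__ == "__main__":
    for name, text in (("fallback", JOIN_OK_LOG), ("stuck", STUCK_LOG), ("nat-join", NAT_JOIN_LOG)):
        print(f"{name:9s} {classify(parse_attempts(text))}")
```

Run against a remote site's AP logs after applying the null0 route, the verdict should move from "joined ... (public/NAT address)" to "joined ... (internal/private address) after 1 failed attempt(s)"; a "stuck" verdict on a freshly unboxed AP points at the old-image case Stewart describes rather than at the NAT setting.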
