06-03-2013 05:37 AM - edited 07-04-2021 12:10 AM
Hi all,
We have a 5508 with 7.4.100.0 for internal APs and OEAPs.
Till now everything is OK.
Now we have to connect an AP (local) in a remote office, connected to the WLC by a VPN Tunnel.
The problem is that the AP in the remote office uses the NAT address to connect to the WLC, so the traffic goes over the Internet, not through the VPN tunnel.
On the controller I have the following setting:
AP Discovery - NAT IP Only ................. Disabled
On the AP:
AP Link Latency.................................. Disabled
How can I force the AP to use the internal IP address of the WLC?
Thanks
Willem
06-03-2013 05:39 AM
Try this command:
config network ap-discovery nat-ip-only disable
Sent from Cisco Technical Support iPhone App
06-03-2013 06:00 AM
Hi Scott,
That's what is already set.
On the controller I have the following setting:
AP Discovery - NAT IP Only ................. Disabled
06-03-2013 06:06 AM
That's what you need. The NAT IP address will show up during the discovery but will eventually join the management IP.
Sent from Cisco Technical Support iPhone App
06-03-2013 06:10 AM
right!
That's what I need, but not what I get.
It seems to be joined to the NAT address.
06-03-2013 06:51 AM
Are you allowing the ports out through the FW and allowing that back in? I have no issues like that.
Sent from Cisco Technical Support iPhone App
06-03-2013 06:58 AM
Ok,
Correction: the network between the remote office and the WLC is an MPLS, not a VPN.
Everything is open between AP and WLC.
The OEAP is connecting to the WLC.
The remote AP (remote office, should be connecting over MPLS, not the NAT IP) is connected via the NAT IP.
How does a discovery work?
Does the WLC give the AP the NAT address and the internal WLC IP address?
How does the AP decide what to use?
06-03-2013 07:35 AM
OK, as soon as the NAT config on the WLC is deleted, the remote AP connects normally via MPLS.
09-25-2013 06:41 AM
I have the same problem except the new Local AP I'm trying to add is in the same subnet as the WLC management interface. I can't remove the NAT config because there are still OEAPs in use.
"AP Discovery - NAT IP only" is already disabled on the controller, and from what I've read this means the discovery is given both IPs of the WLC (internal and NAT'd), but the new Local AP (1142) only ever tries to connect to the NAT'd address, which of course it cannot reach.
Even using "lwapp ap controller ip address x.x.x.x" to point it to the local address of the WLC does not work.
09-25-2013 06:47 AM
I have this setup in my home lab and have no issues at all. Right now I have v7.5 and I still have NAT discovery disabled and the AP joins on the internal IP address. Can you post the output of an ap when you reboot it and it joins?
Sent from Cisco Technical Support iPhone App
09-25-2013 07:01 AM
I'm running 7.4.100.60 on the WLC5508.
Output of the new AP booting and not joining is:
*Sep 25 13:51:16.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246
*Sep 25 13:51:30.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:1924 Max retransmission count reached!
*Sep 25 13:51:30.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for x.x.x.x is reached.
This just keeps looping every few minutes.
I'll have to wait until I can get downtime on a working AP to post that output. I should mention that all the other local APs were configured before the OEAP ones were added and the NAT options configured.
09-25-2013 07:36 AM
I just put a new AP on and this is the output. As you can see, it looked at the NAT IP first and failed, then it joined the WLC internal IP.
IOS Bootloader - Starting system.
flash is writable
FLASH CHIP: Numonyx Mirrorbit (0089)
Xmodem file system is available.
flashfs[0]: 68 files, 15 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31997952
flashfs[0]: Bytes used: 29621248
flashfs[0]: Bytes available: 2376704
flashfs[0]: flashfs fsck took 26 seconds.
Reading cookie from SEEPROM
Base Ethernet MAC address: 44:03:a7:f1:b8:90
Ethernet speed is 1000 Mb - FULL Duplex
Loading "flash:/ap3g2-k9w8-mx.152-2.JB/ap3g2-k9w8-mx.152-2.JB"...#########################
File "flash:/ap3g2-k9w8-mx.152-2.JB/ap3g2-k9w8-mx.152-2.JB" uncompressed and installed, entry point: 0x2003000
executing...
Secondary Bootloader - Starting system.
Xmodem file system is available.
flashfs[0]: 68 files, 15 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31997952
flashfs[0]: Bytes used: 29621248
flashfs[0]: Bytes available: 2376704
flashfs[0]: flashfs fsck took 14 seconds.
Reading cookie from SEEPROM
Base Ethernet MAC address: 44:03:a7:f1:b8:90
Boot CMD: 'boot flash:/ap3g2-k9w8-mx.152-2.JB/ap3g2-k9w8-xx.152-2.JB;flash:/ap3g2-k9w8-mx.152-2.JA/ap3g2-k9w8-xx.152-2.JA'
Loading "flash:/ap3g2-k9w8-mx.152-2.JB/ap3g2-k9w8-xx.152-2.JB"...#############################
File "flash:/ap3g2-k9w8-mx.152-2.JB/ap3g2-k9w8-xx.152-2.JB" uncompressed and installed, entry point: 0x2003000
executing...
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, C2600 Software (AP3G2-K9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Mon 10-Dec-12 23:52 by prod_rel_team
Initializing flashfs...
flashfs[3]: 68 files, 15 directories
flashfs[3]: 0 orphaned files, 0 orphaned directories
flashfs[3]: Total bytes: 31739904
flashfs[3]: Bytes used: 29621248
flashfs[3]: Bytes available: 2118656
flashfs[3]: flashfs fsck took 11 seconds.
flashfs[3]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 11999232
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 11998208
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete....done Initializing flashfs.
Warning: the compile-time code checksum does not appear to be present.
Radio0 present 8764 8000 0 A8000000 A8010000 0
Rate table has 244 entries (64 SGI/104 BF variants)
Radio1 present 8764 8000 0 88000000 88010000 4
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
memory validate-checksum 30
^
% Invalid input detected at '^' marker.
login authentication default
^
% Invalid input detected at '^' marker.
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Warning: the compile-time code checksum does not appear to be present.
cisco AIR-CAP2602E-A-K9 (PowerPC) processor (revision A0) with 180214K/81920K bytes of memory.
Processor board ID FGL1651S1P0
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 7.4.100.0
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 44:03:A7:F1:B8:90
Part Number : 73-14511-02
PCA Assembly Number : 800-37898-01
PCA Revision Number : A0
PCB Serial Number : xxxxxxxxxxx
Top Assembly Part Number : 800-38357-01
Top Assembly Serial Number : FGL1651S1P0
Top Revision Number : A0
Product/Model Number : AIR-CAP2602E-A-K9
% Please define a domain-name first.
Press RETURN to get started!
*Mar 1 00:00:12.227: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
*Mar 1 00:00:12.231: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory
*Mar 1 00:00:15.727: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:19.379: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
*Mar 1 00:00:25.727: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
*Mar 1 00:00:28.251: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C2600 Software (AP3G2-K9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Mon 10-Dec-12 23:52 by prod_rel_team
*Mar 1 00:00:28.251: %SNMP-5-COLDSTART: SNMP agent on host AIR-CAP2602E-A-K9 is undergoing a cold start
*Mar 1 00:00:28.323: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:00:28.323: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to resetlwapp_crypto_init: MIC Present and Parsed Successfully
*Mar 1 00:00:28.459: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar 1 00:00:28.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Mar 1 00:00:29.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:29.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:00:29.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:00:31.851: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed
*Mar 1 00:00:31.851: DPAA Initialization Complete
*Mar 1 00:00:31.851: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Mar 1 00:00:32.467: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar 1 00:00:57.203: Logging LWAPP message to 255.255.255.255.
*Mar 1 00:01:00.883: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar 1 00:01:01.931: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.20.202, mask 255.255.255.0, hostname AIR-CAP2602E-A-K9
*Mar 1 00:01:01.979: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:01:02.979: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:01:03.071: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:01:03.079: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Mar 1 00:01:03.087: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:01:04.107: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:01:05.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (192.168.20.147)
*Mar 1 00:01:12.859: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar 1 00:01:12.859: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Mar 1 00:01:22.859: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 25 14:31:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 81.47.22.16 peer_port: 5246
*Sep 25 14:31:33.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2051 Max retransmission count reached!
*Sep 25 14:32:03.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 81.47.22.16:5246
*Sep 25 14:32:03.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 25 14:31:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.20.24 peer_port: 5246
*Sep 25 14:31:04.411: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.20.24 peer_port: 5246
*Sep 25 14:31:04.411: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.20.24
*Sep 25 14:31:04.415: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Sep 25 14:31:04.415: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Sep 25 14:31:04.415: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Sep 25 14:31:04.415: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.20.24
User Access Verification
Username:
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
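A small log-triage helper, added here as an illustration and not taken from the thread or from Cisco: it walks AP console output like the two captures quoted above, pairs each DTLSREQSEND with the outcome lines that follow it, and reports whether the AP fell through from the NAT address to the internal one (the healthy pattern in Scott's capture) or is stuck retrying a single unreachable peer (the symptom in Stewart's). Both sample inputs are constructed from the thread's own lines; the x.x.x.x placeholder is kept as the poster wrote it.

```python
import re

# Constructed sample input, condensed from the AP console output quoted in the thread.
HEALTHY_LOG = """\
*Sep 25 14:31:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 81.47.22.16 peer_port: 5246
*Sep 25 14:31:33.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2051 Max retransmission count reached!
*Sep 25 14:31:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.20.24 peer_port: 5246
*Sep 25 14:31:04.411: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.20.24 peer_port: 5246
*Sep 25 14:31:04.411: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.20.24
"""
# Constructed from the non-joining AP's output; x.x.x.x is the poster's own placeholder.
STUCK_LOG = """\
*Sep 25 13:51:16.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246
*Sep 25 13:51:30.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:1924 Max retransmission count reached!
*Sep 25 13:51:30.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for x.x.x.x is reached.
*Sep 25 13:55:16.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246
*Sep 25 13:55:30.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for x.x.x.x is reached.
"""

REQSEND = re.compile(r"DTLSREQSEND: .*peer_ip: (\S+) peer_port: \d+")
REQSUCC = re.compile(r"DTLSREQSUCC: .*peer_ip: (\S+)")
SENDJOIN = re.compile(r"SENDJOIN: sending Join Request to (\S+)")
MAXRETX = re.compile(r"Max retransmi(?:ssion|t) count")

def triage_capwap_log(text):
    """Return [(peer_ip, outcome), ...] with one entry per DTLSREQSEND.
    Outcome is 'joined', 'dtls_ok', 'timeout' or 'unknown'. Console order carries
    the meaning: an exhausted-retransmit line belongs to the most recent request."""
    attempts = []
    for line in text.splitlines():
        m = REQSEND.search(line)
        if m:
            attempts.append({"peer": m.group(1), "outcome": "unknown"})
            continue
        if not attempts:
            continue  # boot noise before the first discovery attempt
        cur = attempts[-1]
        if MAXRETX.search(line):
            cur["outcome"] = "timeout"
        elif REQSUCC.search(line) and cur["outcome"] == "unknown":
            cur["outcome"] = "dtls_ok"
        elif SENDJOIN.search(line) and cur["outcome"] == "dtls_ok":
            cur["outcome"] = "joined"
    return [(a["peer"], a["outcome"]) for a in attempts]

def stuck_on_single_peer(text):
    """True when every attempt timed out against one and the same peer address."""
    results = triage_capwap_log(text)
    return bool(results) and len({p for p, _ in results}) == 1 and all(o == "timeout" for _, o in results)
```

If the first peer times out and a later peer reaches "joined", the AP did fall back as expected; a result where every attempt is a timeout against one peer is the non-joining behaviour the thread traces to the AP's image version.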
09-26-2013 12:03 AM
The issue is to do with the AP version.
The new AP shipped with a version 14.something, all the other APs and the one you tested with are 15.2.
Manually upgrading the AP to 15.2 then allowed it to try the external IP, fail and try the internal IP as expected.
I then tested turning off the NAT on the controller, bringing the AP up with its original 14. version, letting the controller upgrade the AP then turning NAT back on.
This worked and was much easier than a manual upgrade, so I'll be using this process for future new APs that come with an old version. I didn't notice any loss of the OEAPs when I turned NAT off temporarily on the controller. Is that setting only used during discovery?
Thanks for your assistance.
09-26-2013 11:57 PM
Hi guys
Coworker of Willem here.
Back in June I opened a TAC with Cisco concerning this problem, and they filed a bug for this.
https://tools.cisco.com/bugsearch/bug/CSCuh49325
It might be possible that this bug is fixed in the version Stewart mentioned above.
Cheers
Chris
10-29-2013 01:19 PM
Hi,
I think I've got exactly the same issue with different AP models (2602, 1131, 1242AG). I'm using a 5508 with AireOS 7.4.110.0 & OEAP & FlexConnect APs connected over MPLS (I also inserted this command: config network ap-discovery nat-ip-only disable).
Sometimes the access points disconnect and can't rejoin. The APs sometimes need 2 hours or 2 to 3 days to rejoin.
I got the same messages in the log (copied from above):
13:51:16.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246
25 13:51:30.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:1924 Max retransmission count reached!
25 13:51:30.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for x.x.x.x is reached.
After we added "ip route WLC NAT IP null0" on our remote sites, it seems to be OK.
Cheers