routing LWAPP through a VPN?

Unanswered Question
Dec 29th, 2007

I know this is probably a novice question, but I really can't find the answer... What I would like to know is if I can route LWAPP through a VPN connection from one LAN to another through a PIX 506E ASA.

What I would like to do is have a 4400 WLAN Controller at our main office, and have several satellite offices that are not connected via Point to Point connections or local to be able to get the WLAN configuration information for the Aironet APs that are active in the office.

pmays Mon, 12/31/2007 - 08:21

Yes, the feature for supporting remote APs is HREAP.

The caution is around bandwidth and latency over those links. These are some of the main factors to be considered for the WAN link:

Ensure that the bandwidth of the WAN link is at least 128kbps.

Ensure that the latency or round-trip delay between the two sites across the WAN link is not more than 100ms because more than a 100ms delay can create authentication problems to the client, especially when central authentication is implemented.

I have a problem with losing LWAPP fragments through the IPSec tunnel (between two PIX) when the WLAN is in "central switching mode". It is fragments from the WLC AP-Manager interface to the AP that are lost.

The fragments are set with the DF bit. The fragment is 1476 bytes and this is less than the standard MTU on the PIX IPsec tunnel but larger than the MTU minus IPSec overhead. I've tried to increase the MTU in the PIX VPN tunnel but with no good result. On PIX v7 you can ignore the DF bit and still route the traffic, but this is not an option on the PIX 501 or PIX 506 that I use (version 6.3).

Is there any way to tell the WLC not to set the DF bit? Or to reduce the size of the fragment so that the traffic is routed over the IPSec Tunnel?
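The size arithmetic behind the dropped fragments described above, as an added example that is not part of the original thread: it computes how large a 1476-byte packet becomes after ESP tunnel-mode encapsulation and the largest inner packet that still fits. The 1500-byte path MTU, the two transform choices, the absence of NAT-T, and treating 1476 as the full inner IP packet length are assumptions, since the posts do not state them.

```python
from dataclasses import dataclass

OUTER_IP = 20     # new IPv4 header added by tunnel mode (no options)
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte, encrypted with the payload

@dataclass(frozen=True)
class Transform:
    name: str
    block: int    # cipher block size in bytes (padding boundary)
    iv: int       # per-packet IV length in bytes
    icv: int      # truncated integrity check value in bytes

# Assumed transforms; the thread does not say which one the tunnel uses.
TRANSFORMS = [
    Transform("3DES-CBC + HMAC-SHA1-96", block=8, iv=8, icv=12),
    Transform("AES-CBC + HMAC-SHA1-96", block=16, iv=16, icv=12),
]

def encapsulated_size(inner_len: int, t: Transform) -> int:
    """Outer packet size after ESP tunnel-mode encapsulation of an inner IP packet."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // t.block) * t.block   # round up to the cipher block size
    return OUTER_IP + ESP_HEADER + t.iv + padded + t.icv

def max_inner_packet(path_mtu: int, t: Transform) -> int:
    """Largest inner IP packet whose encapsulated form still fits in path_mtu."""
    room = path_mtu - OUTER_IP - ESP_HEADER - t.iv - t.icv
    return (room // t.block) * t.block - ESP_TRAILER

def verdict(inner_len: int, df: bool, path_mtu: int, t: Transform) -> str:
    """What a gateway that honours the DF bit does with the packet."""
    if encapsulated_size(inner_len, t) <= path_mtu:
        return "forwarded"
    return "dropped" if df else "fragmented"

if __name__ == "__main__":
    PATH_MTU = 1500   # assumed Ethernet path between the two gateways
    INNER = 1476      # packet size reported in the thread, DF bit set
    for t in TRANSFORMS:
        print(f"{t.name}: {INNER} -> {encapsulated_size(INNER, t)} bytes on the wire, "
              f"max inner {max_inner_packet(PATH_MTU, t)}, "
              f"DF packet {verdict(INNER, True, PATH_MTU, t)}")
```
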

