LWAPP and NAT - AP Join Fails

Unanswered Question
Aug 16th, 2009
User Badges:

I'm trying to get an AP to join my controller at work from my house. I've got standard DSL from Frontier, so no QoS for the LWAPP traffic. The controller sees the DISCOVERY request from the AP, and the AP indicates that it receives the DISCOVERY REPLY by going to the JOIN state, followed my 'no more AP manager IP addresses remain'. I'm suspecting that this is happening due to the face that my RTT is over 100ms. Anyone care to comment? I'm fairly confident I've got all the necessary firewall rules setup correctly. Here's the error output from the AP:


%LWAPP-3-CLIENTEVENTLOG: Controller address 66.xx.xx.xx obtained through DHCP

%LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.

%LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER.pickles.pic

%LWAPP-3-CLIENTERRORLOG: DNS Name Lookup: could not resolve CISCO-LWAPP-CONTROLLER.pickles.pic

%LWAPP-5-CHANGED: LWAPP changed state to JOIN

%LWAPP-3-CLIENTERRORLOG: Join Timer: did not recieve join response (controller - VPN-4402-01)

%LWAPP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager IP addresses remain

%SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.

%LWAPP-5-CHANGED: LWAPP changed state to DOWN


Regards,

Scott

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Leo Laohoo Sun, 08/16/2009 - 16:03
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 LAN, Wireless

Hi Scott,


1. How many AP's can your controller handle and how many AP's are currently attached to the controller?


2. Sounds like you are trying to implement the new OfficeExtend feature.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns430/solution_overview_c22-523307_ps10315_Product_Solution_Overview.html

Scott Pickles Sun, 08/16/2009 - 17:02
User Badges:

leolaohoo -


I've been working with this stuff since it was AireSpace, so I'm familiar with all kinds of issue(s) one could have joining a controller. In this case, it isn't the literal meaning of the error as you suggest (i.e. reached the max number of APs for the ap-manager interface or for the controller in total). This is a 4402-50 running 5.2.178.0, with only 4 APs. I'm not attempting the OfficeExtend feature since this isn't a 5508 controller - just trying to see if I can prove whether or not an AP can be remoted to a SOHO. I will probably put the AP in H-REAP mode and see if it works since the deployment guide for H-REAP indicates you can do this. However, I just have this gut feeling that the JOIN REPLY just isn't getting here within the 100ms RTT limit to make it valid and it's as though the AP just never 'hears' it.


Regards,

Scott

Robert.N.Barrett_2 Mon, 08/17/2009 - 03:57
User Badges:
  • Bronze, 100 points or more

Have you tried mapping the CAPWAP UDP ports 5246 and 5247 from your SOHO router to your AP?

Scott Pickles Mon, 08/17/2009 - 04:54
User Badges:

Robert -


Yes, I did in fact. As you point out, the 5.2.178.0 code on my controller is going to 'speak' capwap, but can fall back to LWAPP for APs that are still running pre-5.2 code locally. This is the case with my AP, so it's performing all of this via LWAPP until it joins and updates its code. I could force the code update, but I'd rather not just yet. I think what I'll do is expose the AP using a public IP address and test that.


Regards,

Scott

dancampb Mon, 08/17/2009 - 06:16
User Badges:
  • Cisco Employee,

It depends on what controller you are using. If you have a 5508 you just need to go under the management interface on the controller, enable NAT, and enter the public address translation for the management interface.


What's going on is when the controller responds with the discovery request it gives the address for the AP to join. If you don't have this NAT statement on the controller configured the AP will be given the controller's internal address (192.168.x.x for example) and tries to send its join request there.


If you are using a 2100/4400/wism this NAT functionality for the ap-manager interface isn't available as it is on the 5508.

Scott Pickles Tue, 08/18/2009 - 08:44
User Badges:

Hmmm, sounds interesting. Lemme check to see if providing a static NAT for the controller to the ap-manager interface does the trick...

dancampb Tue, 08/18/2009 - 11:45
User Badges:
  • Cisco Employee,

Setting up static NAT won't do the trick. The ap-manager's address is embedded into the discovery reply. The issue is that the AP will receive the address that is actually configured for the ap-manager and the AP will send its join request to that address.

Robert.N.Barrett_2 Tue, 08/18/2009 - 12:16
User Badges:
  • Bronze, 100 points or more

Forgot to also ask where you are using NAT? On the home router, work router(s), all the above?


Since you've got the whole CAPWAP/LWAPP thing going on, it might make sense to try a local join, and then take the AP back out on the road.

Actions

This Discussion

 

 

Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode