1252 Won't join 5508 over WAN

Unanswered Question
Jun 28th, 2010

I have an interesting issue. I have a remote building connected to my main campus over an MPLS 4xT1 WAN. I have a 4402 (version 7.0.98.0) running 17 1252 AP's using H-REAP. Now I want to upgrade to a 5508 controller (also version 7.0.98.0), but the 1252 AP's won't join the 5508 from the remote building. When I connect the 1252's from any other vlan on main campus, they join just fine. The error message I get on the controller is:


*spamApTask6: Jun 28 13:53:40.973: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:629 Failed to complete DTLS handshake with peer x.x.x.x


I have been through all the Cisco documents related to this that I can find. I can ping the AP's from the controller.

Leo Laohoo Mon, 06/28/2010 - 15:55

Try the following:


1.  Go to Controller > Advanced > Master Controller Configuration > and tick the Master Controller Mode;

2.  Make sure you have DNS entry for CONTROLLER-LWAPP-CISCO.COM;

3.  Console into the LWAP and enter the command in enable mode:  lwapp ap controller ip address


Hope this helps.  Please don't forget to rate useful posts.  Thanks.

reggiestration Tue, 06/29/2010 - 05:43

1. I'm not sure about Master Controller mode, as I have other AP's and controllers on the same network that I don't want to join to this controller.

2. I'm using DHCP option 43

3. I did try this, with no better result.


Thanks for your help! Any other suggestions? Anyone know the difference between 4402 and 5508 controllers and what they need to establish DTLS encryption?


(Cisco Controller) >show dtls connections

       AP Name         Local Port        Peer IP        Peer Port                Ciphersuite
-------------------- ------------- ----------------  -------------     ------------------------------
                       Capwap_Ctrl    10.x.0.4      36498           < Connection not established or unknown >
                       Capwap_Ctrl    10.x.0.11      36486           < Connection not established or unknown >

Compare this to the existing 4402 controller over the same WAN link:



(Cisco Controller) >show dtls connections                                                                       
       AP Name         Local Port        Peer IP        Peer Port                Ciphersuite
-------------------- ------------- ----------------  -------------     ------------------------------
Axxxxxxxxx      Capwap_Ctrl    10.x.0.16      36493           TLS_RSA_WITH_AES_128_CBC_SHA

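The two "show dtls connections" outputs above are the key evidence in this thread: on the 5508 every AP sits at "Connection not established or unknown", while the same APs show a negotiated ciphersuite on the 4402. The following parser is an added example (not code from any poster or from Cisco): it reads that table format and lists the peers whose DTLS session never came up, which is handy when you are checking dozens of H-REAP APs rather than two. The sample outputs are constructed to match the thread's layout, with placeholder addresses and an assumed AP name.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the 5508 output pasted in the thread.
# Addresses are placeholders, not the poster's (masked) addresses.
SAMPLE_5508 = """\
(Cisco Controller) >show dtls connections

       AP Name         Local Port        Peer IP        Peer Port                Ciphersuite
-------------------- ------------- ----------------  -------------     ------------------------------
                       Capwap_Ctrl    10.0.0.4      36498           < Connection not established or unknown >
                       Capwap_Ctrl    10.0.0.11      36486           < Connection not established or unknown >
"""

# Constructed sample, modelled on the working 4402 output; AP name is assumed.
SAMPLE_4402 = """\
(Cisco Controller) >show dtls connections
       AP Name         Local Port        Peer IP        Peer Port                Ciphersuite
-------------------- ------------- ----------------  -------------     ------------------------------
AP-BRANCH-01      Capwap_Ctrl    10.0.0.16      36493           TLS_RSA_WITH_AES_128_CBC_SHA
"""

# One table row: optional AP name, local port, peer IP, numeric peer port,
# then everything else is the ciphersuite column (which may contain spaces).
ROW = re.compile(r"^(\S*)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.+?)\s*$")


@dataclass
class DtlsConn:
    ap_name: str
    local_port: str
    peer_ip: str
    peer_port: int
    ciphersuite: str

    @property
    def established(self) -> bool:
        # The controller prints a bracketed status text instead of a
        # ciphersuite when the DTLS handshake has not completed.
        return not self.ciphersuite.startswith("<")


def parse_dtls_connections(output: str) -> List[DtlsConn]:
    """Parse the rows that follow the dashed separator line."""
    rows: List[DtlsConn] = []
    seen_separator = False
    for line in output.splitlines():
        if line.startswith("----"):
            seen_separator = True
            continue
        if not seen_separator or not line.strip():
            continue  # prompt, header or blank line
        m = ROW.match(line)
        if not m:
            continue  # tolerate any trailing prompt or unexpected line
        name, local_port, peer_ip, peer_port, suite = m.groups()
        rows.append(DtlsConn(name or "<unknown>", local_port, peer_ip, int(peer_port), suite))
    return rows


def unestablished_peers(output: str) -> List[str]:
    """Peer IPs whose CAPWAP control DTLS session is not established."""
    return [c.peer_ip for c in parse_dtls_connections(output) if not c.established]


if __name__ == "__main__":
    for label, sample in (("5508", SAMPLE_5508), ("4402", SAMPLE_4402)):
        print(label, "not established:", unestablished_peers(sample) or "none")
```

Paste a real capture into the script (or read it from a file) and the unestablished list gives you the set of APs to investigate; an empty AP Name column together with the bracketed status is the signature of a join that failed before the DTLS handshake completed.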
Leo Laohoo Tue, 06/29/2010 - 15:08

Are you sure the LWAP in question is getting a valid IP address?


Have you tried to delete the private-config?  Command:  "clear lwapp private"

reggiestration Tue, 06/29/2010 - 18:41

Yes, the AP's are getting ip addresses. I can ping them from the controller. I have also tried resetting them to default and clearing the private config.

barryfowles Wed, 05/18/2011 - 06:17

Hi,


I'm having a similar problem connecting via MPLS from a branch office. Did you manage to resolve this? I've got a feeling it is to do with MTU size.


Thanks
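The last reply suspects the path MTU, and the original poster's observation that the APs answer ping is consistent with that: a default-size echo proves reachability but says nothing about whether full-size packets survive the WAN unfragmented. The script below is an added example (not from any poster or from Cisco) that binary-searches the largest packet that crosses a path with the Don't Fragment bit set. It assumes a Linux iputils ping with the "-M do" and "-s" options; the probe function is injectable so the search itself can be exercised against a simulated path.

```python
import subprocess
import sys
from typing import Callable

IP_HDR = 20    # IPv4 header bytes
ICMP_HDR = 8   # ICMP echo header bytes


def ping_df_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo with `payload` data bytes and DF set.

    Assumes Linux iputils ping: -M do sets DF and refuses local
    fragmentation, so a returncode of 0 means the full packet
    travelled to the peer and back.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest IP packet size in [lo, hi] that the probe passes with DF set.

    `probe` receives the ICMP payload size and returns True when the
    packet got through. The search is monotone: if size N fails, every
    larger size fails too.
    """
    if not probe(lo - IP_HDR - ICMP_HDR):
        raise RuntimeError(f"even {lo}-byte packets do not pass; check reachability first")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid - IP_HDR - ICMP_HDR):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: passes packets up to path_mtu bytes."""
    return lambda payload: payload + IP_HDR + ICMP_HDR <= path_mtu


if __name__ == "__main__":
    # Usage: python pmtu.py <ap-or-controller-address>
    target = sys.argv[1]
    mtu = find_path_mtu(lambda payload: ping_df_probe(target, payload))
    print(f"largest unfragmented IPv4 packet to {target}: {mtu} bytes")
```

Run it from the controller's subnet towards a remote AP and from the remote subnet back; if the result is well below 1500 on the WAN while the campus VLANs return 1500, a Don't Fragment drop somewhere on the MPLS path is a plausible reason the handshake fails only for the remote building.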
