
Office Extend AP setup

nevbuckland
Level 1

I have finally got my office extend AP to connect to my company's 5508 controller by enabling NAT on the management interface and can see all the corporate SSIDs. However, when I try to connect to the SSID my client either gets a local IP address from my home router or cannot get any IP address.

Does anyone have any ideas where the issue may be?

Thanks

9 Replies

bill.wittke
Level 1

I had a similar issue when I first set my OEAP up.

1. On the NAT config... this is a known bug. With NAT enabled, if any of your internal APs need to reconnect to the controller, they will not be able to. Be sure to enable/disable NAT only when you need the OEAP to connect. It is a pain, but Cisco is working on a fix.

2. On the IP problem... my problem ended up being that the SSID was set up for "Local Switching". We do this because we run several APs in HREAP mode. So far the only solution I have found was to create a new SSID without local switching for my OEAP devices.

Hope that helps.

Do you know of an open BugID on this NAT problem?

Yes, there is an open issue with TAC. I don't know the case # at the moment. I have been told that it will be resolved in the next release.

Does anyone know if there is any update on this one? Just tested with version 7-0-116-0 and the problem still exists.

The "Local APs not working with NAT" is resolved in 7.0.116.0.

However, now there is an issue where if you have an OEAP enabled with "Least Latency Join" and you have NAT enabled on the 5508, then the OEAP can't join (7.0.116.0 only). Just go back to 7.0.98.0 (or get the AP to join locally) and disable Least Latency Join from the AP OEAP config, if that is what you have.

Thanks for the reply. I have tested in the lab with version 7.0.116.0 and I cannot get the local APs to connect. The local AP is trying to bring up a DTLS connection to 20.20.20.3, which is my NAT'd address.

Here is part of the AP log:

Mar  1 00:18:38.244: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3560-48PS (0015.62b8.4687)

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

*Mar  1 00:18:47.922: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)

*Mar  1 00:18:56.922: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER

*Mar  1 00:19:05.922: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER

*Mar  1 00:19:15.922: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Jun 30 14:58:06.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 20.20.20.3 peer_port: 5246

*Jun 30 14:58:06.000: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Jun 30 14:58:28.325: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3560-48PS (0015.62b8.4687)

*Jun 30 14:58:35.999: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:1924 Max retransmission count reached!

*Jun 30 14:58:35.999: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 20.20.20.3 is reached.

*Jun 30 14:59:06.000: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 20.20.20.3:5246

*Jun 30 14:59:06.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Jun 30 14:59:06.001: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Jun 30 14:59:16.006: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Jun 30 14:59:16.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 20.20.20.3 peer_port: 5246

*Jun 30 14:59:16.000: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Jun 30 14:59:45.999: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:1924 Max retransmission count reached!

*Jun 30 14:59:45.999: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 20.20.20.3 is reached.

*Jun 30 15:00:15.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 20.20.20.3:5246

*Jun 30 15:00:16.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Jun 30 15:00:16.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

What is supposed to be happening is that the AP gets two discovery responses in 7.0.116.0. One has the un-NAT'd IP, the other is the NAT'd.

You'll try the NAT'd address, fail, and then you should try the non-NAT'd address....

Can you maybe run some of the debug capwap things? I think "debug capwap client events" and maybe error?

I'd also do a "debug ip udp" (separately) during this (or you could just get a packet capture, which would be easier).

This is no ap-manager, right? So the MGMT interface is the AP-MGR and it has the NAT on it too?

I have found that if the AP has been previously registered with the controller and then rebooted these will work but still an issue with a new AP which hasn't connected to the controller. The Controller replies to the discovery request but the AP doesn't join the controller:

Jul  1 09:35:43.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:1924 Max retransmission count reached!

*Jul  1 09:35:43.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 20.20.20.3 is reached.

*Jul  1 09:36:12.999: %CAPWAP-3-EVENTLOG: Wait DTLS timer has expired

*Jul  1 09:36:12.999: %CAPWAP-3-EVENTLOG: Dtls session establishment failed

*Jul  1 09:36:12.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 20.20.20.3:5246

*Jul  1 09:36:12.999: %CAPWAP-3-EVENTLOG: CAPWAP State: DTLS Teardown.

*Jul  1 09:36:13.000: %CAPWAP-3-EVENTLOG: DTLS session cleanup completed. Restarting capwap state machine.

*Jul  1 09:36:13.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Jul  1 09:36:13.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Jul  1 09:36:13.004: %CAPWAP-3-EVENTLOG: Starting Discovery.

*Jul  1 09:36:13.004: %CAPWAP-3-EVENTLOG: CAPWAP State: Discovery.

*Jul  1 09:36:13.004: %CAPWAP-3-EVENTLOG: WTP descriptor: version=117470208

*Jul  1 09:36:13.005: %CAPWAP-3-EVENTLOG: Discovery Request sent to 255.255.255.255 with discovery type set to 0

*Jul  1 09:36:13.005: %CAPWAP-3-EVENTLOG: Discovery Response from 192.168.1.10

*Jul  1 09:36:13.006: %CAPWAP-3-EVENTLOG: Discovery Response from 192.168.1.10

*Jul  1 09:36:23.004: %CAPWAP-3-EVENTLOG: Selected MWAR 'Extend' (index 0).

*Jul  1 09:36:23.004: %CAPWAP-3-EVENTLOG: Ap mgr count=1

*Jul  1 09:36:23.004: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Jul  1 09:36:23.004: %CAPWAP-3-EVENTLOG: Choosing AP Mgr with index 0, IP = 0x14141403, load = 2..

*Jul  1 09:36:23.004: %CAPWAP-3-EVENTLOG: Synchronizing time with AC time.

*Jul  1 09:36:23.000: %CAPWAP-3-EVENTLOG: Setting time to 09:36:23 UTC Jul 1 2011

*Jul  1 09:36:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 20.20.20.3 peer_port: 5246

*Jul  1 09:36:23.000: %CAPWAP-3-EVENTLOG: CAPWAP State: DTLS Setup.

*Jul  1 09:36:23.000: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Jul  1 09:36:53.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:1924 Max retransmission count reached!

*Jul  1 09:36:53.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 20.20.20.3 is reached.

When you say an AP that hasn't joined before, you mean like a new AP out of the box? Perhaps the Recovery image doesn't know how to handle multiple Discovery Responses.... interesting.

%CAPWAP-3-EVENTLOG: Discovery Request sent to 255.255.255.255 with discovery type set to 0

%CAPWAP-3-EVENTLOG: Discovery Response from 192.168.1.10 <-- Response with Local Address

%CAPWAP-3-EVENTLOG: Discovery Response from 192.168.1.10 <-- Response with NAT Address

%CAPWAP-3-EVENTLOG: Selected MWAR 'Extend' (index 0).

%CAPWAP-3-EVENTLOG: Ap mgr count=1

%CAPWAP-3-ERRORLOG: Go join a capwap controller

%CAPWAP-3-EVENTLOG: Choosing AP Mgr with index 0, IP = 0x14141403, load = 2..<-- Chooses NAT Address...

...

...

And from here it times out to 20.20.20.3 and then rediscovers, instead of using the 2nd Discovery Response?

If that is a true statement, then it would appear to me your only option is to figure out a way to get the AP joined to a WLC before they go to a NAT/OEAP WLC?      
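
The join sequence in the logs above can be checked mechanically. This is an added example, not part of any post in the thread: a Python script that decodes the hex `IP = 0x14141403` field, compares the chosen AP manager address with the discovery-response sources, and flags peers whose DTLS handshakes only ever time out. The sample input is constructed from lines quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input: five lines in the shape of the AP log quoted in the thread.
SAMPLE_LOG = """\
*Jul  1 09:36:13.005: %CAPWAP-3-EVENTLOG: Discovery Response from 192.168.1.10
*Jul  1 09:36:13.006: %CAPWAP-3-EVENTLOG: Discovery Response from 192.168.1.10
*Jul  1 09:36:23.004: %CAPWAP-3-EVENTLOG: Choosing AP Mgr with index 0, IP = 0x14141403, load = 2..
*Jul  1 09:36:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 20.20.20.3 peer_port: 5246
*Jul  1 09:36:53.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 20.20.20.3 is reached.
"""

RESP = re.compile(r"Discovery Response from (\S+)")
CHOSEN = re.compile(r"Choosing AP Mgr with index \d+, IP = 0x([0-9A-Fa-f]{8})")
DTLS_REQ = re.compile(r"DTLS connection request sent peer_ip: (\S+) peer_port: \d+")
DTLS_FAIL = re.compile(r"Max retransmit count for (\S+) is reached")


def hex_to_ip(hex_word):
    """Decode the 32-bit hex 'IP = 0x...' field into dotted-quad form."""
    return str(ipaddress.IPv4Address(int(hex_word, 16)))


def summarize_join(log):
    """Hypothetical helper: correlate discovery, AP manager choice and DTLS outcome."""
    responders, chosen, attempts, failures = [], [], {}, {}
    for line in log.splitlines():
        if m := RESP.search(line):
            responders.append(m.group(1))
        elif m := CHOSEN.search(line):
            chosen.append(hex_to_ip(m.group(1)))
        elif m := DTLS_REQ.search(line):
            attempts[m.group(1)] = attempts.get(m.group(1), 0) + 1
        elif m := DTLS_FAIL.search(line):
            failures[m.group(1)] = failures.get(m.group(1), 0) + 1
    return {
        "responders": responders,
        "chosen": chosen,
        # Join targets that differ from every discovery-response source address.
        "chosen_not_responder": sorted(set(chosen) - set(responders)),
        # Peers whose every DTLS attempt ended in a retransmit timeout.
        "always_failing": sorted(p for p, n in attempts.items() if failures.get(p, 0) >= n),
    }


if __name__ == "__main__":
    print(summarize_join(SAMPLE_LOG))
```

On the sample, the chosen address decodes to 20.20.20.3, which never appears as a discovery-response source and never completes a handshake, matching the behaviour described in the thread.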
