Cisco Support Community
New Member

AP over VPN IPsec Not Joining 5760

Hello,

We have several APs that connect to our wireless controllers from a VPN IPsec connection. On the WiSM2 they functioned fine, but when we upgraded to the 5760 controllers, they failed.

I noticed that the CAPWAP Path MTU for these APs on the WiSM2 were 1437, on the 5760 they show as 1500. Would this be causing an issue for the join request?

The AP shows:-

*Jan 30 22:08:40.315: %CAPWAP-5-SENDJOIN: sending Join Request to <ip>

*Jan 30 22:08:45.315: %CAPWAP-5-SENDJOIN: sending Join Request to <ip>

*Jan 30 22:09:15.479: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)

The capwap debug on the 5760 shows:-

Invalid length (10) countedlen 6 sizeUserPayload 277 for vendor-specific element 0x00409600-unknown from AP <mac>

Failed to validate vendor specific message element

*%LWAPP-3-VALIDATE_ERR: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP

....

Invalid length (7) countedlen

LWAPP message validation failed for SPAM Vendor Specific Payload(104) in message of len=7 from AP <mac>

....

Ideas?

- Trevor

8 REPLIES
VIP Purple

Re: AP over VPN IPsec Not Joining 5760

Hi,

Do you have this issue only with APs coming across VPN ?

Have you got other APs registered to your 5760 without any problem?

Rasika

New Member

AP over VPN IPsec Not Joining 5760

This issue is only with APs coming across VPN. I have almost 500 APs on the internal network that have connected fine.

It works fine across VPN connecting to the WiSM2 but not the 5760.

- Trevor

VIP Purple

Re: AP over VPN IPsec Not Joining 5760

Hi Trevor,

I think you should contact Cisco TAC & get their input on this.

You can play with reducing the MTU size in your 5760; since you have a big production environment, it is always good to do that under TAC direction.

HTH

Rasika

**** Pls rate all useful responses ****

New Member

AP over VPN IPsec Not Joining 5760

Hi Rasika,

Where would I change the MTU size on the 5760? I have a lab 5760 setup that I can test this on without making any changes on the production version.

Thanks,

- Trevor

VIP Purple

Re: AP over VPN IPsec Not Joining 5760

Hi Trevor,

You can change the system MTU size of the 5760 as below. But as per the values, the minimum you can set is 1500 bytes, which is the default. So you can't reduce it to match what it was in the WiSM.

5760-1(config)#system mtu ?

  <1500-9198>  MTU size in bytes

HTH

Rasika

**** Pls rate all useful responses ****

New Member

Wow I feel bad not replying

Wow I feel bad not replying to this one! The issue was due to ICMP not being open between the VPN IP and the 5760 management.

Cheers,

 - Trevor

New Member

I've been having similar

I've been having similar issues since we upgraded from WiSM to 5760.

I have a few remote offices that have a 10M half-duplex WAN link, and the APs have a hard time joining the controller. Sometimes they will join after DAYS. The MTU size at one site is less than 1500, so I'm not sure if that is an issue, since you cannot set the MTU on the 5760 to less than 1500.

I upgraded our code to 03.07.00 and now I have 3 sites where the APs are not coming back.

I've had a few TAC cases open with no luck.

New Member

Hey Joe, The issue for me was

Hey Joe,

The issue for me was due to CAPWAP packet fragmentation not working. We have strict firewall rules and discovered that ICMP was required to be open, as the VPN IP was trying to send an ICMP 'packet too large' message to the 5760. Once ICMP was open, that fixed the CAPWAP issue for the APs connected across the VPN.

This link helped as well with understanding CAPWAP:-

http://what-when-how.com/deploying-and-troubleshooting-cisco-wireless-lan-controllers/capwap-fragmentation-and-path-mtu-discovery-cisco-wireless-lan-controllers/

Cheers,

 - Trevor
