Cisco Support Community

New Member

H-REAP behavior when loss connection to the WLC

Hi guys,

I am testing a scenario when H-REAP AP loses connection to the WLC and the behavior does not seem to be correct.

basically I have two APs configured in H-REAP mode and joined a WLC, the APs and WLC are connected to the same switch. I have an ACS server doing the authentication. I have configured a H-REAP group, with the two H-REAP APs added in, and I have the ACS server configured in this H-REAP group.

I then created a SSID with local-switching enabled, and vlan-mapping configured. everything works fine when the H-REAP APs are connected to the WLC. I then shut down the port connecting to the WLC from the switch, I could authenticate in the first few seconds (I have added both H-REAP APs in the ACS as AAA clients, and from the logs I can confirm that the auth request was sent from the H-REAP APs not the WLC anymore once I shut down the WLC port).

the problem is that after a few minutes, authentication starts to fail and I noticed that auth request was sent via a different IP address from the H-REAP AP, then I connected to the console of the AP and noticed that the H-REAP AP was trying to discover WLC, and since the WLC port was down, it reverts back to WLC discover through DHCP, which is causing the address change and auth failure.

my understanding is that for H-REAP APs, they should go to standalone mode once connectivity to WLC is lost, and keep serving clients, and in this case, authenticate new clients via ACS as well, until the connectivity to the WLC is restored and go back to central-auth, local switching mode.

can anyone please confirm if what I have observed here is an expected behavior or anything I have missed out? to me this does not seem to be correct as if we lost WAN connectivity in real network, then H-REAP APs will start to reboot until connection to the WLC is restored.

any comments would be appreciated. thanks.

Andy

6 REPLIES
Cisco Employee

H-REAP behavior when loss connection to the WLC

for AP who's the dhcp server onboard WLC/external or static ip?

Are ACS/AP IP/Wireless client are same or different vlan?

I have added both H-REAP APs in the ACS as AAA clients.

Are you using local authentication for hreap only or not?

does debug capwap show switching from connected to standalone?

for local auth, even if AP couldn't join WLC it should still access the ACS using AP's IP.

New Member

H-REAP behavior when loss connection to the WLC

hi Saravanan,

I have AP dhcp server configured on the local switch, the topology looks like below:

WLC2504 <---> 3560 SW <---> H-REAP AP x2
                              |
                              |
                              |
                          WAN
                              |
                              |
                              |
                    central site switch    <---> ACS

so the DHCP server is configured on the 3560 switch, both APs joined the 2504 and in H-REAP mode, authentication will be through the ACS server on the other side over the WAN link (I just used layer 3 interface to simulate the WAN).

APs are placed on vlan 15 and users are mapped to vlan 20 on the local switch, so not on the same subnet, and two DHCP pools configured for APs and clients.

under the SSID configuration, I do not have "H-REAP local auth" checked under the advanced tab, only local switching is enabled.

WLC running code version 7.0.116.0.

regarding the debugs, do I collect from the AP side as the WLC is offline now? the console logs from the AP just showing the AP is going through normal joining process, like a local mode AP, I think even when the AP is assigned with static IP, it will be same behavior as it will revert back to DHCP if no WLC found as normal local mode AP join process.

so basically the behavior of the H-REAP AP seems to be the same as the local mode AP, which does not seem to be correct, I thought for H-REAP mode, AP should not reload or revert back to DHCP for WLC discovery, it should stay in standalone mode when connectivity to the WLC is lost.

thanks for your help.

New Member

H-REAP behavior when loss connection to the WLC

has anyone tested this before or had similar issue previously? basically the H-REAP AP seems to behave the same as local mode AP, when connectivity to the WLC is lost.

appreciate any comment on this.

Thanks.

H-REAP behavior when loss connection to the WLC

Any AP will fall back to DHCP, if the gateway is not reachable,

Can you explain how you made the WLC unreachable?

Regards

NikhiL

New Member

H-REAP behavior when loss connection to the WLC

hi Nikhil,

I disconnect the WLC from the network by shutting down the switchport connecting to the WLC.

I have done another test with different platform, 5508 running 7.0.116.0 and 3500 series APs in H-REAP mode, with H-REAP APs assigned static IP address, this works as expected when I shut down the port connecting to the 5508, from the AP console log, it went into standalone mode and keeps searching for WLC, but no reload:

=========================================================

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Jul  4 13:23:43.808: %LWAPP-3-CLIENTEVENTLOG: Switching to Standalone mode
*Jul  4 13:23:43.877: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.25.25:5246
*Jul  4 13:23:43.947: %WIDS-5-DISABLED: IDS Signature is removed and disabled.
*Jul  4 13:23:43.950: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

=========================================================

previously I have tested 2504 WLC with 1131 and 1040 APs with the same method, only difference is that I used DHCP for H-REAP APs.

not sure if this is a known issue, but this should not be platform specific.

have you seen this issue before?

thanks.
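An added example (not part of the thread and not Cisco code): a small Python parser for the console output quoted in the post above, reporting whether the AP logged the switch to standalone mode, which CAPWAP states followed, and how many controller lookups came after it. The sample is the post's log cut to three lookup lines; the function name and result keys are this example's own.

```python
import re

# Constructed sample: the console output quoted in the post, cut to three lookups.
SAMPLE = '''\
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Jul  4 13:23:43.808: %LWAPP-3-CLIENTEVENTLOG: Switching to Standalone mode
*Jul  4 13:23:43.877: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.25.25:5246
*Jul  4 13:23:43.947: %WIDS-5-DISABLED: IDS Signature is removed and disabled.
*Jul  4 13:23:43.950: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
'''

# IOS-style line: "*Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: text"
MSG = re.compile(r"^\*(?P<ts>\w{3}\s+\d+ [\d:.]+): "
                 r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<text>.*)$")
LOOKUP = re.compile(r'^Translating "([^"]+)"')


def summarize(log):
    """Summarise an AP console capture (result keys are this example's own)."""
    out = {"standalone_at": None, "capwap_states": [],
           "controller_peer": None, "lookups_after_standalone": 0}
    for raw in log.splitlines():
        line = raw.strip()
        m = MSG.match(line)
        if m:
            tag, text = (m["fac"], m["mn"]), m["text"]
            if tag == ("LWAPP", "CLIENTEVENTLOG") and "Standalone mode" in text:
                out["standalone_at"] = m["ts"]
            elif tag == ("CAPWAP", "CHANGED"):
                state = re.search(r"changed state to (\w+)", text)
                if state:
                    out["capwap_states"].append(state.group(1))
            elif tag == ("DTLS", "SEND_ALERT"):
                # Address the AP sent the DTLS close-notify to
                peer = re.search(r"Alert to (\d+(?:\.\d+){3}:\d+)", text)
                if peer:
                    out["controller_peer"] = peer.group(1)
        elif LOOKUP.match(line) and out["standalone_at"]:
            # Controller name lookups seen after the standalone event
            out["lookups_after_standalone"] += 1
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A capture in which `standalone_at` stays `None` never logged the standalone switch, which is the first thing to check when comparing the two test setups described in this thread.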

H-REAP behavior when loss connection to the WLC

If I understand your network correctly, your HREAP network, which is vlan 15 gateway is in your 3560 switch,

Hope your AP port is trunk with native vlan as 15

You also have mentioned HREAP local switching is unchecked, but you have HREAP groups configured and you have added ACS also to the HREAP group.

Are you still testing with 2504 and 1131/1040 or some other models?

Regards

NikhiL
