Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

routing LWAPP through a VPN?

i know this is probably a novice question, but i really cant find the answer... what i would like to know is if i can route LWAPP through a VPN connection from one LAN to another through a PIX 506E ASA.

what i would like to do is have a 4400 WLAN Controler at our main office, and have several satelite offices that are not connected via Point to Point connections or local to be able to get the WLAN configuration information for the Aironet AP's that are active in the office.

2 REPLIES
Cisco Employee

Re: routing LWAPP through a VPN?

Yes, the feature for supporting remote APs is HREAP.

http://www.cisco.com/en/US/products/ps6305/products_configuration_guide_chapter09186a00808e5190.html

The caution is around bandwidth and latency over those links. These are some of the main factors to be considered for the WAN link:

Ensure that the bandwidth of the WAN link is at least 128kbps.

Ensure that the latency or round-trip delay between the two sites across the WAN link is not more than 100ms because more than a 100ms delay can create authentication problems to the client, especially when central authentication is implemented.

New Member

Re: routing LWAPP through a VPN?

I have a problem with losing LWAPP fragments through the IPSec tunnel (between two PIX) when the WLAN is in "central switching mode". It is fragements from WLC AP-Manager interface to AP that is lost.

The fragements are set with the DF bit. 1.st Fragment is 1476 byte and this is less than the standard MTU on PIX IPsec tunnel but larger than MTU minus IPSec Overhead. I've tried to increase the MTU in PIX VPN tunell but no good result. On PIX v7 you can ignore the DF bit and stillroute the traffic, but this is not a option on PIX 501 or PIX 506 that I use (version 6.3).

Is there any way to tell the WLC not to set the DF bit? Or to reduce the size of the fragment so that the traffic is routed over the IPSec Tunnel?

661
Views
0
Helpful
2
Replies
CreatePlease to create content