Flexconnect over IPSEC

Daniel Graham
Level 1

I have a deployment of 1602 APs in FlexConnect mode connected to a controller over IPsec. I am assigning the controller address to the APs via DHCP option 43 and this works without an issue.

If I set a static IP on one of the AP's and use DNS method to assign controller address, the association never happens.

From AP:

*Jan 29 17:02:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip:x.x.x.x peer_port: 5246

*Jan 29 17:03:35.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246

*Jan 29 17:03:46.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller

From Controller:

*spamApTask0: Jan 29 12:13:02.633: xx:xx:xx:xx:xx:xx Discovery Response sent to y.y.y.y:62551

If I remove IPsec and go straight layer 3, the AP associates.

I saw some posts about MTU issues in older versions, but I was under the impression they were resolved in newer versions.

Has anyone had the same issue or does anyone have any tips?

Thanks,

8 Replies

Scott Fella
Hall of Fame

Have you looked at this post?

https://supportforums.cisco.com/message/4137649#4137649

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

I didn't read that post; I'm not having an issue with client connections, just AP to controller communication.

I am going all local switching, so I'd rather not affect the client MTU size.

* I am doing local switching.

Dan,

The only thing that I can think of is if IPsec is breaking the CAPWAP UDP 5246 & 5247. Since the AP joins when you remove the IPsec, something over the IPsec is preventing the join.

Thanks,

Scott


I just thought it was odd that if the AP gets its IP from DHCP it works, but when set static and using DNS to resolve the controller address it doesn't work. I am going to change my topology to use layer 3 without the IPsec tunnel, but ideally I would continue using IPsec.

Once the AP knows of the WLC, it doesn't need option 43 or DNS anymore; it will keep and know of the last WLC it joined. This is the thing: if the AP has already joined the WLC, and when you enable IPsec the AP then can't join the WLC, there is an issue with UDP 5246 and UDP 5247, as these are the ports that the WLC and AP use for the join.

Thanks,

Scott


OK, I see. Thanks for the additional clarification. I will investigate further and see what I can figure out.

Thanks!

From what you have tested, it seems like those ports are being blocked. The good part is that they have joined on the same site with a layer 3 connection, so that rules out a lot of other testing :)

Thanks,

Scott

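A log-triage helper for the symptom in this thread, added here as an example and not code from the original posts or from Cisco: it parses the AP and WLC lines quoted above, confirms that the WLC answered discovery (so small packets on UDP 5246 do cross the tunnel), and measures how long the AP waited between sending the DTLS connection request and giving up with a Close notify. The mnemonics and line shapes come from the quoted logs; the 30-second stall threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample input: the AP-side and WLC-side lines quoted in the thread.
AP_LOG = """\
*Jan 29 17:02:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip:x.x.x.x peer_port: 5246
*Jan 29 17:03:35.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246
*Jan 29 17:03:46.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller
"""
WLC_LOG = "*spamApTask0: Jan 29 12:13:02.633: xx:xx:xx:xx:xx:xx Discovery Response sent to y.y.y.y:62551\n"

# IOS AP syslog shape: "*Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: text"
AP_LINE_RE = re.compile(r"^\*?(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): %([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")
WLC_DISC_RE = re.compile(r"Discovery Response sent to ([\w.]+):(\d+)")

def parse_ap_log(text):
    """Return (timestamp, mnemonic, message) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AP_LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f"), m.group(2), m.group(3)))
    return events

def wlc_discovery_responses(text):
    """Return the (ap_ip, ap_port) pairs the WLC answered. Discovery is plain CAPWAP on
    UDP 5246, so a hit here means the AP's small packets reached the WLC through the tunnel."""
    return [(m.group(1), int(m.group(2))) for m in WLC_DISC_RE.finditer(text)]

def classify_join(ap_text, stall_seconds=30.0):
    """Classify one join attempt from the AP's log.
    verdict: no_dtls_attempt | no_close_notify | dtls_aborted | dtls_handshake_stalled
    seconds: delay from the DTLS request to the Close notify alert (None if not applicable).
    A Close notify tens of seconds after the request, with nothing in between, means the
    handshake never completed. Discovery succeeding while DTLS stalls points at the larger
    handshake datagrams (certificate exchange) being lost, i.e. MTU/fragmentation over the
    tunnel, rather than at UDP 5246 being blocked outright; check both before changing MTU."""
    events = parse_ap_log(ap_text)
    req = next((e for e in events if e[1] == "CAPWAP-5-DTLSREQSEND"), None)
    if req is None:
        return {"verdict": "no_dtls_attempt", "seconds": None}
    alert = next((e for e in events if e[1] == "DTLS-5-SEND_ALERT"
                  and "Close notify" in e[2] and e[0] > req[0]), None)
    if alert is None:
        return {"verdict": "no_close_notify", "seconds": None}
    gap = round((alert[0] - req[0]).total_seconds(), 3)  # assumed stall threshold: 30 s
    return {"verdict": "dtls_handshake_stalled" if gap >= stall_seconds else "dtls_aborted",
            "seconds": gap}
```

Run against the quoted logs it reports a 59.999-second stall after a successful discovery, which is the combination worth checking against the tunnel MTU (ESP overhead plus CAPWAP/DTLS headers) before concluding the ports are filtered.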