
New Member

Flexconnect over IPSEC

I have a deployment of 1602 APs in FlexConnect mode connected to a controller over IPSEC. I am assigning the controller address to the APs via DHCP option 43 and this works without an issue.

If I set a static IP on one of the APs and use the DNS method to assign the controller address, the association never happens.

From AP:

*Jan 29 17:02:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip:x.x.x.x peer_port: 5246

*Jan 29 17:03:35.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246

*Jan 29 17:03:46.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller

From Controller:

*spamApTask0: Jan 29 12:13:02.633: xx:xx:xx:xx:xx:xx Discovery Response sent to y.y.y.y:62551

If I remove IPSEC and go straight layer 3, the AP associates.

I saw some posts about MTU issues in older versions, but I was under the impression they were resolved in newer versions.

Has anyone had the same issue or does anyone have any tips?

Thanks,

8 REPLIES
Hall of Fame Super Silver

Flexconnect over IPSEC

Have you looked at this post?

https://supportforums.cisco.com/message/4137649#4137649

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Flexconnect over IPSEC

I didn't read that post; I'm not having an issue with client connections, just AP to controller communication.

I am going all local switching, so I'd rather not affect the client MTU size.

New Member

Flexconnect over IPSEC

* I am doing local switching.

Hall of Fame Super Silver

Flexconnect over IPSEC

Dan,

The only thing that I can think of is that IPSEC is breaking the CAPWAP UDP 5246 & 5247 traffic. Since the AP joins when you remove the IPSEC, something over the IPSEC is preventing the join.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Flexconnect over IPSEC

I just thought it was odd that if the AP gets its IP from DHCP it works, but when set static and using DNS to resolve the controller address it doesn't work. I am going to change my topology to use layer 3 without the IPSEC tunnel, but ideally I would continue using IPSEC.

Hall of Fame Super Silver

Flexconnect over IPSEC

Once the AP knows of the WLC, it doesn't need option 43 or DNS anymore; it will keep and know of the last WLC it joined.  This is the thing.... if the AP has already joined the WLC, and when you enable IPSEC the AP then can't join the WLC, there is an issue with UDP 5246 and UDP 5247, as these are the ports that the WLC and AP use for the join.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
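Reading the two log excerpts from the original question against Scott's point about UDP 5246/5247, the AP did get a Discovery Response from the WLC (so small datagrams on UDP 5246 pass through the tunnel) but then sat for about 60 seconds after sending its DTLS connection request before tearing the session down with a close-notify and going back to discovery. The following Python triage script is an added example, not code from the thread or from Cisco: it parses the quoted AP and WLC lines and classifies the join attempt. The `DTLSREQSUCC` and `JOINEDCONTROLLER` message names used for the "healthy" comparison log are assumptions for a successful DTLS setup and join and are not in the thread; check them against your own AP output.

```python
import re
from datetime import datetime

# Constructed sample input: the AP and WLC lines quoted in the question
# (the addresses were already masked by the poster).
AP_LOG_FAILED = """\
*Jan 29 17:02:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip:x.x.x.x peer_port: 5246
*Jan 29 17:03:35.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246
*Jan 29 17:03:46.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller
"""
WLC_LOG = """\
*spamApTask0: Jan 29 12:13:02.633: xx:xx:xx:xx:xx:xx Discovery Response sent to y.y.y.y:62551
"""

# Constructed "healthy" AP log for comparison. DTLSREQSUCC and JOINEDCONTROLLER
# are ASSUMED message names for a successful DTLS setup and CAPWAP join; they are
# not in the thread, so verify them against a real AP console before relying on them.
AP_LOG_OK = """\
*Jan 29 17:02:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip:x.x.x.x peer_port: 5246
*Jan 29 17:02:37.120: %CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip:x.x.x.x peer_port: 5246
*Jan 29 17:02:38.004: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC-1
"""

CAPWAP_CONTROL_PORT = 5246  # discovery, join and the DTLS control channel
CAPWAP_DATA_PORT = 5247     # data channel (unused for FlexConnect local switching)

# AP console format: "*Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: message"
AP_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$"
)
# WLC debug format: "*taskName: Mon DD HH:MM:SS.mmm: message"
WLC_RE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)$"
)


def _ts(text):
    """Parse the year-less syslog timestamp; only deltas within one day are meaningful."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S.%f")


def parse_ap_log(text):
    """Return (timestamp, mnemonic, message) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = AP_RE.match(line.strip())
        if m:
            events.append((_ts(m["ts"]), m["mnem"], m["msg"]))
    return events


def parse_wlc_log(text):
    """Return (timestamp, message) tuples from WLC debug output."""
    events = []
    for line in text.splitlines():
        m = WLC_RE.match(line.strip())
        if m:
            events.append((_ts(m["ts"]), m["msg"]))
    return events


def diagnose_capwap_join(ap_text, wlc_text):
    """Classify one join attempt. Verdicts: joined, dtls_up_no_join,
    dtls_handshake_failed (request sent on UDP 5246, then the AP sent a
    close-notify without DTLS ever coming up), dtls_pending, no_dtls_attempt."""
    ap = parse_ap_log(ap_text)
    wlc = parse_wlc_log(wlc_text)
    mnems = [m for _, m, _ in ap]
    result = {
        "discovery_answered": any("Discovery Response sent" in msg for _, msg in wlc),
        "dtls_requested": "DTLSREQSEND" in mnems,
        "dtls_established": "DTLSREQSUCC" in mnems,
        "joined": "JOINEDCONTROLLER" in mnems,
        "handshake_wait_seconds": None,
        "verdict": "no_dtls_attempt",
    }
    if not result["dtls_requested"]:
        return result
    if result["dtls_established"]:
        result["verdict"] = "joined" if result["joined"] else "dtls_up_no_join"
        return result
    # The AP sent a fatal close-notify towards the controller's 5246 port: it gave up.
    t_req = next(t for t, m, _ in ap if m == "DTLSREQSEND")
    close = next((t for t, m, msg in ap
                  if m == "SEND_ALERT" and "Close notify" in msg
                  and f":{CAPWAP_CONTROL_PORT}" in msg), None)
    if close is None:
        result["verdict"] = "dtls_pending"
    else:
        result["handshake_wait_seconds"] = (close - t_req).total_seconds()
        result["verdict"] = "dtls_handshake_failed"
    return result


if __name__ == "__main__":
    print(diagnose_capwap_join(AP_LOG_FAILED, WLC_LOG))
    print(diagnose_capwap_join(AP_LOG_OK, WLC_LOG))
```

On the thread's own excerpt the result is `dtls_handshake_failed` with `discovery_answered` true and a wait of just under 60 seconds. That combination narrows the search the way Scott describes: UDP 5246 is reachable for the small discovery exchange, so the thing to verify on the IPsec path is whether the larger DTLS handshake packets on the same port (and the UDP 5247 data channel, if it is used) are being dropped or fragmented, which is where the MTU reports the poster mentions come in.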
New Member

Flexconnect over IPSEC

Ok, I see. Thanks for the additional clarification. I will investigate further and see what I can figure out.

Thanks!

Hall of Fame Super Silver

Flexconnect over IPSEC

From what you have tested, it seems like those ports are being blocked.  The good part is that they have joined on the same site with a layer 3 connection, so that rules out a lot of other testing:)

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***