Cisco Support Community
New Member

CISCO-LWAPP-CONTROLLER

Hello,

I am trying to get this OfficeExtend working.

I connected the AP, checked the H-REAP box and then OfficeExtend, and gave it a public IP. This public IP is NAT'd to the DMZ controller on the firewall. (The DMZ controller is a 5508 running code 6.0.199.4.)

I have connected this OfficeExtend 1132 AP to a broadband connection and it gets an IP of 192.168.1.23 on its Fa0 interface. All good till now.

When I console onto the OfficeExtend 1132 AP, I get an error message: could not resolve Cisco-LWAPP-Controller.abc.uk... domain server (192.168.1.254) and Cisco-CAPWAP-Controller.home.uk... I think it needs DNS set to the public IP on the local ADSL box, is it?

If this is the case, I am not sure if I can do this as this is controlled by the ISP.

33 REPLIES
New Member

CISCO-LWAPP-CONTROLLER

Any ideas?

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

Are you translating UDP 5246 & 5247 in your FW to point back to the WLC? Also you need to enter the WLC name and the public NAT'd IP for the primary WLC. If you didn't do that you can always enter that info from the console:

capwap ap controller ip address

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
New Member

CISCO-LWAPP-CONTROLLER

Cheers Scott.

I had checked H-REAP and then ticked OfficeExtend and gave the OfficeExtend DMZ WLC name and public IP address on the AP. Then I connected to the broadband connection and it seems to look for Cisco-LWAPP-Controller.abc.uk... (abc is my domain name for the broadband connection).

And we have two firewalls, the first one being the perimeter firewall. I have NAT'd 5246 and 5247 on the perimeter firewall and allowed an ACL on the outside interface to allow 5246 and 5247 on the internal firewall. Hope this is correct?

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

That should be fine. As long as the traffic (UDP 5246 & 5247) gets back to the management interface of the WLC you are fine. Don't worry about the Cisco-lwapp-controller... it's just part of the join process.

Thanks,

Scott Fella
New Member

CISCO-LWAPP-CONTROLLER

But the problem is the AP, when connected to the broadband connection, gets stuck at Cisco-LWAPP-Controller.abc.uk...

I have entered the public IP and the DMZ OfficeExtend WLC under High Availability and checked OfficeExtend and H-REAP. Anything else I need to do?

I am doing this from scratch again and will update you if I have any success. In the meantime, do you have any thoughts on the above, Scott?

Thanks

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

Did you enter the NAT'd public IP address in the management interface? Do you see the translation coming in from the public interface and being sent to the WLC? Try to console into the AP and set the controller IP address (public). I had to do that on an 1131 that I was testing for it to join.

Thanks,

Scott Fella
New Member

CISCO-LWAPP-CONTROLLER

OK thanks, will try this, Scott. By the way, do I need to enter the public IP address (66.111.22.12) on the management interface on the WLC? Because I have not done this. I was under the impression that the firewall would NAT back to the IP of the DMZ controller.

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

Oh no... You need that public ip entered in the management interface.

Thanks,

Scott Fella
New Member

CISCO-LWAPP-CONTROLLER

I have added this now on the management interface, Scott, but still can't get the AP to join the controller. This AP is connected to a broadband wireless router connected back to an ADSL router that has the DNS settings.

(Also I can't see any traffic hitting ports 5246 and 5247 on the firewall, so I think this AP is not trying to go out.)

It comes up with:

CAPWAP-5-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.

Translating "CISCO-CAPWAP-CONTROLLER.Abc.uk"...domain server (192.168.1.254)
*Apr  8 16:25:39.983: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

Translating "CISCO-LWAPP-CONTROLLER.Abc"...domain server (192.168.1.254)
*Apr  8 16:25:42.095: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.Abc.uk

Config on the AP:

service password-encryption
!
hostname AP6400.f14d.b6ba
!
logging rate-limit console 9
enable secret 5 $1$ACEH$BuOIS/RYEP5ZXvWxbyCFS/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login reap_eap_methods group radius
!
aaa session-id common
eap profile lwapp_eap_profile
 method fast
!
!
crypto pki trustpoint Cisco_IOS_MIC_cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint cisco-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-device-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-new-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-old-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
username Cisco secret 5 $1$2zkE$CaKkr5zDUWwltKRFvrIto0
!
!
ip ssh version 2
!
!
interface Dot11Radio0
 no ip route-cache
 mbssid
 speed  basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 power client local
 packet retries 64 drop-packet
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip route-cache
 mbssid
 power client local
 packet retries 64 drop-packet
!
interface Dot11Radio1.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 ip address dhcp client-id FastEthernet0
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
no ip http server
logging trap errors
logging origin-id string AP:6400.f14d.b6ba
logging facility kern
logging snmp-trap notifications
logging snmp-trap informational
logging snmp-trap debugging
logging 255.255.255.255
radius-server local
  no authentication eapfast
  no authentication leap
  no authentication mac
  nas 66.11.22.33 key 7 111D110C041B18030A2632253C363832
  group hreap
  !
!
!
control-plane
!
!
line con 0
line vty 0 4
 transport input none
line vty 5 15
 transport input none
!
end

Hall of Fame Super Silver

CISCO-LWAPP-CONTROLLER

Did you try to enter the following: capwap ap controller ip address 66.111.22.12

Also... what model AP is this? 

-Scott
New Member

Re: CISCO-LWAPP-CONTROLLER

Yep, done this but no joy.

These are 1131 APs.

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

That is the same AP I used to test with, besides an AP600. If you entered that command, you should see something hit your FW on the public side.

-Scott
New Member

Re: CISCO-LWAPP-CONTROLLER

Still no joy.

This is the console output for the AP. Does this give you any thoughts?

AP6400.f14d.b6ba#sh capwap client config
configMagicMark         0xF1E2D3C4
chkSumV2                15914
chkSumV1                34739
swVer                   7.0.98.0
adminState              ADMIN_ENABLED(1)
name                    AP6400.f14d.b6ba
location                default location
group name
mwarName                CNWL-WLC-OfficeExtend
mwarIPAddress           82.45.135.166
mwarName
mwarIPAddress           0.0.0.0
mwarName
mwarIPAddress           0.0.0.0
ssh status              Disabled
Telnet status           Disabled
numOfSlots              2
spamRebootOnAssert      1
spamStatTimer           180
randSeed                0x0
transport               SPAM_TRANSPORT_L3(2)
transportCfg            SPAM_TRANSPORT_DEFAULT(0)
initialisation          SPAM_PRODUCTION_DISCOVERY(1)
ApMode                  H-REAP
ApSubMode               Not Configured
AP Rogue Detection Mode Disabled
OfficeExtend AP         [1] Enabled
OfficeExtend AP JoinMode[0] Standard
Discovery Timer         10 secs
Heart Beat Timer        30 secs
Led State Enabled       1
Primed Interval         0

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

Do you see anything hitting your FW? I think that is the key, because if you set the controller public IP address the AP will try to connect to that IP using UDP 5246, and then 5247 if data encryption was enabled. From the AP, you should also be able to ping that public IP.

Thanks,

Scott Fella
New Member

Re: CISCO-LWAPP-CONTROLLER

I can't ping that address, probably because ICMP is not allowed. When I look at the perimeter firewall I can see untranslated NAT as 1000 packets (and increasing as the AP is trying on port 5246) and on port 5247 it's 0. I have allowed an ACL for 5246 and 5247 to reach the inside firewall but can't see any packets hitting the inside firewall at all.

Should the source and destination port be 5246 and 5247 on the firewall (or just the source as 5246 and 5247 and the destination as any port)?

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

You will not see UDP 5247 until the connection is made. So if you see an entry from the broadband connection trying to connect on UDP 5246, then you need to see how that connection is hitting your other FW. That traffic needs to pass to your internal FW and then to the WLC. You're doing a NAT translation on your outside FW, but how is the traffic being allowed back in? Can you see if the FW is dropping the packet?

Thanks,

Scott Fella
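The exchange the thread is describing, as an added example that is not code from the thread or from Cisco: a CAPWAP (RFC 5415) Discovery Request and Response, built and parsed in Python, showing what crosses UDP 5246 before any 5247 traffic exists, and why the NAT address on the WLC management interface matters. Message and element type numbers are taken from RFC 5415; the WLC behaviour (advertising the NAT address when one is configured, otherwise its own management address) and the DMZ address 10.10.10.5 are assumptions for the simulation; 66.111.22.12 is the public address named in the thread.

```python
"""Added example (not from the thread or Cisco): a CAPWAP (RFC 5415) Discovery
exchange, built and parsed, to show what crosses UDP 5246 before any 5247
traffic exists and why a NAT'd WLC must advertise its public address."""
import struct
import ipaddress

CAPWAP_CONTROL_PORT = 5246   # Discovery, Join, configuration
CAPWAP_DATA_PORT = 5247      # client data; only used after Join succeeds

# RFC 5415 control message types
DISCOVERY_REQUEST, DISCOVERY_RESPONSE, JOIN_REQUEST, JOIN_RESPONSE = 1, 2, 3, 4
# RFC 5415 message element types used here
ELEM_CONTROL_IPV4 = 10       # CAPWAP Control IPv4 Address: 4-byte IP + 2-byte WTP count
ELEM_DISCOVERY_TYPE = 20     # Discovery Type: 1 byte
DISCOVERY_TYPES = {
    0: "Unknown",
    1: "Static Configuration",   # capwap ap controller ip address <ip>
    2: "DHCP",                   # DHCP option 43
    3: "DNS",                    # CISCO-CAPWAP-CONTROLLER.<domain>
    4: "AC Referral",
}


def capwap_header():
    """8-byte CAPWAP transport header: version 0, plain (not DTLS) payload,
    HLEN 2 words, radio id 0, WBID 1 (IEEE 802.11), no fragmentation."""
    preamble, hlen, rid, wbid = 0x00, 2, 0, 1
    word1 = (preamble << 24) | (hlen << 19) | (rid << 14) | (wbid << 9)
    word2 = 0                                   # fragment id/offset, reserved
    return struct.pack("!II", word1, word2)


def control_message(msg_type, seq, elements):
    """Transport header + control header + TLV message elements."""
    body = b"".join(struct.pack("!HH", etype, len(value)) + value
                    for etype, value in elements)
    ctrl = struct.pack("!IBHB", msg_type, seq, len(body), 0)   # type, seq, elem len, flags
    return capwap_header() + ctrl + body


def parse_control(datagram):
    """Parse a plain CAPWAP control datagram into type, seq and {elem_type: value}."""
    (word1,) = struct.unpack("!I", datagram[:4])
    preamble = word1 >> 24
    if preamble >> 4 != 0:
        raise ValueError("unknown CAPWAP version %d" % (preamble >> 4))
    if preamble & 0x0F == 1:
        raise ValueError("DTLS-wrapped control message; needs the session keys")
    hdr_len = ((word1 >> 19) & 0x1F) * 4
    msg_type, seq, elem_len, _flags = struct.unpack("!IBHB", datagram[hdr_len:hdr_len + 8])
    off, end = hdr_len + 8, hdr_len + 8 + elem_len
    if end > len(datagram):
        raise ValueError("truncated control message")
    elements = {}
    while off + 4 <= end:
        etype, elength = struct.unpack("!HH", datagram[off:off + 4])
        if off + 4 + elength > end:
            raise ValueError("message element overruns message")
        elements[etype] = datagram[off + 4:off + 4 + elength]
        off += 4 + elength
    return {"type": msg_type, "seq": seq, "elements": elements}


def ap_discovery_request(discovery_type, seq=0):
    """What the AP sends to <controller>:5246 when discovery starts."""
    return control_message(DISCOVERY_REQUEST, seq,
                           [(ELEM_DISCOVERY_TYPE, bytes([discovery_type]))])


def wlc_discovery_response(request, mgmt_ip, nat_ip=None):
    """The WLC answers with the control address the AP should Join to. Assumed
    behaviour: with a NAT address on the management interface it advertises
    that public address, otherwise its own (private DMZ) management address."""
    req = parse_control(request)
    if req["type"] != DISCOVERY_REQUEST:
        raise ValueError("not a Discovery Request")
    advertised = ipaddress.IPv4Address(nat_ip or mgmt_ip)
    value = advertised.packed + struct.pack("!H", 0)        # 0 WTPs currently joined
    return control_message(DISCOVERY_RESPONSE, req["seq"], [(ELEM_CONTROL_IPV4, value)])


def simulate_discovery(discovery_type, mgmt_ip, nat_ip=None):
    """Run one exchange and report where the AP would send its Join Request."""
    request = ap_discovery_request(discovery_type)
    response = wlc_discovery_response(request, mgmt_ip, nat_ip)
    resp = parse_control(response)
    join_target = ipaddress.IPv4Address(resp["elements"][ELEM_CONTROL_IPV4][:4])
    return {
        "discovery_type": DISCOVERY_TYPES[discovery_type],
        "ap_dst_port": CAPWAP_CONTROL_PORT,
        "join_target": str(join_target),
        "join_target_reachable_from_internet": not join_target.is_private,
        "data_port_seen_yet": False,    # UDP 5247 only starts after Join completes
    }


if __name__ == "__main__":
    # Constructed addresses: 10.10.10.5 = DMZ WLC management, 66.111.22.12 = public NAT
    print(simulate_discovery(1, "10.10.10.5"))
    print(simulate_discovery(1, "10.10.10.5", nat_ip="66.111.22.12"))
```

Without a NAT address on the management interface the Discovery Response carries the private DMZ address, so an AP on the Internet sends its Join Request somewhere it cannot reach and the firewall never sees a completed session or any 5247 traffic. Only Discovery travels in the clear; from the Join Request onward the control channel is DTLS (preamble type 1), which is why the parser refuses it and why a capture on the WLC side shows little beyond the Discovery pair.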
New Member

Re: CISCO-LWAPP-CONTROLLER

Basically I am doing a NAT translation on the perimeter firewall and on the internal firewall I am NATing that address back to the WLC DMZ controller. Also on the DMZ controller I have added the public IP on the management interface.

If I do sh nat on the perimeter firewall I can see untranslated hits as 10000 but translated as 0, and the access list that allows ports 5246 and 5247 shows 0 packets allowed. So something is wrong here. I have allowed 5246 and 5247 on the inside firewall as well but can't see any traffic on 5246 and 5247 hitting it. So I think it's the perimeter firewall NAT that's stopping it.

Should the source and destination port be 5246 and 5247 (or only 5246 and 5247 as the source and the destination any)?

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

Okay... If you are consoled into the AP and you enter the public IP address, do you see in the log that the AP is trying to connect to your public IP address?

Thanks,

Scott Fella
New Member

Re: CISCO-LWAPP-CONTROLLER

Nope, not really. It just says:

Translating "CISCO-CAPWAP-CONTROLLER.Aeronet.uk"...domain server (192.168.1.254)
*Apr  8 18:59:39.476: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

Translating "CISCO-LWAPP-CONTROLLER.Aeronet.uk"...domain server (192.168.1.254)
*Apr  8 18:59:41.568: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.Aeronet.uk

*Apr  8 18:59:43.655: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER.Aeronet.uk
*Apr  8 19:00:23.659: %CAPWAP-5-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.

I have added capwap ap controller ip xxx and capwap ap primary-base (controller name).

But on the perimeter firewall I can see untranslated hits on port 5246.

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

That doesn't look right. What I saw on my 1131 was that it was doing a broadcast to my public IP and then the internal one if the public fails. Do you have another AP to try?

Thanks,

Scott Fella
New Member

Re: CISCO-LWAPP-CONTROLLER

Yes, will try this tomorrow. But the fact that I can see hits on 5246 puzzles me.

I have pasted the config above. Can you have a look and let me know if the public IP is in the correct location in the config?

This is the output, and I don't think it looks like it's trying to connect to the public IP:

Translating "CISCO-CAPWAP-CONTROLLER.abc.uk"...domain server (192.168.1.254)
*Apr  8 19:29:03.040: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

Translating "CISCO-LWAPP-CONTROLLER.abc.uk"...domain server (192.168.1.254)
*Apr  8 19:29:05.945: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.abc.uk

*Apr  8 19:29:08.040: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER.abc.uk
*Apr  8 19:29:48.044: %CAPWAP-5-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
Not in Bound state.
*Apr  8 19:29:57.550: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
*Apr  8 19:29:57.550: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 10.151.63.116, mask 255.255.255.0, hostname AP6400.f14d.b6ba

Translating "CISCO-CAPWAP-CONTROLLER.abc.uk"...domain server (192.168.1.254)
*Apr  8 19:30:04.549: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

Translating "CISCO-LWAPP-CONTROLLER.abc.uk"...domain server (192.168.1.254)
*Apr  8 19:30:06.644: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.abc.uk

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

Yeah... The thing is, you should see this getting passed to your other FW and then to the WLC.

Thanks,

Scott Fella
New Member

Re: CISCO-LWAPP-CONTROLLER

Hi Scott,

Sorted this one out. Apparently on the perimeter firewall the permit for 5246 and 5247 was after the deny statements (silly me) and hence it was not allowing.

But now I can see packets hitting the firewall on 5246 and being allowed to the inside firewall, but I can't see the AP on the DMZ WLC. Also I can't see the return traffic from the inside firewall.

On the perimeter firewall I can see packets on 12223 hitting the firewall from the AP. Should that be allowed as well?

Any debug commands on the WLC to see what's happening?

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

You can try that... Also allow UDP 12222 & 12223.

Thanks,

Scott Fella
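The ordering mistake the previous post found (permits placed after the deny statements) and the port list Scott gives here, as an added example that is not from the thread or from any firewall vendor: a first-match ACL evaluator in Python with a shadowed-rule check, run over two constructed rule sets. It assumes the AP's source port is not fixed, so rules match on the destination port at the WLC side only; the rule names and the 443 rule are made up for illustration.

```python
"""Added example (not from the thread): first-match ACL evaluation for the UDP
ports an OfficeExtend AP needs to reach a NAT'd WLC, showing why a permit placed
after a blanket deny never fires and which rules are shadowed."""
from dataclasses import dataclass
from typing import Optional

# AP -> WLC destination ports. The AP's source port is assumed to be non-fixed,
# so rules are matched on destination port only.
CAPWAP_PORTS = {5246: "CAPWAP control", 5247: "CAPWAP data"}
LWAPP_PORTS = {12223: "LWAPP control", 12222: "LWAPP data"}
AP_TO_WLC_PORTS = {**CAPWAP_PORTS, **LWAPP_PORTS}


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "udp", "tcp", "icmp" or "ip" (any protocol)
    dst_port: Optional[int]   # None = any port
    name: str = ""

    def covers(self, proto, dst_port):
        """Does this rule match a packet of this protocol and destination port?"""
        return self.proto in (proto, "ip") and self.dst_port in (None, dst_port)

    def shadows(self, other):
        """True if every packet `other` could match is already decided by self."""
        return (self.proto in (other.proto, "ip")
                and (self.dst_port is None or self.dst_port == other.dst_port))


def first_match(rules, proto, dst_port):
    """The rule that decides this packet, or None for the implicit deny."""
    for rule in rules:
        if rule.covers(proto, dst_port):
            return rule
    return None


def is_permitted(rules, proto, dst_port):
    rule = first_match(rules, proto, dst_port)
    return rule is not None and rule.action == "permit"


def audit_ap_rules(rules):
    """For each CAPWAP/LWAPP port: (permitted?, name of the deciding rule)."""
    report = {}
    for port in AP_TO_WLC_PORTS:
        rule = first_match(rules, "udp", port)
        report[port] = (is_permitted(rules, "udp", port),
                        rule.name if rule else "implicit deny")
    return report


def shadowed_rules(rules):
    """Names of rules that can never be the first match (dead entries)."""
    dead = []
    for i, rule in enumerate(rules):
        if any(earlier.shadows(rule) for earlier in rules[:i]):
            dead.append(rule.name)
    return dead


# Constructed rule sets. BROKEN_ORDER is the misordering described above:
# the CAPWAP permits sit below a catch-all deny and never fire.
BROKEN_ORDER = [
    Rule("permit", "tcp", 443, "https-to-dmz"),
    Rule("deny", "ip", None, "deny-all"),
    Rule("permit", "udp", 5246, "capwap-ctrl"),
    Rule("permit", "udp", 5247, "capwap-data"),
]
FIXED_ORDER = [
    Rule("permit", "tcp", 443, "https-to-dmz"),
    Rule("permit", "udp", 5246, "capwap-ctrl"),
    Rule("permit", "udp", 5247, "capwap-data"),
    Rule("permit", "udp", 12223, "lwapp-ctrl"),
    Rule("permit", "udp", 12222, "lwapp-data"),
    Rule("deny", "ip", None, "deny-all"),
]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(label, audit_ap_rules(rules), "shadowed:", shadowed_rules(rules))
```

On the broken list every CAPWAP port is decided by deny-all and the two permits are reported as shadowed, which matches the zero hit counters seen on the access list earlier in the thread. The fixed list permits only the four AP ports and leaves everything else to the final deny; an explicit trailing deny is kept so the hit counter on it shows what is being dropped.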
New Member

Re: CISCO-LWAPP-CONTROLLER

Looks like packets are hitting the WLC on 5246 but the WLC is not responding to them (as per a packet capture on the firewall interface the WLC is connected to).

Is there any setting that needs to be enabled on the WLC? The WLC is using the firewall as its gateway. I have added the public address in the NAT setting of the management interface.

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

That is really all you need. Do you see anything in the WLC log? What do you see on the AP?

Thanks,

Scott Fella
New Member

Re: CISCO-LWAPP-CONTROLLER

The AP still comes up with the same message, trying to find the controller (I think that happens if it can't speak to the controller on the public address, as it's happening to another AP (not used) as well).

Strangely enough I can't ping the default gateway (firewall). Sometimes it works and sometimes it doesn't?

Where can I see the logs for the WLC?

Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

On the Monitor page, on the lower right, is the log. There is a link to open up the log page too. You can also try to do some debugging on the AP MAC address, but if it's not hitting the WLC you will not see anything.

Thanks,

Scott Fella
Hall of Fame Super Silver

Re: CISCO-LWAPP-CONTROLLER

Is your inside FW rule setup okay? Do you see hits on those ports?

Thanks,

Scott Fella