Cisco Support Community

Problems with Office Extend on 2504 not on 5508

Has anyone out there experienced this problem?

The OEAP works fine on the 5508, but when I set up a 2504 controller the same way, with a NAT IP on the management interface and port forwarding of the CAPWAP ports, the OEAP cannot connect.

The log from the OEAP joining the 5508 looks like this:

*Jan 01 08:00:10.028: CAPWAP State: Discovery.

*Jan 01 08:00:10.137: Discovery Request sent to 80.x.y.z with discovery type set to 0

*Jan 01 08:00:12.303: Discovery Response from 80.x.y.z

*Jan 01 08:00:12.319: Dot11 binding decode: Discovery Response

*Jan 01 08:00:20.073: Selected MWAR 'WLC' (index 0).

*Jan 01 08:00:20.073: Ap mgr count=1

*Jan 01 08:00:20.073: Go join a capwap controller

*Jan 01 08:00:20.074: Choosing AP Mgr with index 0, IP = 80.x.y.z, load = 30..

*Jan 01 08:00:20.074: Synchronizing time with AC time.

*Nov 08 08:41:32.000: CAPWAP State: DTLS Setup.

*Nov 08 08:41:33.829: Dtls Session Established with the AC 80.x.y.z, port= 5246

*Nov 08 08:41:33.829: CAPWAP State: Join.

*Nov 08 08:41:33.829: Join request: version=7.0.220.0

*Nov 08 08:41:33.830: Join request: hasMaximum Message Payload

*Nov 08 08:41:33.831: Dot11 binding encode: Encoding join request

*Nov 08 08:41:33.831: Sending Join Request Path MTU payload, Length 1376

*Nov 08 08:41:33.992: Join Response from 80.x.y.z

*Nov 08 08:41:33.993: PTMU : Setting MTU to : 1485

*Nov 08 08:41:33.993: Dot11 binding decode: Join Response

*Nov 08 08:41:33.994: Starting Post Join timer

------------------------------------------------------------------------------------

The log from the OEAP joining the 2504 looks like this:

*Nov 08 09:17:20.022: CAPWAP State: Discovery.

*Nov 08 09:17:20.117: Discovery Request sent to 77.x.y.z with discovery type set to 0

*Nov 08 09:17:20.906: Discovery Response from 77.x.y.z

*Nov 08 09:17:20.907: Dot11 binding decode: Discovery Response

*Nov 08 09:17:29.969: Selected MWAR 'WLC01' (index 0).

*Nov 08 09:17:29.969: Ap mgr count=1

*Nov 08 09:17:29.969: Go join a capwap controller

*Nov 08 09:17:29.969: Choosing AP Mgr with index 0, IP = 10.x.y.z, load = 1..

*Nov 08 09:17:29.969: Synchronizing time with AC time.

*Nov 08 09:17:30.000: CAPWAP State: DTLS Setup.

*Nov 08 09:18:29.999: Wait DTLS timer has expired

*Nov 08 09:18:29.999: Dtls session establishment failed

*Nov 08 09:18:29.999: CAPWAP State: DTLS Teardown.

When joining the 2504, the OEAP tries to join an AP MGR with the internal LAN IP address.

Any suggestions?

I will say that I have not yet installed the DTLS license on the 2504 - but would this affect the AP Mgr IP chosen?

25 REPLIES

Problems with Office Extend on 2504 not on 5508

DTLS is a requirement for OEAP to work.

Try loading the DTLS license, rebooting and see if the OEAP joins.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.


Problems with Office Extend on 2504 not on 5508

Well, I can see that if I put the OEAP on the LAN with the WLC, it will actually join (for a short while) with encryption set to "plain text". In the log on the OEAP it will say something about how the OEAP will rejoin because the controller does not support DTLS.

But what worries me is still the above, where I get a LAN IP from the 2504, but not from the 5508, when trying to use the OEAP from the WAN.

Problems with Office Extend on 2504 not on 5508

We have now installed the DTLS license on the 2504, but as I suspected it still does not work.

The AP tries to establish the DTLS connection, but as above it tries this to the LAN IP address.

This seems like some of the exact same problems that were with the 5508 in the first version that "supported" OEAP.

Can anyone verify? (Or do I have to open a case?) :-)

Re: Problems with Office Extend on 2504 not on 5508

Does the 2500 support OE? I was under the impression only the 5508s and WISM2 did ...?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Re: Problems with Office Extend on 2504 not on 5508

Yes it supports OE.

(Not very well at the moment )

Unless there has been some great misunderstanding on the Cisco website, and at various techupdates :-)

http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html

See Table 1 for features. And Table 7 for the license to use DTLS.

Re: Problems with Office Extend on 2504 not on 5508

Learn something new every day ... I didn't know that ...

Hall of Fame Super Gold

Problems with Office Extend on 2504 not on 5508

Does the 2500 support OE? I was under the impression only the 5508s and WISM2 did ...?

I also thought the 210X/2504 doesn't support OE.  I know the 4400 will support OE after upgrading the firmware to 7.0.116.0.

Oh well, I'm never a big fan of the 2K-series WLC.

Problems with Office Extend on 2504 not on 5508

What ???

I think you might be mistaken.

Can you please find me where it says that the 4400 will support OE?

I know that the Flex7500 will support OE in version 7.2, but I never heard anything about the 4400.

And still no one to venture a guess as to what is wrong with the 2504 vs 5508 setup - I'm thinking "bug", but I do that a lot.

Hall of Fame Super Gold

Problems with Office Extend on 2504 not on 5508

What ???

I think you might be mistaken.             

Can you please find me where it says that the 4400 will support OE ?

And I was/am.  4400 doesn't support OE.

Problems with Office Extend on 2504 not on 5508

So I did the TAC case, and it turns out I was hitting the CSCts52998 bug.

TAC was nice enough to provide me with a new software and the problem was fixed.

(Just had to remember setting "config network ap-discovery nat-ip-only" to disable - or else the APs on the LAN could not join the controller)

Problem solved.

New Member

Re: Problems with Office Extend on 2504 not on 5508

Hi,

What is the WLC software version that fixes the issue?

I am having a similar issue on a 2504.

I upgraded to ver 7.1.91 and am still having the problem.

I did a packet capture and the WLC is always replying with the LAN IP inside the CAPWAP discovery response.

It causes the OEAP 602 (from the internet) to join the LAN IP.

When does the WLC reply with the NAT IP (WAN IP) configured under the management interface?

Sent from Cisco Technical Support iPhone App

Re: Problems with Office Extend on 2504 not on 5508

I think it was a version called:

7.0.223.1 (I think I still have it here somewhere).

I also think (though I have not had time to test it that much) that it is also solved in 7.2.1.69, which I have in my lab.

When you configure NAT on the management interface, the management interface should always reply with the NAT Address.

If you want it also to reply with the LAN address you should disable this (taken from the release notes of 7.0.220):

Configuring NAT Discovery

The following command has been introduced in this release. This command enables you to configure the use of NAT IP in an AP discovery response:

config network ap-discovery nat-ip-only {enable | disable}

Where:

enable—Enables use of NAT IP only in discovery response. This is the default.

disable—Enables use of both NAT IP and non NAT IP in discovery response.
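An added example, not code from any poster or from Cisco: a small Python check that reads an AP console log of the kind quoted at the top of this thread and flags a join attempt where the discovery response came from a public address but the AP manager chosen for DTLS is an RFC 1918 address. The sample log is constructed, the addresses are placeholders, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample modelled on the AP console output quoted in the thread.
# 203.0.113.10 (public side) and 10.20.30.40 (LAN side) are placeholders.
SAMPLE_LOG = """\
*Nov 08 09:17:20.906: Discovery Response from 203.0.113.10
*Nov 08 09:17:29.969: Choosing AP Mgr with index 0, IP = 10.20.30.40, load = 1..
*Nov 08 09:17:30.000: CAPWAP State: DTLS Setup.
*Nov 08 09:18:29.999: Dtls session establishment failed
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DISCOVERY_RE = re.compile(r"Discovery Response from (\S+)")
AP_MGR_RE = re.compile(r"Choosing AP Mgr with index \d+, IP = ([^,\s]+),")
DTLS_OK_RE = re.compile(r"Dtls Session Established")
DTLS_FAIL_RE = re.compile(r"Dtls session establishment failed")


def is_rfc1918(addr):
    """True for a parseable RFC 1918 address; redacted text returns False."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def check_join_attempts(log_text):
    """Return one finding per DTLS outcome found in an AP CAPWAP log."""
    findings, responder, ap_mgr = [], None, None
    for line in log_text.splitlines():
        if m := DISCOVERY_RE.search(line):
            responder = m.group(1)
        elif m := AP_MGR_RE.search(line):
            ap_mgr = m.group(1)
        elif DTLS_OK_RE.search(line) or DTLS_FAIL_RE.search(line):
            # Thread symptom: public discovery responder, LAN AP manager offered.
            internal = (responder is not None and ap_mgr is not None
                        and is_rfc1918(ap_mgr) and not is_rfc1918(responder))
            findings.append({"responder": responder, "ap_mgr": ap_mgr,
                             "dtls_failed": bool(DTLS_FAIL_RE.search(line)),
                             "internal_ip_advertised": internal})
            responder = ap_mgr = None
    return findings


if __name__ == "__main__":
    print(check_join_attempts(SAMPLE_LOG))
```

Addresses that are redacted in a log (such as `80.x.y.z`) cannot be parsed, so they are never flagged; run the check against the unredacted console output.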

Re: Problems with Office Extend on 2504 not on 5508

Apparently 7.0.230 has just been released on CCO.

I thought that it was supposed to be 7.2 that should be released at this point.

(I want to see H-REAP renamed to FlexConnect in an official release :-) )

Hall of Fame Super Silver

Re: Problems with Office Extend on 2504 not on 5508

You need 7.0.220.8 from TAC if you're using a 2504. This enables data encryption, which you need. 7.2, when it comes out, will have data encryption built into the code. I have a 2504 that I'm testing with the 7.0.220.8. Also required is that you disable NAT discovery in order to get it to work.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
New Member

Re: Problems with Office Extend on 2504 not on 5508

Thanks guys.

Still no luck with 7.1.91.

I will try 7.0.220

Sent from Cisco Technical Support iPhone App

Hall of Fame Super Silver

Re: Problems with Office Extend on 2504 not on 5508

You need to open a TAC case and get the 7.0.220.8 in order to use the 2504 for OfficeExtend.  7.0.220.0 will not work.

-Scott
*** Please rate helpful posts ***
Silver

Re: Problems with Office Extend on 2504 not on 5508

7.0.230 was released and is on CCO, so you want that code and not the TAC special anymore. The 2504 bug is fixed in this release.

New Member

Problems with Office Extend on 2504 not on 5508

Yeah,

I saw Resolved Caveats: CSCts52998 in the 7.0.230 release notes.

I am gonna try this release since this is available on CCO.

Thanks for the info Thomas and blakekrone.

New Member

Re: Problems with Office Extend on 2504 not on 5508

Yes.

7.0.230 resolves the issue.

Sent from Cisco Technical Support iPhone App

New Member

Re: Problems with Office Extend on 2504 not on 5508

I had a very similar problem, it turned out that the 2504 controller we were sold was missing the DTLS Encryption license.  After installing that (free download), we got a step closer, however because we have the 2504 in a DMZ environment with an Inside and an Outside, the AP's associate in a rather hit and miss fashion, sometimes only associating to the 2504 after a reset of the controller???

Also upon reboot of the controller it appears to lose the country setting under time, despite having a valid NTP source enabled?????  <--- NTP/Time is important to AP association so this is the thing that currently has my focus....

My controller is a AIR-CT2504-K9 running the latest s.ware: 7.2.110.0 default base license with an added DTLS Encryption License, connecting through a Checkpoint R75.2 firewall.

My AP is AIR-OEAP602I-N-K9

Currently our NTP is an internal stratum 2 source

It looks like this in topology:

[Internal Network]--><--[Firewall]--><-- Management interface[2504 controller]outside int(virtual) with NAT and AP management enabled--><--[Internet]----><--[Home Internet Feed]--><--oep602i-ap - - - - <-- laptop

Even though we are using a virtual outside interface to associate the AP's it appears we still have to have AP management enabled on the default management interface of the controller in order for this to work.

It seems to be dependent on which way the wind is blowing as to whether an AP will associate in this topology?

Has anyone else come across anything like this?  I'd raise a TAC case but current experience suggests the best that will do is cause me a week or so of pain waiting 72 hours for each update with a tech asking me to repeat at least 5 things I have already tried....

I am pretty sure we are missing something fairly basic here - just wondered if anyone might be able to nudge me in the right direction?     

New Member

Re: Problems with Office Extend on 2504 not on 5508

I have come to the conclusion that Office-Extend will only work in a stable fashion if you configure the 2504 controller in a one-legged way.

i.e. ONLY use the management interface for AP management, with NAT enabled. 

In our DMZ environment, which has an inside switch and an outside switch, I therefore have to connect the management interface to the outside switch, with associated NAT and rules on the Checkpoint firewall to support this.

Based on testing this in a two-legged way, i.e. Inside = management interface and Outside = virtual AP management interface, and based on the CLI debugging, it would seem that the DTLS session is unable to lock into the MWAR, and simply hangs then times out.  I guess the box just isn't designed to work this way?

I'm happy to work in a one-legged way for this to be stable though, so - on with the show I guess.

Re: Problems with Office Extend on 2504 not on 5508

Interesting conversation .. I've done a number of non office extends leg in's. On one particular I actually had a few ip conflicts and was advised that perhaps the controller was leaking packets from one port to another.

I was advised then that legging in was not a supported design.

Specific to office extends, your findings are interesting and I will take note !

Sent from Cisco Technical Support iPhone App

Hall of Fame Super Silver

Re: Problems with Office Extend on 2504 not on 5508

I have not had an issue with my 2504 I run at home. But again, I don't have a dmz, I just do a nat translation for UDP 5246 & 5247 back to the 2504. I have a 1252, 1142 and 3600 running and I have been able to connect an OEAP 600 and other AP's with no issues. I also only have one connection I'm using on the 2504. This has worked for me when it was first available with a TAC special image.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***
New Member

Re: Problems with Office Extend on 2504 not on 5508

@Scott - generally I agree with your view that there is nothing wrong with the 2504.  I was trying to fit it into a topology which it wasn't really intended for I guess.  Since reconfiguring it in a one-legged fashion within our DMZ, it has however been as stable as a non-radioactive core ;p

Hall of Fame Super Silver

Re: Problems with Office Extend on 2504 not on 5508

Okay, must have misunderstood what you were doing. With the 5508 and the 2504, APs must be able to hit the management interface in order to join. You will not be able to isolate the AP manager interface. If you do create an AP manager interface, the AP manager interface has to have connectivity to the management interface.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***