Capwap problem

SOLVED
MarcP
Kind of a big deal

Capwap problem

Hey all,

 

having some trouble regarding to some of my old cisco air-lap1131 accesspoints...

After updating the Wireless Lan Controller to a newer version the APs stopped talking to the wlc.

 

While troubleshooting this on the MX site I made following capture:

 

--- Start Of Stream ---
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on all_lan_sniff, link-type EN10MB (Ethernet), capture size 262144 bytes
14:46:57.115267 IP 10.215.1.130.61267 > 255.255.255.255.53: 48949+ A? CISCO-CAPWAP-CONTROLLER. (41)
14:46:57.115389 IP 10.215.1.130.61267 > 255.255.255.255.53: 48949+ A? CISCO-CAPWAP-CONTROLLER. (41)
14:47:00.113883 IP 10.215.1.130.61267 > 255.255.255.255.53: 48949+ A? CISCO-CAPWAP-CONTROLLER. (41)
14:47:00.114000 IP 10.215.1.130.61267 > 255.255.255.255.53: 48949+ A? CISCO-CAPWAP-CONTROLLER. (41)
14:47:03.111740 IP 10.215.1.130.61267 > 255.255.255.255.53: 48949+ A? CISCO-CAPWAP-CONTROLLER. (41)
14:47:03.111856 IP 10.215.1.130.61267 > 255.255.255.255.53: 48949+ A? CISCO-CAPWAP-CONTROLLER. (41)
14:47:06.110798 IP 10.215.1.130.40441 > 255.255.255.255.5246: UDP, length 189
14:47:06.110930 IP 10.215.1.130.40441 > 255.255.255.255.5246: UDP, length 189
14:47:07.126931 ARP, Request who-has 10.215.1.130 tell 10.215.1.1, length 28
14:47:07.127256 ARP, Reply 10.215.1.130 is-at 70:ca:9b:d9:df:8e, length 46
14:47:16.106503 IP 10.215.1.130.51988 > 255.255.255.255.53: 22306+ A? CISCO-LWAPP-CONTROLLER. (40)
14:47:16.106635 IP 10.215.1.130.51988 > 255.255.255.255.53: 22306+ A? CISCO-LWAPP-CONTROLLER. (40)
14:47:19.104630 IP 10.215.1.130.51988 > 255.255.255.255.53: 22306+ A? CISCO-LWAPP-CONTROLLER. (40)
14:47:19.104756 IP 10.215.1.130.51988 > 255.255.255.255.53: 22306+ A? CISCO-LWAPP-CONTROLLER. (40)
14:47:22.102986 IP 10.215.1.130.51988 > 255.255.255.255.53: 22306+ A? CISCO-LWAPP-CONTROLLER. (40)
14:47:22.103109 IP 10.215.1.130.51988 > 255.255.255.255.53: 22306+ A? CISCO-LWAPP-CONTROLLER. (40)
14:47:22.127438 ARP, Request who-has 10.215.1.130 tell 10.215.1.1, length 28
14:47:22.127743 ARP, Reply 10.215.1.130 is-at 70:ca:9b:d9:df:8e, length 46
--- End Of Stream ---

 

Unfortunatelly the APs do not reach the WLC and I can´t see if it is maybe blocked? The DNS Server is reachable by ping, from the MX (on DNS its configured to forward these requests to the correct IP).

Staff in location already resetted the AP to factory defaults, same problem.

 

Does anyone know how to go on troubleshooting? Or a setting which has to be done?

1 ACCEPTED SOLUTION
NolanHerring
Kind of a big deal

You'll need to use the HEX format for that IP address

Change the TYPE from IP to HEX

Change the VALUE from 10.0.1.199 to f1040a0001c7

The forwarding rules are things that I've had to do on cisco gear (sometimes, not often) in order to get the AP to 'reach' the WLC for the first time.

I'm not entirely certain how it would be setup on the MX itself, but off the cuff that looks correct. Assuming the IP of 10.215.1.130 is the WLC?

Also, is it possible for you to get console access to one of the 1131 access points? If so, console in, reboot it, and wait for the ouput via CLI to start repeating itself, and upload here. This will tell us exactly what is going on and why the AP can't reach the WLC.

Nolan Herring | nolanwifi.com
TwitterLinkedIn

View solution in original post

7 REPLIES 7
NolanHerring
Kind of a big deal

Can you provide a screenshot of how you have Option 43 configured?

You'll need to setup a DHCP option 'custom' code = 43 and Type = HEX

Use this tool to convert your WLC IP to HEX for the OPTION 43

https://shimi.net/services/opt43/

Might be worth trying to set up the port forwarding via the following guide using these ports. Not sure if this will work though.

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

ip forward-protocol udp 12222
ip forward-protocol udp 12223
ip forward-protocol udp 5246
ip forward-protocol udp 5247
Nolan Herring | nolanwifi.com
TwitterLinkedIn
MarcP
Kind of a big deal

Option 43 is set:

 

2019-04-12 08_20_32-DHCP Configuration - Meraki Dashboard.png

 

 

Firmware version is 8.0.152.0, last major release, which supports these old APs 

 

 

Port forwarding like this?

 

2019-04-12 08_24_34-Firewall Configuration - Meraki Dashboard.png

NolanHerring
Kind of a big deal

You'll need to use the HEX format for that IP address

Change the TYPE from IP to HEX

Change the VALUE from 10.0.1.199 to f1040a0001c7

The forwarding rules are things that I've had to do on cisco gear (sometimes, not often) in order to get the AP to 'reach' the WLC for the first time.

I'm not entirely certain how it would be setup on the MX itself, but off the cuff that looks correct. Assuming the IP of 10.215.1.130 is the WLC?

Also, is it possible for you to get console access to one of the 1131 access points? If so, console in, reboot it, and wait for the ouput via CLI to start repeating itself, and upload here. This will tell us exactly what is going on and why the AP can't reach the WLC.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
MarcP
Kind of a big deal

Using I, not Hex was the Problem... :S

 

why isn´t it possible to use the IP? Don´t get that.

PhilipDAth
Kind of a big deal
Kind of a big deal

Did you know they in WLC firmware updates Cisco regularly drop support for older AP's?

 

I bet you have upgraded to a release that no longer supports your older APs - and 1131's are pretty old.  Check the release notes.


@PhilipDAth wrote:

Did you know they in WLC firmware updates Cisco regularly drop support for older AP's?

 

I bet you have upgraded to a release that no longer supports your older APs - and 1131's are pretty old.  Check the release notes.


Good catch Phil, totally skipped my mind.

 

For reference @MarcP , the latest version 1131 supports is 8.0.x

Nolan Herring | nolanwifi.com
TwitterLinkedIn

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels