WLAN and DHCP with WLC controller

Hi,
I have a question about how DHCP works for WiFi clients.
On the WLAN edit page I've seen that my options are:
1) DHCP override -> I insert the DHCP server address here
2) without DHCP override -> the WLAN will use the DHCP server configured under the management interface
Based on this information: why can I configure a DHCP server also on other interfaces and not only on the "management" interface?
If I configure 2 DHCP servers on a "user interface" (without the "override" option in the WLAN), will my clients use these DHCP servers or the DHCP server on the "management" interface?
Many thanks in advance
Luigi

From the online help it seems different ;-/
=====
DHCP Server (Override)
When selected, you can enter the IP address of your DHCP server. This is a required field for some WLAN configurations. There are three valid configurations:
DHCP Server Override ON, a valid DHCP Server IP address, and DHCP Address Assignment Required: Requires all WLAN clients to obtain an IP address from the DHCP Server.
DHCP Server Override ON, a valid DHCP Server IP address, and DHCP Address Assignment Not Required: Allows all WLAN clients to obtain an IP address from the DHCP Server or use a static IP address.
DHCP Server Override OFF: Forces all WLAN clients to use the DHCP setting in the Management Interface, not the static address.
===========
It seems that I can use an external DHCP server, putting the address:
- in the box that appears when I flag the "override" option
- or in the management interface
I think the documentation is not so clear
many thanks
Luigi

Similar Messages

  • Guest anchor WLAN and DHCP

    hi,
    I am trying to set up a guest WLAN using a local controller and a controller in my DMZ using the mobility-anchor configuration.
    Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
    Local Controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest" - assigned it to the management interface.
    Have tried the following with regards to DHCP on this WLAN.
         Set it to "override" and specified the DMZ controller's management interface
         Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management interface
         Left DHCP server blank on the local controller's management interface
    Setup the DMZ controller as the mobility anchor for the "guest" WLAN
    DMZ controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest"
    Created a dynamic interface called "guest" associated to the "guest" WLAN
    Setup mobility anchor for the "guest" interface,  mobility-anchor = local controller
    Created an internal DHCP server scope and enabled it
    Have tried the following with regards to DHCP on the "guest" WLAN
         Set DHCP to "assignment required" and specified the IP address of the controller's management interface as the DHCP server on the "guest" dynamic interface
         Set DHCP to "assignment required" and specified the IP address of the controller's "guest" dynamic interface as the DHCP server on the "guest" dynamic interface
         Set DHCP to "override" and specified the DMZ controller's management interface IP
         Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
    After all this, my client still cannot get an IP address via DHCP. I verified the client is associating to the AP.
    Any help would be appreciated.
    Thanks
    Lee

    On the DMZ controller, what is the output of "debug client <mac address of the client>"? You may also want to capture "debug mobility handoff enable" from both WLCs.
    For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC. One thing of note: the WLAN config on both the DMZ and internal controllers must match exactly, with the exception of the linked interface, otherwise you will not anchor.
    While running the debug, "show dhcp proxy": for the WLC to be the DHCP server, proxy needs to be enabled.

  • HREAP, Local Switched WLAN and DHCP Address required

    Hi All,
    If I have configured an HREAP AP with a locally switched WLAN with "DHCP ADDRESS REQUIRED", from my understanding a client will be provided with an IP address from the HREAP local infrastructure. How will the controller ensure that no static IP client is able to access the network?
    Any Help Welcome.
    Regards, Michael

    I posted about this subject on my site (see link below). Since the posting I learned that the client needs to minimally pass a DHCP discovery packet for the controller to then allow traffic to pass to the client. This is how it "safeguards" against someone putting a static address on their box ...
    http://www.my80211.com/cisco-wlc-cli-commands/2009/12/30/wlc-dhcp-address-assignment-required-option.html
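    A model of the gate the reply above describes, as an added example (not Cisco's code and not from either post): a per-client state machine that forwards a client's IP traffic only after a DHCP exchange has been seen through the controller, and that, with "Assignment Not Required", accepts a static address instead. The event list is constructed, not captured traffic.

```python
"""Model of the WLC "DHCP Address Assignment Required" behaviour (illustrative, not Cisco code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class ClientState(Enum):
    ASSOCIATED = "associated"  # L2 association done, no DHCP seen yet
    DHCP_REQD = "dhcp_reqd"    # DISCOVER/REQUEST seen, waiting for the ACK
    RUN = "run"                # DHCP ACK seen: data traffic is forwarded


@dataclass
class Client:
    mac: str
    state: ClientState = ClientState.ASSOCIATED
    ip: Optional[str] = None   # address learned from the DHCP ACK (or from traffic when not required)
    dropped: int = 0           # data packets discarded by the gate


@dataclass
class DhcpRequiredGate:
    """Per-WLAN gate: dhcp_required=True mirrors "DHCP Addr. Assignment Required"."""
    dhcp_required: bool = True
    clients: Dict[str, Client] = field(default_factory=dict)

    def _client(self, mac: str) -> Client:
        return self.clients.setdefault(mac, Client(mac))

    def on_dhcp(self, mac: str, msg_type: str, yiaddr: Optional[str] = None) -> ClientState:
        """Advance the client's state on a DHCP message seen by the controller."""
        c = self._client(mac)
        if msg_type in ("DISCOVER", "REQUEST"):
            if c.state is ClientState.ASSOCIATED:
                c.state = ClientState.DHCP_REQD
        elif msg_type == "ACK":
            c.ip = yiaddr                  # bind the client to the address the server leased
            c.state = ClientState.RUN
        elif msg_type == "NAK":
            c.ip = None
            c.state = ClientState.DHCP_REQD
        # OFFER is server->client and carries no binding yet, so it changes nothing
        return c.state

    def on_ip_packet(self, mac: str, src_ip: str) -> bool:
        """Return True if the controller forwards this client data packet."""
        c = self._client(mac)
        if not self.dhcp_required:
            # "Assignment Not Required": a static address is accepted as-is
            c.ip = c.ip or src_ip
            return True
        # Required: only a client that completed DHCP, and only from the leased address
        if c.state is ClientState.RUN and src_ip == c.ip:
            return True
        c.dropped += 1
        return False


# Constructed event list (not captured traffic): aa:.. does a normal DHCP exchange,
# bb:.. configures 10.0.0.50 by hand and starts sending without ever asking DHCP.
SAMPLE_EVENTS: List[Tuple] = [
    ("dhcp", "aa:aa:aa:aa:aa:aa", "DISCOVER", None),
    ("dhcp", "aa:aa:aa:aa:aa:aa", "OFFER", "10.0.0.20"),
    ("dhcp", "aa:aa:aa:aa:aa:aa", "REQUEST", None),
    ("dhcp", "aa:aa:aa:aa:aa:aa", "ACK", "10.0.0.20"),
    ("ip", "aa:aa:aa:aa:aa:aa", "10.0.0.20"),
    ("ip", "bb:bb:bb:bb:bb:bb", "10.0.0.50"),
    ("ip", "bb:bb:bb:bb:bb:bb", "10.0.0.50"),
]


def run(events: List[Tuple], dhcp_required: bool = True) -> Tuple[DhcpRequiredGate, Dict[str, int]]:
    """Replay events through the gate; return the gate and forwarded-packet counts per MAC."""
    gate = DhcpRequiredGate(dhcp_required)
    forwarded: Dict[str, int] = {}
    for ev in events:
        if ev[0] == "dhcp":
            _, mac, msg, yiaddr = ev
            gate.on_dhcp(mac, msg, yiaddr)
        else:
            _, mac, src = ev
            forwarded[mac] = forwarded.get(mac, 0) + int(gate.on_ip_packet(mac, src))
    return gate, forwarded


if __name__ == "__main__":
    for required in (True, False):
        gate, fwd = run(SAMPLE_EVENTS, required)
        dropped = {m: c.dropped for m, c in gate.clients.items()}
        print(f"dhcp_required={required}: forwarded={fwd}, dropped={dropped}")
```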

  • WGB with AP1310 and LAP with WLC in 4.1

    I made a WGB with an autonomous AP1310 and a LAP managed by a WLC2006 in version 4.1.
    The bridge is up and working, but it's very strange:
    - The bridge is up and I can always ping the IP of the BRI interface of the 1310.
    - When the bridge comes up, I see the IP of the computer behind the 1310 in the wireless client list of the controller, but I can ping it only 25% of the time.
    - If I wait a long time, the MAC/IP leave the wireless client list of the controller and I can ping the computer. At this time, if I do a "debug arp enable" on the controller I don't see an ARP response from the controller for the computer behind the bridge.
    Does anyone have the same problem? Does anyone do WGB with a controller in 4.1? Any issues?
    Thanks for your help.

    Hello,
    Thanks for your prompt replies.
    @Saritha:
    1. On a new document the Save call is giving the message "NOT Modified", as I didn't perform any actions. So yes, I'm able to perform SAVE.
    2. Yes, I have performed other operations like creating a Report.
    @Eric: 3. Yes, the folder which I'm trying to save to is writable for the user.
    My Observation: When I'm trying to 'SAVE AS' on a new document it's giving a 500 error as I said earlier.
    1. But, after creating a new document, I created a new Report for that document, then 'SAVE AS' is working. That means after performing some action/modifying the document, 'SAVE AS' is working for me.
    2. The same issue (500 error) is observed when trying to perform the 'SAVE AS' call on an EXISTING document as well (which is created in BI Launchpad, refreshing and working fine).
    So, is it mandatory to perform any action (which brings the document into Modify mode [I guess]) before this 'SAVE AS' call?
    Thanks,
    Ram

  • Time Capsule: Port Forwarding Issue and DHCP with Westell 6100g Modem

    Ok, two issues as of right now, but more down the road I think... Anyways, number one, I would like to be able to back up my computer using Time Machine and my Time Capsule. Right now it works properly when inside the local network; I was wondering if there was a way to back up when outside the network... I travel a lot and always have my MacBook Pro with me. Also, I have a USB hard drive connected to the USB port on the back of the Time Capsule but it's not showing up anywhere... is that only for printers??? That's not such a big deal, but it would be nice to have access to that hard drive from multiple computers... OK so part two of my issues is, I have a Westell 6100g modem for Verizon DSL service, which is crappy, but that's beside the point; it is a modem/router, so I have the Time Capsule connected directly to that Westell. The Westell only has one Ethernet port, so that's wired to the Time Capsule and then my computers are connected wirelessly and wired through the Capsule. It seems that the Westell is distributing the IPs and is controlling the port forwarding and whatnot. I have tried a few things to give control to the Time Capsule but that didn't work. I followed these directions on the web page http://www.dslreports.com/faq/vz/4._Hardware#13600 but it didn't work properly; I couldn't log onto the web at all. Maybe I'm doing something wrong.... Anyways, what I really want to do is control everything that the Westell is controlling right now with the Time Capsule... I want to give out IPs and also control port forwarding with the Capsule. Any way of getting that accomplished would be AWESOME... I'm somewhat intelligent when it comes to computers so I should understand everything you are talking about... please help!!!

    wattabing wrote:
    Ok, two issues as of right now, but more down the road I think... Anyways, number one, I would like to be able to back up my computer using Time Machine and my Time Capsule. Right now it works properly when inside the local network; I was wondering if there was a way to back up when outside the network... I travel a lot and always have my MacBook Pro with me.
    If you have Back to My Mac (an online service from Apple's MobileMe), then you can perform the following actions with your Time Capsule remotely:
    1. Remote disk access to both the Time Capsule disk and a compatible disk connected via the Time Capsule's USB ports.
    2. Remote configuration.
    Also, I have a USB hard drive connected to the USB port on the back of the Time Capsule but it's not showing up anywhere... is that only for printers???
    Printer, hub, or compatible disk.
    http://support.apple.com/kb/HT2421
    Anyway, it could be a setup issue for you. Assuming you have Back to My Mac (MobileMe), the procedure for Time Capsule services is shown in the following Apple support KB:
    http://support.apple.com/kb/HT3486
    and for the USB disk please see the following Apple support KB:
    http://support.apple.com/kb/ht2426

  • Manual IP and DHCP conflicts

    My Barricade g died (SMC2804WBRP-G). I replaced it with an Airport Extreme (802.11g).
    With the Barricade g, I had manually assigned IP addresses to all the computers on the LAN (range 192.168.x.1-192.168.x.99). The router distributed IP addresses to the wireless clients via the DHCP range (192.162.x.100-192.168.x.200).
    I've setup the AEBS to Distribute IP addresses and selected Share a single IP address (using DHCP and NAT).
    BUT, the AEBS is assigning some of the manual addresses to wireless client IP requests. Then the computer that is supposed to have a manual IP address doesn't have one. Basically, the manual and DHCP addresses are coming from the same pool and causing conflicts.
    How do I deal with manual IP addresses AND DHCP with this router?
    Thanks

    David,
    Thanks for the input. But, I may have misread my post.
    From my original post.
    'With the Barricade g, I had manually assigned IP address to all the computers on the LAN (range 192.168.x.1-192.168.x.99). The router distributed IP addresses to the wireless clients via DHCP range (192.162.x.100-192.168.x.200).'
    In other words, on the network, LAN=static IPs, Wireless clients=DHCP.
    You can have both static and DHCP on the same network.

  • DHCP Error with WLC 2504 and Aironet 2600 setup across subnets

    Hey guys
    I have just setup a new WLC 2504 controller to manage a WiFi service that will span 6 geographic locations.  The local networks at each location are on different subnets (all 192.168.x.x) and are linked up via IPSEC VPN links, and there is Active Directory spanning the sites, with DNS and DHCP servers running at each location.
    I tested the WLC at our main office with a single AP, and it worked fine. The AP set itself up, and wireless devices connect with no probs. Great! Yesterday I headed out to one of our remote sites and connected an AP to their network, and that seemed to work fine too. Within a few minutes I was able to see the WiFi network I'd set up, and my smartphone connected to it straight away (as I'd previously connected at the main office), so I was pretty happy that all was working well.
    This morning however I've had notification that WiFi performance at the remote site isn't great. I've got someone to check their IP address, and I've found that their IP address and default gateway match the LAN at the main office where the WLC is based, NOT the LAN where the wireless client is. Obviously this is not ideal!
    So I guess my question is, what have I done wrong? (I guess I HAVE done something wrong!?). And how can I get wireless clients at remote sites to pick up an IP from the DHCP server at THEIR site?
    Any help would be greatly appreciated!
    Thanks!

    Hello Tim,
    What mode are your APs in? Local mode or FlexConnect mode?
    If local mode, then all the traffic will be tunnelled to the WLC and they'll be the same as if you were connecting from the WLC location.
    If you use FlexConnect APs (which is recommended for remote sites) you can configure FlexConnect groups on the WLC and add each location in a specific group. In that group you can decide what VLAN the users should be in.
    Check this link for FlexConnect group configuration
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html#wp1230080
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Windows 8.1 compatibility with WLC v7.0.98.218 and DELL DEVICES

    hello,
    We have a lot of WLCs (4400, WiSM, WS-C3750G-24PS and 5500) running version 7.0.98.218.
    Windows 7 and Windows 8 clients are able to connect to the WiFi, while those with Windows 8.1 can no longer connect.
    We tested two WLANs, one with security policy [WPA2] [Auth (802.1X)] and another with [WPA2] [Auth (PSK)], MAC Filtering.
    On neither of the WLANs did the clients with Windows 8.1 bind (cannot connect).
    The output obtained is attached.
    One of the devices which is having problems is a Dell laptop E5430.
    We've updated the wireless card drivers ... according to Dell ... I did a downgrade to an old version ... upgraded to the latest versions given by Broadcom ... but still the problem persists.
    Can you help me?!?
    Regards,
    Tiago Marques

    To ensure that your network is ready for 802.11w and Windows 8, make sure that you are running the latest Cisco Unified releases on your wireless controller network.
    Please find the link :-
    http://www.my80211.com/home/2012/10/19/bug-cscua29504-upgrade-that-code-if-you-want-windows-8-to-wo.html

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
    I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
    To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
    As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
    Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
    Thx
    Frank

    So i ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
    The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth. Since we want to do CWA, we use MAC Filtering with ISE as the RADIUS server. If you send this RADIUS authentication traffic for MAC Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to. Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails. (This was a limitation of ISE 1.1. Not sure if this persists in 1.2 or not.)
    So what now? In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the foreign controller so that the client will use a DNS name of https://ise03.mydomain.com/... to redirect the client to. Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session. Note, you do have to allow ISE03 to send a CoA.
    In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

  • Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

    I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
    WLC 2504
    1142 LAPs
    4510R+E
    ASA 5510
    Existing configuration as follows:
    WLC management interface and APs addressed on the 192.168.126.0 /25 network
    Internal WLAN mapped to the management interface
    Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
    WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
    4510 connected to ASA inside interface (security level 100)
    Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
    ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
    What is the best way to add guest wireless to our existing configuration?
    Note: I need the guest wireless to be filtered by Websense as our internal wireless is
    Any advice would be greatly appreciated!

    Thanks for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a DHCP scope on the WLC. The client gets DHCP but cannot even ping the WLC, much less anything else. Yahya stated above to configure port 2 on the WLC to an access port on my 4510. Aren't all connections from the WLC supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the WLC untagged and add a dynamic interface for each WLAN and tag it with the appropriate VLAN ID? And then leave the (one) physical connection on the WLC (port 1) connected to a trunk link on the 4510 that allows the required VLANs?
    Any input would be greatly appreciated...
    JW

  • DNS Registration for clients with WLAN and LAN adapters

    I have read a number of articles and it seems that there are a number of people who have problems with DNS and workstations with both WLAN and LAN adapters. I haven't however found workable solutions.
    Workstation Connection Objective:
    To enable DNS discovery and IP connection to client workstations regardless of whether the client is using the WLAN or LAN, enabling users to use either the wireless or LAN adapter ad hoc, i.e. they dock their laptops at their desks, and undock to take their laptops to meetings or consultations with peers. I need to be able to discover and connect to the workstations irrespective of the adapter being used at any time.
    Most people seem to try to control which interface is used on the workstations, ie disable WLAN and only use LAN etc. Trying to disable interfaces isn't going to be feasible and its very inflexible.
    I believe I can ensure that the workstations use the NICs in our preferred order:
    1. LAN
    2. WLAN - Our wireless network isn't as fast as the LAN.
    By setting a specific DHCP metric for the WLAN router to be higher (i.e. 2) than the LAN (1). When the LAN isn't connected traffic will route via the WLAN adapter, and when the LAN adapter is connected, its router metric will be lower and it will be the preferred gateway/route.
    But how do I solve the DNS resolution for connection to that asset?
    If I disable DHCP server updates into DNS and allow secure updates from the client, it would be really good if the DNS client behaved in the following manner:
    1. The LAN adapter (referred to as primary, i.e. LAN) with the lowest metric (i.e. 1) registers/auto-updates DNS with its IP (both A and PTR). Any other adapters don't register, i.e. the WLAN.
    2. The laptop is undocked and the LAN adapter goes offline; the DNS client then triggers a registration/auto-updates its existing DNS entry with the IP from the next adapter (WLAN) with the next lowest gateway metric (2)... hence replacing the first IP registered.
    3. The laptop is docked again, and the DNS client triggers a registration/auto-updates its existing DNS entry with the IP from the primary adapter (LAN), replacing the WLAN IP.
    So there is only ever 1 IP address registered for a workstation and it will always be a valid address. Then I don't need to be concerned about whether the user has the wireless turned on and is docked.
    Being able to discover and communicate with all our workstations in our sites is a crucial requirement....
    This Microsoft article (http://technet.microsoft.com/en-gb/library/cc771255.aspx) says:
    Dynamic updates can be sent for any of the following reasons or events:
        * An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.
        * An IP address lease changes or renews with the DHCP server any one of the installed network connections. For example, when the computer is started or if the ipconfig /renew command is used.
        * The ipconfig /registerdns command is used to manually force a refresh of the client name registration in DNS.
        * At startup time, when the computer is turned on.
        * A member server is promoted to a domain controller.
    However, from what I am reading, both adapters (LAN, WLAN), if configured to update DNS, will register their IP addresses. This leads to an invalid DNS entry if the laptop is undocked, as the IP for the LAN adapter isn't removed.
    Has anyone solved this problem for their organizations without:
    1. Controlling which adapter is used - large management overhead
    2. Only allowing one adapter to register with DNS
        - If using the LAN adapter for DNS, then any time the user is using the WLAN, their workstation doesn't have a valid DNS entry. Which also impacts Kerberos.
        - If using the WLAN, then we would have to invest a large amount of money into wireless to provide the necessary bandwidth
    3. Setting GPOs to configure DNS updates every 30 mins on clients
        - Inconsistent results... which I think is sometimes a worse problem
    4. Defining separate DNS suffixes for their WLAN networks (I read some people did this)
        - This doesn't remove an invalid DNS entry, i.e. the IP (LAN adapter) DNS entry if the laptop is undocked
        - It also creates problems with Kerberos, if the host is registered under a separate DNS suffix from the Active Directory domain name

    Hi,
    From my point of view, DNS can't be so smart.
    As a workaround, please try the steps below,
    Disable the DNS registration of the wireless adapter.
    Put "ipconfig /registerdns" in a bat file.
    Every time the wired network is undocked, run the bat file.
    If the wired network is docked, the wired adapter will register the DNS record.
    When the wired network is undocked, run the bat file, then the wireless adapter will register the DNS record.
    If the wired network is docked again, the wired adapter will register the DNS record automatically.
    Best Regards.
    Steven Lee
    TechNet Community Support

  • An issue with WLC 5508 and 7921 phone

    Hello all!
    I have a system with a WLC 5508 and some 1242 APs, and I use a lot of 7921 phones.
    One of the 7921 phones was in trouble. It loses registration, disconnects conversations...
    I installed the trial WLC and ran voice diagnostics.
    I saw some "Potentially degraded QoS in downlink direction because of incorrect packet classification" messages and one "Fair upstream packet loss ratio: 1,2%, which is less than threshold 2.5%".
    As I understand it, all of the 7921 phones in this area are affected.
    What does it mean? I set up Platinum QoS for the voice WLAN. I don't have any QoS configuration for the AP and WLC ports on the switches...
    Any ideas?
    Thanks in advance

    Sergey:
    There is one application called "WLC Config Analyzer". You save your "show run-config" from your WLC in a text file and import it into this application. It will analyze the file for you and tell you what recommendations for voice are missing so you can improve them.
    When importing a config file you choose what voice clients you are using, so you need to choose Cisco 7921 so it tells you what config improvements are needed based on the 7921's needs.
    Here is the link to download the application:
    https://supportforums.cisco.com/docs/DOC-1373
    Download the latest version.
    BTW, how many voice/data clients are connected to one AP in that area? If I remember correctly, if you are utilizing voice then the max number of clients connected to one AP should not exceed 17. If you have more than this number per AP, try to minimize the number of users concurrently connected to the AP then try again.
    Hope you'll find the config analyzer useful.
    If useful please don't forget to rate.
    Amjad

  • Help with wireless controller and VLANs

    Hi, I'm trying to set up a wireless controller in preparation for a large site go-live later this year. I'm struggling to get the controller and the WLAN using the correct VLAN. I want the controller on VLAN 100 and the clients on the WLAN on VLAN 200.
    My thought is that I would need a config similar to:
    Switchport for wireless controller management port set to trunk VLAN 100 and 200 with no native VLAN set.
    The management interface on the controller set to VLAN 100.
    A dynamic interface created on VLAN 200.
    When setup like this I can get to the controller on its management address but only from VLAN100 not from another VLAN on site or from other sites over the WAN.
    I have setup a WLAN which is set to use the dynamic interface on VLAN 200.
    I have set the AP to use HREAP and set the native VLAN as 200 and added the dynamic interface into the VLAN mappings
    When I connect a client to the WLAN I get an address on VLAN 100.
    The switchport for the AP is set to native VLAN 100 and trunk 200 – this setup works for standalone APs at other sites.
    What am I missing?
    Also any idea why the management interface address is not routing? The netmask and gateway are set correctly.
    Thanks
    Paul

    Just to add to Steve's post... You only need to create a dynamic interface for VLAN 200 if you have APs also in local mode. If your APs are in H-REAP/FlexConnect mode, you don't need a dynamic interface for VLAN 200.
    In your H-REAP/FlexConnect AP, you would set the WLAN-to-VLAN mapping there and the switchport configuration would be a trunk allowing VLAN 100 (I'm assuming your native VLAN for your AP) and VLAN 200. You should see something like the following:
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Help me : Problem with WLC and AP

    Hi,
    We have a few AP on our network which work fine.
    But, those which are behind our fw don't work.
    LAN WI-FI with WLC  <>--------Lan Routed---with Ap (Ok) ------------------
                                     <> -------FW <> Vlan behind Fw and APs not work fine.
    WLC = Software Version 7.0.220.0
    Logs on WLC:
    spamApTask2: Jun 04 11:49:59.494: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask1: Jun 04 11:48:49.323: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask2: Jun 04 11:47:39.149: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask1: Jun 04 11:46:28.978: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask2: Jun 04 11:45:18.806: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask1: Jun 04 11:44:08.632: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *osapiBsnTimer: Jun 04 11:43:51.235: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2202 Failed to complete DTLS handshake with peer 172.37.251.71
    debug dtls:
    *spamApTask1: Jun 04 11:22:42.434: 64:a0:e7:5f:e5:70 record=Alert epoch=0 seq=2
    *spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70 SSL_do_handshake: SSL_ERROR_SSL while communicating with 172.37.251.71 : (null)
    *spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70  Requested by openssl_dtls_process_packet
    *spamApTask1: Jun 04 11:22:42.435: dtls_conn_hash_delete: Deleting hash for Local 172.18.3.2:5246  Peer 172.37.251.71:52258
    *spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70 DTLS Connection 0x145520d0 closed by controller
    *spamApTask1: Jun 04 11:22:42.436: dtls_conn_hash_search: Searching hash for Local 172.18.3.2:5247  Peer 172.37.251.71:52258
    Cordially,

    Hi,
    - On the FW:
    a. Make sure the FW is open for UDP ports 5246 and 5247, required for the CAPWAP process.
    If this is a Cisco ASA, you can set up ingress and egress packet captures to see what packets enter and leave the FW for this AP:
    cap capin interface match udp any
    cap capout interface match udp any
    **match captures the bidirectional flow for the interesting traffic.
    b. Check the logs on the firewall for any drops.
    c. cap capdrop type asp-drop all
    This will tell you if the pkt was dropped and the reason for the drop.
    d. You can run the packet-tracer command on the firewall, tracking this UDP flow:
    e.g. packet-tracer input inside udp 3.3.3.3 1212 2.2.2.3 5246 detailed
    - What AP model is this? Is it the same AP that connects to the controller if there is no FW in the path?
    - Does it use a MIC or SSC cert? If SSC, make sure you have SSC checked and you will need to manually enter the hash for the AP on the controller under the AP Authorization List:
    Security > AP Policies
    You can get the hash of the AP (if you don't have it) by enabling the following debug on the controller:
    debug pm pki enable
    Other controller debugs for the AP:
    debug mac address
    debug capwap error enable
    debug capwap events enable
    - What about AP console log? Do you have access to that?
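    A small triage script for the WLC log lines quoted in the question, as an added example (not Cisco tooling and not code from either post): it groups the %DTLS-3-HANDSHAKE_FAILURE lines by peer to see whether one AP is retrying on a fixed cadence, pulls the local CAPWAP port out of the "debug dtls" hash lines, and lists the UDP 5246/5247 rules the reply says to verify on the firewall. The sample log is constructed in the same format as the post's lines, and the 120 s persistence threshold is an assumption.

```python
"""Triage of WLC DTLS handshake-failure syslog lines (illustrative script, not Cisco tooling)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in the format of the lines quoted in the post (peer address kept from
# the thread; timestamps and the unrelated last line are made up).
SAMPLE_LOG = """\
*spamApTask2: Jun 04 11:47:39.149: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:48:49.323: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask2: Jun 04 11:49:59.494: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:22:42.435: dtls_conn_hash_delete: Deleting hash for Local 172.18.3.2:5246  Peer 172.37.251.71:52258
*spamApTask1: Jun 04 11:22:42.436: dtls_conn_hash_search: Searching hash for Local 172.18.3.2:5247  Peer 172.37.251.71:52258
*spamApTask1: Jun 04 11:50:01.000: constructed unrelated line that must be ignored
"""

HANDSHAKE_RE = re.compile(
    r"^\*?(?P<task>\w+): (?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%DTLS-3-HANDSHAKE_FAILURE: (?P<src>\S+) Failed to complete DTLS handshake "
    r"with peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3})$"
)
HASH_RE = re.compile(
    r"dtls_conn_hash_(?P<op>\w+): .*Local (?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"Peer (?P<pip>[\d.]+):(?P<pport>\d+)"
)
# CAPWAP UDP ports the firewall must pass, as the reply above points out
CAPWAP_PORTS = {5246: "control", 5247: "data"}
PERSIST_GAP_S = 120.0  # assumption: retries closer than this are one continuing failure


def _ts(text: str) -> datetime:
    # Syslog lines carry no year; only differences between timestamps are used below
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def handshake_failures(log_text: str) -> Dict[str, dict]:
    """Group %DTLS-3-HANDSHAKE_FAILURE lines by peer and measure the retry cadence."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line.strip())
        if m:
            times[m["peer"]].append(_ts(m["ts"]))
    summary = {}
    for peer, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap: Optional[float] = sum(gaps) / len(gaps) if gaps else None
        summary[peer] = {
            "failures": len(stamps),
            "mean_gap_s": mean_gap,
            # a steady retry cadence means the AP keeps trying and keeps being refused
            # or blocked on the path, not a one-off glitch
            "persistent": len(stamps) >= 3 and mean_gap is not None and mean_gap < PERSIST_GAP_S,
        }
    return summary


def capwap_flows(log_text: str) -> List[dict]:
    """Extract local/peer socket pairs from 'debug dtls' hash lines and name the CAPWAP port."""
    flows = []
    for line in log_text.splitlines():
        m = HASH_RE.search(line)
        if m:
            lport = int(m["lport"])
            flows.append({
                "op": m["op"],
                "local": f"{m['lip']}:{lport}",
                "peer": f"{m['pip']}:{m['pport']}",
                "capwap": CAPWAP_PORTS.get(lport, "unknown"),
            })
    return flows


def firewall_checks(summary: Dict[str, dict]) -> Dict[str, List[str]]:
    """For each persistently failing peer, list the firewall rules to verify (AP -> WLC, UDP)."""
    return {
        peer: [f"udp/{port} ({name})" for port, name in CAPWAP_PORTS.items()]
        for peer, s in summary.items() if s["persistent"]
    }


if __name__ == "__main__":
    s = handshake_failures(SAMPLE_LOG)
    print(s)
    print(capwap_flows(SAMPLE_LOG))
    print(firewall_checks(s))
```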

  • Trunk with WLC and 1400BR problem

    Hi everybody,
    I have the next problem, I hope someone can help me.
    Actually I work with a 1522 Mesh network, 1130 LWAPP and Bridge 1400 point to point. The 1522 and 1130 are associated with the WLC.
    I have a WLC4402 (4.1.192.22M (Mesh) image); this WLC is connected via trunk to a Sw3750, ex:
    interface GigabitEthernet1/0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    RAP1 is connected to the sameSw3750 ex:
    interface FastEthernet1/0/23
    description RAP1
    switchport access vlan 10
    **(VLAN 10 is Mgmt)**
    AP1(1130) is connected to the same Sw3750 ex:
    interface FastEthernet1/0/1
    description AP1
    switchport access vlan 10
    The 1410BR Root is connected via trunk to same Sw3750 ex:
    interface FastEthernet1/0/19
    description BR-1400R
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport mode trunk
    In the other point is the Non-Root connected to a Sw2960 ex:
    interface GigabitEthernet1/0/1
    switchport trunk native vlan 10
    switchport mode trunk
    AP2(1130) connected to the same Sw2960 ex:
    interface fa0/23
    description AP2
    switchport access vlan 10
    The network is working fine, Mesh UP (RAP and MAPs), and the 1130 too. I connected the 1400 Bridge point after the Mesh was up, and the link between Root and Non-Root is UP.
    Now, when the Sw3750 goes down or reboots, the RAP and AP1 (1130) can't associate to the WLC. The ports of the RAP and 1130 go down and up many times, so they can't associate to the WLC. Only the Bridge 1400 Root and Non-Root are UP, and the AP2 (1130) on the other side can associate to the WLC.
    When I shut down the port of the Root Bridge, the RAP1 and AP1 (1130) can associate to the WLC and the Mesh network is UP. Then I "no shutdown" the Root Bridge port and the link between the Bridges is UP; AP2 (1130) comes up to the controller too.
    But after several minutes the Bridge goes down, and the event log on the Root is: Interface Dot11Radio0 Radio transmit power out of range.
    So I have these problems:
    1) Trunks between WLC and 1400 BR
    2) Bridge connectivity range.
    Regards
    Antonio

    The Outdoor Bridge Range Calculation Utility uses parameters that include regulatory domain, device type, data rate, antenna gain, and a few others as inputs.
    You can avoid connectivity problems with the Outdoor Bridge Calculation Utility, as this tool helps you to predict the distance between devices. In a wireless environment without a tool like this, you cannot predict the distance between the bridges, the height at which you must place the antennas for maximum throughput, and other variables. This utility also helps you decide on the type of antenna that you must use in order to cover the distance between the bridges.
