Your reply and suggestions were just what I had hoped for. Many thanks for pointing me in the right direction.
Br.
Original Message:
Sent: Aug 25, 2024 08:59 AM
From: lord
Subject: CAP´s randomly disconnects
It is already possible to operate CAPs over a WAN line; only certain requirements must be met. The AP behavior can also be optimized; it is documented here.
The AP goes online as soon as it has established an IPSec tunnel to the controller. If no tunnel has been established, the controller shows it as offline, even though the AP is reachable and you can ping it.
Use show crypto ipsec sa peer <CAP-IP> to check the IPSec status.
I don't think you'll get anywhere with an SSH session on the AP, you won't find the familiar syntax there.
Troubleshoot IP-Sec behavior on the controller instead. Increase log level on mobility controller by using the following commands in MM:
1) Debugging IKE and ISAKMP
OS version dependent
(config)# logging level debugging security process crypto
(config)# logging level debugging security subcat ike
or
(config)# logging security process crypto level debugging
(config)# logging level debugging security subcat ike
2) Debugging L2TP and local-db authentication:
(config)# logging level debugging security process l2tp
(config)# logging level debugging security process localdb
Check the log on the mobility controller using these commands:
show log system 300 | include <AP-Name>,<AP-IP>,<AP-Wired-MAC>
show log security 300 | include <AP-Name>,<AP-IP>,<AP-Wired-MAC>
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Aug 22, 2024 03:49 PM
From: Th3Plug
Subject: CAP´s randomly disconnects
Hi Airheads
I have a problem that I've tried to wrap my head around for weeks, but I need your help.
We randomly have access points disconnect from the controllers all over the globe; it can be at a site 800 meters away from the controller or in the US, 6400 KM away from the controller. It can be one access point or five access points.
It's random.
We tried different things to resolve the issues and to get the APs to connect again, with mixed results.
Clear session on the Palo Alto, reset PoE on the 2930F switch, disable/enable the port, clear gap-db on the MM…
Nothing really helps to force 'em back on the controller… they like to live their own lives… and eventually, when I've tried different things without success, the next day they may be active on the controller, or half of 'em, and the rest will connect over a day or two ☹
I've noticed that the AP gets an IP from the DHCP server, and that the AP is pingable, even though it does not show up in LLDP on the switch and the controller, and they draw PoE power.
I've tried to log in to an AP that is pingable but have joined the controller, but I can't. Is there a way to enable SSH on the APs so I can see what's going on from the AP's side when it doesn't join the controller but has an IP?
Any advice on how to proceed with the troubleshooting?
Br. Th3Plug
Attach some screenshots