
AP fail to connect to LMS through IPsec

Hi all,

 

We have an active/standby cluster with two 7220 controllers without MM on 8.4.0.4.

 

Currently we have a new site and want to connect two AP 305 through the IPsec site2site tunnel. 

I have adjusted the AP group profile to use an MTU of 1300 because of the tunnel.

 

Another site uses the same AP profile and works fine.

 

The problem is that the two APs are caught in a boot loop.
The APs discover the VRRP IP via DHCP in the local DHCP server.
The firewalls have no restrictions between the site and the controllers. 
I can sniff on the FortiGate and see that the AP tries to connect to the VRRP address, but the answer is sent from the WLC1 IP.

 

The WLC debug log shows the following after I restarted the AP manually:

Jul 28 13:30:11  KERNEL(00:11:22:33:44:55@<AP IP>): [    9.619216] There is no gpio reset info
Jul 28 13:30:11  KERNEL(00:11:22:33:44:55@<AP IP>): [   21.120006] uol_init_driver:261 HW offload not applicable, AP will use cutting through path!
Jul 28 13:30:14  nanny[3063]: <303022> <WARN> |AP 00:11:22:33:44:55@<AP IP> nanny|  Reboot Reason: AP rebooted caused by cold HW reset(power loss)
Jul 28 13:30:34  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:30:34  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to <WLC1 IP>.
Jul 28 13:30:44  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:30:44  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to <WLC1 IP>.
Jul 28 13:30:56  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:30:56  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to <WLC1 IP>.
Jul 28 13:31:11  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:31:11  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to <WLC1 IP>.
Jul 28 13:31:29  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:31:29  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to <WLC1 IP>.
Jul 28 13:31:52  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:31:52  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to <WLC1 IP>.
Jul 28 13:32:25  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:32:25  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to <WLC1 IP>.
Jul 28 13:32:59  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:32:59  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to <WLC1 IP>.
Jul 28 13:33:30  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:33:30  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to <WLC1 IP>.
Jul 28 13:33:57  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:33:57  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to <WLC1 IP>.

The LMS IPs in the AP profile are set to WLC1 and Backup to WLC2.

It is so strange to me because the other site is working fine with this configuration.

 

Do you have any ideas?

 

Edit:

The APs come up in the "show ap database" for 10-30 seconds and are in the CPsec whitelist.

 

Edit2:

What I can see in the sniffer is:

 

AP IP --> UDP 8211 --> VRRP IP (PAPI packet with serial number, AP-group, ...)

WLC1 IP --> UDP 8211 --> AP IP

This repeats until reboot.
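One way to quantify the bootstrap/redirect cycle visible in the controller log above, as an added example that is not part of the original post: it counts 305007/305008 cycles per AP and the seconds between them. The sample lines are constructed in the same format, and the address 192.0.2.10, the second AP MAC and the `year` parameter are placeholders.

```python
import re
from datetime import datetime

# stm lines in the format shown in the post (message IDs 305007 / 305008).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+stm\[\d+\]:\s+<(?P<id>30500[78])>.*?"
    r"AP (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?:bootstrapped|redirected to (?P<target>.+?)\.?)$", re.I)

# Constructed sample; 192.0.2.10 is a placeholder controller address.
SAMPLE = """\
Jul 28 13:30:14  nanny[3063]: <303022> <WARN> |AP 00:11:22:33:44:55@198.51.100.7 nanny|  Reboot Reason: sample
Jul 28 13:30:34  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:30:34  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to 192.0.2.10.
Jul 28 13:30:40  stm[3639]: <305007> <3639> <INFO> |stm|  AP aa:bb:cc:dd:ee:ff bootstrapped
Jul 28 13:30:44  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:30:44  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to 192.0.2.10.
Jul 28 13:30:56  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:30:56  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to 192.0.2.10.
Jul 28 13:31:11  stm[3639]: <305007> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 bootstrapped
Jul 28 13:31:11  stm[3639]: <305008> <3639> <INFO> |stm|  AP 00:11:22:33:44:55 redirected to 192.0.2.10.
""".splitlines()

def find_loops(lines, min_cycles=3, year=2000):
    """Return {mac: {cycles, targets, gaps}} for APs that bootstrap at least
    min_cycles times. The log carries no year, so `year` is an arbitrary
    placeholder used only to compute the gaps in seconds."""
    state = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # kernel, nanny and other non-stm lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ap = state.setdefault(m["mac"].lower(), {"boots": [], "targets": set()})
        if m["id"] == "305007":
            ap["boots"].append(ts)
        else:
            ap["targets"].add(m["target"])
    report = {}
    for mac, ap in state.items():
        boots = sorted(ap["boots"])
        if len(boots) >= min_cycles:
            gaps = [int((b - a).total_seconds()) for a, b in zip(boots, boots[1:])]
            report[mac] = {"cycles": len(boots),
                           "targets": sorted(ap["targets"]), "gaps": gaps}
    return report

if __name__ == "__main__":
    for mac, info in find_loops(SAMPLE).items():
        print(mac, info)
```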
