What is the timeout mechanism of CAPWAP links and how is the timeout period calculated


Timeout mechanism of CAPWAP links:
1. The timeout of CAPWAP links is detected by using keepalive (UDP port 5247) and echo (UDP port 5246) packets.
- The keepalive packets detect the status of Link Layer Protocols.
- The echo packets detect the status of Link Control Protocols (LCPs).
2. The AP sends the keepalive and echo packets. The AC sends response packets when receiving the keepalive and echo packets.
3. After the CAPWAP link enters the Run state, the AP periodically sends the keepalive and echo packets at almost the same time. This interval is configured on the AC.
4. If the AP does not receive response packets from the AC during a certain period of time, the CAPWAP link is considered faulty and enters the Down state. This interval is the timeout period.
5. If the AC does not receive the keepalive or echo packets from the AP during the timeout period, the CAPWAP link is considered faulty and enters the Down state.
Timeout period calculation:

The CAPWAP link timeout mechanism uses a timer to calculate the timeout period. A timer in the system is a countdown tool. For example, the AP sends keepalive packets every 30s: when the CAPWAP link enters the Run state, the AP immediately sends a keepalive packet and then repeatedly sends keepalive packets at an interval of 30s.

The CAPWAP link timeout period is also calculated using a timer. For example, when the CAPWAP link enters the Run state, the AP immediately sends a keepalive packet, and the timer starts a countdown of 120s. Each time the AP receives a response packet from the AC, the timer restarts the countdown of 120s. If the countdown reaches zero before the AP receives any response packet from the AC, the CAPWAP link is considered faulty.

The timeout period of echo packets is calculated in the same way as the timeout period of keepalive packets. The timer is updated immediately when an echo packet is received from the AP.
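The countdown logic in the two paragraphs above, replayed for both ends of the link as an added Python example (not Huawei's code and not code from this page). The 30s send interval and 120s timeout are the values the page uses; the link-cut scenario, the one-second response delay and the event times are constructed assumptions.

```python
"""Replay of the CAPWAP keepalive/echo timeout mechanism.

Added example, not code from Huawei or from this page. The 30 s send
interval and 120 s timeout are the page's values; the cut-link scenario
and the 1 s response delay are constructed assumptions.
"""

INTERVAL = 30    # keepalive/echo send interval configured on the AC (page example)
TIMEOUT = 120    # timeout period of the countdown timer (page example)
RTT = 1          # assumed delay between a keepalive reaching the AC and its response reaching the AP


def countdown_expiry(refresh_times, timeout=TIMEOUT, horizon=600):
    """Model one countdown timer (AP side or AC side).

    The countdown starts when the link enters Run (t = 0) and is restarted to
    `timeout` at every event in `refresh_times`: a response from the AC on the
    AP side, an arriving keepalive/echo on the AC side. Returns the second at
    which the countdown reaches zero (link goes Down), or None if it never
    expires before `horizon`.
    """
    refresh = set(refresh_times)
    deadline = timeout
    for t in range(horizon + 1):
        if t in refresh:
            deadline = t + timeout   # event seen: restart the countdown
        elif t >= deadline:
            return t                 # expired without an event: link Down
    return None


def simulate_link(cut_at, interval=INTERVAL, timeout=TIMEOUT, horizon=600):
    """Drive both ends of a link whose path is cut at second `cut_at` (None = never).

    The AP sends a keepalive at t = 0, interval, 2*interval, ... and keeps sending
    even after responses stop. A keepalive sent at t reaches the AC only if
    t <= cut_at, and its response reaches the AP at t + RTT only if that is
    still before the cut. Returns (ap_down_at, ac_down_at), each None if the
    side never times out.
    """
    cut = float("inf") if cut_at is None else cut_at
    sends = range(0, horizon + 1, interval)
    arrivals_at_ac = [t for t in sends if t <= cut]
    responses_at_ap = [t + RTT for t in arrivals_at_ac if t + RTT <= cut]
    ap_down = countdown_expiry(responses_at_ap, timeout, horizon)   # AP waits for responses
    ac_down = countdown_expiry(arrivals_at_ac, timeout, horizon)    # AC waits for keepalives
    return ap_down, ac_down


if __name__ == "__main__":
    # Constructed scenario: the path between AP and AC is cut 100 s after Run.
    # The last keepalive that gets through is the one sent at 90 s, so the AC
    # declares Down at 210 s and the AP (last response seen at 91 s) at 211 s.
    print("healthy link:", simulate_link(None))
    print("link cut at 100 s:", simulate_link(100))
```

Both sides detect the fault roughly one timeout period after the last packet that got through, which is why lowering the interval configured on the AC shortens detection time only as far as the timeout period allows.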

Other related questions:
How to calculate the timeout period of packets on the STP interface
The timeout period of packets on the STP interface can be calculated based on the following formula:
hello timeout = hello time * 3 * timer factor
By default, the value of hello time is 2s and the value of timer factor is 3s.

What is the timeout period for LACPDUs
You can configure a switch to send an LACPDU every 1 or 30 seconds. The two sending intervals are defined in IEEE 802.3ad. You can run the lacp timeout { fast | slow } command to set the timeout period for receiving LACPDUs on an interface. After this command is used, the local end informs the peer end of the timeout period through LACPDUs. If fast is configured, the peer end sends LACPDUs every one second. If slow is configured, the peer end sends LACPDUs every 30 seconds. The timeout period of LACPDUs is three times the interval for sending LACPDUs. That is, if fast is configured, the timeout period for receiving LACPDUs is 3 seconds. If slow is configured, the timeout period for receiving LACPDUs is 90 seconds. You can configure different timeout periods on the two ends. To facilitate maintenance, however, you are advised to configure the same timeout period on both ends.

IPSec VPN lifetime on the firewall
On the USG, IPSec can be applied to Layer 3 physical interfaces, VLANIF interfaces, Layer 2 interfaces, tunnel interfaces, subinterfaces, and dialer interfaces.
1. Apply an IPSec policy on a Layer 3 physical interface.
   system-view //Access the system view.
   interface interface-type interface-number //Access the physical interface.
   ipsec policy policy-name [ auto-neg ] //Apply the IPSec policy.
2. Apply an IPSec policy on a Layer 2 physical interface.
   system-view //Access the system view.
   interface interface-type interface-number //Access the physical interface.
   ipsec policy policy-name [ auto-neg ] //Apply the IPSec policy.
   Note: Before you establish an IPSec tunnel on a Layer 2 interface, you must first configure the IP address of the VLAN on which the Layer 2 interface resides.
3. Apply an IPSec policy group to a tunnel interface.
   system-view
   interface tunnel tunnel-number //Access the tunnel interface view.
   tunnel-protocol ipsec //Set the encapsulation type on the tunnel interface to IPSec.
   ipsec policy policy-name //Apply the IPSec policy group to the tunnel interface.

Method used to change the maximum number of allowed login failures for the USG6000 series
- For a VTY or console administrator, the maximum number of allowed authentication failures can be set in the lock authentication-count command. The default value is 3.
  # Set the threshold for authentication attempts to 5 on the console port.
  system-view
  [sysname] user-interface console 0
  [sysname-ui-console0] lock authentication-count 5
- For users who log in through Telnet, SSH, web UI, FTP, SFTP, or SNMP, run the firewall blacklist authentication-count login-failed command to set the threshold for authentication attempts. By default, the value is 3 for Telnet, SSH, web, FTP, and SFTP users or 6 for SNMP users.
  # Set the threshold for authentication attempts to 5 for administrators who log in through the web UI.
  system-view
  [sysname] firewall blacklist authentication-count login-failed 5
If the number of consecutive wrong passwords exceeds the specified threshold, the client IP address is blacklisted to prevent more login attempts. By default, the blacklist entry times out after 10 minutes. That is, the user can try to log in again from the same IP address 10 minutes later.

Method used to change the maximum number of allowed login failures for the USG2000&5000 series
- For a VTY or console administrator, the maximum number of allowed authentication failures can be set in the lock authentication-count command. The default value is 3.
  # Set the threshold for authentication attempts to 5 on the console port.
  system-view
  [sysname] user-interface console 0
  [sysname-ui-console0] lock authentication-count 5
- For users who log in through Telnet, SSH, web UI, FTP, SFTP, or SNMP, run the firewall blacklist authentication-count login-failed command to set the threshold for authentication attempts. By default, the value is 3 for Telnet, SSH, web, FTP, and SFTP users or 6 for SNMP users.
  # Set the threshold for authentication attempts to 5 for administrators who log in through the web UI.
  system-view
  [sysname] firewall blacklist authentication-count login-failed 5
If the number of consecutive wrong passwords exceeds the specified threshold, the client IP address is blacklisted to prevent more login attempts. By default, the blacklist entry times out after 10 minutes. That is, the user can try to log in again from the same IP address 10 minutes later.
