Hello everyone,
Today I will share with you a troubleshooting example of AP login failures caused by source NAT being enabled on the AC.
Problem Description:
In a tunnel forwarding scenario on a Layer 2 bypass network, the gateway of the wireless service is planned on the AC. The AP cannot register and go online on the AC.
Network topology:

Process:
1. Check the AP status and failure cause.

The preceding information shows that the network between the AP and AC is normal, but the CAPWAP tunnel negotiation fails.
2. Check the configurations of the AC source interface.


The preceding information shows that source NAT is enabled on the AC source interface. Checking the ACL rule referenced by source NAT shows that the rule matches all IP traffic, so NAT is performed regardless of protocol or port.

3. It is suspected that source NAT translates the port number used to establish the CAPWAP tunnel. Check the NAT sessions by the source IP address of the CAPWAP tunnel and capture packets on the AP port for analysis.

According to the NAT session information, the source port 5246 of the control tunnel packets sent by the AC is translated into 1047.
Analyze the captured packets during the AP online process. The following figure shows the captured packets. (192.168.2.136 is the IP address obtained by the AP.)

The capture shows that starting from packet 7, the AP sends a Join Request to the AC and the AC responds (packet 8), but the response should have come from port 5246 and instead comes from 10247. The AP then sends two more Join Request messages and receives the same reply. After that, the AP releases the IP address it obtained and repeats the whole process.
In conclusion, the AP fails to go online because it is stuck in the CAPWAP tunnel establishment phase: the fixed source port (5246) of the Join Response packet sent by the AC is translated, so the AP cannot recognize the packet and behaves as if it received no response.
Solution:
On further inquiry, the reason for configuring this source NAT is that the wireless service gateway is planned on the AC, and the intent was to enable source NAT on this Layer 3 outbound interface to reduce the return-route configuration needed on other devices in the network for the wireless service segment.
After understanding the requirement and the root cause, the simplest solution is to add an ACL rule (for example, rule 4) before the original rule 5 in the ACL referenced by source NAT, so that the CAPWAP control source port (UDP 5246) is excluded from translation:
[AC] acl 3999
[AC-acl-adv-3999] rule 4 deny udp source-port eq 5246
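To make the rule-ordering point concrete, here is an added example (not from the original post or from any vendor code) that models first-match ACL evaluation for source NAT and checks a constructed capture excerpt for the symptom seen above. The Rule class, the AC address 192.168.2.1 and the AP ephemeral port 50000 are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

CAPWAP_CONTROL_PORT = 5246  # CAPWAP control tunnel (UDP); must not be translated

@dataclass(frozen=True)
class Rule:
    """Hypothetical model of one advanced ACL rule ('rule N permit|deny ...')."""
    number: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" (any protocol) or "udp"
    src_port: Optional[int] = None  # 'source-port eq N'; None means any port

def rule_matches(rule: Rule, proto: str, src_port: int) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    return rule.src_port is None or rule.src_port == src_port

def source_nat_translates(acl: list[Rule], proto: str, src_port: int) -> bool:
    """Rules are checked in ascending number order; the first match decides.
    A 'permit' match means source NAT translates the packet (address and port);
    a 'deny' match, or no match at all, leaves the packet untouched."""
    for rule in sorted(acl, key=lambda r: r.number):
        if rule_matches(rule, proto, src_port):
            return rule.action == "permit"
    return False

# ACL as found on the AC: rule 5 permits all IP, so UDP 5246 is translated.
ORIGINAL_ACL = [Rule(5, "permit", "ip")]
# ACL after the fix: rule 4 excludes the CAPWAP control port ahead of rule 5.
FIXED_ACL = [Rule(4, "deny", "udp", CAPWAP_CONTROL_PORT), Rule(5, "permit", "ip")]

def translated_join_responses(packets) -> list[int]:
    """Return the numbers of Join Response packets whose UDP source port is not
    5246, i.e. the symptom from the capture. Each packet is a tuple
    (number, src_ip, dst_ip, sport, dport, message)."""
    return [n for n, _src, _dst, sport, _dport, msg in packets
            if msg == "Join Response" and sport != CAPWAP_CONTROL_PORT]

# Constructed capture excerpt (not the real capture): AP 192.168.2.136, AC 192.168.2.1 assumed.
SAMPLE_CAPTURE = [
    (7, "192.168.2.136", "192.168.2.1", 50000, 5246, "Join Request"),
    (8, "192.168.2.1", "192.168.2.136", 10247, 50000, "Join Response"),
]

if __name__ == "__main__":
    print("original ACL translates 5246:", source_nat_translates(ORIGINAL_ACL, "udp", CAPWAP_CONTROL_PORT))
    print("fixed ACL translates 5246:", source_nat_translates(FIXED_ACL, "udp", CAPWAP_CONTROL_PORT))
    print("Join Responses with translated source port:", translated_join_responses(SAMPLE_CAPTURE))
```

Running the checks before and after the ACL change shows why rule 4 must carry a lower number than rule 5: with the permit-all rule first, the deny would never be reached.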
Summary:
1. The CAPWAP tunnel establishment involves two ports: UDP 5246 and UDP 5247.
Port 5246 is used as the CAPWAP control tunnel and must be excluded from the ACL referenced by local source NAT.
Port 5247 is used for the CAPWAP data tunnel and is not translated by local source NAT.
2. The same applies to destination NAT (nat server or nat static). Prevent UDP port 5246 from being translated.
That is all I want to share with you! Thank you!
