Case Study: APs on Different Network Segments Fail to Go Online Because the UDP Port of the CAPWAP Tunnel Is Restricted on the Intermediate Network
Symptom
As shown in the following figure, the AC is connected in off-path mode and a firewall is deployed on the intermediate network. APs located on a different network segment from the AC fail to go online.
Relevant Alarms and Logs
None
Cause Analysis
The intermediate network restricts UDP ports 5246 and 5247 on the CAPWAP tunnel in the direction towards the AC. Both CAPWAP tunnels depend on these ports:
- The AP and AC exchange Keepalive packets over UDP port 5247 to detect data tunnel connectivity.
- The AP and AC exchange Echo packets over UDP port 5246 to detect control tunnel connectivity.
Procedure
- Check the AP status on the AC.
  - Run the display ap all command on the AC. The status of the offline APs is displayed as idle.
  - Run the display ap online-fail-record all command. The command output shows that no AP going-online failure record exists.
  - Run the ping -s 9600 -a capwap-source-ip ap-ip command on the AC to ping the AP, using the IP address of the CAPWAP source interface as the source address. The ping succeeds.
  - Run the trace commands to trace the AP online process. No trace output is displayed.
    [AC] trace object mac-address ap-mac
    [AC] trace enable
    Disable the trace function.
    [s7706] undo trace object all
    [s7706] undo trace enable
- Log in to the AP and check the AP status.
  - Run the display ap-address-info command to check that the AC list on the AP is correctly configured.
  - Run the display system-information command to check that the AP version and ESN are correct.
  - Run the display capwap link all command in the diagnostic view. The command output shows that the AP has not received any Discovery Response packet from the AC, and the CAPWAP tunnel is in the DISY state.
    [AP-diagnose] display capwap link all
    Process 0
    -------------------------------------------------------------------------------------------------
    ID  Client MAC  CPort  DPort  Type  State  Role    VPN  DstAddr  SrcAddr
    -------------------------------------------------------------------------------------------------
    0   z-z-z-z     5246   5247   AP    DISY   Client  -    x.x.x.x  y.y.y.y
    ......
  - Check the CAPWAP link status through debugging.
    <AP> debugging capwap all
    <AP> terminal monitor
    <AP> terminal debugging
    The key information in the debugging output is that the AC does not receive the Discovery Request packet sent by the AP.
- Check the intermediate network. The UDP ports of the CAPWAP tunnel are found to be restricted. After the restriction is removed, the APs go online and the problem is solved.
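The cause analysis above and the final check of the intermediate network can be rehearsed against a firewall policy before it is deployed. The following is an added example, not part of the original case study or of any vendor product: a first-match ACL simulator that reports which CAPWAP tunnel a policy blocks in the AP-to-AC direction (the direction the AP initiates both tunnels and the one found restricted here). The rule format, subnets and addresses are constructed for illustration.

```python
# Added example (not from the original case study): first-match ACL simulator
# that reports which CAPWAP tunnel a policy blocks for AP -> AC traffic.
# All rules, subnets and addresses below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# CAPWAP tunnels (RFC 5415): control on UDP 5246, data on UDP 5247.
CAPWAP_TUNNELS = {"control": 5246, "data": 5247}

@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp" or "any"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None matches any port

def first_match(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
                dport: int, default: str = "deny") -> str:
    """Action of the first rule matching the flow, or the implicit default."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if s not in ipaddress.ip_network(r.src) or d not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return default

def blocked_capwap_tunnels(rules: List[Rule], ap_ip: str, ac_ip: str) -> List[str]:
    """Names of the CAPWAP tunnels the policy drops for AP -> AC traffic."""
    return [name for name, port in CAPWAP_TUNNELS.items()
            if first_match(rules, "udp", ap_ip, ac_ip, port) != "permit"]

# Constructed policies: BROKEN reproduces the symptom (ICMP passes so the ping
# succeeds, but Discovery/Echo and Keepalive are dropped); FIXED is the repair.
AP_SUBNET, AC_HOST = "10.1.0.0/16", "10.0.0.10/32"
ANY = Rule("permit", "any", "0.0.0.0/0", "0.0.0.0/0", None)
BROKEN_POLICY = [
    Rule("deny", "udp", AP_SUBNET, AC_HOST, 5246),  # control tunnel
    Rule("deny", "udp", AP_SUBNET, AC_HOST, 5247),  # data tunnel
    ANY,
]
FIXED_POLICY = [
    Rule("permit", "udp", AP_SUBNET, AC_HOST, 5246),
    Rule("permit", "udp", AP_SUBNET, AC_HOST, 5247),
    ANY,
]
```

Because the BROKEN policy still permits ICMP, the ping from the AC succeeds exactly as in the case study while both tunnels are reported blocked; a stateful firewall admits the AC's replies on the same session once the AP-to-AC direction is permitted.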