AP通过ipsec隧道注册不上经验案例

某局点AP在分支机构，AC在总部，分支之间建立ipsec隧道，AP通过隧道注册不上AC。AP能获取地址也能正常ping通AC。在AC上dis wlan ap all查看AP的状态，一直在“I”和“C”之间切换。

在AC上debugging wlan lwapp all收集debug信息调试信息分析AP注册失败原因。AP地址172.22.32.230 AC地址192.168.251.234。

*Dec 29 13:17:34:882 2016 ac LWPS/7/Event:  Discovery request message received from AP with WA4320i-ACN Model and Serial-ID 210235A1GPC16A001203 and IP [172.22.32.230] and SoftVer [279073920].//收到AP发送的发现请求报文
*Dec 29 13:17:34:882 2016 ac LWPS/7/Event:  Success get software version [279073920].
*Dec 29 13:17:34:882 2016 ac LWPS/7/Event:  Get software version extend info [0].
*Dec 29 13:17:34:882 2016 ac LWPS/7/Event:  [APID: 156] LWAPP to WMAC : Check radio configuration compatibility
*Dec 29 13:17:34:883 2016 ac LWPS/7/Event:  [APID: 156] Radio configuration with WMAC successful
*Dec 29 13:17:34:883 2016 ac LWPS/7/Event:  LWAPP to WMAC : Get radio capability
*Dec 29 13:17:34:883 2016 ac LWPS/7/Event:  LWAPP to WMAC : Get station capability
*Dec 29 13:17:34:883 2016 ac LWPS/7/Event:  Select Source IP From Pack:0xc0a8fbea
*Dec 29 13:17:34:883 2016 ac LWPS/7/Pkt_Send:  
 Sent Discovery Response to 172.22.32.230 (Length: 74)(from 192.168.251.234)//回复发现请求报文
 04 00 00 44 00 00 02 01 00 3c 00 00 00 00 02 00
 07 00 70 f9 6d a7 77 2a 06 00 12 00 00 00 00 43
 10 a2 54 80 02 51 50 00 01 10 20 00 02 1f 00 03
 48 33 43 68 00 07 00 00 63 a2 00 d3 07 68 00 0a
 00 00 63 a2 00 cf 58 65 0c ee

*Dec 29 13:17:37:365 2016 ac LWPS/7/Pkt_Rcvd:  
 Received Join Request from 172.22.32.230 (Length: 167)(to 192.168.251.234)//收到加入请求报文

Sent Join Response to 172.22.32.230 (Length: 71)(from 192.168.251.234)//回复加入请求报文
 04 00 00 41 00 00 04 02 00 39 00 00 00 00 02 00
 04 00 00 00 00 2d 00 04 1a 35 80 98 6c 00 10 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6d
 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00

*Dec 29 13:17:37:386 2016 ac LWPS/7/Pkt_Rcvd:  
 Received Join ACK from 172.22.32.230 (Length: 64)(to 192.168.251.234)//收到AP回复的加入确认报文

*Dec 29 13:17:37:413 2016 ac LWPS/7/Pkt_Rcvd:  
 Received Configuration Request from 172.22.32.230 (Length: 1440)(to 192.168.251.234)//收到AP发送的配置请求报文。

*Dec 29 13:17:37:415 2016 ac LWPS/7/Event:  [APID: 156 State: JoinAck] Configuration Request received
*Dec 29 13:17:37:415 2016 ac LWPS/7/FSM  :  [APID: 156] JoinAck -> Config//AP进入配置加载状态

Sent Configuration Response to 172.22.32.230 (Length: 1495)(from 192.168.251.234)//AC向AP回复Configuration Response报文

AP上收集debug信息

*Dec 29 13:21:13:038 2016 WA4320i-ACN LWPC/7/Pkt_Send:  
 Sent Configuration Request to 192.168.251.235 (Length: 1440)

*Dec 29 13:21:13:038 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Created DataChannelKeepAlive Timer, Time long:3(s), LoopType:Loop.
*Dec 29 13:21:16:467 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] handle DataChannelKeepAlive Timer.
*Dec 29 13:21:16:468 2016 WA4320i-ACN LWPC/7/Error:  
  Retransmit failed, count reach max [1], MsgType:10, TunnelStrongFlag:0.//传输失败
*Dec 29 13:21:16:468 2016 WA4320i-ACN LWPC/7/Event:  
 [Tunnel : Master State : Config] 14 Timer expired
*Dec 29 13:21:16:468 2016 WA4320i-ACN LWPC/7/FSM  :  
 [Tunnel : Master State : Config] AP LWAPP FSM machine TimeOut, result Timed out
*Dec 29 13:21:16:468 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Not delete Idle-TO Timer, already delete.
*Dec 29 13:21:16:469 2016 WA4320i-ACN LWPC/7/Event:  
 [State : Config] Clear Context
*Dec 29 13:21:16:469 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Not delete Inter-Disc Timer, already delete.
*Dec 29 13:21:16:469 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Not delete Rdm-Disc Timer, already delete.
*Dec 29 13:21:16:469 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Not delete Silent Timer, already delete.
*Dec 29 13:21:16:469 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Not delete Nbr-Dead Timer, already delete.
*Dec 29 13:21:16:470 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Not delete Echo-Req Timer, already delete.
*Dec 29 13:21:16:470 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Not delete Statistics Timer, already delete.
*Dec 29 13:21:16:470 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Deleted DataChannelKeepAlive Timer
*Dec 29 13:21:16:470 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Not delete Key-Life Timer, already delete.
*Dec 29 13:21:16:470 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Not delete Image-Wait Timer, already delete.
*Dec 29 13:21:16:471 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Not delete OldKey-Life Timer, already delete.
*Dec 29 13:21:16:471 2016 WA4320i-ACN LWPC/7/Timer:  
 [TUNNEL:0] Deleted Response-TO Timer
*Dec 29 13:21:16:471 2016 WA4320i-ACN LWPC/7/FSM  :  
 Change State  : Config to Idle//状态改变为idle

分析AP未收到AC的Configuration Response的原因，AP发给AC的Configuration Request报文的长度为1440，而AC给AP的Configuration Response报文长度是1495。因为AP从AC下载配置的时候交互报文比较大，接近1500byte。经过隧道封装之后要超过1500，而接口设备的MTU默认是1500。可能是中间链路报文分片重组异常导致。

将总部和分支的MTU改小1200或者在AC的vlan虚接口下修改mtu