组网及说明
AC+Fit AP组网,二层自动注册,集中转发。AC型号WX3520H,AP型号WA5320-SI。
问题描述
项目新增五十台WA5320-SI的ap,测试时发现无法上线。 相同型号的几百台旧ap之前都是正常上线的。
过程分析
1、查看ap能获取到地址,并且AP可以ping通AC,说明连通性没问题
<H3C>dis ip int br
Interface Physical Protocol IP Address Description
Vlan1 up up 10.7.1.64 --
<H3C>ping 10.7.1.1
Ping 10.7.1.1 (10.7.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.7.1.1: icmp_seq=0 ttl=255 time=1.154 ms
56 bytes from 10.7.1.1: icmp_seq=1 ttl=255 time=0.388 ms
56 bytes from 10.7.1.1: icmp_seq=2 ttl=255 time=0.385 ms
56 bytes from 10.7.1.1: icmp_seq=3 ttl=255 time=0.394 ms
56 bytes from 10.7.1.1: icmp_seq=4 ttl=255 time=0.404 ms
--- Ping statistics for 10.7.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.385/0.545/1.154/0.305 ms
2、
<SDTYG_WIFI_AC>display wlan ap all
Total number of APs: 214
Total number of connected APs: 214
Total number of connected manual APs: 0
Total number of connected auto APs: 214
Total number of connected common APs: 214
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 512
Remaining APs: 298
Total AP licenses: 512
Local AP licenses: 512
Server AP licenses: 0
Remaining Local AP lic
3
、AC的版本是R5433P03,支持WA5320-SI这款AP型号
4、由于是自动注册,display wlan ap all查看不到未上线ap的状态。将测试ap配置手动注册,再次查看状态发现一直处于I
5、AC的apimge文件夹下有wa5300.ipe文件,且AC上已经关闭了firmware-update版本校验功能。也并没有配置APDB特殊命令
<AC>dir
Directory of cfa0:/apimge
6 -rw- 21411840 Jul 28 2020 19:48:14 wa5300.ipe
<AC>display cu
wlan ap-group default-group
ap-model WA5530-SI
radio 1
radio enable
service-template zhxlg vlan 12
radio 2
radio enable
service-template zhxlg vlan 12
radio 3
radio enable
service-template zhxlg vlan 12
gigabitethernet 1
gigabitethernet 2
6、在AC上debugging wlan capwap error与debugging wlan capwap event发现有DTLS握手错误的报错
<H3C>debugging wlan capwap error
*Jan 1 00:06:52:989 2016 H3C CWC/7/EVENT: Start ipv4 dhcp opt43 discover.
*Jan 1 00:06:52:989 2016 H3C CWC/7/EVENT: Start ipv4 broadcast discover.
*Jan 1 00:06:52:989 2016 H3C CWC/7/EVENT: Open capwap client udp port:13172
*Jan 1 00:06:52:991 2016 H3C CWC/7/EVENT: Fill discover req.wtu=1.model=WA5530-SI.wt drv info:[].subslot=0.licensetype=1.ret=0x40010001.
*Jan 1 00:06:52:991 2016 H3C CWC/7/EVENT: Fill discover req.ap=1.model=WA5530-SI.licensetype=1.carry wt info is unnecessary.
t m*Jan 1 00:06:54:995 2016 H3C CWC/7/EVENT: Discovered AC by method of IPv4 broadcast successfully.
*Jan 1 00:06:54:995 2016 H3C CWC/7/EVENT: AP selected AC IP 10.7.1.1 Priority 4 successfully.
*Jan 1 00:06:54:999 2016 H3C CWC/7/EVENT: DTLS start hand shark. ulErrCode:0.
*Jan 1 00:06:55:005 2016 H3C CWC/7/ERROR: Failed to handshake, ErrCode:9
*Jan 1 00:06:59:996 2016 H3C CWC/7/EVENT: Close capwap client udp port:13172
*Jan 1 00:06:59:996 2016 H3C CWC/7/EVENT: CAPWAP tunnel to AC 10.7.1.1 went down. Reason: Handshake failed
DTLS握手失败的原因,组网内有具有AC功能的路由器或者配置了隧道加密。
现场的确有一个带有AC功能的路由器,路由器的WAN口连接到核心交换机,从交换机上把连接路由器的端口down掉发现故障依旧。
然后再次查看所有配置,发现有一个ap组内配置了 if-match ip 10.7.1.0 255.255.255.0,且ap获取的地址就是这个网段的。所以会最优先匹配这个组进行注册上线,此视图下配置了隧道加密,导致一直注册失败。
wlan ap-group sdtyg_zhxlg
firmware-upgrade enable
tunnel encryption enable
vlan 1
if-match ip 10.7.1.0 255.255.255.0
ap-model WA5530-SI
radio 1
radio enable
service-template sdtyg_zhxlg vlan 12
radio 2
radio enable
service-template sdtyg_zhxlg vlan 12
radio 3
radio enable
service-template sdtyg_zhxlg vlan 12
gigabitethernet 1
gigabitethernet 2
这里补充一点,ap注册和服务模板是否开启是没有关系的。也就是说sdtyg_zhxlg服务模板未启用,ap的地址匹配到10.7.1.0/24这个网段,也会优先以这个组为主。如果这个组下面没有配置if-match ip 10.7.1.0,会去匹配默认的组去注册。
解决方法
将wlan ap-group sdtyg_zhxlg视图下的隧道加密功能关闭,即tunnel encryption disable
✖
案例意见反馈
➤
✖
亲~登录后才可以操作哦!
确定
✖
✖
你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
✖