My AP CAPWAP intermittently disconnects from HMOL from behind Sonicwall Firewall, what could be the cause?

  • Question
  • Updated 3 years ago
  • Answered
Q. My AP CAPWAP intermittently disconnects from HMOL from behind Sonicwall Firewall, what could be the cause?

A. If persistent NAT is not enabled, the Sonicwall FW is allowed to change the NATted (source) port address, which intermittently breaks the CAPWAP connection. There is a quick fix which is not obvious in the Sonicwall GUI. It's under VoIP -> Settings -> General Settings -> "Enable consistent NAT".

FAQ poster, Official Rep

  • 177 Posts
  • 0 Reply Likes

Posted 6 years ago


Chip Andrews

  • 12 Posts
  • 0 Reply Likes
We had this same issue but are still having problems with the "Content Filter" enabled. Once we disable the content filter everything works fine. What do we need to do to allow the Aerohives to communicate with the Content Filter on? We have whitelisted the CAPWAP servers but nothing seems to help.

Bryan Tetlow

  • 78 Posts
  • 2 Reply Likes
Been down that road... I've excluded the subnet from any filtration... they pass unchallenged via their own subnet on their own VLAN.

This is actually a new issue that just started out of the blue -- and we've not taken any new updates on HMOL or the filter.
Also, we do not use auto-blacklisting....that would be a disaster in this environment.

On the other hand, our AP230s, which according to... everything... only support bright LED or no LED, are now... DIM! So, something's changed and we're letting them see what's going on. None of these are fatal per se, but since I can no longer trust the alarms, I have to turn that option off, which leaves at least a small level of exposure to outage with no notice.

Not going to say the root of the CAPWAP isn't within filter, but certainly given the back information and the other "oddities" it sure seems to be elsewhere.
(I learned long ago -- never say never)

Arison Mercado

  • 113 Posts
  • 8 Reply Likes
I'm currently at a loss with this issue :(

Chip Andrews

  • 12 Posts
  • 0 Reply Likes
Have you tried doing a trace on your firewall to see what is happening during the CAPWAP communication? Most enterprise-grade firewalls should have this capability and if it is dropping or rejecting packets it should show the error codes you need to determine why.

Arison Mercado

  • 113 Posts
  • 8 Reply Likes
My Sonicwall should certainly have the capabilities to do it, but I wouldn't know how to do it on my packet capture settings.

Chip Andrews

  • 12 Posts
  • 0 Reply Likes
This article shows the TCP ports you need to monitor:
https://community.aerohive.com/aerohive/topics/capwap_connectivity_question_what_tcp_port_does_the_c...

You should know the local IP addresses of your Aerohive APs so simply choose one to monitor and see what you find.
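
Added example, not part of the original thread and not vendor tooling: once you have a trace for one AP, this is one way to check whether the firewall is changing the translated source port mid-session, which is the failure the FAQ answer describes. The record format, addresses and ports are constructed for illustration; adapt `parse_line` to whatever your firewall actually exports.

```python
from collections import defaultdict

# Constructed sample records in a hypothetical export format (not SonicWall's):
#   time  proto  inside_src  translated_src  destination
# All addresses and ports are made up for illustration.
SAMPLE_LOG = """\
10:00:01 udp 10.0.20.11:12222 203.0.113.5:40001 198.51.100.20:12222
10:00:02 udp 10.0.20.12:12222 203.0.113.5:40002 198.51.100.20:12222
10:00:31 udp 10.0.20.11:12222 203.0.113.5:40001 198.51.100.20:12222
10:01:01 udp 10.0.20.11:12222 203.0.113.5:51877 198.51.100.20:12222
10:01:02 udp 10.0.20.12:12222 203.0.113.5:40002 198.51.100.20:12222
"""


def parse_line(line):
    """Split one record into (time, flow key, translated source)."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    ts, proto, inside, translated, dest = fields
    return ts, (proto.lower(), inside, dest), translated


def find_nat_remaps(log_text):
    """Return {flow: [(time, old_translated, new_translated), ...]}.

    A flow is (proto, inside ip:port, destination ip:port). With consistent
    NAT the translated source stays the same for a flow; every change listed
    here is a point where the far end sees the AP arrive from a new port.
    Records are assumed to be in chronological order.
    """
    last_seen = {}
    remaps = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, flow, translated = parse_line(line)
        previous = last_seen.get(flow)
        if previous is not None and previous != translated:
            remaps[flow].append((ts, previous, translated))
        last_seen[flow] = translated
    return dict(remaps)


if __name__ == "__main__":
    for (proto, inside, dest), changes in find_nat_remaps(SAMPLE_LOG).items():
        for ts, old, new in changes:
            print(f"{ts} {proto} {inside} -> {dest}: NAT source {old} became {new}")
```

If the timestamps of the reported remaps line up with the CAPWAP disconnect alarms, the NAT setting is the likely cause; an empty result points elsewhere.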