Symptom
Larger packets, for example EAP-TLS certificate packets, may be dropped between WLCs and Access Points in various network topologies.
Conditions
This has been seen in the following scenarios:
1. The network between the APs and the WLC clears the Don't Fragment (DF) bit and/or loses ICMP messages, causing normal ICMP-based Path MTU Discovery to fail.
2. CAPWAP control packets between the APs and the WLC take a different network path than the CAPWAP data packets, and the CAPWAP data path has a lower actual path MTU than the CAPWAP control path. Because CAPWAP PMTUD operates only on control packets, not data packets, PMTUD fails to sense the smaller PMTU for the data path, and so data packet transmissions may fail.
Workaround
First, set TCP MSS Adjust. This will take care of client TCP packets, but will not fix the problem for non-TCP packets such as UDP or EAPOL.
Second, fix the network between the APs and WLC:
* don't clear the DF bit
* make sure that "DF needed" ICMP messages are generated and are transmitted to the APs/WLC
* if feasible, increase the path MTU
* do not have the CAPWAP data take a different network path than CAPWAP control.
Further Problem Description
This bug implements an option to configure static path MTU for IOS APs. To support static path MTU configuration for AP-COS, track CSCvt16235.
To configure a static path MTU in a deployment with IOS APs, use the following commands on the WLC:
To set a global static path MTU across all IOS APs:
config ap pmtu disable all
where is a value from 576 to 1485 bytes.
To enable path MTU discovery across all IOS APs:
config ap pmtu enable all
To see the global PMTU setting:
show ap mtu
To set a static path MTU value on a single IOS AP:
config ap pmtu disable
To enable path MTU discovery on a single IOS AP:
config ap pmtu enable
There is no command to directly view the static path MTU value on an IOS AP; use the AP IOS command
show capwap client rcb
to view the current path MTU value.
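
One way to measure a candidate value before setting a static path MTU, as an added example that is not part of the original bug description or Cisco tooling: a binary search over DF-set pings within the 576 to 1485 byte range given above. It depends only on echo replies, so it still works when "DF needed" ICMP messages are lost. Assumptions: Linux iputils `ping`, a test host on the AP subnet pinging the WLC address, ICMP echo following the same path as CAPWAP data, and a path that does not clear the DF bit (if it does, every size passes); the function names `probe` and `find_pmtu` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): find the largest IPv4 packet
# size that crosses a path unfragmented, without relying on ICMP errors.

# probe SIZE HOST: succeed if an IPv4 packet of SIZE total bytes gets a reply.
# iputils ping: -M do sets DF; -s is the ICMP payload length, which is the
# total packet size minus 20 bytes of IPv4 header and 8 bytes of ICMP header.
probe() {
    ping -M do -c 2 -W 1 -s "$(( $1 - 28 ))" "$2" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH]: print the largest size in LOW..HIGH that passes.
# Defaults are the 576-1485 bounds the page gives for the static path MTU.
# Returns 1 if even LOW fails (host unreachable or ICMP echo filtered).
find_pmtu() {
    host=$1 lo=${2:-576} hi=${3:-1485}
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))    # round up so the loop always advances
        if probe "$mid" "$host"; then
            lo=$mid                     # mid passes: answer is mid or larger
        else
            hi=$(( mid - 1 ))           # mid dropped: answer is below mid
        fi
    done
    echo "$lo"
}

# Stand-alone use: sh find_pmtu.sh <WLC address> [low] [high]
if [ "$#" -ge 1 ]; then
    find_pmtu "$@"
fi
```

The result is the largest IP packet the probed path carries; how it maps onto the configured static value is not stated on this page, so confirm the outcome with `show capwap client rcb` on the AP.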