Cisco Bug: CSCvt29373 - 9800-40/80 UDP Port 5246 based ACL filter fails to select DTLS encrypted CAPWAP control packets

Last Modified

Aug 29, 2020

Products (6)

  • Cisco Catalyst 9800 Series Wireless Controllers
  • Cisco Catalyst 9800-40 Wireless Controller
  • Cisco Catalyst 9800-L-C Wireless Controller
  • Cisco Catalyst 9800-L-F Wireless Controller
  • Cisco Catalyst 9800-80 Wireless Controller
  • Cisco Catalyst 9800-CL Wireless Controller for Cloud

Known Affected Releases

16.12.2s

Description (partial)

Symptom:
Features such as Output QoS, AutoQoS, and Embedded Packet Capture do not function correctly on the DTLS-encrypted CAPWAP control packets transmitted by the Cisco Catalyst 9800-40 and 9800-80 controllers when those packets are selected with a UDP port 5246 based ACL.

Conditions:
This problem occurs only when a UDP port 5246 based ACL filter is used to select the DTLS-encrypted CAPWAP control packets transmitted by the controller.

Here is an example configuration of Embedded Packet Capture using a UDP port 5246 based ACL filter.

ip access-list extended capwap-control-acl
 10 permit udp any eq 5246 16666 any
monitor capture test access-list capwap-control-acl
monitor capture test interface te0/0/7 both

Here is an example configuration of Output QoS using a UDP port 5246 based ACL filter.

ip access-list extended capwap-control-acl
 10 permit udp any eq 5246 16666 any

class-map match-any capwap-control-class
 match access-group name capwap-control-acl
policy-map capwap-control-policy
 class capwap-control-class
  set dscp cs3
 class class-default

interface TenGigabitEthernet0/0/7
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 no negotiation auto
 service-policy output capwap-control-policy