This post gives a little insight into the packet flow when an Office Extend Access Point (OEAP) registers with a WLC and starts to work. I have disabled encryption, which allows me to see the CAPWAP control headers.
Even if the AP is in local mode, the DTLS control traffic should flow in the same way (I was unable to see this in local mode, as the AP will not register with the WLC when encryption is disabled).
Since the Office Extend AP is configured with the wireless controller's IP address, it sends a "CAPWAP-Control - Discovery Request" to the controller management IP. This goes to UDP port 5246 (CAPWAP-Control) and is marked DSCP CS6 (48).
The controller then responds with a "CAPWAP-Control - Discovery Response" from source port UDP 5246, again marked DSCP CS6.
The next step is the DTLS (Datagram Transport Layer Security) handshake.
In the DTLS handshake the client (AP) sends a "Client Hello" to the WLC to begin the handshake (phase 1). It expects a "Hello Verify Request" back from the server (WLC); this message carries a stateless cookie and nothing else. Because DTLS runs over UDP, which gives no protection against packet loss, the client runs a retransmission timer: if it does not see the "Hello Verify Request", it retransmits the "Client Hello".
The client then sends a second "Client Hello" that echoes the cookie from the "Hello Verify Request". This is the DoS countermeasure: the WLC allocates no handshake state until it sees its own cookie coming back from the claimed source address, so a spoofed-source flood of Client Hellos costs it nothing beyond computing cookies. The server (WLC) replies with "Server Hello" (carrying its random value, session ID and the chosen cipher suite), followed by Certificate, Server Key Exchange, Certificate Request (asking the AP for its certificate) and "Server Hello Done". These DTLS messages are usually large (the certificate chain in particular), so they are fragmented across several datagrams; you can see this in the packet capture output. The client (AP) then sends Certificate, Client Key Exchange, Certificate Verify (proving possession of the AP's private key), Change Cipher Spec and an encrypted Finished message back to the server (WLC), which answers with its own Change Cipher Spec and Finished. Below is the packet capture of these messages.
From this point on, all application data between client and server is encrypted (see the capture below).
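To make the exchange above concrete, here is an added example (my own code, not the original post's captures or any Cisco code) that builds and decodes the datagrams in this flow: a plain CAPWAP Discovery Request, CAPWAP-DTLS datagrams carrying the Client Hello, the cookie check a server performs before answering with Hello Verify Request or Server Hello, and reassembly of fragmented DTLS handshake messages. The byte layouts follow RFC 5415 (CAPWAP) and RFC 6347 (DTLS 1.2). The client address, the HMAC-based cookie construction and the `SERVER_SECRET` are assumptions for illustration and say nothing about how a real WLC mints its cookies; every byte string is constructed in the code rather than taken from a capture.

```python
"""Added example (not from the original post): decode CAPWAP / CAPWAP-DTLS datagrams and model the DTLS cookie exchange."""
import hashlib, hmac, os, struct

MSG_TYPES = {1: "Discovery Request", 2: "Discovery Response", 3: "Join Request", 4: "Join Response"}
HS_TYPES = {1: "ClientHello", 2: "ServerHello", 3: "HelloVerifyRequest", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}
SERVER_SECRET = os.urandom(32)             # assumption: per-WLC secret used to mint stateless cookies

def build_discovery_request(seq=0) -> bytes:
    """Plain CAPWAP control Discovery Request (type 1) with Discovery Type element 20 = 1 (static AC config)."""
    elem = struct.pack("!HHB", 20, 1, 1)                        # message element TLV: type, length, value
    ctrl = struct.pack("!IBHB", 1, seq, len(elem), 0) + elem    # msg type, seq num, elem length, flags
    # preamble 0x00 (version 0, type 0); HLEN=2 words, RID=0, WBID=1 (802.11), flags 0; frag id/offset
    return b"\x00" + ((2 << 19) | (1 << 9)).to_bytes(3, "big") + b"\x00" * 4 + ctrl

def parse_capwap(pkt: bytes) -> dict:
    """Dispatch on the preamble byte: type 0 = plain CAPWAP header, type 1 = CAPWAP-DTLS header."""
    version, ptype = pkt[0] >> 4, pkt[0] & 0x0F
    if version != 0 or ptype not in (0, 1):
        raise ValueError("unsupported CAPWAP preamble")
    if ptype == 1:                                  # 3 reserved bytes follow, then the DTLS records
        return {"transport": "dtls", "records": parse_dtls_records(pkt[4:])}
    bits = int.from_bytes(pkt[1:4], "big")          # HLEN(5) RID(5) WBID(5) T F L W M K rsvd(3)
    body = pkt[(bits >> 19) * 4:]
    msg_type, seq, elem_len = struct.unpack("!IBH", body[:7])
    elems, off = {}, 8                              # TLVs start after the 8-byte control header
    while off + 4 <= 8 + elem_len:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        elems[etype], off = body[off + 4:off + 4 + elen], off + 4 + elen
    return {"transport": "plain", "wbid": (bits >> 9) & 0x1F, "seq": seq,
            "msg_type": MSG_TYPES.get(msg_type, msg_type), "elements": elems}

def parse_dtls_records(buf: bytes) -> list:
    """Split a datagram into DTLS records and decode the header of cleartext (epoch 0) handshake records."""
    records, off = [], 0
    while off + 13 <= len(buf):
        ctype, ver, epoch, seq_hi, seq_lo, length = struct.unpack("!BHHHIH", buf[off:off + 13])
        frag = buf[off + 13:off + 13 + length]
        rec = {"type": ctype, "version": ver, "epoch": epoch, "seq": (seq_hi << 32) | seq_lo}
        if ctype == 22 and epoch == 0:              # epoch > 0 (Finished, application data) is encrypted
            ht, l_hi, l_lo, mseq, fo_hi, fo_lo, fl_hi, fl_lo = struct.unpack("!BBHHBHBH", frag[:12])
            rec.update(hs_type=HS_TYPES.get(ht, ht), msg_len=(l_hi << 16) | l_lo, msg_seq=mseq,
                       frag_off=(fo_hi << 16) | fo_lo, frag=frag[12:12 + ((fl_hi << 16) | fl_lo)])
        records.append(rec)
        off += 13 + length
    return records

def reassemble(records: list) -> dict:
    """Rebuild fragmented handshake messages (large Certificate etc.) keyed by message_seq; only complete ones returned."""
    msgs = {}
    for r in (r for r in records if "hs_type" in r):
        m = msgs.setdefault(r["msg_seq"], {"hs_type": r["hs_type"], "buf": bytearray(r["msg_len"]), "got": 0})
        m["buf"][r["frag_off"]:r["frag_off"] + len(r["frag"])] = r["frag"]
        m["got"] += len(r["frag"])
    return {k: (v["hs_type"], bytes(v["buf"])) for k, v in msgs.items() if v["got"] == len(v["buf"])}

def dtls_handshake_datagram(hs_type: int, body: bytes, msg_seq: int, rec_seq: int, frag_size=None) -> bytes:
    """Wrap one handshake message in epoch-0 DTLS 1.2 record(s) behind a CAPWAP-DTLS preamble, fragmenting if asked."""
    frag_size, out = frag_size or len(body), b"\x01\x00\x00\x00"    # preamble: version 0, type 1 (DTLS)
    for off in range(0, len(body), frag_size):
        frag = body[off:off + frag_size]
        hs = struct.pack("!BBHHBHBH", hs_type, len(body) >> 16, len(body) & 0xFFFF, msg_seq,
                         off >> 16, off & 0xFFFF, len(frag) >> 16, len(frag) & 0xFFFF) + frag
        out += struct.pack("!BHHHIH", 22, 0xFEFD, 0, 0, rec_seq, len(hs)) + hs
        rec_seq += 1
    return out

def build_client_hello(random32: bytes, cookie: bytes = b"") -> bytes:
    """Minimal ClientHello body: version, random, empty session_id, cookie, one cipher suite, null compression."""
    return b"\xfe\xfd" + random32 + b"\x00" + bytes([len(cookie)]) + cookie + b"\x00\x02\xc0\x2f\x01\x00"

def client_hello_fields(body: bytes) -> dict:
    off = 35 + body[34]                             # skip session_id; body[off] is the cookie length
    return {"version": body[:2], "random": body[2:34], "session_id": body[35:off],
            "cookie": body[off + 1:off + 1 + body[off]]}

def make_cookie(client_addr: tuple, ch: dict) -> bytes:
    """Stateless cookie (RFC 6347 4.2.1): HMAC over client IP/port and ClientHello fields, so the WLC keeps no state."""
    ip, port = client_addr
    msg = ip.encode() + port.to_bytes(2, "big") + ch["version"] + ch["random"] + ch["session_id"]
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()

def server_handle_client_hello(client_addr: tuple, body: bytes):
    """WLC side: missing/invalid cookie -> HelloVerifyRequest carrying a fresh cookie; valid cookie -> ServerHello."""
    ch = client_hello_fields(body)
    expected = make_cookie(client_addr, ch)
    if not ch["cookie"] or not hmac.compare_digest(ch["cookie"], expected):
        return "HelloVerifyRequest", expected
    return "ServerHello", None

def run_exchange(client_addr=("192.0.2.10", 40000)) -> list:
    """The flow from the post: ClientHello (no cookie) -> HelloVerifyRequest -> ClientHello (cookie) -> ServerHello."""
    rnd = os.urandom(32)
    first = dtls_handshake_datagram(1, build_client_hello(rnd), msg_seq=0, rec_seq=0)
    reply1, cookie = server_handle_client_hello(client_addr, reassemble(parse_capwap(first)["records"])[0][1])
    # the retry echoes the cookie; fragmented at 30 bytes to exercise reassembly the way a large message would
    second = dtls_handshake_datagram(1, build_client_hello(rnd, cookie), msg_seq=1, rec_seq=1, frag_size=30)
    reply2, _ = server_handle_client_hello(client_addr, reassemble(parse_capwap(second)["records"])[1][1])
    return [reply1, reply2]
```

Calling `run_exchange()` returns the two server decisions in order, first the Hello Verify Request for the cookie-less hello and then the Server Hello once the cookie comes back from the same address; a cookie replayed from a different source address is rejected again, which is the whole point of the countermeasure. When reading a real capture, the same preamble dispatch tells you whether a UDP 5246 datagram is a plain CAPWAP control message (Discovery) or a DTLS record, and the epoch field tells you whether a handshake record is still cleartext: everything from the Finished message onwards is at epoch 1 and cannot be decoded without the session keys.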