There are 4 key elements that need to be configured, sized and put in place properly to allow APs to register to Extreme Wireless or Extreme Cloud Appliance controllers over WAN/VPN/Low-bandwidth links1. MTU Sizing. Getting the MTU sized properly over your WAN/VPN links to avoid packet fragmentation of controller <> AP traffic over those links.
Follow the steps below until you identify an MTU size that lets packets get through from remote locations back to where the controller is located, without requiring fragmentation and you then adjust the MTU for APs on a location specific basis as needed, down from the default of 1500 as may be required: Find out what the MTU size is you need to statically set
Ping from a DOS prompt on the local/controller side to the AP in the remote on the remote side: ping x.x.x.x -f -l 1500 (where x.x.x.x is the IP address of the AP being pinged and -f indicates not to fragment the packet being sent and -l indicates the size packet to use when pinging)
If you ping first with a packet size of 1500 the ping will most likely fail in this scenario with error messages resulting indicating the the packet would need to have been fragmented in order to be sent successfully but the do not fragment bit has been set
Continue to ping with various lower sizes (1400, etc ) until packets get through without having to be fragmented (1450 is a very common packet size that works but we have had customers that had to drop the MTU down as low as sub 1000 to avoid packet fragmentation on occasion). Once you have determined a packet size that should get through then,Apply the correct adjusted MTU to the APs in the branch locations for which you tested
Click AP tab > APs dropdown list > select the AP in question
Click Static Configuration tab
Change Tunnel MTU setting from value found in your ping test. Example: 1500 to 1400
Click Save Perform separate tests and make MTU adjustments accordingly, for each separate location in question
You should be sure to perform this process for each individual link you may have to different locations as potentially different WAN/VPN hardware and/or software may be in place to various links and what may work between NYC and Chicago may not work between NYC and Dallas for instance, as a result
The following KCS article touches on how to properly size the MTU but in regard to another aspect of our solutions but the technique is the same: https://gtacknowledge.extremenetworks.com/articles/Solution/IdentiFi-Wireless-AP-s-do-not-have-backup-data-tunnels-and-uptime-is-not-displaying-in-AP-Availability-report 2. Required Ports. Be sure you are allowing all required ports to be open through any firewalls and/or content filters that may sit between the controller(s) and AP(s).
Those ports are identified in the following KCS article: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-are-the-tcp-udp-ports-used-between-IdentiFi-Wireless-Controller-and-AP-s 3. AP Discovery. If the APs in your remote locations will end up in a different subnet or subnets, than what the controller is in, as with all APs that "live" in a different VLAN from the controller LAN or VPN based, you will need an AP discovery strategy in place that "points" the APs to the IP address of the controller ... either via the addition of a DHCP Option 78 or a DNS A record that can be added.
The following KCS links provide more detail on that: https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-an-AP-to-find-the-IdentiFi-Wireless-Controller-from-a-DNS-server-entry https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-an-AP-to-Find-the-IdentiFi-Wireless-Controller-with-DHCP-Option-78-on-a-Linux-Server https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-an-AP-to-Find-the-IdentiFi-Wireless-Controller https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-DHCP-option-78-on-EXOS-switch-for-Identifi-Wireless-AP-discovery-to-locate-controller https://gtacknowledge.extremenetworks.com/articles/Solution/Using-H3C-switch-as-dhcp-server-for-Identifi-wireless-AP https://gtacknowledge.extremenetworks.com/articles/Q_A/Can-the-IdentiFi-wireless-appliances-DHPC-server-support-advance-DHCP-options https://gtacknowledge.extremenetworks.com/articles/Solution/Access-points-failing-the-IdentiFi-Controller-discovery-process https://gtacknowledge.extremenetworks.com/articles/Solution/AP-will-not-connect-to-the-controller-after-power-loss 4. Controller Default Gateway. Lastly, it will be critical if you your APs are in a different subnet from the controller, that you have a default gateway defined for your controller to the router that is the next hop away from whatever the Physical port you have defined in ExtremeWireless or XCA, for both Management and AP registration.
The following KCS article links provides more detail about that: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-the-default-route-gateway-for-an-Extreme-Cloud-Appliance-XCA-controller-through-the-XCA-GUIhttps://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-the-default-route-on-the-IdentiFi-Wireless-Appliance