Product and Software: This article applies to ArubaOS 3.3.x and 3.4.x.
The IPsec tunnel between Aruba controllers exists to protect controller-to-controller communication. Best practice is to carry only management traffic and configuration updates over it.
In certain Layer 2 AP deployments, however, the WMS (Wireless Management System) traffic that APs send to update the WMS database on the master also ends up inside the IPsec tunnel. This extra traffic keeps the STM (station management) module busy on the controllers, which delays configuration updates and AP bootstraps.
This sample topology has WMS traffic traversing the IPsec tunnel:
VLAN 1: management VLAN; the default gateway is the core router.
VLAN 2: AP VLAN.
Local 1 forms an IPsec tunnel to the master controller.
Master: VLAN 1 = 10.10.1.1, VLAN 2 = 10.10.2.1
Local 1: VLAN 1 = 10.10.1.2, VLAN 2 = 10.10.2.2 (default gateway for VLAN 2)
In the AP system profile, the customer defined only the LMS IP address of Local 1 (10.10.1.2), so the APs terminate on Local 1. No master IP was configured, so the APs send their WMS updates to the master's VLAN 1 address, 10.10.1.1. That address is not in the AP VLAN, so each AP forwards the updates to its default gateway, Local 1, which carries them to the master across the IPsec tunnel. A traceroute from an AP shows exactly this path: Local 1 first, then the master on the far side of the tunnel.
To keep the WMS traffic off the tunnel, define the master IP address in the AP system profile as 10.10.2.1, the master's address in the AP VLAN. Because the destination is now in the AP's own subnet, the APs bridge the WMS updates directly to the master at Layer 2 instead of routing them through Local 1 and across the IPsec tunnel.
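The forwarding decision behind this fix, as an added example that is not part of the original article or of ArubaOS: a small model of the topology above that reports the hops an AP in VLAN 2 takes to a given master IP and whether the IPsec tunnel is crossed. The /24 prefix length and the rule that Local 1 reaches the master's VLAN 1 address only through the tunnel are assumptions taken from the article's description, not from any controller output.

```python
# Added example (not from the Aruba article or ArubaOS): models the AP's
# next-hop decision for WMS updates in the article's topology so the two
# master-ip settings can be compared.
# Assumptions: /24 masks on both VLANs (the article gives no prefix length),
# and that Local 1 forwards traffic for the master's VLAN 1 address into the
# IPsec tunnel, as the article's traceroute describes.
import ipaddress

# Constructed topology from the article.
AP_VLAN = ipaddress.ip_network("10.10.2.0/24")        # VLAN 2, the AP VLAN (mask assumed)
LOCAL1_GATEWAY = ipaddress.ip_address("10.10.2.2")    # AP default gateway on VLAN 2
MASTER_INTERFACES = {                                 # master controller addresses
    ipaddress.ip_address("10.10.1.1"): "VLAN 1",
    ipaddress.ip_address("10.10.2.1"): "VLAN 2",
}
# Destinations that Local 1 sends across the IPsec tunnel (assumed per the article).
TUNNEL_DESTINATIONS = {ipaddress.ip_address("10.10.1.1")}


def wms_path(master_ip):
    """Return (hops, via_tunnel) for WMS updates from an AP in VLAN 2 to master_ip."""
    dst = ipaddress.ip_address(master_ip)
    label = f"Master {dst} ({MASTER_INTERFACES.get(dst, 'unknown interface')})"
    hops = ["AP"]
    if dst in AP_VLAN:
        # Same subnet: the AP resolves the master directly and bridges at Layer 2.
        hops.append(label)
        return hops, False
    # Different subnet: the AP routes through its default gateway, Local 1.
    hops.append(f"Local 1 {LOCAL1_GATEWAY}")
    via_tunnel = dst in TUNNEL_DESTINATIONS
    if via_tunnel:
        hops.append("IPsec tunnel")
    hops.append(label)
    return hops, via_tunnel


def audit_master_ip(master_ip):
    """Return a warning if this master-ip setting puts WMS traffic on the tunnel, else None."""
    hops, via_tunnel = wms_path(master_ip)
    if via_tunnel:
        return f"master-ip {master_ip} sends WMS updates over the IPsec tunnel: {' -> '.join(hops)}"
    return None


if __name__ == "__main__":
    for ip in ("10.10.1.1", "10.10.2.1"):
        hops, via_tunnel = wms_path(ip)
        print(f"master-ip {ip}: {' -> '.join(hops)} (tunnel: {via_tunnel})")
```

Running the block prints the two paths side by side: with 10.10.1.1 the updates go AP, Local 1, IPsec tunnel, master; with 10.10.2.1 they go AP, master. The same check can be pointed at any candidate master IP before it is committed to the system profile.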
This is just one example and solution to eliminate the WMS traffic on an IPsec tunnel between a master and local controller.