Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
After a remote access point (RAP) has successfully built its IPsec tunnel to the controller and has acquired an L2TP IP address as a VPN user, the RAP is assigned a role. This role is either the VPN default role or a role derived from the VPN authentication server. If the authentication server is "local db", make sure that the desired role is configured there. The VPN default role in this example is named "RemoteAP". The RAP remains in this role until it finishes bootstrapping, and then it automatically transitions into the system role named "ap-role".
The following traffic must be permitted from the Mobility Controller to the AP and back to facilitate the bootstrap process:
1. AP control traffic via the Aruba PAPI protocol: Port # 8211
2. GRE tunnel traffic: Protocol Number # 47
3. TFTP traffic from the RAP to the controller: Port # 69
4. FTP traffic from the RAP to the controller: Port # 21 UDP
To verify that the VPN role has the correctly configured policies, issue the following command:
#show rights RemoteAP
The command output should be similar to this output (not all fields shown):
Position Name                Location
-------- ----                --------

Priority Source Destination Service    Action . . . . Queue . . . .
-------- ------ ----------- -------    ------ . . . . ----- . . . .
1        any    any         svc-papi   permit . . . . Low   . . . .
2        any    any         svc-ntp    permit . . . . Low   . . . .
3        any    any         svc-syslog permit . . . . Low   . . . .
4        any    any         svc-tftp   permit . . . . Low   . . . .
5        any    any         svc-ftp    permit . . . . Low   . . . .
6        any    any         svc-gre    permit . . . . Low   . . . .

Expired Policies (due to time constraints) = 0
If the VPN role is missing any of the required policies, add the necessary policies to the role.
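The check described above can be automated against a captured "show rights" output. The following is an added example, not ArubaOS code or a tool shipped by Aruba: it parses the ACL table and reports which of the bootstrap services named in this article (PAPI, TFTP, FTP, GRE) are absent or not permitted. The sample capture is constructed for the example, with svc-gre left out and svc-ftp set to deny so that the check has something to report.

```python
"""Check a 'show rights <role>' capture for the RAP bootstrap policies.

Hypothetical helper, not part of ArubaOS. It parses the ACL table that
'show rights RemoteAP' prints and reports which of the required bootstrap
services (PAPI, TFTP, FTP, GRE) are missing or not permitted.
"""
import re

# Services the article says the RAP role must permit for bootstrapping.
REQUIRED_SERVICES = {"svc-papi", "svc-tftp", "svc-ftp", "svc-gre"}

# Constructed sample capture, modelled on the article's output. svc-gre is
# deliberately omitted and svc-ftp is denied to show a failing check.
SAMPLE_OUTPUT = """\
Priority Source Destination Service    Action Queue
-------- ------ ----------- -------    ------ -----
1        any    any         svc-papi   permit Low
2        any    any         svc-ntp    permit Low
3        any    any         svc-syslog permit Low
4        any    any         svc-tftp   permit Low
5        any    any         svc-ftp    deny   Low
Expired Policies (due to time constraints) = 0
"""

# One ACL row: priority, source, destination, service alias, action.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(svc-\S+)\s+(permit|deny)\b")


def parse_acl_rows(output):
    """Return a list of (service, action) tuples from the ACL table rows."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(4), m.group(5)))
    return rows


def missing_bootstrap_services(output, required=REQUIRED_SERVICES):
    """Return the required services that are absent or not permitted, sorted."""
    permitted = {svc for svc, action in parse_acl_rows(output) if action == "permit"}
    return sorted(required - permitted)


if __name__ == "__main__":
    missing = missing_bootstrap_services(SAMPLE_OUTPUT)
    print("role OK" if not missing else "missing: " + ", ".join(missing))
```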
For more information, see the "Troubleshooting Remote Access Points" chapter in the Virtual Branch Networks Validated Reference Design document.