Controller Based WLANs

How do APs respond to ICMP traffic when CPSEC is enabled?
Requirement:

How do APs respond to ICMP traffic when CPSEC is enabled?



Solution:
  1. Ping Request

PC(subnet B) ---ping req---> AP(subnet A) ===> Does not go through Controller

  2. Ping Reply

AP(subnet A) ---ping reply---> tun0(default route) ---ESP(ipsec)---> Controller ---ping reply---> PC(subnet B)

When CPSEC is enabled, the AP adds a default route on itself (tun0). This default route points to the IP address of the controller.

Hence, the ping reply goes via the controller, so routing must be enabled between the controller and the wired client that is trying to ping the CPSEC-based AP.



Configuration:

Routing should be enabled between the controller and the wired client that is trying to ping the CPSEC-based AP.

That allows a wired client in a different subnet than the AP to receive the ICMP response.



Verification
  1. Case 1: Routing table for AP without CPSEC:

AP's default gateway: 30.1.1.2

Controller's IP: 10.254.82.2

  2. Case 2: Routing table for AP with CPSEC:

AP's default gateway: 172.16.0.1

Controller's IP: 10.254.80.100

We can see an additional entry for the tun0 interface on the CPSEC-enabled AP.

The tun0 entry is created prior to the br0 entry. Hence, the AP sends the ICMP response inside the IPsec tunnel created with the controller.
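The reply path described above can be traced with a small route-lookup model. This is an added example, not output from an AP or controller: the prefix lengths, the vlan1 device name, the controller's routes and the PC address are constructed, and the lookup is simplified to longest-prefix match with ties going to the entry listed first.

```python
import ipaddress

# Constructed tables: (prefix, device, next hop). Only the gateway and
# controller addresses come from the article; everything else is assumed.
AP_NO_CPSEC = [("30.1.1.0/24", "br0", None), ("0.0.0.0/0", "br0", "30.1.1.2")]
AP_CPSEC = [("0.0.0.0/0", "tun0", "10.254.80.100"),  # CPSEC default, listed first
            ("172.16.0.0/24", "br0", None),
            ("0.0.0.0/0", "br0", "172.16.0.1")]
CONTROLLER_ROUTED = [("10.254.80.0/24", "vlan1", None),
                     ("0.0.0.0/0", "vlan1", "10.254.80.1")]
CONTROLLER_NO_ROUTE = [("10.254.80.0/24", "vlan1", None)]
PC = "192.168.50.10"  # wired client in subnet B (constructed)

def lookup(routes, dst):
    """Longest-prefix match; on a tie the entry listed first wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return best  # None means no matching route

def reply_path(ap_routes, controller_routes, pc_ip):
    """Trace where the AP's ICMP echo reply to pc_ip travels."""
    hit = lookup(ap_routes, pc_ip)
    if hit is None:
        return ["AP: no route, reply dropped"]
    _, dev, via = hit
    if dev != "tun0":
        hop = via or "directly connected"
        return [f"AP -> {dev} ({hop}) -> PC, controller not involved"]
    path = [f"AP -> tun0 -> ESP -> controller {via}"]
    if lookup(controller_routes, pc_ip) is None:
        path.append("controller: no route to PC, reply dropped")
    else:
        path.append("controller -> PC")
    return path

if __name__ == "__main__":
    for name, ap, ctrl in [("no CPSEC", AP_NO_CPSEC, CONTROLLER_NO_ROUTE),
                           ("CPSEC, controller routed", AP_CPSEC, CONTROLLER_ROUTED),
                           ("CPSEC, no route on controller", AP_CPSEC, CONTROLLER_NO_ROUTE)]:
        print(name, "=>", " | ".join(reply_path(ap, ctrl, PC)))
```

The third case is the symptom this article addresses: the echo request reaches the AP, but the reply is lost at the controller because it has no route back to the client's subnet.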

 

Version history
Revision #: 2 of 2
Last update: 11-25-2015 01:05 PM