Symptoms : For a Remote AP (RAP) to work, the following ports must be allowed between the RAP and the controller.
1. TFTP, UDP port 69 (used when the AP has a corrupted image or when "Clear OS" is run from the RAP console).
2. NAT-T, UDP port 4500. (After the RAP IPsec connection is formed, all PAPI/GRE traffic is tunneled through this IPsec NAT-T session.)
NOTE: If TFTP is disabled after the RAP is up, the RAP will not come up again if its image becomes corrupted, because it cannot download a new image from the controller.
The RAP boot process, as seen in the console output above, is:
1. The RAP checks its image file, which is found to be in an invalid image format.
2. The Eth0 "Uplink" port comes up.
3. The RAP obtains an IP address and discovers the controller IP address.
4. The RAP initiates TFTP to the server (controller) address.
5. The RAP boots from the correct image.
The same can be confirmed from the controller CLI.
The screenshots above show three different ways of checking the "show datapath session table" command output to see whether the AP is doing TFTP (port 69).
The same can also be checked with packet captures on the RAP uplink or the controller uplink.
In the screenshot above, the RAP sends TFTP traffic first, before initiating ISAKMP/ESP traffic, because it does not have an image.
Resolution : If only port 4500 is allowed between the RAP and the controller, the RAP may not come up after an "image corrupted" condition or a "clear OS", because TFTP is not carried inside the IPsec tunnel.
Answer : If an AP has no image file or no correct image file, it first tries TFTP to download an image from the controller before sending any other traffic, i.e. ISAKMP/ESP to form IPsec.
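The two checks above, reading the RAP-to-controller flow order out of a capture summary and auditing a firewall port list for the two ports this article names, as an added example that is not part of the original article. The capture lines, IP addresses and the "time src dst proto dport" summary format are constructed for this example and are not real controller or capture output.

```python
# Constructed RAP-uplink capture summary, one packet per line:
# "<time> <src_ip> <dst_ip> <proto> <dst_port>". Made up for this example.
SAMPLE_CAPTURE = """\
0.000 198.51.100.10 203.0.113.5 udp 69
0.015 198.51.100.10 203.0.113.5 udp 69
0.020 203.0.113.5 198.51.100.10 udp 34012
6.400 198.51.100.10 203.0.113.5 udp 4500
6.550 198.51.100.10 203.0.113.5 udp 4500
"""

# The two ports the article requires for RAP bring-up and what each carries.
RAP_PORTS = {69: "tftp (image download)", 4500: "ipsec nat-t (ISAKMP/ESP, PAPI/GRE)"}


def rap_traffic_order(capture, rap_ip, controller_ip):
    """Return RAP->controller UDP services in first-seen order. A result that
    starts with TFTP means the RAP had no valid image and fetched one before
    building IPsec, exactly the boot sequence described above."""
    order = []
    for line in capture.splitlines():
        _time, src, dst, proto, dport = line.split()
        if (src, dst, proto) != (rap_ip, controller_ip, "udp"):
            continue  # ignore replies and non-UDP packets
        service = RAP_PORTS.get(int(dport))
        if service and service not in order:
            order.append(service)
    return order


def rap_firewall_gaps(allowed_udp_ports):
    """Given the UDP destination ports a firewall permits from RAP to
    controller, list which RAP scenarios will fail. An empty list means OK."""
    gaps = []
    if 4500 not in allowed_udp_ports:
        gaps.append("udp/4500 blocked: IPsec NAT-T never forms, RAP cannot come up")
    if 69 not in allowed_udp_ports:
        gaps.append("udp/69 blocked: RAP cannot re-download its image after "
                    "'clear os' or image corruption")
    return gaps


if __name__ == "__main__":
    print(rap_traffic_order(SAMPLE_CAPTURE, "198.51.100.10", "203.0.113.5"))
    print(rap_firewall_gaps({4500}))  # the "only 4500 allowed" case from the Resolution
```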