Product and Software: This article applies to all Aruba Mobility Controller 3000 Series (3200, 3400, and 3600) and M3 that runs all RN versions.
The certification-based authentication for IPsec of a RN-AP is implemented through a Trusted Platform Module (TPM) on the Aruba controller. The TPM is a hardware crypto engine that stores the certificate to validate the APs as valid Aruba RN-APs when they VPN dial to the Aruba controller.
If the TPM is corrupt or absent, IPsec authentication fails and the RN-AP does not come up on the controller. The TPM can be confirmed to be working properly when the controller boots up while on restart (reload). A successful boot of a controller TPM is shown here.
If commands or errors indicate that the controller does not have the TPM or it is not installed properly, the controller may have to be RMAed. Depending on the status, the TAC may decide that the controller must be on the internet for advanced troubleshooting.
The commands for checking the same are 'show log error log all' and 'show log security'. The AP-Debug can also be enabled for that AP and the output of the 'show log ap-debug' command would have additional information.