How to configure a tunnel group for redundancy of GRE tunnels on Aruba Controller?

Aruba Employee
Aruba Employee

Before ArubaOS 6.3, a single GRE  tunnel is only allowed to exist between Mobility Controllers  or GRE capable End point devices. This causes network outages as it goes down.
ArubaOS 6,3, brings in "Tunnel Group" feature where multiple GRE tunnels can be bundled between GRE capable end point devices to form a logical tunnel group.
Tunnel-group ensures that we have a redundant Tunnels to forward the traffic if  the active tunnel fails.


  • Automatic shift to the secondary GRE tunnel, when the primary tunnel goes down
  • Works on the keep alive mechanism between tunnel end points to sense the tunnel availability.

Environment : This article applies to all Aruba controller running ArubaOS version 6.3 and above.


Network Topology : 


L2 GRE:   Between Aruba Standalone Master Controllers  (OR) Aruba Master-Local Setups
L3 GRE:   Between any two GRE End Points


When it comes to configuration, we first configure GRE tunnels between end points and then map the tunnels into a logical tunnel group. Below screen shot from the command line, shows the configuration of individual tunnels and then the tunnel group:




Note: The first added tunnel in the tunnel group becomes active tunnel.

Once the tunnel group is setup, we need to configure an access list (ACL) to redirect all the traffic to tunnel group.
rtaImage (1).jpg
Below command line screenshot gives a glimpse of show commands for tunnels and tunnel groups:
rtaImage (2).jpg
The "Active tunnel ID" column in the "Show tunnel-group" shows the active tunnel in the group and also if the Preemption is enabled.
rtaImage (3).jpg
Note: One of the tunnel in the tunnel group should show as active.


Version history
Revision #:
1 of 1
Last update:
‎04-09-2015 03:52 AM
Updated by:
Labels (1)

Documentation states that tunnel groups are only applicable to L3 GRE tunnels.  However, in this example, L2 tunnels are used.  Did I miss something?


Under which situations, if any, will a client be sent down the inactive tunnel?  My primary tunnel is up and active, but I have some users that are being sent down the inactive tunnel and this is not expected behavior.



Search Airheads
Showing results for 
Search instead for 
Did you mean: