Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
A broken tunnel means that the AP has received an ICMP unreachable message for the GRE keepalives.
Possible reasons are:
- VRRP failover to new controller, which does not have the GRE registered for this AP or VRRP, is flapping between controllers.
- A routing issue in the network or the AP is losing the ARP of the default gateway or controller, which causes an intermediate router to return the "ICMP unreachable" message.
- Network reconvergence causes the controller to go unreachable for a brief period of time.
All devices maintain an ARP cache. When the cache ages out, it sends an ARP request. If no ARP reply is received from the default gateway (Layer 3 AP deployment) or the controller (Layer 2 AP deployment), the AP generates an ICMP unreachable message internally.
When routing convergence is happening within the network, the routers may not have full routing information for the controller subnet. This router can also generate an ICMP unreachable message back to the AP.
Similar to VRRP flapping, if the controller has aged out the AP's GRE, then it can also generate an ICMP unreachable message.
Note: A port monitoring on the uplink port of the AP can help identify which device is sending the ICMP unreachable packets.
A missing heartbeat means that the AP does not receive any GRE keepalives from the controller nor and "ICMP unreachable" messages from the network.
Two types of heartbeat track the health of the AP:
- GRE heartbeat (Protocol 47), which is sent every second using each AP BSSID GRE tunnel by the AP
- PAPI heartbeat (UDP 8211), which is sent every 60 seconds by default, and is adjustable under the AP system profile
Note: If a certain amount of either type of heartbeat is missing, an AP bootstraps or reboots.