Product and Software: This article applies to ArubaOS 5.0 Beta version.
In ArubaOS 5.0, to support CPSec, the "cert_cap" flag is introduced in APboot configuration.
apboot> print
cert_cap=1
When you disable the CPSec on ArubaOS 5.0, this flag is not removed automatically. The AP initiates the "setup_ipsec" message to the controller and gets "the RC_ERROR_CPSEC_DENIED" message from controller. The AP switches to clear mode.
[295]1999-12-31 16:01:45 setup_ipsec: sapd_num_lms=1 sapd_cur_lms=0 ip=192.168.110.3, client=0
[295]1999-12-31 16:01:45 Starting rapper 0 to 192.168.110.3:8423
[295]1999-12-31 16:01:45 start_tunnel_up_timer: sapd_cur_lms=0
[295]1999-12-31 16:01:45 Error: Received RC_OPCODE_ERROR lms 192.168.110.3 tunnel 0.0.0.0 RC_ERROR_CPSEC_DENIED
[295]1999-12-31 16:01:45 sapd_proc_redun_msg:2970
[295]1999-12-31 16:01:45 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_TUNNEL_DOWN Next state REDUN_STATE_TUNNEL_MASTER
[295]1999-12-31 16:01:45 Tunnel 0 down. data(0|Port)=8423
[295]1999-12-31 16:01:45 State REDUN_STATE_TUNNEL_MASTER Event REDUN_EVENT_RETRY Next state REDUN_STATE_TUNNEL_MASTER
[295]1999-12-31 16:01:45 redun_retry_tunnel: setting up tunnel to 0, retry=62
[295]1999-12-31 16:01:45 redun_retry_tunnel: Switching to clear. Ipsec not successful after reboot
You have a choice to unset that flag manually on the AP, which forces the AP to go back to the legacy clear mode without doing any IPsec attempts.
apboot> set cert_cap