Controller Based WLANs

What is the minimum firewall configuration to allow my AP to connect to the controller?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.


When there is a firewall in the path, the following protocols and ports should be opened between the AP and the Aruba WLAN Switch:


  •  DHCP (UDP 67 & 68)
  •  FTP (TCP 21 & 22)
  •  TFTP (UDP port 69)
  •  NTP (UDP port 123)
  •  SYSLOG (UDP port 514)
  •  PAPI (UDP port 8211)
  •  GRE (protocol 47)
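
As an added example (not from the original article or from Aruba), this Python script evaluates an `iptables-save` style FORWARD chain with first-match semantics and reports which flows from the list above would still not be accepted. The sample ruleset and its addresses are constructed; the script assumes every rule shown already applies to the AP-to-controller path, so `-s`/`-d` matching and negation are not modelled.

```python
import shlex

# Flows the article lists between AP and controller ("47" = GRE, no ports).
REQUIRED = ([("udp", p) for p in (67, 68, 69, 123, 514, 8211)]
            + [("tcp", p) for p in (21, 22)] + [("47", None)])

# Constructed sample in iptables-save format; the addresses are made up.
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.1.0.0/24 -d 10.0.0.10/32 -p udp -m multiport --dports 67,68,69,123 -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -d 10.0.0.10/32 -p udp -m udp --dport 8211 -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -d 10.0.0.10/32 -p tcp -m multiport --dports 21:22 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Reduce one '-A FORWARD ...' line to (proto, port_ranges, target)."""
    tok = shlex.split(line)
    opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
    proto = {"gre": "47"}.get(opt.get("-p"), opt.get("-p"))  # name or number
    spec = opt.get("--dports") or opt.get("--dport")
    ranges = spec and [(int(lo), int(hi or lo)) for lo, _, hi in
                       (part.partition(":") for part in spec.split(","))]
    return proto, ranges, opt.get("-j")

def verdict(rules, policy, proto, port):
    """First matching rule decides; otherwise the chain policy applies."""
    for r_proto, ranges, target in rules:
        if r_proto not in (None, "all", proto):
            continue  # rule is for a different protocol
        if ranges and (port is None or not any(lo <= port <= hi for lo, hi in ranges)):
            continue  # rule has a port match that this flow does not satisfy
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return policy

def blocked_flows(ruleset):
    """Required flows the chain would not accept (-s/-d assumed to match)."""
    policy, rules = "ACCEPT", []
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith(":FORWARD"):
            policy = line.split()[1]
        elif line.startswith("-A FORWARD"):
            rules.append(parse_rule(line))
    return [f for f in REQUIRED if verdict(rules, policy, *f) != "ACCEPT"]

if __name__ == "__main__":
    print(blocked_flows(SAMPLE))
```

On the constructed sample the result names SYSLOG (UDP 514) and GRE (protocol 47), the two listed flows that no rule accepts before the DROP policy applies.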

For Remote AP, the following are required:

  •  TFTP (UDP 69) - when the AP has a corrupted image
  •  NATT (UDP 4500)

After the RAP IPsec connection is formed, all PAPI/GRE traffic is tunneled through this IPsec NAT-T session.

The following ports are optional, for traffic from the AP to a specific application server or network management station:

  •  Remote packet capture with Ethereal/Wireshark (UDP 5555-5560)
  •  Remote packet capture with AiroPeek (UDP 5000)
  •  AirMagnet Enterprise analyzer (UDP 2500-2501)
  •  SNMP (UDP 161 & 162)

If there are firewalls between the controllers, the following ports should be opened between the controllers:

  •  IKE (UDP 500) - 3.x and later
  •  ESP (protocol 50) - 3.x and later
  •  NATT (UDP 4500) - 3.x and later
  •  PAPI (UDP & TCP port 8211)
  •  IP-IP (protocol 94) - For IP mobility between master-local and local-local

The following ports are for communication between MMS and controllers:

  •  SNMP (UDP 161 and 162)
  •  PAPI (TCP 8211)
  •  HTTPS (TCP 443) - For controller to pull configuration from MMS

Version history: Revision 1 of 1. Last update: 07-01-2014 04:51 PM