Question: Why is the RAP unable to come up when it is in the same subnet as the controller?
Product and Software This article applies to all Aruba controller and ArubaOS versions.
It is common for Aruba customers to provision and test a remote access point (RAP) on their network before it is deployed in the field. For simplicity, the RAP is typically tested while on the same subnet as the controller. In such case, the customer should be aware that the RAP may fail to set up an IPsec connection to the controller and fail to come up.
The cause is due to the RAP design and how it attempts an IP connection to the controller.
The controller is on the same subnet as the RAP, so we would think that the RAP would ARP for the controller MAC address. However, that is not what happens. The RAP attempts to connect to the provisioned master IP through its default gateway. The RAP works if the default gateway routes the RAP IP packet to the controller. But if the default gateway sends the RAP an ICMP redirect or does not forward the RAP IP packet to the controller on the same subnet, then the RAP will fail to come up.
A temporary workaround to bring the RAP up and complete the test is to statically set the RAP default gateway as the master IP, and ensure that the RAP does communicate with the controller directly.
Note: After the test is done and before the RAP is deployed in the field, remove the static default gateway to allow for full DHCP operation.