Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
It is very common for Aruba customers to provision and test a RAP on their network prior to its deployment in the field. For simplicity, the RAP would typically be tested while on the same subnet as the controller.
In such cases, the customer should be aware that the RAP may possibly fail to set up an IPSEC connection to the controller and come up.
The cause of this issue is due to the RAP design and how it attempts an IP connection to the controller:
Because the controller is on the same subnet as the RAP, it is assumed that the RAP would ARP for the controller MAC address, but that is not the case. The RAP attempts to connect to the provisioned master IP through its default gateway. The RAP works if the default gateway routes the RAP IP packet to the controller. But if the default gateway sends the RAP an ICMP redirect or does not forward the RAP IP packet to the controller on the same subnet, then the RAP will fail to come up.
A temporary workaround to bring the RAP up and complete the test is to statically set the RAP default gateway as the master IP and ensure that the RAP does communicate with the controller directly.
Note: After the test is done and before deploying the RAP in the field, the static default gateway should be removed to allow for full DHCP operation.