Occasional Contributor II
Posts: 44
Registered: ‎05-25-2009

RemoteAP - AP125 through Juniper SSG5

This is more of a Juniper SSG5 question than Aruba, but I thought I'd ask anyways to see if anyone has come across this before.

I'm trying to run AP125s behind a Juniper SSG5 in RemoteAP mode.
The APs come up, seem to connect to the controller in our datacentre, but are not provisionable.

The AP will show up in the list of provisionable APs, but when you try to provision them, it fails with any number of errors (or silently).

My hunch is the Juniper SSG5 is interfering with the GRE tunnel between the AP and controller, but I'm having a bit of trouble tracking this down. The PPTP/GRE ALG is enabled on the router.

Has anyone come across this before? And what was your solution?
Aruba Employee
Posts: 119
Registered: ‎05-16-2007

Re: RemoteAP - AP125 through Juniper SSG5

In RemoteAP mode, the transport is IPSEC and not GRE. But since RemoteAP requires pre-provisioning, are you trying to RE-provision them, or initially provision them to set them up as RemoteAP?

If you're trying to initially provision them, then yes, they will use GRE for SSID tunnels... however, provisioning and mgmt is done via PAPI, which is UDP 8211. You might check the Juniper to see if 8211 is being dropped.

If these are already provisioned as RemoteAPs and thus using IPSEC (NAT-T really...UDP 4500), then you might check to see if PAPI UDP 8211 is allowed in the remoteAP role defined on the Aruba controller.
Occasional Contributor II
Posts: 44
Registered: ‎05-25-2009

Re: RemoteAP - AP125 through Juniper SSG5

I should've been a little clearer, but yes, the APs are not in fully provisioned RemoteAP mode yet; they have just been told their master & serverip and are using GRE to connect.

Once they connect to the controller, I want to provision them with their IPSec details.

I have allowed everything outbound, so it shouldn't be blocked (firewall sessions should take care of the inbound as well).

What's strange about this is that this behaviour only happens with Juniper. No other router I'm using does this (with similar configurations).
Aruba Employee
Posts: 119
Registered: ‎05-16-2007

Re: RemoteAP - AP125 through Juniper SSG5

Is this Juniper box (or any box in-between) doing NAT?
Occasional Contributor II
Posts: 44
Registered: ‎05-25-2009

Re: RemoteAP - AP125 through Juniper SSG5

Yep, it is... but as mentioned, other routers don't seem to have an issue with this, as the APs can be provisioned through NAT.
New Contributor
Posts: 2
Registered: ‎12-15-2008

Re: RemoteAP - AP125 through Juniper SSG5

The Juniper wants to terminate the IPSEC tunnel itself (not pass through). This explains why GRE to the controller works, but IPSEC does not. The way I found to get around this was to get another public IP and, using a MIP, point it to the internal Aruba controller IP. This will ensure all ports (including IPSEC) are passed to the Aruba correctly. It burns a public IP, but it works.
New Contributor
Posts: 2
Registered: ‎12-15-2008

Re: RemoteAP - AP125 through Juniper SSG5

I forgot to say - will also work with a true routable address sitting in the DMZ zone (with relevant policies).