This is from what I currently know so it is far from official:
Communication Between Aruba Devices
This section describes the network ports that need to be configured on the firewall to allow proper operation of the Aruba network.
Between any two controllers (all of these should be bidirectional, because they could be initiated by either controller):
IPsec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controller is encapsulated in IPsec.
IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.
GRE (protocol 47) if tunneling guest traffic over GRE to DMZ controller.
IKE (UDP 500).
ESP (protocol 50).
NAT-T (UDP 4500).
Between an AP and the master controller (all of these are from the AP to the controller except PAPI which is bidirectional):
PAPI (UDP port 8211). If the AP uses DNS to discover the LMS controller, the AP first attempts to connect to the master controller. (Also allow DNS (UDP port 53) traffic from the AP to the DNS server.)
PAPI (UDP port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI connection to the master controller.
From an AP to the LMS controller:
FTP (TCP port 21).
TFTP (UDP port 69) for AP-52. For all other APs, if there is no local image on the AP (for example, a brand new AP) the AP will use TFTP to retrieve the initial image.
NTP (UDP port 123).
SYSLOG (UDP port 514).
PAPI (UDP port 8211).
GRE (protocol 47).
Between a Remote AP (IPsec) and a controller:
NAT-T (UDP port 4500) - Bidirectional
TFTP (UDP port 69) - AP to controller
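
An added example, not part of the original post or of any Aruba tooling: a small audit that classifies new flows from a firewall log against the port list above, including which side is allowed to initiate. The role labels, the "src dst proto/number" record format and the sample records are constructed, and the conditional entries (Layer-3 mobility, GRE guest tunneling) are assumed to be enabled.

```python
# Added example: audit new flows against the port matrix listed in the post.
# Role labels and the "src dst proto/number" log format are constructed.
BIDIR, ONE_WAY = True, False  # ONE_WAY: only the first role in the key initiates

# (proto, number): number is the destination port, or the IP protocol for "ip".
MATRIX = {
    ("controller", "controller"): {
        ("udp", 500): BIDIR, ("udp", 4500): BIDIR, ("ip", 50): BIDIR,
        ("ip", 94): BIDIR, ("udp", 443): BIDIR, ("ip", 47): BIDIR,
    },
    ("ap", "master"): {("udp", 8211): BIDIR},
    ("ap", "dns"): {("udp", 53): ONE_WAY},
    ("ap", "lms"): {
        ("tcp", 21): ONE_WAY, ("udp", 69): ONE_WAY, ("udp", 123): ONE_WAY,
        ("udp", 514): ONE_WAY, ("udp", 8211): ONE_WAY, ("ip", 47): ONE_WAY,
    },
    ("rap", "controller"): {("udp", 4500): BIDIR, ("udp", 69): ONE_WAY},
}

def check_flow(src, dst, proto, number):
    """Classify a new flow as 'allow', 'wrong-direction' or 'not-listed'."""
    key = (proto, number)
    if key in MATRIX.get((src, dst), {}):
        return "allow"
    reverse = MATRIX.get((dst, src), {}).get(key)
    if reverse is None:
        return "not-listed"
    return "allow" if reverse is BIDIR else "wrong-direction"

def audit(lines):
    """Return (line, verdict) for every flow the matrix does not permit."""
    findings = []
    for line in lines:
        src, dst, svc = line.split()
        proto, _, number = svc.partition("/")
        verdict = check_flow(src, dst, proto, int(number))
        if verdict != "allow":
            findings.append((line, verdict))
    return findings

SAMPLE = [  # constructed flow records
    "controller controller udp/500", "controller controller ip/94",
    "master ap udp/8211", "ap dns udp/53", "controller rap udp/4500",
    "lms ap udp/69", "controller rap udp/69", "ap lms tcp/23",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE):
        print(f"{verdict:16} {line}")
```

A "wrong-direction" verdict means the service is on the list but was opened from the side the list does not name as initiator; return traffic of an established session is not a new flow and should not be fed to the audit.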