06-08-2012 11:42 AM
Ok, here is my scenario.
I guess you can say I am fairly new with Aruba and its abilities, but I am stuck at an impass here. I have a 135AP at one of our remote locations. It is behind a Juniper SSG5 firewall. Now from what I understand in my readings, NAT-T needs to be enabled on that firewall for the AP to be able to see the controller. (correct me if I am wrong)
This has been enabled in my policy but I am still unbale to see this AP from my main controller. I can also see where the Juniper device is issuing the AP a DHCP ip address so I know it is being recognized.
Like I said I am a novice at all of this, but is there a way I can allow the AP to see my controller so that I can provision it?
Thanks for any and all responses.........
Solved! Go to Solution.
06-08-2012 11:47 AM
The AP will draw a DHCP address and the try to resolve "aruba-master" to contact the controller (assuming you are talking about a standard Campus AP (CAP)). You could also send DHCP option 43 & 60 from the Juniper FW to the AP. That would cause the AP to look for the controller at the IP address specified by option 43. Option 60 should be "aruba-ap". Another way to "fix" this is to hard set the controllers IP address from the console of the AP (using a setenv command).
If this AP has already been provisioned as a Remote AP (RAP), you should see it on the controller. NAT-T is all that is needed.
06-08-2012 01:41 PM
Olino.... thank you very much for your response.
I have tried DHCP option 43 & 60 from the Juniper FW to the AP but I am still unable to see the AP from the controller. Keeping in mind this AP has never been provisioned before. I need to find a way around this issue or a way to work with it because most of our remote locations come back through Juniper FW's back to our corporate LAN.
I am attempting this fix remotely but I will have access the physical AP sometime this weekend so I will attempt to hard set the configurations into the AP and see where things go from there.
Any advice for me before I try this option?
06-08-2012 02:49 PM
Are the APs on your private WAN?
If the Juniper Firewall is standing between your APs and the controller, these ports need to be permitted:
Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
When there is a firewall in the path, the following protocols and ports should be opened up between the AP and the Aruba WLAN Switch:
- DHCP (UDP 67 & 68)
- FTP(TCP 21 & 22)
- TFTP (UDP port 69)
- NTP (UDP port 123)
- SYSLOG (UDP port 514)
- PAPI (UDP port 8211)
- GRE (protocol 47)
For Remote AP, the following are required:
- TFTP (UDP 69) - when the AP has corrupted image
- NATT (UDP 4500)
After the RAP IPSec connection is formed, all PAPI/GRE are tunneled through this IPSec nat-t session.
The following ports are optional for AP to a specific application server or network management station:
- Remote packet capture with Ethereal/WireShark (UDP 5555-5560)
- Remote packet capture with AiroPeek (UDP 5000)
- AirMagnet Enterprise analyzer (UDP 2500-2501)
- SNMP (UDP 161 & 162)
If there are firewalls between the controllers, the following ports should be opened between the controllers:
- IKE (UDP 500) - 3.x and later
- ESP (protocol 50) - 3.x and later
- NATT (UDP 4500) - 3.x and later
- PAPI (UDP & TCP port 8211)
- IP-IP (protocol 94) - For IP mobility between master-local and local-local
The following ports are for communication between MMS and controllers:
- SNMP (UDP 161 and 162)
- PAPI (TCP 8211)
- HTTPS (TCP 443) - For controller to pull configuration from MMS
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
06-08-2012 03:47 PM
As Colin said, you have to have those ports open between the AP and the controller.
When the AP gets the IP address of your controller, can the Juniper FW reach that IP? Is it a public address that lives on your DMZ or a private address? Does your FW have a tunnel back to your corprate network or is this all connected via a WAN (not the Internet)?
If this is over the Internet, you should provision the AP as a RAP.
06-12-2012 02:13 PM
Olino & CJoseph
Thank you both very much for the information sent. I mimicked the setup in my home lab and found that the configurations to allow traffic to see my controller were not taking the FW back at the office. So in essence, both your inputs really paid off here. Now I know I can go ahead with deployment accross the company without major issues stopping me from configuring my Wifi.
Once again, thank you both. You have saved me some major headache.