I have not yet seen an Aruba Guide that states that CAPs over IPSec tunnel link are not supported.
Maybe @Carson can share a link?
Also from a technical point of view the following happens:
You write that your router uses an MTU of 1472. The AP uses an MTU size of 1500, so the packets must be fragmented and data loss occurs.
The AP looks into the AP system profile and searches for the MTU size. By default, the values look like this:
A CAP uses the SAP MTU value, which is empty by default. The CAP tests which MTU size it can use (some switches log this behavior, so you can then see jumbo frames in the log) and uses the switch MTU, usually 1500 bytes. A RAP uses the RAP MTU value and sends immediately with an MTU of 1300 bytes, so the traffic is not fragmented. This is the reason why a RAP works by default over an IPSec link without any configuration settings.
Reduce the CAP MTU size to 1300; then the packets do not have to be fragmented and the CAP will also work.
I have already written the instructions for this in this article.
The WAN line must fulfill requirements for latency and bandwidth; details can be found here.
If the WAN line has enough bandwidth, the WLAN can be operated in tunneled mode, which is what we do for several customers. Otherwise, use bridge mode; then only CAP management traffic is transported over the WAN line.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
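To make the fragmentation argument above concrete, here is an added Python example (mine, not from the thread or from Aruba): it checks whether a CAP at MTU 1500 or a RAP at MTU 1300 overruns a 1472-byte WAN path once GRE encapsulation is added, and simulates the DF-bit probing that the CAP (and the original poster) use to find the usable MTU. It assumes plain GRE over IPv4 with 24 bytes of tunnel overhead and treats 1472 as the usable path MTU; the routers' own IPsec overhead is not modelled.

```python
# Added example, not from the thread: model the MTU behaviour described above.
# Assumptions (mine, not the page's): the AP-to-controller data tunnel is plain
# GRE over IPv4 without GRE key/sequence fields, so each inner frame gains a
# 20-byte IPv4 header plus a 4-byte GRE header on the WAN. The IPsec overhead
# added by the customer routers is ignored; 1472 is taken as the usable path MTU.

IPV4_HEADER = 20
GRE_HEADER = 4
TUNNEL_OVERHEAD = IPV4_HEADER + GRE_HEADER


def wan_packet_size(ap_mtu: int) -> int:
    """Size on the WAN of a GRE packet carrying a full ap_mtu-byte inner frame."""
    return ap_mtu + TUNNEL_OVERHEAD


def needs_fragmentation(ap_mtu: int, path_mtu: int) -> bool:
    """True when the encapsulated packet exceeds what the WAN path carries whole."""
    return wan_packet_size(ap_mtu) > path_mtu


def discover_mtu(path_mtu: int, low: int = 576, high: int = 1500) -> int:
    """Simulated DF-bit probing, as in the poster's check and the CAP's own test:
    binary-search for the largest probe that crosses the path unfragmented.
    probe() stands in for a ping with DF set that succeeds only when it fits."""
    def probe(size: int) -> bool:
        return size <= path_mtu

    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # fits: try larger
        else:
            high = mid - 1     # dropped: try smaller
    return low


def mtu_report(path_mtu: int) -> dict:
    """Compare a CAP at the default switch MTU with a RAP at the fixed 1300-byte MTU."""
    return {
        "cap_1500_fragments": needs_fragmentation(1500, path_mtu),
        "rap_1300_fragments": needs_fragmentation(1300, path_mtu),
        "largest_inner_frame": discover_mtu(path_mtu) - TUNNEL_OVERHEAD,
    }


if __name__ == "__main__":
    print(mtu_report(1472))
```

With a 1472-byte path the report shows the 1500-byte CAP fragmenting and the 1300-byte RAP not, which matches the behaviour described in the reply.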
Original Message:
Sent: Oct 11, 2024 09:54 AM
From: chulcher
Subject: AP not forming GRE tunnel over WAN to controller
That is not a supported architecture.
APs configured for campus usage (i.e., controller based) MUST be LAN connected. The only supported architecture in AOS 8 for a WAN connected AP is RAP.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Oct 11, 2024 08:39 AM
From: Ronin101
Subject: AP not forming GRE tunnel over WAN to controller
Dear Experts,
Running 8.12.0.2, Controller 7280 (HO) and AP 615 (Branch). The link between branch and HO is an L3 VPN. Connectivity is through Cisco routers; the MTU was checked (using the DF bit) and it's 1472. APs are registering as CAPs to the controllers and broadcasting SSIDs; however, clients cannot connect to any SSID (tried PSK and open as well). The client tries to connect and almost immediately disconnects. When Wireshark was used on the switch with ERSPAN, we could see that the AP is not forming any GRE tunnel with the controller, although SSIDs are being broadcast.
Does anyone have any idea what the issue could be?
All of this setup is provided as a managed service by the ISP; they manage the WAN link as well and have thoroughly tested it, no MTU issues. A TAC case was also opened and they were also not able to find any issue; so far escalations are being made, but no response from TAC either.
There is no firewall between the AP and the controllers. This is the connection from AP to controller:
AP------switch-------router----------WAN(MPLS)---------------router------------switch------------Controller