Let me clarify one point:
MC = Mobility Conductor
MD = Managed Device/Controller/Branch Gateway
The RAP will connect using IPsec over port 4500 to the MD; it requires no direct communication with the MC.
If the firewall allows the RAPs to reach the MD over port 4500, and the MD shows this traffic arriving and being answered, the RAP should connect and work.
Perhaps you can elaborate on the "policy RAP AP can't join" - where exactly is this policy configured?
Basic RAP configuration steps:
- PEFNG license installed as necessary.
- If Control Plane Security will be used - allowlist entry for the RAP MAC address present and correct?
- If a PSK is to be used, is it appropriately configured on the MD and MC?
- MD configured with an IPsec inner IP DHCP pool? (If an MC is deployed - lc-rap-pool configured on the MC?)
- ap-group with the correct provisioning profile to configure the Remote AP and direct the RAPs to the correct MD public IP address?
A few very useful public sources, in addition to the AOS User Guide:
https://community.arubanetworks.com/discussion/arubaos-8-setting-up-remote-access-point-rap
https://higherlogicdownload.s3-external-1.amazonaws.com/HPE/102f4c22-7f93-44cf-b5a2-400828ccd32e_file.pdf?AWSAccessKeyId=AKIAVRDO7IEREB57R7MT&Expires=1691403496&Signature=19KRnrD3q6EDATGg0FP5oZCiS3I%3D
https://www.flomain.de/2019/05/basic-rap-setup-with-arubaos-8/
------------------------------
Shawn Adams
------------------------------
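The point in the reply above (and the `show datapath session | inc <AP public IP>` check suggested earlier in this thread) is that the MD must show udp/4500 from the RAP both arriving and being answered. The script below is an added example for this thread, not Aruba code: it parses that command's output and classifies each udp/4500 peer as working, arriving-but-unanswered, denied by the MD datapath, or not arriving at all. The session table rows and the addresses (RFC 5737 documentation ranges, MD public IP 198.51.100.5) are constructed, and the column layout is an approximation of the AOS 8 datapath session table; if your release prints the columns differently, adjust the field indices in `parse_sessions()`.

```python
#!/usr/bin/env python3
"""Triage a RAP's NAT-T (UDP 4500) sessions from the output of

    show datapath session | inc <AP public IP>

captured on the Managed Device (MD).  Added example for this thread, not
Aruba code.  The sample table below is constructed (RFC 5737 addresses) and
its column layout is an approximation of the AOS 8 datapath session table;
if your release prints the columns differently, adjust the indices in
parse_sessions().  Real use: pipe the CLI output into this script on stdin.
"""
import re
import sys
from collections import namedtuple

UDP = 17
NAT_T_PORT = 4500
MD_PUBLIC_IP = "198.51.100.5"   # assumed MD public (outside-NAT) address

Session = namedtuple("Session", "src dst proto sport dport flags")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample rows: .10 has a working tunnel (both directions), .20 is
# arriving but never answered, .30 is arriving but denied ('D' flag) by the MD.
SAMPLE_OUTPUT = """\
 Source IP or MAC  Destination IP  Prot SPort DPort  Cntr     Prio ToS Age Destination TAge Packets Bytes    Flags
----------------   --------------  ---- ----- -----  -------  ---- --- --- ----------- ---- ------- -------- -----
203.0.113.10       198.51.100.5    17   4500  4500   0/0      0    0   1   local       1a   212     31804    FC
198.51.100.5       203.0.113.10    17   4500  4500   0/0      0    0   1   tunnel 4    1a   198     27532    FC
203.0.113.20       198.51.100.5    17   4500  4500   0/0      0    0   3   local       2c   17      2044     FC
203.0.113.30       198.51.100.5    17   4500  4500   0/0      0    0   5   local       9    9       1080     FCD
"""


def parse_sessions(output):
    """Return Session tuples for every row that starts with two IPv4 addresses.
    The 'Destination' column may contain spaces ('tunnel 4'), so only the
    leading five fields and the trailing Flags field are trusted."""
    sessions = []
    for line in output.splitlines():
        t = line.split()
        if len(t) < 6 or not (IPV4.match(t[0]) and IPV4.match(t[1])):
            continue
        try:
            proto, sport, dport = int(t[2]), int(t[3]), int(t[4])
        except ValueError:
            continue
        sessions.append(Session(t[0], t[1], proto, sport, dport, t[-1]))
    return sessions


def check_rap(sessions, ap_public_ip, md_public_ip=MD_PUBLIC_IP):
    """Classify one RAP's NAT-T state.  Inbound matching only requires
    dport 4500: a RAP behind NAT may arrive from a translated source port."""
    inbound = [s for s in sessions
               if s.src == ap_public_ip and s.dst == md_public_ip
               and s.proto == UDP and s.dport == NAT_T_PORT]
    outbound = [s for s in sessions
                if s.src == md_public_ip and s.dst == ap_public_ip
                and s.proto == UDP and s.sport == NAT_T_PORT]
    if not inbound:
        return "no-inbound"   # udp/4500 never reaches the MD: firewall/NAT in front of it
    if any("D" in s.flags for s in inbound):
        return "denied"       # MD datapath is dropping it: MD-side ACL or session ACL
    if not outbound:
        return "no-reply"     # arrives but unanswered: IKE not completing, see show log all
    return "ok"               # traffic arriving and being answered


def triage(output, md_public_ip=MD_PUBLIC_IP):
    """Map every peer that sends udp/4500 to the MD to its classification."""
    sessions = parse_sessions(output)
    peers = sorted({s.src for s in sessions
                    if s.dst == md_public_ip and s.proto == UDP and s.dport == NAT_T_PORT})
    return {ip: check_rap(sessions, ip, md_public_ip) for ip in peers}


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for ip, state in triage(text).items():
        print(f"{ip:<16} {state}")
```

Run it with no input to see the constructed sample classified, or paste the real `show datapath session` output into it on stdin. A `no-inbound` result for a RAP's public IP means the firewall in front of the MD (or a NAT device) is the place to look; `no-reply` or `denied` means udp/4500 is getting through and the problem is on the MD side (allowlist, PSK, ACL), which is where `show log all | inc <AP MAC>` takes over. The `D` (deny) flag is read from the Flags column as documented in the command's own legend.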
Original Message:
Sent: Aug 07, 2023 04:50 AM
From: mohamed
Subject: RAP AP Ports
Thanks for your feedback.
When I allowed port 4500 only in the policy, the RAP AP can't join/connect to the MC through the MC public IP, but when I make the policy on the firewall (Palo Alto) any to any, the RAP joins the MC. Should I check the FW policy?
Original Message:
Sent: Aug 07, 2023 04:22 AM
From: sadams
Subject: RAP AP Ports
RAP operations are covered in the AOS User Guide chapter "Remote AP support".
The list of firewall ports required between a RAP and an MD is covered under "Communication Between Remote APs and the Managed Device", around page 876:
NAT-T (UDP port 4500)
TFTP (UDP port 69)
"TFTP is not needed for normal operation. If the remote AP loses its local image for any reason, it will use TFTP to download the latest image."
The best diagnostic information comes from the MD (if a Mobility Conductor is used, the allowlist authorization occurs between the MD and the MC):
show ap database long
show allowlist rap | inc <AP MAC>
show log all | inc <AP MAC>
show user all | inc <AP MAC>
show datapath session | inc <AP public IP>
show user-table verbose | inc <AP MAC> (or <AP public IP>)
------------------------------
Shawn Adams
Original Message:
Sent: Aug 06, 2023 11:02 AM
From: mohamed
Subject: RAP AP Ports
Please, I need support. The RAP AP works well and joins the MC if I configure the policy any to any in the MC publishing policy on the FW (Palo Alto), but when I opened only port 4500, the AP dropped and can't join the MC. So are there any other ports that must be opened from the FW side, or any configuration from the MC side related to port 4500?