How can I prevent WMS traffic from traversing the IPsec tunnel between the master and local controller?

Aruba Employee

Product and Software: This article applies to ArubaOS 3.3.x and 3.4.x.


The original purpose of the IPsec tunnel between the Aruba controllers is to secure the communication between controllers. The best practice is to limit the IPsec tunnel to only management traffic and configuration updates.


In certain Layer 2 AP deployments, WMS traffic sometimes uses the IPsec tunnel to update the WMS database. This extra traffic keeps the STM module busy, which delays configuration updates and AP bootstraps.


This sample topology has WMS traffic traversing the IPsec tunnel:



VLAN 1 (management VLAN / default gateway is core router)
VLAN 2 (AP VLAN)
Local 1 forms an IPsec tunnel to the master controller.

Master: VLAN 1: VLAN 2:

Local 1 : VLAN 1: VLAN 2: (default gateway for VLAN 2)


In the system profile, the customer has defined only the LMS IP address of Local 1 ( The APs terminate on Local 1. The master IP was not configured, so the AP sends the WMS updates to If you traceroute from an AP, the traffic goes to Local 1 and then across the IPsec tunnel to the master controller.

To eliminate the extra WMS traffic, define the master IP address as This configuration forces the APs to bridge the WMS traffic to the master controller and not route the traffic across the IPsec tunnel.


This is just one example of WMS traffic on an IPsec tunnel between a master and local controller, and one solution for eliminating it.

Version history
Revision #:
1 of 1
Last update:
07-02-2014 06:53 AM