IP addresses that must be permitted in the firewall when VRRP is enabled on the Aruba controllers.
Environment: This article applies to all Aruba controllers and software versions.
Symptom: We are able to ping the VRRP IP address, but the AP does not come up or goes down regularly.
VRRP is an IETF standard for default gateway redundancy.
Two or more devices can take part in VRRP, and only one device is responsible for the VRRP IP address at a time. When that device dies or its priority drops (given that the other device has preempt enabled AND a higher priority), the other device takes over the VRRP IP address.
However, a device can only respond to requests that were sent to the VRRP IP address.
For example, if we ping the VRRP IP address, the controller sends back an ICMP echo reply with the VRRP IP address as the source IP. But if we ping a device from the controller, the controller will NEVER use the VRRP IP address as the source IP of that traffic; it uses the VLAN IP address of its outgoing interface as the source IP.
If there is a firewall between the controllers, or between a controller and the AP, we must make sure that every IP address a controller can use as a source IP is allowed, not just the VRRP IP address.
Resolution: Permit the VRRP IP address and the outgoing interface IP addresses of every controller in the firewall when the APs have to cross a firewall to reach the controller.
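The following is an added check, not part of the original article or Aruba software, that models the behaviour described above: a controller pair answers on the shared VRRP IP but originates traffic from each controller's own VLAN interface IP, so a firewall allowlist that only contains the VIP has gaps. All addresses are constructed examples from the 192.0.2.0/24 documentation range.

```python
"""Verify that a firewall allowlist covers every source IP an Aruba
controller pair can use towards the APs, not just the VRRP VIP.

Added example; the addresses below are constructed, not from a real site.
"""
import ipaddress


def controller_source_ips(vrrp_vip, interface_ips):
    """Return every address that can appear as the source of controller traffic.

    Replies to packets addressed to the VIP are sourced from the VIP; traffic
    the controllers originate themselves (including after a VRRP failover)
    is sourced from the outgoing VLAN interface IP of whichever controller
    is master, so every controller's interface IP must be included.
    """
    required = {ipaddress.ip_address(vrrp_vip)}
    required |= {ipaddress.ip_address(ip) for ip in interface_ips}
    return required


def missing_from_allowlist(required_ips, allowlist):
    """Return (as strings, sorted) the required IPs not covered by any
    host or CIDR entry in the allowlist."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    missing = [ip for ip in required_ips if not any(ip in net for net in nets)]
    return [str(ip) for ip in sorted(missing)]


# Constructed topology: shared VIP plus the VLAN interface IP of each controller.
VRRP_VIP = "192.0.2.10"
CONTROLLER_VLAN_IPS = ["192.0.2.11", "192.0.2.12"]

# A typical misconfiguration: the firewall was told about the VIP only.
VIP_ONLY_ALLOWLIST = ["192.0.2.10/32"]

# Corrected policy: VIP plus both controllers' interface addresses.
CORRECTED_ALLOWLIST = ["192.0.2.10/32", "192.0.2.11/32", "192.0.2.12/32"]


def check_policy(allowlist):
    """Convenience wrapper returning the list of uncovered source IPs."""
    return missing_from_allowlist(
        controller_source_ips(VRRP_VIP, CONTROLLER_VLAN_IPS), allowlist
    )


if __name__ == "__main__":
    print("VIP-only policy misses:", check_policy(VIP_ONLY_ALLOWLIST))
    print("Corrected policy misses:", check_policy(CORRECTED_ALLOWLIST))
```

An empty result means every source IP the controllers can use is covered; anything listed is a source address the firewall would silently drop.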
Traffic that must be allowed for an Aruba setup to function properly: