Why should the default gateway of a controller that hosts RAPs across the internet be the firewall that forwards the RAP traffic?
1. The AP does not come up at all.
2. No IKE / IPsec SA is formed.
3. Incoming / outgoing sessions are seen in the datapath session table on the controller.
RAPs use an IPsec tunnel to communicate with the controller. This is transported over UDP 4500.
An Aruba controller is usually behind a firewall which protects the networks inside. To bring up a RAP from outside, we must make sure that the firewall / router forwards UDP 4500 traffic to the Aruba controller.
The return traffic will go out according to the routing table on the controller. If the outgoing device is not the same one, i.e. the return traffic leaves through a different device / interface, it will be NATed by that device on its way out, so it leaves with a different source IP.
When this return traffic reaches the firewall / modem in front of the RAP, it will be dropped, because the modem / firewall at the RAP site has no session with the second firewall's IP address as the source IP.
Hence the RAP never comes up on the controller, even though traffic is arriving at and leaving the controller successfully.
Configure routing so that the return traffic for the RAPs leaves through the same firewall / router that forwarded the traffic to the controller.
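To make the drop concrete, the following is an added Python model (not Aruba code and not from the original article) of the stateful NAT at the RAP site: it records the outbound UDP 4500 session and admits a reply only if the reply's source matches that session, so a reply that leaves through a second firewall with a different public IP is discarded. All addresses and device names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed addresses for the scenario in the text; assumptions, not from the page.
RAP_PRIVATE = "192.168.1.20"    # RAP's address on its home LAN
RAP_SITE_NAT = "198.51.100.7"   # public IP of the modem / firewall at the RAP site
FW1_PUBLIC = "203.0.113.1"      # firewall-1: forwards UDP 4500 to the controller
FW2_PUBLIC = "203.0.113.2"      # firewall-2: a different egress device
CONTROLLER = "10.0.0.5"         # controller's inside address
NAT_T = 4500                    # UDP port carrying the IPsec tunnel


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class RapSiteFirewall:
    """Stateful NAT in front of the RAP: remembers outbound UDP sessions and
    only admits inbound packets whose source matches a remembered session."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.sessions = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def outbound(self, pkt):
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport)  # source NAT

    def inbound(self, pkt):
        for inside_ip, inside_port, remote_ip, remote_port in self.sessions:
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) == (self.public_ip, inside_port, remote_ip, remote_port):
                return Packet(pkt.src, pkt.sport, inside_ip, inside_port)  # session hit: translate back
        return None  # no session with this source IP: dropped


def rap_comes_up(egress_fw):
    """Simulate one NAT-T exchange; True if the controller's reply reaches the RAP.
    egress_fw is the public IP of the device the controller's routing table sends the reply to."""
    site_fw = RapSiteFirewall(RAP_SITE_NAT)
    on_wire = site_fw.outbound(Packet(RAP_PRIVATE, NAT_T, FW1_PUBLIC, NAT_T))
    # firewall-1 forwards (DNATs) UDP 4500 to the controller
    at_controller = Packet(on_wire.src, on_wire.sport, CONTROLLER, on_wire.dport)
    # the controller replies; the egress device rewrites the source to its own public IP
    reply = Packet(egress_fw, at_controller.dport, at_controller.src, at_controller.sport)
    return site_fw.inbound(reply) is not None


if __name__ == "__main__":
    print("reply via firewall-1 (symmetric):", rap_comes_up(FW1_PUBLIC))   # True
    print("reply via firewall-2 (asymmetric):", rap_comes_up(FW2_PUBLIC))  # False
```

Pointing the controller's default gateway at firewall-1 is what makes the second call behave like the first.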