Yes, there is a firewall between the AP and Controller (I updated the subject of this post, sorry for the confusion ;). Basically the AP is at my home office, connected to the DC through VPN (two firewalls in between: home and DC firewall). But there is no issue with GRE; there is an active session between the AP and Controller.
See on the DC firewall:
15:28:27.663722 IP 10.199.107.10 > 10.29.1.202: GREv0, length 68: gre-proto-0x9000
15:28:27.663771 IP 10.29.1.202 > 10.199.107.10: GREv0, length 68: gre-proto-0x9000
Also on the controller:
(Aruba-7210) #show datapath session table 10.199.107.10 | begin Source
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- --------- --------- ---------------
10.29.1.202 10.199.107.10 47 0 0 0/0 0 0 0 0/0/0 8fe 1111 104828 F
10.199.107.10 10.29.1.202 17 8211 8222 0/0 0 0 1 0/0/0 1a 0 0 FYCI
10.29.1.202 10.199.107.10 17 8222 8211 0/0 0 0 1 0/0/0 1a 3 312 FI
10.29.1.202 10.199.107.10 17 514 50354 0/0 0 0 0 0/0/0 2 0 0 FY
10.199.107.10 10.29.1.202 17 50354 514 0/0 0 0 1 0/0/0 2 1 81 FC
10.199.107.10 10.29.1.202 47 0 0 0/0 0 40 0 0/0/0 8fe 1124 105972 FC