Controllerless Networks

Aruba Employee


Hi All,


I have been playing around with an IAP-VPN setup that i have simulated in my lab. 

Apparently i can see the output of "show vpn status" IAP as established to the controller.

Also i can see "show crypto isakmp sa" and "show crypto ipsec sa" on the controller as well. 


But i cannot see any output on the "show iap table" command on the controller. 


(POC-VPNC) [mynode] (config) #show crypto isakmp sa

ISAKMP SA Active Session Information
Initiator IP Responder IP Flags Start Time Private IP
------------ ------------ ----- --------------- ---------- r-v2-c-I Dec 21 08:38:19



(POC-VPNC) [mynode] (config) #show crypto ipsec sa

IPSEC SA (V2) Active Session Information
Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP
------------ ------------ ---------------- ----- --------------- -------- 5d0d8c00/f6761a00 UT2 Dec 21 10:22:28



(POC-VPNC) [mynode] (config) #show iap table

Trusted Branch Validation: Disabled
IAP Branch Table
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan
---- -------------- ------ -------- --------------- -------------

Total No of UP Branches : 0
Total No of DOWN Branches : 0


What could i be missing ?




Re: IAP-VPN Issue

Two things spring to mind:

one: have you whitelisted the iAP?

two: are the iAP and controller versions the same? some version combinations aren't compatible.



if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Frequent Contributor I

Re: IAP-VPN Issue

There are four things I know of:

1. Add IAP to 'remote ap whitelist'

2. Add IAP to 'trusted branch db' (or 'iap trusted-branch-db allow-all')

3. Create 'controller cluster rap pool' on MM if using MM/AOS8

4. IAP-VPN compatibility changed in 8.4. You can't have an IAP on 8.4+ with a controller less than 8.4. And if you have a controller at 8.4+ and an IAP less than 8.4, you have to enable backwards compatibility on the controller. I'm not sure why the notes say 'controller clusters not supported,' I'm using them and they seem fine (so far?)

To seamlessly process the register requests without causing service disruption, ensure that the Instant AP
and managed device are both upgraded to the software version respectively. However, it is highly
important that you first upgrade the managed device to the software version, enable backward
compatibility on the managed device, and only then upgrade the Instant AP to the software version.
n Also, you must not upgrade the Instant AP to the software version first when the managed device,
terminating on the IAP-VPN is running an older software version.

IAP-VPN termination is not supported on ArubaOS Controller clusters.

Instant APs running Instant 8.3.x.x or earlier versions can terminate IAP-VPN connections with controllers
running ArubaOS or later versions only if the backward compatibility feature is enabled on the

Instant APs running Instant or later versions cannot terminate IAP-VPN connections with controllers
running ArubaOS 8.3.x.x or earlier versions.
Aruba Employee

Re: IAP-VPN Issue

Thanks both. 


I upgraded the IAP version. And it seems to solve the issue . 



Search Airheads
Showing results for 
Search instead for 
Did you mean: