Wireless Access

Frequent Contributor I

AP-105 behind Checkpoint vpn appliance



We're having issues trying to enable an AP-105 in a Checkpoint (CP) VPN configuration. Config:


AP-105 <-> CP vpn appliance remote site <-> CP vpn firewall HeadQuarters <-> Aruba cntrl


The AP comes up (it was originally provisioned at HQ). But when it tries to open an encrypted tunnel to the controller, that's it. We never see it in the controller's AP list. In the logs we see:


Apr 16 15:06:23 sapd[579]: <311020> <ERRS> |AP AP-BE-DI-TEST1@ sapd| An internal system error has occurred at file sapd_redun.c function sapd_proc_redun_msg line 4314 error Error: Received RC_OPCODE_ERROR lms tunnel RC_ERROR_RETRYIKEV1.


We believe this is because the CP VPN actually forwards the encrypted packet on UDP port 4500, unencrypted. That is basically what is defined in the CP STAR network settings. So basically the packet, as it is unencrypted, gets redirected to the internet and never reaches the Aruba controller.


Is there some way to change that port?  We can't change it on the CP configuration.  Any other solution?

Guru Elite

Re: AP-105 behind Checkpoint vpn appliance

Hold on.


The CP devices are just providing site to site VPN service, right?  So the subnet with the AP is pretty much just another routed subnet within your environment?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos

Re: AP-105 behind Checkpoint vpn appliance

We've had no trouble passing the standard GRE tunnel through our (Cisco) VPN. We did have to specifically include the GRE and UDP 8211 traffic in our ACL of "interesting" traffic.


I would expect using AP to Controller VPN inside your Checkpoint to Checkpoint VPN to work badly.


Is the remote site not a trusted site? (Or am I totally confused?)


if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
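The reply above recommends making sure the AP-to-controller traffic (GRE, UDP 8211) is selected by the site-to-site VPN's "interesting traffic" ACL, and the original post suspects the UDP 4500 leg is escaping to the internet instead. The following added check (not part of this thread or of any vendor's code; the subnets and controller address are constructed for illustration) models such an ACL and reports which AP-to-controller flows it fails to cover:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Flows an AP uses to reach its controller, as discussed in this thread:
# GRE data tunnel, PAPI control on UDP 8211, and IKE/IPsec NAT-T on
# UDP 500/4500 when the AP builds an encrypted tunnel to the controller.
AP_CONTROLLER_FLOWS = [("gre", None), ("udp", 8211), ("udp", 500), ("udp", 4500)]


@dataclass(frozen=True)
class AclEntry:
    """One 'interesting traffic' line of a site-to-site VPN policy."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "gre", "udp", "tcp" or "ip" (any protocol)
    port: Optional[int]   # destination port, None = any port


def make_acl_entry(src: str, dst: str, proto: str, port: Optional[int] = None) -> AclEntry:
    return AclEntry(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, port)


def acl_matches(entry: AclEntry, src_ip, dst_ip, proto: str, dport: Optional[int]) -> bool:
    return (src_ip in entry.src and dst_ip in entry.dst
            and entry.proto in ("ip", proto)
            and entry.port in (None, dport))


def uncovered_ap_flows(acl, ap_subnet: str, controller_ip: str):
    """Return the (proto, dport) pairs from AP_CONTROLLER_FLOWS that no ACL
    entry selects for the VPN, i.e. traffic that would follow the ordinary
    default route (in the clear, typically toward the internet)."""
    ap_net = ipaddress.ip_network(ap_subnet)
    ctrl = ipaddress.ip_address(controller_ip)
    src_ip = next(ap_net.hosts())        # representative AP address
    return [(proto, dport) for proto, dport in AP_CONTROLLER_FLOWS
            if not any(acl_matches(e, src_ip, ctrl, proto, dport) for e in acl)]


if __name__ == "__main__":
    # Constructed example: remote AP VLAN 10.20.30.0/24, HQ controller 10.0.0.10.
    # This ACL only selects PAPI, so GRE and the IKE/NAT-T ports fall outside the tunnel.
    acl = [make_acl_entry("10.20.30.0/24", "10.0.0.0/24", "udp", 8211)]
    for proto, dport in uncovered_ap_flows(acl, "10.20.30.0/24", "10.0.0.10"):
        print(f"not selected for VPN: {proto}" + (f"/{dport}" if dport else ""))
```

A single `ip` any-to-any entry between the two subnets covers every flow; the point of the check is to catch partial ACLs that forward only some of the AP's traffic through the tunnel.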
Frequent Contributor I

Re: AP-105 behind Checkpoint vpn appliance

Yes, the 'remote' subnet is a different VLAN. But I have no problem accessing anything else in that subnet. It has been working perfectly for years, so it's not a routing issue. Interestingly, we also tried a commbox, and that one does not exhibit the issue.
