Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AP not communicating with controller via firewall

  • 1.  AP not communicating with controller via firewall

    Posted Feb 26, 2020 12:46 PM

    Hi all,

     

    Firstly I am using a Juniper SRX firewall but wanted to make this my first port of call before I contact Juniper.

     

    I have configured two interfaces on my firewall that are in the trust zone. The network on one interface, ge-0/0/0, has the wireless controller (7205 model) along with Aruba APs (various models). I am attempting to add/move APs to the network on the other firewall interface, ge-0/0/1, but am having trouble getting the APs on this network to talk to the controller on ge-0/0/0.

     

    A separate Microsoft DHCP server is also on network ge-0/0/0 and it is successfully providing IP addresses to APs on both networks, which indicates routing and IP helpers are working fine. However, although the controller sees the APs on interface ge-0/0/1 in the AP database, it registers them with the IP address of the SRX firewall instead of the IPs assigned to them by the DHCP server, and they have the Inactive and Dirty flags set.

     

    I figured that I may need to enable/create a GRE tunnel on the firewall, which I attempted to do, but it didn't make any difference; I am not sure if I did it correctly... Is this the correct approach anyway?

     

    If enabling a GRE tunnel on the firewall isn't the correct approach, any other suggestions on how to get this working?

     

    Happy to provide any further details if required



  • 2.  RE: AP not communicating with controller via firewall

    MVP EXPERT
    Posted Feb 26, 2020 01:38 PM

    An access point initiates the following tunnels to a controller with CPSEC enabled:

    • A PAPI tunnel that is based on IPSEC when CPSEC (Control Plane Security) is enabled. This is UDP port 4500.
    • A GRE datatunnel for each SSID/RADIO. This is IP Protocol 47.

    Without CPSEC enabled (not recommended) the following ports are needed: UDP 8211 (PAPI), IP protocol 47 (GRE), UDP 69 (TFTP), TCP 20/21 (FTP), and optionally UDP 123 (NTP) and UDP 514 (Syslog).

     



  • 3.  RE: AP not communicating with controller via firewall

    Posted Feb 26, 2020 01:53 PM

    Hi Marcel,

     

    Our firewall is configured so that all IPs and TCP/UDP ports are permitted within the trust zone, so I don't think it's a policy that's preventing the APs talking to the controller.

     

    Or are you indeed suggesting I should create some kind of IPsec/GRE tunnel through the firewall?



  • 4.  RE: AP not communicating with controller via firewall

    EMPLOYEE
    Posted Feb 26, 2020 01:57 PM

    GRE is protocol 47, which is not TCP or UDP.  That must be permitted as well.  The big question is, why do you have a firewall separating your access points and controller?  That is considered "the hard way".  Nobody should do that unless there is no other way, quite frankly....



  • 5.  RE: AP not communicating with controller via firewall
    Best Answer

    MVP EXPERT
    Posted Feb 26, 2020 02:11 PM

    Collin is right! Normally I would recommend creating one WLAN management VLAN and placing all AP and controller management in it; that is what I do at every customer site and I have never needed to do it any other way.

     

    As part of my ACMX course I learned it "the hard way" ;) Below is an example of my firewall rule (with CPSEC enabled on the controller).

     

    When PAPI has established the management tunnel you can see the AP on the controller by typing "show ap active". But there is no client data when the GRE tunnels are not passing through your firewall.

     

    [image2.PNG: screenshot of the firewall rule, not reproduced]

     

     


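As an added example, not taken from the thread or from either vendor's documentation, the following Junos configuration for the SRX permits exactly the flows Marcel lists (UDP 4500 and IP protocol 47 with CPSEC; UDP 8211, GRE, TFTP, FTP, NTP and Syslog without it) from the AP network to the controller. It assumes a controller at 10.10.0.10 on ge-0/0/0 and an AP subnet of 10.20.0.0/24 on ge-0/0/1, both in the trust zone; all addresses, policy and application names are placeholders. It also exempts this traffic from source NAT: when the AP database shows the firewall's address instead of the AP's own address, the packets are being NATed by the SRX, and GRE in particular does not survive that.

```junos
## Added example, not from the thread. Assumed addressing (placeholders):
##   controller 10.10.0.10/32 behind ge-0/0/0, APs in 10.20.0.0/24 behind ge-0/0/1
set security address-book global address wlc-7205 10.10.0.10/32
set security address-book global address ap-subnet 10.20.0.0/24

## Flows an AP opens to the controller with CPSEC enabled:
## IPsec (NAT-T, UDP 4500) carrying PAPI, plus GRE (IP protocol 47) per SSID/radio
set applications application aruba-ipsec-natt protocol udp destination-port 4500
set applications application-set aruba-ap-cpsec application aruba-ipsec-natt
set applications application-set aruba-ap-cpsec application junos-gre

## Additional flows needed only when CPSEC is disabled (not recommended)
set applications application aruba-papi protocol udp destination-port 8211
set applications application-set aruba-ap-nocpsec application aruba-papi
set applications application-set aruba-ap-nocpsec application junos-gre
set applications application-set aruba-ap-nocpsec application junos-tftp
set applications application-set aruba-ap-nocpsec application junos-ftp
set applications application-set aruba-ap-nocpsec application junos-ntp
set applications application-set aruba-ap-nocpsec application junos-syslog

## Intra-zone policy. GRE is protocol 47, not TCP or UDP, so a rule that
## matches only TCP/UDP "any" ports never permits the data tunnels.
## Swap aruba-ap-cpsec for aruba-ap-nocpsec if CPSEC is off on the controller.
set security policies from-zone trust to-zone trust policy ap-to-wlc match source-address ap-subnet
set security policies from-zone trust to-zone trust policy ap-to-wlc match destination-address wlc-7205
set security policies from-zone trust to-zone trust policy ap-to-wlc match application aruba-ap-cpsec
set security policies from-zone trust to-zone trust policy ap-to-wlc then permit
set security policies from-zone trust to-zone trust policy ap-to-wlc then log session-init

## Keep the APs' real addresses towards the controller: no source NAT
## between these two networks, otherwise the controller registers every
## AP with the firewall's address and marks it Inactive.
set security nat source rule-set trust-to-trust from zone trust
set security nat source rule-set trust-to-trust to zone trust
set security nat source rule-set trust-to-trust rule no-nat-aruba match source-address 10.20.0.0/24
set security nat source rule-set trust-to-trust rule no-nat-aruba match destination-address 10.10.0.10/32
set security nat source rule-set trust-to-trust rule no-nat-aruba then source-nat off
```

The new policy must sit above any existing broader trust-to-trust rule (for example `insert security policies from-zone trust to-zone trust policy ap-to-wlc before policy <existing-policy-name>`, with the name filled in from your own configuration), and the no-NAT rule-set must be evaluated before any interface-NAT rule-set that covers the same zones. To verify, check `show security policies policy-name ap-to-wlc detail` for hit counts and `show security flow session source-prefix 10.20.0.0/24` for UDP 4500 and protocol 47 sessions whose source address is the AP, not the SRX; on the controller, `show ap database` should then list the APs by their DHCP-assigned addresses and `show ap active` should show them up.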

  • 6.  RE: AP not communicating with controller via firewall
    Best Answer

    Posted Feb 27, 2020 01:09 PM

    Thanks guys for the advice and guidance. The fact that you mentioned that I'm doing it the hard way made me start to rethink my approach.

     

    The reason for doing it this way is that I am replacing the LAN switches for our whole campus, including the core switch, and hence, to avoid IP conflicts, I had to route between different IP subnets and VLANs via the firewall.

     

    Now I tried a different approach, by creating a new AP system profile and a new AP group and reprovisioning the APs with these. I also created a new physical link from the WLC to the new core switch. This seems to have done the trick.