Wireless Access

Regular Contributor I

Firewall between AP and controller.



From user-guide

Between an AP and the controller:

1 FTP (TCP port 21).

2. TFTP (UDP port 69) 
3. NTP (UDP port 123).
4. SYSLOG (UDP port 514).
5. PAPI (UDP port 8211).
6. GRE (protocol 47).


what ports to be opened from controller subnet to the AP subnet?

If CPSEC is enabled, NAT-T port UDP 4500 has to be open on either direction, between AP and controller, right?


would all the above 6 traffic flows, gets inside the ipsec, when CPSEC is enabled? i can just allow the NAT-T port udp 4500 alone on the firewall bidirectional between AP and controller?



Re: Firewall between AP and controller.

** Read Giles Post - He fixed my answer - With the right answer and the current info **


The port list staying the same for RemoteAP or CampusAP:

Between Campus AP (GRE) and LMS Controller
FTP (tcp/20 and tcp/21)
TFTP (udp 69) – (for AP-52; for all other AP’s, if there is no local image on the AP, e.g. a brand new AP, the
AP will use TFTP to retrieve initial image)
NTP (udp/123)
SYSLOG (udp/514)
PAPI (udp/8211)
GRE (protocol 47)
Between Remote AP (IPSec) and Controller
NAT-T (udp/4500)
TFTP (UDP/69) - note: Not needed for normal operation. If the RAP looses the local image for whatever
reason, TFTP is used to download the latest image.



Thanks Giles. :smileywink: ( A day that you dont learn something new - it's a wasted day)

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Aruba Employee

Re: Firewall between AP and controller.



I know how this stuff works and you really confused me!


"When CPSEC enabled - each whitelisted or allowed AP get certiface from the controller itself."


This is not true, all 'new' AP's have a TPM module which stores a factory certificate, so it does not need to get a certificate from the controller, old AP's which don't support TPM modules can be downloaded from the controller.



The idea behind CPsec - Control Plane security is to protect the control plane so that we can support bridge mode PSK etc.

i.e. when we send a key to the AP we don't send it in clear text but inside IPSec to the AP.


So the only thing which is inside CPSec (which is IPSec or NAT-T - UDP 4500) is our propitiatory protocol PAPI (UDP port 8211).


I would leave the ports listed open if possible as any new AP coming up will have to use these before it can become a CPSec AP.




Re: Firewall between AP and controller.

We have a stateful firewall and find that the list you have is correct for AP to Controller, and the stateful firewall allows responses.

From the controller to the AP you'll need 8211 open.


The GRE tunnel we pass in both direction stateless to reduce overhead.




if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Regular Contributor I

Re: Firewall between AP and controller.

Thank you all. I got the idea. 


Stateful firewall, does open the reverse traffic from controller to AP automatically, for the communication initiated from AP to the controller.



New Contributor

Re: Firewall between AP and controller.

So the user guide is wrong, it has to add a new entry on the bullet point list with IPSEC (ESP -  ip 50)?

Guru Elite

Re: Firewall between AP and controller.

The user guide entry here:  http://www.arubanetworks.com/techdocs/ArubaOS_65x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Firewall_Port_Info/Communication_Between__D.htm has the correct information.


Screenshot 2017-07-27 at 04.37.32.png

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Search Airheads
Showing results for 
Search instead for 
Did you mean: