Wireless Access

Super Contributor II

Local controller to master over internet



I´m setting up a lab scenario with a central controller with UDP 4500 only port forwarded to it from the public facing firewall and a branch office controller with internet only access that should connect as a local to the central master. I think I´m missing something simple so please help me take an extra look :)


Configuration on master:

local-factory-cert local-mac "00:0b:86:xx:xx:xx"

controller-ip (this one has UDP 4500 port forwarded to it from

crypto isakmp udpencap-behind-natdevice enable


Configuration on brach local: 

masterip ipsec-factory-cert master-mac-1 00:0b:86:yy:yy:yy


interface vlan 4094 (internetfacing accessport)
ip address dhcp-client
ip nat outside

interface vlan 5
ip address
ip nat inside

controller-ip vlan 5


I can see successful isapmp SA and ipsec SA on both controllers and the routes are successfully implemented in the IPSEC maps.


On Master:

C is an ipsec map default-local-master-ipsecmap-00:0b:86:xx:xx:xx


On Local:

C is an ipsec map default-local-master-ipsecmap


If I ping from the master to I can see this in the datapath session table of the local: 1 55 2048 0/0 0 0 1 tunnel 10 8 1 120 FSCI 1 58 0 0/0 0 0 1 tunnel 10 6 1 120 FNI

(Also in the datapath I see the local trying to answer PAPI traffic back to the public IP of instead of the masters controller-ip which I think it should be)


If I ping from the local to the address I see nothing in the datapath of the master.


In the logs of the local I just see that it tries to send things directly to the public IP of the master, shouldn´t it understand that it needs to communicate through the tunnel?


Jul 14 15:33:21 cfgm[3468]: <307025> <DBUG> |cfgm| local:Sending heartbeat message to MMS
Jul 14 15:33:21 cfgm[3468]: <307103> <INFO> |cfgm| send_tcp_hb_master 196 Connection to the master failed, Will retry socket ID 20 state CONFIG_SOCKET_NOTCONNECTED
Jul 14 15:33:21 cfgm[3468]: <307240> <DBUG> |cfgm| Connecting the Local CFGM socket, state 1
Jul 14 15:33:21 cfgm[3468]: <307242> <INFO> |cfgm| Failed to connect to the Master (,Configuration socket will try again: Connection timed out
Jul 14 15:33:21 cfgm[3468]: <399814> <DBUG> |cfgm| Checking if the regulatory file is modified
Jul 14 15:33:21 cfgm[3468]: <399814> <DBUG> |cfgm| Sending the heartbeat message. Not Responding counter=7
Jul 14 15:33:21 cfgm[3468]: <399815> <INFO> |cfgm| Cannot connect to the master error Connection timed out errno 145 socket id 20


I´ve also put up a local using certificate based authentication on the same subnet as the master and it works like a charm. I´d like this to work with only the UDP4500 port forward.


Please help me put some extra eyes on this dear Airheaders :) I´m running ArubaOS



Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306
Search Airheads
Showing results for 
Search instead for 
Did you mean: