A Microbranch group has APs online in Aruba Central but no VPN tunnels form. The most likely cause is a firewall issue blocking GRE tunneling between the AP and gateway. Which option confirms this?

• A. There is a time difference between the AP and the gateways. The gateways should have NTP added
• B. The SSL certificate on the gateway used to encrypt the connection has not been added to the APs trust list
• C. There may be a firewall blocking GRE tunneling between the AP and the gateway
• D. The gateway group is running in automatic cluster mode and should be in manual cluster mode

Answer: (C)

The thing being tested is how GRE tunneling is established for the AP-to-gateway VPN in a Microbranch setup. GRE (protocol 47) is used to carry the VPN traffic between the APs and the gateway, so if a firewall blocks GRE, the tunnel cannot form even though the APs appear online in Aruba Central. That’s why confirming a GRE block is the most direct explanation for no VPN tunnels.

To confirm this, check firewall logs or rules for drops or refusals of GRE traffic between the APs and the gateway, and/or temporarily allow GRE (protocol 47) between those endpoints to see if the tunnels come up. If tunnels form after allowing GRE, the firewall blockage is the root cause.

The other options don’t directly explain why tunnels wouldn’t form: time differences or NTP issues affect timing-related features but not the actual GRE tunnel negotiation; SSL certificate trust relates to TLS on the management path rather than the GRE VPN tunnel; and cluster mode settings don’t impact GRE tunnel establishment.