ArubaOS and Controllers

Reply
Occasional Contributor II
Posts: 10
Registered: ‎12-18-2008

Captive portal issue with 3400 and 6.1.2

Hi all,

my custumer was running a 650 master + a 3200 local, both running 6.1.2 and everything was fine.

Today I swapped the two controllers with a couple of 3400 in Master-Master VRRP redundancy, still with 6.1.2.
I copied the old configuration and everything works well except the Captive Portal.

The behaviour is very weird and I cannot think of an explanation:

-The initial role contains policies "logon_control", "captive_portal" and the CP profile associated.
-Clients associate the guest WLAN and get the initial role
-Clients gets an IP address via DHCP
-Clients can resolve URLs via DNS
-Clients can ping fine any IP
but as soon as they try to browse there's no redirection to the CP page and they get stuck in the initial role.

do you have any clue or hints for me??

thanks a lot
massimo
Aruba
Posts: 760
Registered: ‎05-31-2007

Captive portal issue with 3400 and 6.1.2

Do you see evidence that the redirection is 'trying' to happen if you do a 'show user ip x.x.x.x' when a user is trying to open a web browser ?

Do you have the ip cp-redirect command in the configuration, and if so, is it pointing to the desired IP address for the source of the captive portal ?
Occasional Contributor II
Posts: 10
Registered: ‎12-18-2008

Re: Captive portal issue with 3400 and 6.1.2


Do you see evidence that the redirection is 'trying' to happen if you do a 'show user ip x.x.x.x' when a user is trying to open a web browser ?

Do you have the ip cp-redirect command in the configuration, and if so, is it pointing to the desired IP address for the source of the captive portal ?




thanks,

I had feeling no redirection was attempted, but being in a rush I didnt analyze what was happening during an attempt to browse, i will check that.

The cp-redirect is not used, it's a flat network, no VLAN if that is what you mean, and the clients are on the same VLAN of the controller CP interface... I hope that was what you asked
Aruba
Posts: 760
Registered: ‎05-31-2007

Captive portal issue with 3400 and 6.1.2

Thanks for the reply.

Ok, let's see what the output of 'show user ip x.x.x.x' ends up being. What you are looking for is port 8080 and 8081 traffic (which indicates redirection attempts)
Super Contributor II
Posts: 349
Registered: ‎02-22-2011

Re: Captive portal issue with 3400 and 6.1.2

Hi,

I have a client experiencing exactly the same thing.

The client is 10.21.180.60 and the controller is 10.21.183.100
The output of the show user ip is :


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
10.21.180.60 118.215.37.15 6 49997 80 0/0 0 96 1 tunnel 42 d FNC
10.21.183.100 10.21.180.60 6 8081 49998 0/0 0 96 1 tunnel 42 d FSI
10.21.183.100 10.21.180.60 6 8080 49997 0/0 0 96 1 tunnel 42 d FS
10.21.180.12 10.21.180.60 17 53 50783 0/0 0 96 1 tunnel 42 d FI
10.21.180.12 10.21.180.60 17 53 62807 0/0 0 96 1 tunnel 42 d FI
10.21.180.60 224.0.0.251 17 5353 5353 0/0 0 96 0 tunnel 42 d FDC
10.21.180.60 224.0.0.22 2 2 2 0/0 0 224 0 tunnel 42 d FDC
10.21.180.60 10.21.183.100 6 49998 443 0/0 0 96 0 tunnel 42 d FNCI
10.21.180.60 10.21.180.12 17 50783 53 0/0 0 96 1 tunnel 42 d FCI
10.21.180.60 10.21.180.12 17 62807 53 0/0 0 96 1 tunnel 42 d FCI
MVP
Posts: 747
Registered: ‎04-13-2009

Re: Captive portal issue with 3400 and 6.1.2

This looks OK to me.

10.21.180.60 118.215.37.15 6 49997 80 0/0 0 96 1 tunnel 42 d FNC Client requesting a web page that resolves to IP 118.215.37.15.
10.21.183.100 10.21.180.60 6 8081 49998 0/0 0 96 1 tunnel 42 d FSI Controller redirection.
10.21.183.100 10.21.180.60 6 8080 49997 0/0 0 96 1 tunnel 42 d FS Controller redirection.
10.21.180.12 10.21.180.60 17 53 50783 0/0 0 96 1 tunnel 42 d FI
10.21.180.12 10.21.180.60 17 53 62807 0/0 0 96 1 tunnel 42 d FI
10.21.180.60 224.0.0.251 17 5353 5353 0/0 0 96 0 tunnel 42 d FDC
10.21.180.60 224.0.0.22 2 2 2 0/0 0 224 0 tunnel 42 d FDC
10.21.180.60 10.21.183.100 6 49998 443 0/0 0 96 0 tunnel 42 d FNCI Client attempting to access captive portal on the controller on HTTPS
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: Captive portal issue with 3400 and 6.1.2


Hi,

I have a client experiencing exactly the same thing.

The client is 10.21.180.60 and the controller is 10.21.183.100
The output of the show user ip is :


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
10.21.180.60 118.215.37.15 6 49997 80 0/0 0 96 1 tunnel 42 d FNC
10.21.183.100 10.21.180.60 6 8081 49998 0/0 0 96 1 tunnel 42 d FSI
10.21.183.100 10.21.180.60 6 8080 49997 0/0 0 96 1 tunnel 42 d FS
10.21.180.12 10.21.180.60 17 53 50783 0/0 0 96 1 tunnel 42 d FI
10.21.180.12 10.21.180.60 17 53 62807 0/0 0 96 1 tunnel 42 d FI
10.21.180.60 224.0.0.251 17 5353 5353 0/0 0 96 0 tunnel 42 d FDC
10.21.180.60 224.0.0.22 2 2 2 0/0 0 224 0 tunnel 42 d FDC
10.21.180.60 10.21.183.100 6 49998 443 0/0 0 96 0 tunnel 42 d FNCI
10.21.180.60 10.21.180.12 17 50783 53 0/0 0 96 1 tunnel 42 d FCI
10.21.180.60 10.21.180.12 17 62807 53 0/0 0 96 1 tunnel 42 d FCI




Is the client using Firefox? http://airheads.arubanetworks.com/vBulletin/showthread.php?t=3468
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Super Contributor II
Posts: 349
Registered: ‎02-22-2011

Re: Captive portal issue with 3400 and 6.1.2

Hi Colin,

The users were all iPhones. What seemed to be happening was the user was not progressing from the pre-authentication role to the post authentication role.

Users advised that they were able to login to the captive portal page, then successfull authentication banner then came up and said it would redirect in 10 seconds and then it would just hang.

Here is a capture of the user log when this was occuring:

Jul 29 14:40:20 :522026: |authmgr| MAC=e0:f8:47:86:2c:f7 IP=10.21.180.99 User miss: ingress=0x108b, VLAN=1
Jul 29 14:40:20 :522004: |authmgr| {L3} Update role from liverpool-p_guest-guest-logon to liverpool-p_guest-guest-logon for IP=0.0.0.0
Jul 29 14:40:20 :522004: |authmgr| Reset BWM contract: IP=0.0.0.0 role=liverpool-p_guest-guest-logon, contract= (0/0), type=Per role
Jul 29 14:40:20 :522006: |authmgr| MAC=e0:f8:47:86:2c:f7 IP=10.21.180.99 User entry added: reason=Sibtye
Jul 29 14:40:20 :522004: |authmgr| Station inherit: IP=10.21.180.99 start bssid:d8:c7:c8:bb:05:01 essid: liverpool-p_guest port:0x108b (0x108b)
Jul 29 14:40:20 :522004: |authmgr| {L3} Update role from liverpool-p_guest-guest-logon to liverpool-p_guest-guest-logon for IP=10.21.180.99
Jul 29 14:40:20 :522004: |authmgr| Reset BWM contract: IP=10.21.180.99 role=liverpool-p_guest-guest-logon, contract= (0/0), type=Per role
Jul 29 14:40:20 :522004: |authmgr| station inherit IP=10.21.180.99 bssid:d8:c7:c8:bb:05:01 essid: liverpool-p_guest auth:0 type: role:liverpool-p_guest-guest-logon port:0x108b
Jul 29 14:40:20 :522004: |authmgr| download: acl=51/0 role=liverpool-p_guest-guest-logon, tunl=0x108b, PA=0, HA=1, RO=0, VPN=0
Jul 29 14:40:20 :522004: |authmgr| download: ip=10.21.180.99 acl=51/0 role=liverpool-p_guest-guest-logon, Ubwm=0, Dbwm=0 tunl=0x108b, PA=0, HA=1, RO=0, VPN=0
Super Contributor II
Posts: 349
Registered: ‎02-22-2011

Re: Captive portal issue with 3400 and 6.1.2

As a further update to this, i rolled my customers controller back to 5.0.3.3 and all functionality was restored.
Frequent Contributor I
Posts: 108
Registered: ‎09-26-2008

Re: Captive portal issue with 3400 and 6.1.2

Perhaps you can do a comparison on the logs on 6.1.x and 5.0.x...
Hopefully you can find the root cause of the issue...

Cheers
Michael
Search Airheads
Showing results for 
Search instead for 
Did you mean: