Occasional Contributor I
Posts: 6
Registered: ‎04-12-2011

Controller for Guest-WLAN hassles

I am currently trying to debug a guest WLAN at a customer's site.
Nothing fancy there, controller in DMZ being NATted to an official IP, some "normal" RAP2, which are working fine.

Now adding a new AP Group (Guest-WLAN), which should only provide Internet access for guests. So I put a handful of RAPs into that group, added captive portal and default rules (guest-logon and guest).

And.. of course it did not work.

Recreated everything in the lab, worked fine there.
Now I am trying to convince the customer that his firewall is the problem. He provided me with pcap traces of the firewall that show DNS replies to the controller.

When issuing a ping from the controller, I can NOT ping Google DNS (8.8.8.8, 8.8.4.4), but when I traceroute, it works. Strange!


.....Sent 5, 100-byte ICMP Echos to 8.8.8.8, timeout 2 seconds:

Success rate is 0 percent (0/5)



Trace:

1 192.168.111.254 1.024 msec 0.665 msec 0.714 msec
2 212.185.**.** msec 1.047 msec 1.097 msec
3 212.185.**.** 8.137 msec 7.254 msec 5.232 msec
4 217.239.**.** 10.325 msec 9.697 msec 9.847 msec
5 80.150.170.42 10.948 msec 10.397 msec 10.383 msec
6 72.14.238.44 11.038 msec 10.649 msec 10.782 msec
7 72.14.236.20 12.374 msec 10.655 msec 10.636 msec
8 209.85.254.116 11.186 msec 11.004 msec 11.009 msec
9 209.85.249.162 11.42 msec 10.801 msec 47.426 msec
10 8.8.8.8 11.276 msec 10.908 msec 10.784 msec




Used some stars on 2 - 4 to protect the customer's identity.

Now I am puzzled how to remote debug this problem further.
Provisioned a RAP to the controller, received an IP from DHCP (192.168.162.X) with external DNS 8.8.8.8 and 85.88.19.10.
I cannot ping anything (while being allowed by policy).
User Firewall state


not receiving any answers.

Any hints?

(tested OS: 5.0.2.0 upgraded to 5.0.4.0)

Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: Controller for Guest-WLAN hassles

Did you try to ping your default gateway? What about the next hop? What about the next hop? If the default gateway works, keep moving out further. The one that does not work is the problem. By the way, what is doing the routing for the 192.168.162.x network?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 930
Registered: ‎04-13-2009

Re: Controller for Guest-WLAN hassles

Are there any other SSIDs which are tunnelled back to the controller? If so, are clients connected to this other SSID able to access the internet?

Might be worth creating a test SSID (with a PSK) and allow all ACL and see if you can access the internet then.
Cheers
James

@whereisjrw | ACCX #540 | ACMX #353 | ACDX #216 | Mobility First Expert #11

Occasional Contributor I
Posts: 6
Registered: ‎04-12-2011

Re: Controller for Guest-WLAN hassles

There are other SSIDs (used in other AP-Groups), but none of them uses Internet, all only for access of internal resources.

192.168.162 is only used on the controller (VLAN 13), not used anywhere else, not used on any switch/port.
Controller does Routing/Src-Natting.

Pinging Gateway (192.168.162.1) from WLAN Client works.
Pinging outside (DMZ of Controller) does work.
Pinging default GW in DMZ (Firewall) does NOT work.

Pinging 8.8.8.8 from Controller (Diagnostics -> ping) does NOT work. (Works from my office)
But tracert from controller works (see above)
Pinging 8.8.4.4 from Controller (Diagnostics -> ping) does NOT work. (Works from my office)
But tracert from controller works. (which is icmp as well.. strange)
Pinging 193.99.144.80 from Controller (Diagnostics -> ping) does work.
Pinging 50.17.248.237 from Controller (Diagnostics -> ping) does work.

But I'll try a test-ssid.
.. trying ..
.. trying ..

PSK WLAN with a random VLAN, dhcp, DGw is Controller, authenticated role, Src-NAT and Intervlan Routing.

Strangely enough, I also cannot ping any internal hosts; seems like the controller does not handle the NAT correctly?
So pinging lan interface of controller works, pinging LAN hosts (pingable from controller) does not work.

Same as
Guru Elite
Posts: 20,572
Registered: ‎03-29-2007

Re: Controller for Guest-WLAN hassles

The person who has configured the firewall needs to show you all the traffic that you are initiating from the controller in his (or her) firewall to show that they are passing the traffic. Not all firewalls allow traceroute all the way through them, so that is somewhat reasonable. The firewall admin needs to show you that your traffic initiated is being passed.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎04-12-2011

Re: Controller for Guest-WLAN hassles

Found the error :-(
Someone (maybe me?) disabled Inter-VLAN-Routing on the external (DMZ) interface. Checked that, now everything is fine.

Lesson learned, now have to apologize to the customer. :-|