ArubaOS and Controllers

New Contributor
Posts: 3
Registered: ‎11-13-2009

Mirror port shows unidirectional traffic

I need to monitor client traffic through a 6000 series controller with Snort.

From this link:

https://airheads.arubanetworks.com/article/leveraging-centralized-encryption-snort-part-3

firewall session-mirror-destination port 2/1

A tcpdump of the traffic shows traffic in one direction with the return traffic still NATed. I’m running OS 3.3. Is there any way around this? Am I neglecting some configuration?

Thanks much
Guru Elite
Posts: 20,558
Registered: ‎03-29-2007

Firewall Mirror


I need to monitor client traffic through a 6000 series controller with Snort.

From this link:

https://airheads.arubanetworks.com/article/leveraging-centralized-encryption-snort-part-3

firewall session-mirror-destination port 2/1

A tcpdump of the traffic shows traffic in one direction with the return traffic still NATed. I’m running OS 3.3. Is there any way around this? Am I neglecting some configuration?

Thanks much
Gaskinoh,

What is your firewall policy with the mirror setting?


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 3
Registered: ‎11-13-2009

mirror port unidirectional traffic

Note I am not trying to stop unnecessary flows yet. I used what looked relevant from the reference. The following is the only additional configuration I added but my guess is that it is not necessary. What am I missing?


ip access-list session MIRROR-POL
  any any any permit mirror

user-role MIRROR
  session-acl MIRROR-POL

Thanks in advance.
New Contributor
Posts: 3
Registered: ‎11-13-2009

more detail

Here's what I see:

wireless client --> external host
external host reply --> Controller NAT

excerpts:

11:08:31.620322 IP 192.168.50.33.1304 > 208.80.53.144.80: . ack 10977 win 16560
11:08:31.675556 IP 208.80.53.144.80 > 10.4.159.253.1304: . 8232:9604(1372) ack 1 win 6432


So snort can't track the session and only alerts for non-established rules.
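The symptom in the excerpt above (the client's request leaves with its real address, but the reply arrives addressed to the controller's NAT address) is exactly what breaks Snort's flow tracking. The following script is an added example, not part of the original thread or of Aruba's documentation: it parses tcpdump one-liners like the ones posted, pairs each client-originated packet with its reply, and labels every flow as bidirectional, unidirectional, or NAT-asymmetric (reply came back to a different address than the client's). It assumes the wireless client subnet is 192.168.0.0/16; the capture embedded in it is the two lines from the post plus constructed lines for comparison.

```python
import re

# Constructed capture: the two lines quoted in the post, plus hypothetical lines
# for a flow whose reply does return to the client address and one flow with no
# reply at all. Addresses 203.0.113.10 and 198.51.100.5 are documentation ranges.
SAMPLE_CAPTURE = """\
11:08:31.620322 IP 192.168.50.33.1304 > 208.80.53.144.80: . ack 10977 win 16560
11:08:31.675556 IP 208.80.53.144.80 > 10.4.159.253.1304: . 8232:9604(1372) ack 1 win 6432
11:08:32.000000 IP 192.168.50.34.2001 > 203.0.113.10.443: S 1:1(0) win 65535
11:08:32.050000 IP 203.0.113.10.443 > 192.168.50.34.2001: S. 1:1(0) ack 2 win 14600
11:08:32.100000 IP 192.168.50.35.3000 > 198.51.100.5.80: S 5:5(0) win 65535
"""

# tcpdump default format: "<timestamp> IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

# Assumption: the wireless clients live in 192.168.0.0/16.
CLIENT_PREFIXES = ("192.168.",)


def parse_packets(text):
    """Return a list of (src_ip, src_port, dst_ip, dst_port) tuples."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, sport, dst, dport = m.groups()
            packets.append((src, int(sport), dst, int(dport)))
    return packets


def classify_flows(packets, client_prefixes=CLIENT_PREFIXES):
    """Map each client-originated flow to a status string.

    Keys are (client_ip, client_port, server_ip, server_port). A reply whose
    server side and client port match a known flow but whose destination
    address differs is reported as NAT-asymmetric: the mirror handed us the
    post-NAT copy of the return packet, so no IDS can pair it with the request.
    The port-only match is a heuristic; it relies on the NAT preserving the
    client's source port, as it did in the posted excerpt (1304 -> 1304).
    """
    forward = []
    replies = []
    for pkt in packets:
        if pkt[0].startswith(client_prefixes):
            forward.append(pkt)
        else:
            replies.append(pkt)

    status = {flow: "unidirectional" for flow in forward}
    for src, sport, dst, dport in replies:
        exact = (dst, dport, src, sport)
        if exact in status:
            status[exact] = "bidirectional"
            continue
        for cip, cport, sip, sp in forward:
            if sip == src and sp == sport and cport == dport and cip != dst:
                status[(cip, cport, sip, sp)] = f"nat-asymmetric (reply to {dst})"
    return status


def summarize(text):
    """Convenience wrapper: capture text -> {flow: status}."""
    return classify_flows(parse_packets(text))


if __name__ == "__main__":
    for flow, state in summarize(SAMPLE_CAPTURE).items():
        cip, cport, sip, sp = flow
        print(f"{cip}:{cport} -> {sip}:{sp}\t{state}")
```

Run against a real mirror-port capture (`tcpdump -n -i <mirror_if> > capture.txt`, then feed the file's text to `summarize`), any flow reported as NAT-asymmetric confirms that the mirror point sits on the wrong side of the controller's NAT for that direction; until the mirrored traffic shows both directions with the same client address, Snort rules that depend on an established session will stay silent.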