ArubaOS and Controllers

Regular Contributor I

No DNS On RAP

Hello All,

I am currently trying to set up a RAP5wn network over 3G (split tunnel: just the captive portal is tunneled, the rest goes to the internet) at a remote site that will provide guest access. We would like to do a captive portal via Amigopod. We have the network set up (and working) in house and I am currently testing via the RAP.

I have configured the RAP to the point where it comes up and the 2.4 GHz light is lit, but when I connect, I do not get a captive portal page.

One of the first rules in my Amigopod Logon role is
# IPv4 any any svc-dns permit

When I connect my device, nothing happens when I browse by hostname. Nslookup fails (the firewall logs show only DNS traffic).
If I browse via IP, I get intercepted and sent to a captive portal. I am able to authenticate, and then I get redirected to an external site, and DNS fails again.

My post-auth rule is:
ipv4 user any route,source nat, log

Sometimes it will start to work after I'm authenticated. On two occasions, when I started a tcpdump on the laptop, it started to work out of the blue (very odd??). But it is not stable enough to release to the end user.

Has anyone had any weird DNS resolution issues like this? I would say it's slow 3G, except for the fact that the FW logs show the return traffic from DNS.

Any help on this issue would be greatly appreciated, as I've worked on it for almost 2 weeks with no luck.

-ELiasz
-------------------
ACDX, ACCP, CISSP, CWNA
Guru Elite

Re: No DNS On RAP

If you permit DNS, the DNS traffic will be tunneled back to the headend controller and to the client's default gateway. Is the DNS server supplied to the client via DHCP internal or external? Does the client have access to it?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba Employee

Re: No DNS On RAP

Yes! I have this exact problem in 6.1.1.0 and just found it last week. I have a ticket open but I haven't spoken to TAC yet about it, but it's a bug with the DNS ALG in AOS.

What I found is that when the DNS ALG is on, you are in split-tunnel, and you have permit on your ACL, the RAP intercepts DNS requests and forwards them to whatever DNS server it got from its upstream DHCP server instead of tunneling them back to the controller like it is supposed to.

What I did to work around this was change the svc-dns netservice entry to:

netservice svc-dns udp 53 alg tftp

...and save the config.

It's too much of a pain to remove the netservice itself because you have to remove all references to svc-dns in your config. Changing the ALG to tftp makes it so AOS can't understand what is going on with DNS and you should immediately see your DNS traffic come back to the controller, as it should.


EDIT: FYI, I have not seen this issue when I change my ACL to route src-nat for DNS, even with the DNS ALG enabled.
Guru Elite

Re: No DNS On RAP

Mike.j.gallagher

Thanks for the info. We do have quite a few sites (ours and others) that are just permitting DNS on a split tunneled SSID and they work without changing the netservice from the defaults on various flavors of 6.x. We need to rule out basic DNS server connectivity for the person who started this thread before they make such a big change. The AP does not inspect any DNS in a split tunneled LAN/WLAN unless you add the "Corporate DNS Domain" parameter in the AP system profile.

Even if the user does not have any connectivity issues, we still need to look into why yours works that way.


Colin Joseph
Aruba Customer Engineering


Aruba Employee

Re: No DNS On RAP

So actually, I most likely don't have a bug. I have to check to see if I have a domain listed in Corporate DNS servers, which I bet I do. Looks like the RAP will proxy DNS for all domains except those listed in that field if you're split tunnel.
Regular Contributor I

Re: No DNS On RAP

Hi Guys,

Thanks for the responses.

I have changed my ACL as follows:
IPv4 any any svc-dns src-nat pool dynamic-srcnat Yes

the issue still remains. I am unable to resolve DNS still. Using public DNS of 4.2.2.2

When I browse by IP I get the captive portal. Once I am authenticated I was able to browse the internet OK.

I show to be in the Amigopod-remote-logon role, but when I connect and try to browse, my "firewall hits" section only shows:

logon logon-control any any svc-icmp permit 0 99 8578
logon logon-control any any svc-dhcp permit 0 1 8580
logon logon-control any any svc-natt permit 0 15 8581
logon any any 0 deny 0 731 8603
ap-role control any any svc-dns permit 0 3 8681
ap-role control any any svc-sec-papi permit 16 59862 8683
ap-role ap-acl any any svc-gre permit 0 20 8689
ap-role ap-acl any any svc-syslog permit 2 5386 8690
ap-role ap-acl user controller svc-ftp permit 0 3 8698
ap-role any any 0 deny 0 3 8699
authenticated allow * * any permit 3 26370 8251

Thanks for all your help thus far.
-------------------
ACDX, ACCP, CISSP, CWNA
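The hit counters pasted above carry the answer to "is the client's DNS even reaching the controller?". As an added example (not code from the thread or from Aruba), the script below parses those rows and reports which roles have svc-dns hits. The column layout it assumes is role, ACL name, source, destination, service, action, new hits, total hits, index, with the implicit-deny rows lacking the ACL column; that layout is inferred from the pasted rows, not taken from Aruba documentation. Run against the pasted output, it shows the only svc-dns hits belong to ap-role (the AP's own resolution) and that no rule in the client's Amigopod-remote-logon role was hit at all, which matches the split-tunnel DNS proxy behaviour discussed upthread rather than a resolver-reachability problem.

```python
"""Parse ArubaOS 'firewall hits' rows and say where svc-dns traffic is landing.

Added example for this thread. Assumed column layout (inferred from the post):
    role [acl] source destination service action new-hits total-hits index
Implicit-deny rows have no ACL name, so they carry one fewer column.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows copied from the post above (the post wrapped them in quotes).
HITS_FROM_POST = """\
"logon logon-control any any svc-icmp permit 0 99 8578
logon logon-control any any svc-dhcp permit 0 1 8580
logon logon-control any any svc-natt permit 0 15 8581
logon any any 0 deny 0 731 8603
ap-role control any any svc-dns permit 0 3 8681
ap-role control any any svc-sec-papi permit 16 59862 8683
ap-role ap-acl any any svc-gre permit 0 20 8689
ap-role ap-acl any any svc-syslog permit 2 5386 8690
ap-role ap-acl user controller svc-ftp permit 0 3 8698
ap-role any any 0 deny 0 3 8699
authenticated allow * * any permit 3 26370 8251 "
"""


@dataclass
class HitRow:
    role: str
    acl: Optional[str]  # None on the implicit-deny row (assumed layout)
    source: str
    destination: str
    service: str
    action: str
    new_hits: int
    total_hits: int
    index: int


def parse_hits(text: str) -> List[HitRow]:
    """Split pasted rows into HitRow records, tolerating stray quote marks."""
    rows: List[HitRow] = []
    for raw in text.splitlines():
        line = raw.strip().strip('"').strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (8, 9):
            raise ValueError(f"unexpected column count: {line!r}")
        new_hits, total_hits, index = (int(x) for x in parts[-3:])
        action, service, dest, source = parts[-4], parts[-5], parts[-6], parts[-7]
        acl = parts[1] if len(parts) == 9 else None
        rows.append(HitRow(parts[0], acl, source, dest, service, action,
                           new_hits, total_hits, index))
    return rows


def dns_hits_by_role(rows: List[HitRow]) -> Dict[str, int]:
    """Total hits on svc-dns rules, keyed by role."""
    totals: Dict[str, int] = {}
    for r in rows:
        if r.service == "svc-dns":
            totals[r.role] = totals.get(r.role, 0) + r.total_hits
    return totals


def client_dns_reaches_controller(rows: List[HitRow], client_role: str) -> bool:
    """True when at least one svc-dns rule in client_role has been hit."""
    return dns_hits_by_role(rows).get(client_role, 0) > 0


def diagnose(rows: List[HitRow], client_role: str, ap_role: str = "ap-role") -> str:
    """One-line reading of the counters for a client in client_role."""
    roles_seen = {r.role for r in rows}
    dns = dns_hits_by_role(rows)
    if client_role not in roles_seen:
        msg = (f"no rule in role {client_role!r} has any hits; the client's "
               f"traffic, DNS included, is not reaching the controller's session ACLs")
        if set(dns) == {ap_role}:
            msg += f" (the only svc-dns hits are the AP's own, in {ap_role!r})"
        return msg
    if not client_dns_reaches_controller(rows, client_role):
        return f"role {client_role!r} is being hit, but never on svc-dns"
    return (f"svc-dns in role {client_role!r} has {dns[client_role]} hits; DNS reaches "
            f"the controller, so check the resolver's reachability and the return path")


if __name__ == "__main__":
    parsed = parse_hits(HITS_FROM_POST)
    print(dns_hits_by_role(parsed))
    print(diagnose(parsed, "Amigopod-remote-logon"))
```

Paste any later capture in place of HITS_FROM_POST; if the Amigopod-remote-logon role starts showing svc-dns hits after the Corporate DNS Domain or route/src-nat changes discussed below, the client's queries are being tunneled to the controller again.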
Aruba Employee

Re: No DNS On RAP

Colin led me to my problem. It wasn't the DNS ALG, it was the Corporate DNS Domain setting in my AP System Profile. Make sure that is empty or your RAP will proxy all DNS requests for domains that aren't in that list.
Guru Elite

Re: No DNS On RAP


Can you ping the 4.2.2.2 DNS server? If not, you have a different issue.


Colin Joseph
Aruba Customer Engineering


Regular Contributor I

Re: No DNS On RAP




I cannot ping 4.2.2.2. I tried with both the default svc-icmp permit and also changing it to src-nat.
Both times it failed during the logon role. Once I authenticate all looks to be good. I am able to ping 4.2.2.2 as well as browse the internet. Any idea why things don't work in the initial role, but once I'm authenticated all is good?

Browsing to 4.2.2.2 causes a redirect to the captive portal; browsing by hostname makes it time out due to DNS failure.

My post auth role is basically:
ipv4 user any any src-nat

The first policy in my Initial role is:
#IPv4 any any udp 68 deny Low
#IPv4 any any svc-dns src-nat pool dynamic-srcnat Yes Low
#IPv4 any any svc-icmp src-nat pool dynamic-srcnat Low
#IPv4 any any svc-dhcp permit Yes Low

Followed by the Amigopod role to redirect.

-ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA
Guru Elite

Re: No DNS On RAP

Instead of just src-nat, use "route, src-nat"


Colin Joseph
Aruba Customer Engineering
