Controller Based WLANs

How to determine ip fragmentation issue which leads to 'D' flag for Aruba AP's?

Aruba Employee

Environment         Product & Software : This article applies to Aruba OS 3.4 and above.

 

When the Aruba AP's get stuck in the dirty 'D' flag which means configuration is getting pushed to the AP. It could be related to IP fragmentation and reassembly problems in the network.

This can be verified by enabling log-icmp-error on the stateful firewall and check for ICMP errors in “show log security”

Execute the below command to enable log-icmp-error from cli:

(Aruba) (config) #firewall log-icmp-error

To enable log-icmp-error from webui:

Navigate to Configuration> Advanced Services> Stateful Firewall> Global Settings

 

1.jpg

 

An ICMP error from the AP with code 11 would mean that the AP is missing IP fragments and it cannot re-construct the config message.

Here is the sample from show log security.

(Aruba) #show log security 50 | include "type=11"
Aug 27 18:53:28 :124006:  <WARN> |authmgr|  {167} ICMP srcip=10.13.32.11 dstip=119.82.106.146, type=11, code=1, action=deny
Aug 27 18:53:44 :124006:  <WARN> |authmgr|  {168} ICMP srcip=10.13.32.11 dstip=119.82.106.146, type=11, code=1, action=deny
Aug 27 18:54:53 :124006:  <WARN> |authmgr|  {169} ICMP srcip=10.13.32.11 dstip=119.82.106.146, type=11, code=1, action=deny
Aug 27 19:12:46 :124006:  <WARN> |authmgr|  {170} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:13:17 :124006:  <WARN> |authmgr|  {171} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:13:41 :124006:  <WARN> |authmgr|  {172} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:13:45 :124006:  <WARN> |authmgr|  {173} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:13:57 :124006:  <WARN> |authmgr|  {174} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:14:05 :124006:  <WARN> |authmgr|  {175} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:14:08 :124006:  <WARN> |authmgr|  {176} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:14:14 :124006:  <WARN> |authmgr|  {177} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny
Aug 27 19:14:28 :124006:  <WARN> |authmgr|  {178} ICMP srcip=10.13.32.11 dstip=101.222.228.207, type=11, code=1, action=deny

Version history
Revision #:
1 of 1
Last update:
‎11-12-2014 10:07 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.