Controllerless Networks

New Contributor

Access rule to allow application "ipsec" results in almost full access

Hi,

I have an Instant environment (11 APs) with "production" and "guest" SSIDs.

"production" is 802.1X with an external RADIUS server and is not limited at the Instant level but further on the firewall.

Guest has some Access rules defined in the SSID configuration ("Access" tab) denying access to all private IP subnets.

After adding a new rule allowing the ipsec application, it turned out that Guest users are able to access some private IPs (for example 10.22.0.103 over HTTP). When the ipsec access rule is deleted, all works as expected again - 10.22.0.103 over HTTP times out etc.

I've noticed that ipsec has no default ports defined - is it possible that because of this it allows all traffic?

show dpi app ipsec

Pre-defined Application
-----------------------
Name   App ID  App Category  Default Ports
----   ------  ------------  -------------
ipsec  85      encrypted     

Please see Access rules (with ipsec included):

Access Rules
------------
Dest IP     Dest Mask        Dest Match  Protocol (id:sport:eport)  Application  Action  Log  TOS  802.1P  Blacklist  App Throttle (Up:Down)  Mirror  DisScan  ClassifyMedia
-------     ---------        ----------  -------------------------  -----------  ------  ---  ---  ------  ---------  ----------------------  ------  -------  -------------
any         any              match                                  app ipsec    permit                                                                        
172.16.0.0  255.240.0.0      match       any                                     deny    Yes                                                                   
10.0.0.0    255.0.0.0        match       any                                     deny    Yes                                                                   
10.22.0.1   255.255.255.255  match       any                                     deny    Yes                                                                   
any         any              match       any                                     permit                                                                        

The InstantOS version is 6.4.2.6-4.1.1.6_50009

Kind Regards,

Jakub

Aruba Employee

Re: Access rule to allow application "ipsec" results in almost full access

Hi Jakub,

Please try collecting the following outputs at time of issue:

show datapath session | include <private IP>

show datapath session dpi | include <private IP>

Re: Access rule to allow application "ipsec" results in almost full access

Do you have the datapath session table during the time the user is accessing that address?

As an aside, you need to add 'any any match dhcp permit' at the top of your policy.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
New Contributor

Re: Access rule to allow application "ipsec" results in almost full access

Hello,

Both commands did not give any output.

After repeating them many times I only saw some multicasts or broadcasts, for example:

show datapath session dpi | include 172.22.60.10
172.22.60.10      239.255.255.250 17   63238 1900  App-Not-Class       [0   ] Web-Not-Class       [0  ] 0      0       0     0       FC

I've managed to block traffic to private IPs by moving the "application" ipsec rule down on the list, below all the "deny" rules.

During the troubleshooting it turned out that application "dns" was resulting in the same behavior when being placed before deny rules.

Using Service/Network/dns instead of Service/Application/dns gives the expected results - any DNS traffic is allowed and the deny rules block all other traffic to private IPs.

When executing "show datapath session dpi", so without any filtering, I can see that for all entries App and Webcat have the values App-Not-Class and Web-Not-Class respectively. Does it look good to you? I would expect to see categories here at least for known traffic (ssh sessions and others on the list). In the WebGUI, AppRF for the "guest" network shows a few categories, so it looks like application recognition is enabled and works.

Regards,

Jakub

New Contributor

Re: Access rule to allow application "ipsec" results in almost full access

Hi,

Please see my other answer re the session list.

Thanks for the DHCP tip - in fact DHCP was working fine in terms of clients acquiring IPs, but indeed some DHCP was blocked - I guess that the initial DHCP communication is unaffected by the deny rules but then packets related to refreshing the IP/extending the lease might be blocked.

I've added a dhcp allow rule at the top - thanks

Regards,

Jakub

Re: Access rule to allow application "ipsec" results in almost full access

Yes, that's correct, the dhcp renew, which is unicast, would be dropped. This is particularly true of mobile devices that go to sleep. They tend to 'remember' their IP address and renew when they wake up or roam rather than send a discover.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
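As an added example, not code from the thread or from Aruba, the following Python script parses an Access Rules table in the format quoted above and flags the two ordering problems the thread arrives at: an application-based permit rule sitting above the deny rules, and no DHCP permit at the top of the policy. The sample table is constructed from the rules quoted in the thread, and the assumption that a DHCP permit renders with "dhcp" in the Protocol column is mine.

```python
import re
PROTO = "Protocol (id:sport:eport)"

# Constructed sample laid out like the Access Rules table quoted in the thread.
SAMPLE = """\
Dest IP     Dest Mask        Dest Match  Protocol (id:sport:eport)  Application  Action  Log  TOS  802.1P  Blacklist  App Throttle (Up:Down)  Mirror  DisScan  ClassifyMedia
-------     ---------        ----------  -------------------------  -----------  ------  ---  ---  ------  ---------  ----------------------  ------  -------  -------------
any         any              match                                  app ipsec    permit
172.16.0.0  255.240.0.0      match       any                                     deny    Yes
10.0.0.0    255.0.0.0        match       any                                     deny    Yes
10.22.0.1   255.255.255.255  match       any                                     deny    Yes
any         any              match       any                                     permit
"""

def _is_dash_line(line):
    s = line.rstrip()
    return bool(s) and set(s) <= {"-", " "} and len(s.split()) >= 3

def parse_access_rules(text):
    """Fixed-width parse: each column starts where a dash run starts on the underline."""
    lines = text.splitlines()
    di = next(i for i, l in enumerate(lines) if _is_dash_line(l))
    starts = [m.start() for m in re.finditer(r"-+", lines[di])]
    ends = starts[1:] + [None]
    names = [lines[di - 1][s:e].strip() for s, e in zip(starts, ends)]
    return [{n: l[s:e].strip() for n, s, e in zip(names, starts, ends)}
            for l in lines[di + 1:] if l.strip()]

def lint_rules(rules):
    """Flag the two ordering problems raised in the thread; rules are first-match, top to bottom."""
    findings = []
    first = rules[0] if rules else {}
    # Assumption: a DHCP permit renders with 'dhcp' in the Protocol column.
    if not (first.get("Action") == "permit" and "dhcp" in first.get(PROTO, "").lower()):
        findings.append("no DHCP permit at the top: unicast DHCP renews (sleeping/roaming clients) hit the deny rules")
    for i, r in enumerate(rules):
        if r["Application"] and r["Action"] == "permit" and any(d["Action"] == "deny" for d in rules[i + 1:]):
            findings.append(f"rule {i + 1} ('{r['Application']}' permit) is above deny rules; "
                            "in the thread this exposed the denied private subnets until it was moved below them")
    return findings

def reorder(rules):
    """Constructed fix: DHCP permit first, then the deny rules, then application permits, then the rest."""
    dhcp = dict.fromkeys(rules[0], "")
    dhcp.update({"Dest IP": "any", "Dest Mask": "any", "Dest Match": "match", PROTO: "dhcp", "Action": "permit"})
    deny = [r for r in rules if r["Action"] == "deny"]
    app = [r for r in rules if r["Application"] and r["Action"] != "deny"]
    rest = [r for r in rules if not r["Application"] and r["Action"] != "deny"]
    return [dhcp] + deny + app + rest
```

Running `lint_rules(parse_access_rules(SAMPLE))` reports both findings for the table as originally posted, and `lint_rules(reorder(rules))` returns nothing.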