Security

Reply
Aruba Employee

6.1.3.1 upgrade, captive portal now broken. Broswers report redirect loop

Hi everyone.  I recently upgraded my lab (just my lab, thank god) guest controllers from 5.0.4.4 to 6.1.3.1 and now users don't get redirected to the controller internal captive portals.  All the browsers on the clients I try all (except for IE, which just shows a blank page) report a redirect problem.  Chrome says there's a redirect loop, Firefox says the page isn't redirecting properly, and Android reports too many redirects.

 

Downgrading back to 5.04.4 resolves the issue.

 

I do have a TAC case open and over an hour of troubleshooting hasn't helped.  Anyone else seen anything like this?

Re: 6.1.3.1 upgrade, captive portal now broken. Broswers report redirect loop

I did see this myself once. To fix it, I did an intermediate upgrade to 6.0.1.something (can't remember exactly which), then on to 6.1.3.1. The release notes don't say this is required, but some debugging I did when it was broken seemed to indicate the controller wasn't looking for the files in the flash properly (looking in wrong paths). After I did the two step upgrade it was fine. As it's only a lab, maybe try it?

Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite

Re: 6.1.3.1 upgrade, captive portal now broken. Broswers report redirect loop


mike.j.gallagher wrote:

Hi everyone.  I recently upgraded my lab (just my lab, thank god) guest controllers from 5.0.4.4 to 6.1.3.1 and now users don't get redirected to the controller internal captive portals.  All the browsers on the clients I try all (except for IE, which just shows a blank page) report a redirect problem.  Chrome says there's a redirect loop, Firefox says the page isn't redirecting properly, and Android reports too many redirects.

 

Downgrading back to 5.04.4 resolves the issue.

 

I do have a TAC case open and over an hour of troubleshooting hasn't helped.  Anyone else seen anything like this?


Have heard a couple unreproducible cases about this.  Installing wireshark on the client and doing a packet capture is a good way to possibly get to the bottom of this.  Does the ip cp-redirect remain unchanged?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: 6.1.3.1 upgrade, captive portal now broken. Broswers report redirect loop

I think I might still have a controller somewhere still in the broken state (as well as the fixed one). From what I recall, the redirect on the client constantly loops to the original client page. The controller debugs show the redirect generated internally pointing at "null" locations (i.e. nothing in the path). Something like that.

Kudos appreciated, but I'm not hunting! (ACMX 104)
Aruba Employee

Re: 6.1.3.1 upgrade, captive portal now broken. Broswers report redirect loop

@Colin - I do have Wireshark on the client and what it shows is the client trying to access google.com then the reply back, which is shown as the IP address of google but I'm certain it's the controller, is an HTTP 302, Moved Temporarily.  Then the controller initiates a normal FIN sequence with the client and the connection is closed.  Then that entire cycle repeats four or five times and the client gives up.

 

Yes, the ip cp-redirect stays the same throughout software upgrades/downgrades.

 

@Racking - I'll start looking at controller debugs as well.  I'm going to try your two-step upgrade path as well to see what happens when I do that.

 

Thanks guys!

 

 

Aruba Employee

Re: 6.1.3.1 upgrade, captive portal now broken. Broswers report redirect loop

Mike,

 

Can you please provide the ticket #?

Aruba Employee

Re: 6.1.3.1 upgrade, captive portal now broken. Broswers report redirect loop

Ticket #1293081.

 

I've run through a lot on my own because TAC has been no help whatsoever.  They're just fixated on my config, which I told them I've been using just fine for four years now.  They won't do any debugging.

 

Last Friday, I blew away both guest controllers completely (wr erase all) and started out with 5.0.4.5, licensed the controllers and did a flash restore.  That was a nightmare.  Restoring flash doesn't give you your exact configuration back, it appends custom session ACL and role entries onto the default entries and really makes a mess of things.  I got the config back to where it was orginally, but the CP wasn't functioning.  No redirect loop, but not functioning.  I figured the flash restore wasn't a good idea at this point.

 

I decided to start from scratch again.  This time after licensing the controllers, I just went ahead and copied and pasted my config in, making sure I pulled all the default stuff out of the default policies and roles that I use.  It finally started working properly again on 5.0.4.5 and upgraded to 6.0.2.1 and everything worked.  However, as soon as I upgrade to 6.1.3.1, all browsers report some kind of redirect loop.  I'm going to try 6.1.2.8, but I don't think that's going to make a difference.

Aruba Employee

Re: 6.1.3.1 upgrade, captive portal now broken. Broswers report redirect loop

I assume that you are using the captive portal page uploaded on the controller and not the external captive portal. Correct?

 

Just checked the packet-captures uploaded on the ticket notes. It looks that the location in the redirection URL (HTTP 302) is not correct.

 

In non working scenario:

  Location: http://utk.edu/\r\n

 

In my setup, for working scenario, the redirect locartion is:

  Location: https://securelogin.arubanetworks.com/cgi-bin/login?    cmd=login&mac=00:1c:26:89:af:78&ip=10.0.32.22&essid=PCC_Student&url=http%3A%2F%2Fpac%2Ezscaler%2Enet%2Fpcci%2Eedu%2Fproxy%2Epac\r\n

 

Can you please take client side packet-capture for working and non-working scenario to compare the difference? 

 

I will go through the config to understand the setup. As of now, I understasnd that you are using L2 GRE tunnel to redirect the guest traffic to the central guest controller and trying to show the captive-portal from there.


Aruba Employee

Re: 6.1.3.1 upgrade, captive portal now broken. Broswers report redirect loop

Hi Alap - Yes, I am using L2 GRE tunnels from my local controllers to redirect traffic up to central guest controllers.  I'll go ahead and get fresh sniffer traces for working and non-working scenerios and post them to the case.

 

Thanks for the reply!

Aruba Employee

Re: 6.1.3.1 upgrade, captive portal now broken. Broswers report redirect loop

Hi Alap - I went ahead and uploaded two fresh sniffer traces to the case.  One from AOS 6.0.2.1 that shows a correct redirect and one from 6.1.3.1 that shows the incorrect redirect.  What you saw in my original sniffer trace looks to be the problem.  AOS 6.1.3.1 (and 6.1.2.8) puts the original URL requested in the HTTP 302 temporarily moved redirect, which causes a loop.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: