Hi everyone,
I have a ticket open for this problem as well, but I thought, why not post it here too, because you never know whether someone has seen this problem before.
I have a setup with a captive portal vlan for my guest users.
Some specifics:
Captive portal on the Aruba 3200XM, AOS version 6.1.3.4.
Routing on an external corporate router.
Both IPv4 and IPv6 active on the vlan.
Aruba has an IPv4 and an IPv6 address on the vlan and those addresses are used as the captive portal addresses.
When I have rebooted the controller, everything works fine. The guests are presented with the captive portal page, are able to log in and are able to use the wireless network. This works for several weeks without problems.
After some time, without any changes in the configuration, everything stops working. What I then notice on a test client is the following:
The rules for the initial connectivity still work:
The client receives an IPv4 address from the DHCP server.
The client configures a SLAAC IPv6 address based on the received RA packets.
The client can do a DNS lookup for the site it wants to visit.
But when the client tries to connect to the site it wants to visit, it sends out a SYN packet to set up the connection but never receives an ACK. To my understanding this ACK should come from the controller, which should intercept the traffic so it can redirect the client to the captive portal. But this never happens, because it never sends an ACK back for the SYN request.
When I reboot the controller again everything works again for some time but that doesn't fix the problem in the long run.
At the moment the controller is in this defective state, so we can't use guest access at all right now, and my management is not really happy with this, so one of these days I will have to reboot the controller to get a working situation again. But that stops the debugging dead in its tracks.
I also have a different SSID that I use with 802.1X to authenticate users. This keeps working just fine. So the problem is definitely with the guest VLAN.
Some information:
(aruba01) #show aaa profile TC3GUEST-aaa_prof
AAA Profile "TC3GUEST-aaa_prof"
-------------------------------
Parameter Value
--------- -----
Initial role guest-logon
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group default
802.1X Authentication Profile N/A
802.1X Authentication Default Role guest
802.1X Authentication Server Group N/A
L2 Authentication Fail Through Disabled
RADIUS Accounting Server Group N/A
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Disabled
(aruba01) #show aaa authentication captive-portal TC3-Guest-cp_prof
Captive Portal Authentication Profile "TC3-Guest-cp_prof"
---------------------------------------------------------
Parameter Value
--------- -----
Default Role authenticated
Default Guest Role guest
Server Group CaptivePortal_srvgrp
Redirect Pause 10 sec
User Login Enabled
Guest Login Enabled
Logout popup window Enabled
Use HTTP for authentication Disabled
Logon wait minimum wait 5 sec
Logon wait maximum wait 10 sec
logon wait CPU utilization threshold 60 %
Show FQDN Disabled
Use CHAP (non-standard) Disabled
Login page /upload/custom/TC3-Guest-cp_prof/index.html
Welcome page /auth/welcome.html
Show Welcome Page Yes
Add switch IP address in the redirection URL Disabled
Allow only one active user session Disabled
White List walled-garden-access
White List walled-garden-access-ipv6
Black List N/A
Show the acceptable use policy page Disabled
When my test client is connected to the SSID and is trying to connect to a website I see the following in the controller for this client:
(aruba01) #show user | include 10.22.61.147
10.22.61.147 18:f4:6a:98:9f:e8 guest-logon 00:00:07 d8:c7:c8:cb:5f:5c Wireless TC3GUEST/d8:c7:c8:35:f5:c0/g-HT TC3GUEST-aaa_prof tunnel Linux
(aruba01) #show datapath session table 10.22.61.147
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
u - User Index
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- ------ ------ -----
If someone knows why this is happening, I would be very happy.
Jan Hugo Prins
#3200
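As an added example that is not part of the original post or of ArubaOS: a small probe a Linux test client on the guest VLAN can run to make the check described above repeatable. In a working captive-portal setup the controller completes the TCP handshake on behalf of whatever web server the client asked for and answers the HTTP request with a redirect to the portal, so the healthy result is "handshake completed, 3xx with a Location header pointing at the portal"; the fault described in the post shows up as a connect timeout (SYN sent, nothing back), which is a different thing from a refused connection (RST) or a missing route. The portal hostname `portal.example`, the file name `cpprobe.py` and the loopback fake server are constructed for the demonstration only.

```python
"""Captive-portal interception probe (added example, not ArubaOS code).

Opens a TCP connection to a web server from the guest VLAN and classifies the
outcome. The fake server and PORTAL_URL below are constructed for the demo.
"""
import socket
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

TIMEOUT = 5.0  # seconds to wait for the handshake; an unanswered SYN ends up here
PORTAL_URL = "https://portal.example/login?url=http://www.example.com/"  # constructed


def parse_response_head(raw):
    """Return (status_code, {lower-cased header: value}) from an HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def probe(host, port=80, path="/", portal_host=None, timeout=TIMEOUT,
          family=socket.AF_UNSPEC):
    """Classify what a client sees when reaching http://host:port/path.

    state: no_syn_ack (SYN sent, no answer: the post's failure), refused (RST),
    unreachable, portal_redirect (3xx whose Location host is portal_host),
    redirect (3xx elsewhere), direct (2xx: not intercepted), other, dns_failure.
    """
    try:
        af, kind, proto, _, sockaddr = socket.getaddrinfo(
            host, port, family, socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return {"state": "dns_failure", "detail": str(exc)}
    result = {"address": sockaddr[0]}
    sock = socket.socket(af, kind, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)  # the SYN goes out here
    except socket.timeout:
        sock.close()
        return dict(result, state="no_syn_ack")
    except ConnectionRefusedError:
        sock.close()
        return dict(result, state="refused")
    except OSError as exc:
        sock.close()
        return dict(result, state="unreachable", detail=str(exc))
    try:
        req = "GET {} HTTP/1.1\r\nHost: {}\r\nConnection: close\r\n\r\n".format(path, host)
        sock.sendall(req.encode("ascii"))
        raw = b""
        while b"\r\n\r\n" not in raw:  # read until the response head is complete
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    except OSError as exc:
        return dict(result, state="unreachable", detail=str(exc))
    finally:
        sock.close()
    status, headers = parse_response_head(raw)
    result["status"] = status
    if status is not None and 300 <= status < 400 and "location" in headers:
        loc = headers["location"]
        to_portal = portal_host is not None and urlparse(loc).hostname == portal_host
        return dict(result, location=loc,
                    state="portal_redirect" if to_portal else "redirect")
    if status is not None and 200 <= status < 300:
        return dict(result, state="direct")
    return dict(result, state="other")


class _FakeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: 'redirect' mimics the portal intercept, 'direct' an open path."""
    behaviour = "redirect"

    def do_GET(self):
        body = b"" if self.behaviour == "redirect" else b"not intercepted\n"
        self.send_response(302 if self.behaviour == "redirect" else 200)
        if self.behaviour == "redirect":
            self.send_header("Location", PORTAL_URL)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server(behaviour):
    """Loopback HTTP server with the given behaviour; stop with .shutdown() + .server_close()."""
    server = HTTPServer(("127.0.0.1", 0), type("H", (_FakeHandler,), {"behaviour": behaviour}))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def free_loopback_port():
    """A loopback port nothing listens on, to demonstrate the 'refused' outcome."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    # On the test client: python3 cpprobe.py www.example.com [expected-portal-host]
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    for fam in (socket.AF_INET, socket.AF_INET6):  # the post's VLAN is dual-stack
        print(fam.name, probe(target, portal_host=expected, family=fam))
```

Run it once for IPv4 and once for IPv6 against the same hostname, because the post's VLAN is dual-stack and the controller holds a separate portal address for each family; a `no_syn_ack` in one family and a `portal_redirect` in the other narrows the fault considerably, whereas `refused` or `unreachable` points at routing or the test host rather than at the controller's intercept.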