12-01-2012 01:59 PM - edited 12-01-2012 02:08 PM
I have a ticket open for this problem as well, but I thought, why not post it here as well because you might never know if someone has seen this problem before.
I have a setup with a captive portal vlan for my guest users.
Captive portal on the Aruba 3200XM AOS version 184.108.40.206.
Routing on a external corporate router.
Both IPv4 and IPv6 active on the vlan.
Aruba has an IPv4 and an IPv6 address on the vlan and those addresses are used as the captive portal addresses.
When I have rebooted the controller everything works fine. The guests are presented with the captive portal page, are able to login and are able to use the wireless network This works for several weeks without problems.
After some time, without any changes in the configuration, everything stops working. What I then notice on a test client is the following:
The rules for the initial connectivity still work:
The client receives an IPv4 address from the DHCP server.
The client configures a SLAAC IPv6 address based on the received RA packets.
The client can do a DNS lookup for the site it want's to visit.
But when the client tries to connect to the site it wants to visit it sends out a SYN packet to setup the connection, but it never receives an ACK. To my understanding this ACK should come from the controller which should intercept the traffic so it can redirect the client to the captive portal. But this never happens because it never sends an ack back on the syn request.
When I reboot the controller again everything works again for some time but that doesn't fix the problem in the long run.
At the moment the controller is in this defective state, so we can't use the guest access at all at the moment and my management is not really happy with this so one of these days I have to reboot the controller to have a working situation again. But that stops the debugging dead in it's tracks.
I also have a different SSID that I use with 802.1x to authenticate users. This keeps working just fine. So the problem is definetly with the guest vlan.
(aruba01) #show aaa profile TC3GUEST-aaa_prof
AAA Profile "TC3GUEST-aaa_prof"
Initial role guest-logon
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group default
802.1X Authentication Profile N/A
802.1X Authentication Default Role guest
802.1X Authentication Server Group N/A
L2 Authentication Fail Through Disabled
RADIUS Accounting Server Group N/A
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Disabled
(aruba01) #show aaa authentication captive-portal TC3-Guest-cp_prof
Captive Portal Authentication Profile "TC3-Guest-cp_prof"
Default Role authenticated
Default Guest Role guest
Server Group CaptivePortal_srvgrp
Redirect Pause 10 sec
User Login Enabled
Guest Login Enabled
Logout popup window Enabled
Use HTTP for authentication Disabled
Logon wait minimum wait 5 sec
Logon wait maximum wait 10 sec
logon wait CPU utilization threshold 60 %
Show FQDN Disabled
Use CHAP (non-standard) Disabled
Login page /upload/custom/TC3-Guest-cp_prof/index.html
Welcome page /auth/welcome.html
Show Welcome Page Yes
Add switch IP address in the redirection URL Disabled
Allow only one active user session Disabled
White List walled-garden-access
White List walled-garden-access-ipv6
Black List N/A
Show the acceptable use policy page Disabled
When my test client is connected to the SSID and is trying to connect to a website I see the following in the controller for this client:
(aruba01) #show user | include 10.22.61.147
10.22.61.147 18:f4:6a:98:9f:e8 guest-logon 00:00:07 d8:c7:c
8:cb:5f:5c Wireless TC3GUEST/d8:c7:c8:35:f5:c0/g-HT TC3GUEST-aaa_prof tunnel Linux
(aruba01) #show datapath session table 10.22.61.147
Datapath Session Table Entries
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
u - User Index
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- ------ ------ -----
If someone knows why this is happening, I would be very happy.
Jan Hugo Prins
Solved! Go to Solution.
12-02-2012 12:39 AM
Howlong does this take to happen again?
Have you tried to capture packets from the controller port ?
Have you tried to shutdown the port only and then no shut instead of rebooting the controller ?
When the clients access controller and after sending SYN he needs to receive a redirect to the controller IP/captive portal page.
12-02-2012 01:47 PM
I did some extra debugging today and I have found the cause of my problem. I also found that the thing I thought to be true about DNS resolving were not completly true after all.
In my configuration I had limited the number of sessions for the Guest role and the Guest-Logon role. But the problem was that my limit was to tight which resulted for all clients in a working configuration at start but very soon after that a failing configuration. I misinterpreted this due to the moments I tested and the fact that the test client I used was allready connected when I tested again and noticed everything was broken.
Everything works perfectly again.
Jan Hugo Prins
12-02-2012 10:50 PM - edited 12-02-2012 10:51 PM
So you enabled ( Allow only one active user session) in CP authentication ?And by disabling it you solved your issue.
Or something else that caused it?
12-03-2012 12:15 AM
I think he is referring to the "sessions" parameter in the user role.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
12-03-2012 12:36 AM