Regular Contributor I
Posts: 236
Registered: ‎04-03-2007

No L3 connectivity within same subnet

I have a situation I'm trying to troubleshoot for a temporary project and wonder if you anyone can help.

I created a new wireless network and new SSID, etc.  I put a single client vlan in that SSID (pool of one). This vlan was one of the existing active client vlans on the controller. Clients are successfully connecting onto the new network and receiving a lease from the appropriate vlan. We then configured a wireless web server with a static IP address in that same vlan (making sure the IP was not in that subnet's dhcp pool). The web server connects to the network with the static and has inbound and outbound network connectivity.

We can browse to the IP address of the web server (port 80) from wireless clients on our existing open and .1x  wireless networks, as well as from clients on wired connections. We cannot, however, browse to that IP address from wireless clients connected within the same wireless network on the same subnet.
I tried changing the authenticated role to a simple allow-all role in case there was a policy block, but this had no effect.
'Deny inter user traffic' is disabled both globally and in the VAP. 'Deny inter user bridging' is enabled globally (no VAP setting), but I thought that only pertained to L2 connectivity. We are trying to connect via L3 (IP of web server). Is this the issue? Can anyone think of anything else that might prevent wireless clients from connecting to a web server on the same wireless subnet?
Thanks in advance.
Mike
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: No L3 connectivity within same subnet

What does the ACL read for devices on that network; more specifically the wireless web server (if it is different)?
Maybe unrelated, but I ran into a similar situation with a customer where they had a wireless web server like you. In their case it was a minor change to the ACL. Is the source "user" or "any"? In their case we needed to change the source to be "any" for any http/https traffic rules that may reach that wireless webserver. The user was permitted to hit the webserver, but because the webserver is also a wireless client, the rules did not permit http inbound.
Chris

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Retired Employee
Posts: 234
Registered: ‎04-19-2011

Re: No L3 connectivity within same subnet

Run the command "show datapath session table <ip-addr>", where <ip-addr> is the address of the client that is not able to browse the server IP. If you see a "D" flag on the session, it means that the session is being blocked by an ACL.
Find out more by running the "show acl hits" command repeatedly and seeing which particular deny rule is being hit.
--
HT
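As an added illustration, not part of the original thread, the following Python helper scans pasted output from the session-table command HT describes and pulls out the sessions carrying the "D" flag, so a denied client-to-server flow can be spotted before moving on to "show acl hits". The sample table below is constructed for this example and its column layout is an assumption modelled on the controller output; the parser therefore only relies on the first five columns and on Flags being the last column.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample, modelled on "show datapath session table <ip-addr>".
# Column layout is an assumption for illustration, not captured controller output.
SAMPLE_SESSION_TABLE = """\
Datapath Session Table Entries
------------------------------
Source IP       Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- ---- ---- --- --- ----------- ---- ------- ----- -----
10.20.30.51     10.20.30.10     6    52144 80    0/0  0    0   1   dev1        1    3       180   D
10.20.30.51     10.20.30.1      17   63021 53    0/0  0    0   0   tunnel 10   0    2       140   FC
10.20.30.51     172.16.5.20     6    52150 443   0/0  0    0   2   tunnel 10   2    12      5400  FC
"""

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_denied_sessions(table: str) -> List[Dict[str, str]]:
    """Return the session rows whose Flags field contains 'D' (blocked by an ACL)."""
    denied = []
    for line in table.splitlines():
        tokens = line.split()
        # Data rows start with a dotted-quad source; titles, headers and rules do not.
        if len(tokens) < 6 or not _IPV4.match(tokens[0]):
            continue
        # The Destination column may contain a space ("tunnel 10"), so take the
        # fixed leading columns from the front and Flags from the very end.
        src, dst, proto, sport, dport = tokens[:5]
        flags = tokens[-1]
        if "D" in flags:
            denied.append({"src": src, "dst": dst, "proto": proto,
                           "sport": sport, "dport": dport, "flags": flags})
    return denied


def denied_by_destination(table: str) -> Counter:
    """Count denied sessions per (destination IP, protocol, destination port)."""
    return Counter((s["dst"], s["proto"], s["dport"]) for s in parse_denied_sessions(table))


if __name__ == "__main__":
    for s in parse_denied_sessions(SAMPLE_SESSION_TABLE):
        print(f"denied: {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} proto {s['proto']} flags {s['flags']}")
```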