ACL to actively send a deny or reject on a controller



I am currently trying to implement a session ACL that actively sends a reject to a TCP connection instead of just dropping the traffic, so that users trying to access this service from a wrong network get a reject instantly instead of long timeouts.

And I didn't get it working. So I implemented a test ACL in my lab, looking like this:

ip access-list session my-test-acl
  any user svc-icmp  permit
  any any svc-icmp  permit
  any any svc-https  deny send-deny-response

To reject all traffic to port 443. A web browser shows the same behaviour (it takes a very long time until an error shows up) as the other app. So I started Wireshark to examine it a bit, and Wireshark shows this:



Initially I expected some ICMP packet to be sent from the Aruba controller stating that the service is not reachable, but instead it seems that the controller answers with a TCP RST packet - but this packet seems to be malformed, and so the client just drops it instead of processing it.


Did I miss something, or is this the wrong way to 'reject' a TCP connection? Tried this with and


Thanks & Bye,
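For anyone debugging a capture like the one described above, the following is an added example (it is not from the original post and not Aruba code): a small Python script that builds a few constructed TCP segments, verifies the TCP checksum, and applies the RFC 793 / RFC 5961 rules that decide whether a client stack honours an inbound RST. A RST is only accepted in SYN-SENT state if it carries ACK and acknowledges the client's SYN exactly; in ESTABLISHED state its sequence number must match RCV.NXT (an in-window but inexact RST draws a challenge ACK instead). The addresses, ports and sequence numbers are assumptions chosen for the demonstration.

```python
"""Check whether a captured TCP RST is one the client stack would honour.

Added example (not from the original post): builds constructed IPv4/TCP
segments, verifies the TCP checksum, and applies the RFC 793 / RFC 5961
acceptance rules for a RST in SYN-SENT and ESTABLISHED state.
"""
import ipaddress
import struct
from dataclasses import dataclass

TCP_RST = 0x04
TCP_ACK = 0x10
SEQ_MASK = 0xFFFFFFFF


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4/TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) plus the segment."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, bad_checksum=False) -> bytes:
    """Build a 20-byte TCP header (no options, no payload). bad_checksum=True corrupts
    the checksum field to simulate a segment a stack would discard as malformed."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    if bad_checksum:
        csum ^= 0x5A5A
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed part of the TCP header."""
    sport, dport, seq, ack, _off, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "window": win}


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment with a correct stored checksum sums to all-ones, so recomputing over it yields 0."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


@dataclass
class Conn:
    """The client's view of one connection (constructed for the example)."""
    state: str             # "SYN-SENT" or "ESTABLISHED"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    iss: int = 0           # our initial send sequence number (used in SYN-SENT)
    rcv_nxt: int = 0       # next sequence number we expect (used in ESTABLISHED)
    rcv_wnd: int = 65535   # our advertised receive window


def rst_verdict(conn: Conn, segment: bytes) -> str:
    """Decide how the client would treat an inbound segment arriving from conn.remote_ip."""
    if not checksum_ok(conn.remote_ip, conn.local_ip, segment):
        return "drop: bad TCP checksum"
    seg = parse_tcp(segment)
    if not seg["flags"] & TCP_RST:
        return "not-a-rst"
    if seg["sport"] != conn.remote_port or seg["dport"] != conn.local_port:
        return "drop: ports do not match the connection"
    if conn.state == "SYN-SENT":
        # RFC 793: in SYN-SENT a RST is honoured only if it ACKs our SYN exactly (ISS+1).
        if not seg["flags"] & TCP_ACK:
            return "drop: RST without ACK in SYN-SENT"
        if seg["ack"] != (conn.iss + 1) & SEQ_MASK:
            return "drop: ACK number does not acknowledge our SYN"
        return "accept: connection refused"
    if conn.state == "ESTABLISHED":
        # RFC 5961: exact RCV.NXT match resets; in-window but inexact gets a challenge ACK.
        if seg["seq"] == conn.rcv_nxt:
            return "accept: connection reset"
        if (seg["seq"] - conn.rcv_nxt) & SEQ_MASK < conn.rcv_wnd:
            return "challenge-ack: in window but not RCV.NXT"
        return "drop: sequence number outside receive window"
    return "drop: unsupported state"


# Constructed scenario: client 10.0.0.5:51000 sent a SYN (ISN 1000) to 192.0.2.10:443 (TEST-NET-2).
CLIENT = Conn("SYN-SENT", "10.0.0.5", 51000, "192.0.2.10", 443, iss=1000)
SERVER_IP, CLIENT_IP = CLIENT.remote_ip, CLIENT.local_ip

GOOD_RST = build_tcp(SERVER_IP, CLIENT_IP, 443, 51000, seq=0, ack=1001, flags=TCP_RST | TCP_ACK)
NO_ACK_RST = build_tcp(SERVER_IP, CLIENT_IP, 443, 51000, seq=0, ack=0, flags=TCP_RST)
BAD_SUM_RST = build_tcp(SERVER_IP, CLIENT_IP, 443, 51000, seq=0, ack=1001,
                        flags=TCP_RST | TCP_ACK, bad_checksum=True)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_RST), ("no-ack", NO_ACK_RST), ("bad-sum", BAD_SUM_RST)]:
        print(f"{name:8s} {rst_verdict(CLIENT, pkt)}")
```

To apply this to a real capture, feed `rst_verdict` the raw TCP bytes of the RST from the pcap together with the client's state at that moment (in the browser case that is SYN-SENT with the ISN of the client's SYN); the verdict string says which acceptance rule the segment fails, which is usually more telling than Wireshark's generic "malformed" flag.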


