Wireless Access
Frequent Contributor I

AP Firewall Question

I am running on 6.4.1.0 and am experiencing the bug mentioned in the release notes for 6.4.2.1, which I have pasted below. The part in question is the bold part. I would like to change this setting on my current install but I cannot find this setting for the life of me. I have searched high and low and cannot find any reference to it.

Symptom: Controllers were unable to see ping requests, which resulted in ping responses being
dropped. This issue is resolved by disabling the firewall enable-stateful-icmp parameter by default.
Scenario: This issue was observed when the firewall checked for the unsolicited ICMP echo replies and
dropped them if there were no ICMP echo request sessions. This issue was observed in the 7200 Series
controllers and M3 controllers running ArubaOS 6.4.1.0 and above.

Guru Elite

Re: AP Firewall Question

You need to do it from the CLI.

(config) #no firewall enable-stateful-icmp

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: AP Firewall Question

That's what I thought, and I looked there but did not see it even in there. Then when I run that, it doesn't recognize the enable-stateful-icmp part.

(Aruba7210) (config) #no firewall enable-stateful-icmp
^
% Invalid input detected at '^' marker.

Guru Elite

Re: AP Firewall Question

Does it accept the command without the "no"?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: AP Firewall Question

Nope, same behavior. Hence why I've been so confused...

Re: AP Firewall Question

That command worked for me, at AOS 6.4.2.1-FIPS. Not sure if maybe it's just not present in 6.4.1.0. If you run a "no firewall ?", what is the output?

(Aruba7010) (config) #no firewall enable-stateful-icmp

(Aruba7010) (config) #show image ver
----------------------------------
Partition       : 0:1 (/dev/usb/flash2) **Default boot**
Software Version : ArubaOS 6.4.2.1-FIPS (Digitally Signed - Production Build)
Build number    : 46041
Label           : 46041
Built on        : Thu Sep 18 02:50:20 PDT 2014

Jerrod Howard
Sr. Technical Marketing Engineer
Frequent Contributor I

Re: AP Firewall Question

It does not appear that the command exists in 6.4.1.0, which is strange since it's listed in the release notes. I was hoping to get this issue fixed without upgrading, as I just had to downgrade from 6.4.2.0 due to an issue with ARM that I need to open with TAC. I think there is a bug that basically set ARM to its lowest values and ignored any settings I gave it. I can replicate it on my test controller, but I have not had a chance to see if 6.4.2.2 fixes it. I did not see it in the release notes, so I am guessing not.

(Aruba7210) (config) #no firewall ?
allow-stun              Allow ICE-STUN based firewall traversal. Default
                        option is enabled
allow-tri-session       Allow three way session when performing destination
                        NAT
amsdu                   Enable receiving AMSDUs
attack-rate             Configure attack rates
bwcontracts-subnet-br.. Apply bw contracts to local subnet broadcast traffic
cp-bandwidth-contract   Configure bandwidth contracts that protect CP
deny-inter-user-bridg.. Disallow forwarding non-IP frames between untrusted
                        users
deny-inter-user-traff.. Disallow forwarding any frames between untrusted
                        users
deny-source-routing     Disallow forwarding of IP frames with source routing
                        options set
disable-ftp-server      Disable FTP server
disable-stateful-h323.. Disable stateful H.323 processing. Default option is
                        disabled.
disable-stateful-sccp.. Disable stateful SCCP processing. Default option is
                        disabled.
disable-stateful-sip-.. Disable stateful SIP processing. Default option is
                        disabled.
disable-stateful-sips.. Disable stateful SIPS processing. Default option is
                        disabled. !! WARNING: Disable 'classify-media' CLI
                        in access-list for better performance !!
disable-stateful-ua-p.. Disable stateful UA processing. Default option is
                        disabled.
disable-stateful-voce.. Disable stateful VOCERA processing. Default option
                        is disabled.
dpi                     Enable DPI Classification
drop-ip-fragments       Drop all IP fragments
enable-per-packet-log.. Enable per-packet logging. Default is per-session
                        logging.
enforce-tcp-handshake   Enforce TCP handshake before allowing data
enforce-tcp-sequence    Enforce TCP sequence numbers for all packets
gre-call-id-processing  Enable GRE call ID processing
imm-fb                  Triggers datapath immediate freeback of buffers.
                        Applicable to 72xx Platform only(Default disabled)
jumbo                   Enable Jumbo frames processing
local-valid-users       Only allow IP addresses of local subnets in user
                        table
log-icmp-error          Log all received ICMP errors
prevent-dhcp-exhausti.. Enable check for DHCP client-hw-address against
                        packet source mac
prohibit-arp-spoofing   Prohibit ARP spoofing
prohibit-ip-spoofing    Prohibit IP spoofing
prohibit-rst-replay     Prohibit TCP RST replay attack
session-tunnel-fib      Enable session,tunnel based forwarding. !!Warning!!
                        It is recommended to toggle this knob during
                        maintenance window or OFF peak production hours. On
                        M3 this knob will enable ONLY tunnel based
                        forwarding, session based does NOT apply to this
                        platform.
shape-mcast             Automatically shape bursty multicast traffic
stall-crash             Triggers datapath crash on stall detection.
                        Applicable to 72xx Platform only
voip-wmm-content-enfo.. Enforce WMM voice priority matches flow content

Re: AP Firewall Question

I would open a TAC case to file a defect or bug as to why that command is not present (it's not in the CLI guide either).

Jerrod Howard
Sr. Technical Marketing Engineer
Super Contributor I

Re: AP Firewall Question

I could check that ARM thing out on 6.4.2.2, if you have a way to replicate/diagnose the problem. We haven't had time to go proofreading what ARM is doing yet, so that might be an opportune intro to ARM debugging for me.

Frequent Contributor I

Re: AP Firewall Question

Because I hate when I look for solutions to things and see a thread left unsolved: I loaded 6.4.2.2 on my test controller and it does appear that the command is missing from 6.4.1.0. It does exist in 6.4.2.2 and appears to do exactly what it's supposed to. I will let TAC know, but I would not expect a software update for the 6.4.1.0 version since newer tech releases are already out that address the problem.

As for the ARM thing, in my first quick test it may be fixed as well, because it's actually respecting the parameters I assign it now, whereas before it would always broadcast at the same (very low) power regardless of what I told it to do.
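As an added example (not code from the thread or from Aruba), here is a small Python check that parses the "no firewall ?" help listing and the "show image version" output quoted above, so an automation script can confirm the enable-stateful-icmp knob actually exists on a controller before pushing "no firewall enable-stateful-icmp" to it. The two excerpts are constructed from the outputs posted in the thread; the ".." truncation of long keywords and the wrapped description lines are handled as the CLI prints them.

```python
import re

# Constructed excerpt of the "no firewall ?" help output quoted in the thread: the CLI
# truncates long keywords with ".." and wraps descriptions onto indented lines.
HELP_OUTPUT = """\
allow-stun              Allow ICE-STUN based firewall traversal. Default
                        option is enabled
bwcontracts-subnet-br.. Apply bw contracts to local subnet broadcast traffic
disable-stateful-sips.. Disable stateful SIPS processing. Default option is
                        disabled. !! WARNING: Disable 'classify-media' CLI
                        in access-list for better performance !!
log-icmp-error          Log all received ICMP errors
"""

# Constructed "show image version" excerpt in the layout shown in the thread.
IMAGE_OUTPUT = """\
Partition       : 0:1 (/dev/usb/flash2) **Default boot**
Software Version : ArubaOS 6.4.2.1-FIPS (Digitally Signed - Production Build)
"""

def parse_help(text):
    """Map each help keyword (possibly '..'-truncated) to its full description."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current:      # wrapped description text
            entries[current] += " " + line.strip()
            continue
        current, _, desc = line.partition(" ")
        entries[current] = desc.strip()
    return entries

def knob_available(help_text, knob):
    """True if the help listing contains the knob, honouring '..' truncation."""
    for keyword in parse_help(help_text):
        if keyword.endswith(".."):
            if knob.startswith(keyword[:-2]):
                return True
        elif keyword == knob:
            return True
    return False

def parse_version(image_text):
    """Return ((major, minor, maint, patch), suffix) from show image version."""
    m = re.search(r"ArubaOS\s+(\d+)\.(\d+)\.(\d+)\.(\d+)(-\S+)?", image_text)
    if not m:
        raise ValueError("no ArubaOS version line found")
    return tuple(int(x) for x in m.groups()[:4]), (m.group(5) or "").lstrip("-")
```

With the listing captured from a 6.4.1.0 controller, knob_available(..., "enable-stateful-icmp") returns False, which is the condition to stop and escalate rather than fail mid-change.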