10-08-2014 06:14 AM
I am running on 220.127.116.11 and am experiencing the bug mentioned in the release notes for 18.104.22.168, which I have pasted below. The part in question is the bold part. I would like to change this setting on my current install, but I cannot find this setting for the life of me. I have searched high and low and cannot find any reference to it.
Symptom: Controllers were unable to see ping requests, which resulted in ping responses being
dropped. This issue is resolved by disabling the firewall enable-stateful-icmp parameter by default.
Scenario: This issue was observed when the firewall checked for the unsolicited ICMP echo replies and
dropped them if there were no ICMP echo request sessions. This issue was observed in the 7200 Series
controllers and M3 controllers running ArubaOS 22.214.171.124 and above.
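Added example (not part of the original thread and not ArubaOS code): a minimal Python model of the stateful ICMP check described in the release note above, showing why an echo reply is dropped when the firewall never saw the matching echo request. The class, the stateful_icmp parameter standing in for the enable-stateful-icmp setting, and the addresses are constructed for illustration.

```python
# Added illustration: a minimal stateful ICMP echo tracker. It models the
# behaviour the release note describes; it is not ArubaOS code.
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8

def icmp_echo(icmp_type, ident, seq):
    """Build a constructed 8-byte ICMP echo header (checksum left at 0)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)

class IcmpFirewall:
    def __init__(self, stateful_icmp=True):
        # Hypothetical stand-in for the enable-stateful-icmp setting.
        self.stateful_icmp = stateful_icmp
        self.sessions = set()  # (requester, responder, ident, seq)

    def process(self, src, dst, packet):
        """Return 'forward' or 'drop' for one ICMP packet the firewall sees."""
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
        if icmp_type == ECHO_REQUEST:
            # An echo request opens a session that the reply must match.
            self.sessions.add((src, dst, ident, seq))
            return "forward"
        if icmp_type == ECHO_REPLY and self.stateful_icmp:
            key = (dst, src, ident, seq)  # the reply reverses the request
            if key not in self.sessions:
                return "drop"  # unsolicited echo reply: no request session
            self.sessions.discard(key)  # one reply per request
        return "forward"

def replay(firewall, seen_packets):
    """Feed the packets the firewall actually saw; return its verdicts."""
    return [firewall.process(src, dst, pkt) for src, dst, pkt in seen_packets]

# Constructed traffic: client 10.0.0.5 pings 10.0.1.9.
REQ = ("10.0.0.5", "10.0.1.9", icmp_echo(ECHO_REQUEST, 0x1234, 1))
REP = ("10.0.1.9", "10.0.0.5", icmp_echo(ECHO_REPLY, 0x1234, 1))

if __name__ == "__main__":
    # Normal case: the firewall saw the request, so the reply passes.
    print("request seen, stateful on   :", replay(IcmpFirewall(True), [REQ, REP]))
    # Symptom from the release note: request not seen, reply dropped.
    print("request missed, stateful on :", replay(IcmpFirewall(True), [REP]))
    # With the stateful check disabled, the same reply is forwarded.
    print("request missed, stateful off:", replay(IcmpFirewall(False), [REP]))
```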
10-08-2014 06:20 AM
That's what I thought, and looked there but did not see it even in there. When I run that, it doesn't recognize the enable-stateful-icmp part.
(Aruba7210) (config) #no firewall enable-stateful-icmp
% Invalid input detected at '^' marker.
10-08-2014 07:12 AM - edited 10-08-2014 07:12 AM
That command worked for me, at AOS 126.96.36.199-FIPS. Not sure if maybe it's just not present in 188.8.131.52. If you run a "no firewall ?", what is the output?
(Aruba7010) (config) #no firewall enable-stateful-icmp
(Aruba7010) (config) #show image ver
Partition : 0:1 (/dev/usb/flash2) **Default boot**
Software Version : ArubaOS 184.108.40.206-FIPS (Digitally Signed - Production Build)
Build number : 46041
Label : 46041
Built on : Thu Sep 18 02:50:20 PDT 2014
Sr. Technical Marketing Engineer
10-08-2014 07:16 AM - edited 10-08-2014 07:19 AM
It does not appear that the command exists in 220.127.116.11, which is strange since it's listed in the release notes. I was hoping to get this issue fixed without upgrading, as I just had to downgrade from 18.104.22.168 due to an issue with ARM that I need to open with TAC. I think there is a bug that basically set ARM to its lowest values and ignored any settings I gave it. I can replicate it on my test controller, but I have not had a chance to see if 22.214.171.124 fixes it. I did not see it in the release notes, so I am guessing not.
(Aruba7210) (config) #no firewall ?
allow-stun Allow ICE-STUN based firewall traversal. Default
option is enabled
allow-tri-session Allow three way session when performing destination
amsdu Enable receiving AMSDUs
attack-rate Configure attack rates
bwcontracts-subnet-br.. Apply bw contracts to local subnet broadcast traffic
cp-bandwidth-contract Configure bandwidth contracts that protect CP
deny-inter-user-bridg.. Disallow forwarding non-IP frames between untrusted
deny-inter-user-traff.. Disallow forwarding any frames between untrusted
deny-source-routing Disallow forwarding of IP frames with source routing
disable-ftp-server Disable FTP server
disable-stateful-h323.. Disable stateful H.323 processing. Default option is
disable-stateful-sccp.. Disable stateful SCCP processing. Default option is
disable-stateful-sip-.. Disable stateful SIP processing. Default option is
disable-stateful-sips.. Disable stateful SIPS processing. Default option is
disabled. !! WARNING: Disable 'classify-media' CLI
in access-list for better performance !!
disable-stateful-ua-p.. Disable stateful UA processing. Default option is
disable-stateful-voce.. Disable stateful VOCERA processing. Default option
dpi Enable DPI Classification
drop-ip-fragments Drop all IP fragments
enable-per-packet-log.. Enable per-packet logging. Default is per-session
enforce-tcp-handshake Enforce TCP handshake before allowing data
enforce-tcp-sequence Enforce TCP sequence numbers for all packets
gre-call-id-processing Enable GRE call ID processing
imm-fb Triggers datapath immediate freeback of buffers.
Applicable to 72xx Platform only(Default disabled)
jumbo Enable Jumbo frames processing
local-valid-users Only allow IP addresses of local subnets in user
log-icmp-error Log all received ICMP errors
prevent-dhcp-exhausti.. Enable check for DHCP client-hw-address against
packet source mac
prohibit-arp-spoofing Prohibit ARP spoofing
prohibit-ip-spoofing Prohibit IP spoofing
prohibit-rst-replay Prohibit TCP RST replay attack
session-tunnel-fib Enable session,tunnel based forwarding. !!Warning!!
It is recommended to toggle this knob during
maintenance window or OFF peak production hours. On
M3 this knob will enable ONLY tunnel based
forwarding, session based does NOT apply to this
shape-mcast Automatically shape bursty multicast traffic
stall-crash Triggers datapath crash on stall detection.
Applicable to 72xx Platform only
voip-wmm-content-enfo.. Enforce WMM voice priority matches flow content
10-08-2014 08:26 AM
I could check that ARM thing out on 126.96.36.199, if you have a way to replicate/diagnose
the problem. We haven't had time to go proofreading what ARM is doing yet, so that
might be an opportune intro to ARM debugging for me.
10-08-2014 08:51 AM
Because I hate when I look for solutions to things and see threads left unsolved: I loaded 188.8.131.52 on my test controller and it does appear that the command is missing from 184.108.40.206. It does exist in 220.127.116.11 and appears to do exactly what it's supposed to. I will let TAC know, but I would not expect a software update for the 18.104.22.168 version since newer tech releases are already out that address the problem.
As far as the ARM thing, in my first quick test it may be fixed as well, because it's actually respecting the parameters I assign it now, whereas before it would always broadcast at the same (very low) power regardless of what I told it to do.