Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Application Works on Wired Network but not on Wireless Network

  • 1.  Application Works on Wired Network but not on Wireless Network

    Posted Sep 21, 2015 01:21 PM

    We have an application that works on the wired network, but not on our controller based wireless network. It uses UDP port 7700. The wired and wireless networks are on two different VLANs. But, tagging through the wireless VLAN to a wired port gets the app working, indicating our egress firewall configuration is probably not the issue. Do you have any suggestions on how this might be debugged?

    Thanks,
    Robert




  • 2.  RE: Application Works on Wired Network but not on Wireless Network

    EMPLOYEE
    Posted Sep 21, 2015 01:28 PM
    Does it require multicast discovery? (SSDP/DLNA/mDNS)


    Thanks, 
    Tim


  • 3.  RE: Application Works on Wired Network but not on Wireless Network

    Posted Sep 21, 2015 02:52 PM

    Looking at the wired packet capture shows unicast UDP. Looking at show datapath session seems to imply it is being denied. The device is in the right role and the IPv4 policy is any any any permit.


    10.61.251.81 109.123.157.210 17 51995 7700 0/0 0 0 0 tunnel 1230 9 0 0 FDYC

    Any ideas?

    Thanks,

    Robert




  • 4.  RE: Application Works on Wired Network but not on Wireless Network

    EMPLOYEE
    Posted Sep 21, 2015 04:53 PM

    What role is the user in?  What is the output of "show rights <role>"?



  • 5.  RE: Application Works on Wired Network but not on Wireless Network

    Posted Sep 21, 2015 05:18 PM

    show rights EmployeeComputer

    Derived Role = 'EmployeeComputer'
    Up BW:No Limit   Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Assigned VLAN = 250
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Web Content Classification: Enabled
    ACL Number = 90/0
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------
    Position  Name                         Type     Location
    --------  ----                         ----     --------
    1         global-sacl                  session
    2         apprf-EmployeeComputer-sacl  session
    3         allowall                     session

    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

    apprf-EmployeeComputer-sacl
    ---------------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

    allowall
    --------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          any                   permit                           Low                                                           4
    2         any     any          any-v6                permit                           Low                                                           6

    Expired Policies (due to time constraints) = 0



  • 6.  RE: Application Works on Wired Network but not on Wireless Network

    EMPLOYEE
    Posted Sep 21, 2015 05:20 PM

    You should open a TAC case in parallel.  You could have an ACL on a port or enabled filtering on the AppRF dashboard...




  • 7.  RE: Application Works on Wired Network but not on Wireless Network

    Posted Sep 21, 2015 05:38 PM

    Opened ticket. 



  • 8.  RE: Application Works on Wired Network but not on Wireless Network

    Posted Sep 22, 2015 04:34 PM

    I've been working with TAC and have made some progress. But, the engineer had to get on another call. What we were able to see is the device we are trying to connect with on UDP 7700 is behind an IAP and for whatever reason, the device's Internet facing IP address has the logon role on the controller which is denying access. How could that be?



  • 9.  RE: Application Works on Wired Network but not on Wireless Network

    EMPLOYEE
    Posted Sep 22, 2015 04:36 PM
    That usually means AAA is enabled on that interface/VLAN and/or the interface/VLAN is untrusted. 


    Thanks, 
    Tim


  • 10.  RE: Application Works on Wired Network but not on Wireless Network

    Posted Sep 23, 2015 03:01 PM

    I worked with TAC a bit more today and have more info. I also found this page that explains the roles an IAP setup gets. http://community.arubanetworks.com/t5/Controller-less-WLANs/What-are-the-roles-that-IAP-gets-when-configured-as-IAP-VPN/ta-p/185738


    We are trying to access a service behind the outer IP used to connect an IAP. I think because the outer IP entry has the logon role on the controller, traffic is being denied. TAC is looking into this more.


    Does anyone have any suggestions based on this new info?

    Thanks,
    Robert




  • 11.  RE: Application Works on Wired Network but not on Wireless Network

    EMPLOYEE
    Posted Sep 23, 2015 11:52 PM

    rwilsonblue,


    There are so many ways to set it up, that I'm not sure anyone can guess what your situation is.  We didn't know you were doing IAP-VPN.  Please keep us up to date on how it is progressing with TAC.



  • 12.  RE: Application Works on Wired Network but not on Wireless Network

    Posted Sep 24, 2015 09:47 AM

    When I started this thread, I didn't think about this device being on the same network as an IAP. As we worked with TAC on it, they were able to see the IAP configuration is causing the issue. We have it working by allowing UDP 7700 on the logon role, at least from a Windows laptop. iOS devices are not able to connect and I'm starting to debug that now.



  • 13.  RE: Application Works on Wired Network but not on Wireless Network

    Posted Sep 24, 2015 10:29 AM

    Running show datapath session table <clientip> on the mobile device's IP shows flags FDYC, just like we were seeing before, except the protocol was 6 instead of 17. Adding TCP/7700 to the logon role got the mobile devices working.


    I'm going to consult with some folks to see if the way we are using the IAPs is the best scenario.

    Thanks,
    Robert


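The two posts that quote "show datapath session" output (post 3, with the UDP flow, and post 13, where the same FDYC flags show up with protocol 6 instead of 17) are the kind of thing that is easier to triage with a small script than by eye. The following is an added example, not code from the thread or from Aruba: it parses session lines in the column layout of the quoted line (source IP, destination IP, protocol number, source port, destination port, then other columns, with the flag string last) and summarises denied flows per protocol and destination port, which is the view that would have shown both UDP/7700 and TCP/7700 missing from the role. The column positions, the reading of "D" as deny, and the sample lines other than the one quoted in post 3 are assumptions and constructed data; check them against the legend your controller prints with the command.

```python
"""Triage helper for Aruba controller 'show datapath session' output.

Added example for this thread, not Aruba code. Column layout and the meaning
of the 'D' flag are assumptions taken from the one line quoted in the thread;
verify them against your controller's own flag legend.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
import re

# IANA protocol numbers seen in the thread: 17 = UDP, 6 = TCP.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# First five columns are fixed; the flag string is the last token and is all
# letters (e.g. "FDYC"). Any number of other columns may sit in between.
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>\d+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)"
    r"(?:\s+\S+)*\s+(?P<flags>[A-Za-z]+)\s*$"
)


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    flags: str

    @property
    def denied(self) -> bool:
        # The thread reads a 'D' in the flag string as "denied" (assumption).
        return "D" in self.flags

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, f"proto-{self.proto}")


def parse_session(line: str) -> Optional[Session]:
    """Return a Session for one datapath line, or None for headers/noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Session(
        src_ip=m["src"], dst_ip=m["dst"], proto=int(m["proto"]),
        src_port=int(m["sport"]), dst_port=int(m["dport"]), flags=m["flags"],
    )


def denied_sessions(lines: Iterable[str]) -> List[Session]:
    """All parseable sessions whose flag string marks them as denied."""
    return [s for s in (parse_session(l) for l in lines) if s and s.denied]


def denied_services(lines: Iterable[str]) -> Dict[Tuple[str, int], int]:
    """Count denied flows per (protocol name, destination port).

    This is the view that answers "which service is the role missing": in the
    thread it would list UDP/7700 (laptop) and TCP/7700 (mobile devices).
    """
    counts: Dict[Tuple[str, int], int] = {}
    for s in denied_sessions(lines):
        key = (s.proto_name, s.dst_port)
        counts[key] = counts.get(key, 0) + 1
    return counts


SAMPLE_LINES = [
    # Quoted in post 3 of the thread: UDP 51995 -> 7700, flags FDYC.
    "10.61.251.81 109.123.157.210 17 51995 7700 0/0 0 0 0 tunnel 1230 9 0 0 FDYC",
    # Constructed: the mobile-device case post 13 describes, protocol 6 (TCP).
    "10.61.251.95 109.123.157.210 6 49201 7700 0/0 0 0 0 tunnel 1230 9 0 0 FDYC",
    # Constructed: a permitted flow for contrast (no 'D' in the flag string).
    "10.61.251.81 10.61.1.10 17 53412 53 0/0 0 0 0 tunnel 1230 9 0 0 FC",
    # Constructed: a header-style line the parser must ignore.
    "Source IP  Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags",
]

if __name__ == "__main__":
    for (proto, port), n in sorted(denied_services(SAMPLE_LINES).items()):
        print(f"denied {n} flow(s) to {proto}/{port}")
```

Paste the real command output into SAMPLE_LINES (or read it from a file) and the summary tells you, per protocol and port, what the active role is dropping; that is the list to compare against "show rights" for the role the source IP actually landed in, which in this thread turned out to be the logon role on the IAP's outer IP rather than the EmployeeComputer role.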


  • 14.  RE: Application Works on Wired Network but not on Wireless Network

    Posted Sep 24, 2015 12:42 PM

    Adding a bit more info, another location has a RAP and it had the same issue.