Wireless Access

Reply
Frequent Contributor II

Aruba VIA woes

I have a test Verizon Fios account that consistently gets me 25mbps up and down, however with VIA connected (no split tunnel) I am getting 2mbps and some occasional drops and reconnects. I also notice that even though I can get to ports 4500 and 500 Nmap,  I am still being put on ssl-fallback.  My MTU seems to be 1200 once connected, on a pcap I don't see a ton or resends.. if anything I see PUSH which seems to indicate that the application is just not ready to receive the packet.  Anyone have VIA up that has some ideas?   

Guru Elite

Re: Aruba VIA woes

Are you on the latest release? There were some issues with dropping in
performance in some early 2.x releases.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: Aruba VIA woes

6.4.3.1_49733 is the version for the Controller and 2.04.74088  for the client (osx)

Guru Elite

Re: Aruba VIA woes


mattjhughes wrote:

I have a test Verizon Fios account that consistently gets me 25mbps up and down, however with VIA connected (no split tunnel) I am getting 2mbps and some occasional drops and reconnects. I also notice that even though I can get to ports 4500 and 500 Nmap,  I am still being put on ssl-fallback.  My MTU seems to be 1200 once connected, on a pcap I don't see a ton or resends.. if anything I see PUSH which seems to indicate that the application is just not ready to receive the packet.  Anyone have VIA up that has some ideas?   


Matthughes,

 

If SSL failback is triggered, the client cannot get through on port UDP 4500 and that needs to be investigated.  SSL failback is not triggered by user authentication, but failure to reach the controller period on port UDP 4500.  NMAP is not a reliable method of understanding if traffic makes it through on port 4500; you need to do "show datapath session table <external ip address of VIA client>" when it is attempting to connect to see if  UDP 4500 is working.  SSL failback does not perform as well as ipsec.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II

Re: Aruba VIA woes

Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags           

--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- --------------- 

xxx.170.47.149  10.30.42.17     17   2331  4500   0/0     0    0   1   pc3         15   2          125        FC              

10.30.42.17     xxx.170.47.149  17   4500  2331   0/0     0    0   1   pc3         15   0          0          FY 

Guru Elite

Re: Aruba VIA woes

No bytes or packets going in one direction.  Check routing.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II

Re: Aruba VIA woes

I will look into that,  this would be a routing issue somewhere upstream from the controller?   Also how am I successfully getting traffic with it showing no packets being received?

 

Thanks for the help

Guru Elite

Re: Aruba VIA woes

Please try the ike tool jgoff recommended.

Your routing could be asymmetric, is my comment.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II

Re: Aruba VIA woes

I setup a profile and connected to VIA using the internal network to make sure there was no firewall in the way.  These are the results, we are using 4500 now, but it still appears traffic is only going one way? Or maybe I am reading the output wrong

 

 

 

 

 

Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.30.42.17     10.31.38.40     17   4500  56319  0/0     0    0   4   pc3         af   8          1268       F
10.31.38.40     10.30.42.17     17   56319 4500   0/0     0    0   0   pc3         af   16625      2635078    FC

 

 ike-scan --nat-t --dport=4500 --verbose hostname

DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us

Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

10.30.42.17    Main Mode Handshake returned HDR=(CKY-R=114c5f1e619f2049) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 1.061 seconds (0.94 hosts/sec).  1 returned handshake; 0 returned notify

 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: