Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Client hitting ACL, but I have no idea what port.

  • 1.  Client hitting ACL, but I have no idea what port.

    Posted Feb 02, 2016 04:04 PM

    Hi, I'm having issues with one of my clients pulling up an academic database (Gale group). The problem only happens on one of my wireless networks. The other network is fine. The one having issues has ACLs applied to it.

    How can I see what ACL a test client may be smacking its head on, specifically what port is being blocked? It looks like it's getting grabbed up into a broad deny ACL, so there's not much to go on based on the show acl hits command.


    Help!



  • 2.  RE: Client hitting ACL, but I have no idea what port.

    Posted Feb 02, 2016 04:08 PM

    Have you tried running show datapath session table <user IP address>?

    You will be able to see what's getting denied when a "D" flag is presented next to it.



  • 3.  RE: Client hitting ACL, but I have no idea what port.

    Posted Feb 02, 2016 04:17 PM

    The only thing I see is some port 53 traffic, which is odd because I'm not blocking that:


    192.168.23.81   192.168.12.61   6    42218 53     0/0  0    0   0   tunnel 125  5    2          120        FDYC



  • 4.  RE: Client hitting ACL, but I have no idea what port.

    Posted Feb 02, 2016 04:35 PM

    Can you run a show rights <USER-ROLE>?



  • 5.  RE: Client hitting ACL, but I have no idea what port.

    Posted Feb 02, 2016 04:43 PM
    (Aruba-3600-Master) #show rights chromebook
    
    Derived Role = 'chromebook'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Web Content Classification: Enabled
     ACL Number = 62/0
     Max Sessions = 65535
    
     Check CP Profile for Accounting = TRUE
    
    Application Exception List
    --------------------------
    Name  Type
    ----  ----
    
    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------
    
    access-list List
    ----------------
    Position  Name                      Type     Location
    --------  ----                      ----     --------
    1         global-sacl               session
    2         apprf-chromebook-sacl     session
    3         cplogout                  session
    4         guest-logon-acl           session
    5         guest-allow-internal-acl  session
    6         guest-deny-internal-acl   session
    7         guest-authenticated-acl   session
    8         dhcp-acl                  session
    9         drop-and-log-acl          session
    
    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-chromebook-sacl
    ---------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    cplogout
    --------
    Priority  Source  Destination  Service    Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    controller   svc-https               dst-nat 8081                           Low                                                           4
    guest-logon-acl
    ---------------
    Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          svc-dhcp               permit                           Low                                                           4
    2         user    any          svc-dns                permit                           Low                                                           4
    3         any     any          svc-icmp               permit                           Low                                                           4
    guest-allow-internal-acl
    ------------------------
    Priority  Source  Destination    Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------    -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    Webmail        tcp 80                 permit                           Low                                                           4
    2         user    Webmail        tcp 443                permit                           Low                                                           4
    3         user    Library        tcp 80                 permit                           Low                                                           4
    4         user    Library        tcp 443                permit                           Low                                                           4
    5         user    PAN-FW         svc-http               permit                           Low                                                           4
    6         user    www2           svc-http               permit                           Low                                                           4
    7         any     tsm02          tcp 8443               permit                           Low                                                           4
    8         any     tsm04          tcp 8443               permit                           Low                                                           4
    9         any     192.168.12.61  svc-dns                permit                           Low                                                           4
    10        any     192.168.12.62  svc-dns                permit                           Low                                                           4
    guest-deny-internal-acl
    -----------------------
    Priority  Source  Destination       Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------       -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    Internal-Network  any                   deny                             Low                                                           4
    guest-authenticated-acl
    -----------------------
    Priority  Source  Destination  Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          svc-dhcp                permit                           Low                                                           4
    2         user    any          svc-dns                 permit                           Low                                                           4
    3         user    any          svc-http                permit                           Low                                                           4
    4         user    any          svc-https               permit                           Low                                                           4
    5         user    any          tcp 1935                permit                           Low                                                           4
    dhcp-acl
    --------
    Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          svc-dhcp               permit                           Low                                                           4
    drop-and-log-acl
    ----------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          any                   deny               Yes           Low                                                           4
    
    Expired Policies (due to time constraints) = 0

    Hopefully the formatting doesn't get butchered too badly. Thanks for the feedback.



  • 6.  RE: Client hitting ACL, but I have no idea what port.

    Posted Feb 02, 2016 05:01 PM
    In one of those ACL rules, are you allowing access to the resource that is getting denied?

    It looks like you are specifically allowing certain ports and destinations.

    Do you know the destination subnet and ports you want to allow?


  • 7.  RE: Client hitting ACL, but I have no idea what port.

    EMPLOYEE
    Posted Feb 02, 2016 05:02 PM

    You have a deny on 'guest-deny-internal-acl'; could that be it? I don't know what the alias 'Internal-Network' is, though. You would have to check the dst on your 'D' flag against 'Internal-Network'.


    guest-deny-internal-acl
    -----------------------
    Priority  Source  Destination       Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------       -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    Internal-Network  any                   deny                             Low                                                           4




  • 8.  RE: Client hitting ACL, but I have no idea what port.

    Posted Feb 05, 2016 10:44 AM

    I ended up opening a case since nothing was jumping out. It turned out that some of my devices were doing a mix of DNS (53) traffic over UDP and TCP. We were only allowing DNS over UDP. I have no idea why it's using different protocols, and the engineer wasn't sure either. We ended up allowing DNS over TCP and life was good. I didn't notice this issue with any other web browsing, but it could have been happening across the board. Strange. Thanks for the responses.
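The checks from replies 2 and 3 (look for the "D" flag in show datapath session table) and the resolution in reply 8 (svc-dns covered UDP/53 but not TCP/53) can be put together in a small script. This is an added example for the thread, not Aruba code and not the poster's: it parses session table rows in the ArubaOS column order (Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio, ToS, Age, Destination, TAge, Packets, Bytes, Flags), picks out the denied flows, and compares each denied protocol/port against a permit list built from the role's ACLs shown above. The first sample row is the one pasted in reply 3; the other rows and the table header are constructed, and the assumption that svc-dns means UDP/53 only follows what the case engineer found.

```python
"""Find denied flows in 'show datapath session table' output and explain them.

Added example for this thread (not Aruba's code). Assumptions: ArubaOS session
table column order as documented in the docstring of parse_session_row, the
'D' flag meaning "denied" (reply 2), and 'svc-dns' covering UDP/53 only
(what the poster's support case found in reply 8).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed: the permit rules of guest-allow-internal-acl and
# guest-authenticated-acl from 'show rights chromebook', reduced to
# (protocol, destination port). svc-dns is assumed to be UDP/53 only.
PERMITTED = {("udp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 8443), ("tcp", 1935)}

# Constructed sample table: first data row is the one from reply 3, the other
# two rows show a permitted UDP DNS lookup and a permitted HTTPS session.
SAMPLE_TABLE = """\
Datapath Session Table Entries
------------------------------
Source IP       Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- ---- ---- --- --- ----------- ---- ------- ----- -----
192.168.23.81   192.168.12.61   6    42218 53     0/0  0    0   0   tunnel 125  5    2          120        FDYC
192.168.23.81   192.168.12.61   17   50123 53     0/0  0    0   0   tunnel 125  5    2          140        FYC
192.168.23.81   203.0.113.10    6    50321 443    0/0  0    0   0   tunnel 125  9    40         12000      FYC
"""


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str

    @property
    def denied(self) -> bool:
        # Reply 2: a 'D' in the Flags column marks a session the ACL denied.
        return "D" in self.flags

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))


def parse_session_row(line: str) -> Session | None:
    """Parse one data row; return None for headers, separators and blanks.

    Columns: Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio, ToS,
    Age, Destination, TAge, Packets, Bytes, Flags. 'Destination' can contain
    a space (e.g. 'tunnel 125'), so the fixed fields are read from the start
    and Flags from the end instead of by position in the middle.
    """
    tokens = line.split()
    if len(tokens) < 14 or not re.match(r"^\d+\.\d+\.\d+\.\d+$", tokens[0]):
        return None
    try:
        return Session(src=tokens[0], dst=tokens[1], proto=int(tokens[2]),
                       sport=int(tokens[3]), dport=int(tokens[4]), flags=tokens[-1])
    except ValueError:
        return None


def denied_sessions(table: str) -> list[Session]:
    """All rows carrying the 'D' flag."""
    return [s for line in table.splitlines()
            if (s := parse_session_row(line)) is not None and s.denied]


def explain(session: Session) -> str:
    """Compare a denied flow with the permit list and say what is missing."""
    key = (session.proto_name, session.dport)
    where = f"{session.proto_name}/{session.dport} to {session.dst}"
    if key in PERMITTED:
        return f"{where}: denied despite a permit rule; check rule order and aliases"
    other = sorted(p for (p, port) in PERMITTED if port == session.dport and p != session.proto_name)
    if other:
        # The thread's case: UDP/53 is permitted, the TCP/53 fallback is not.
        return f"{where}: only {'/'.join(other)}/{session.dport} is permitted; add a rule for {session.proto_name}/{session.dport}"
    return f"{where}: no permit rule covers this port"


if __name__ == "__main__":
    for s in denied_sessions(SAMPLE_TABLE):
        print(explain(s))
```

Run it against a pasted table (or replace SAMPLE_TABLE with the real output) and each denied row is reported with the protocol and port that the role's permit rules do not cover, which is the information the original poster was missing; for the pasted row the answer is that TCP/53 has no rule even though UDP/53 does.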



  • 9.  RE: Client hitting ACL, but I have no idea what port.

    EMPLOYEE
    Posted Feb 05, 2016 10:57 AM

    DNS will move to TCP if the request is large, but usually you don't see that except when DNS servers are doing zone updates. It would be smart to find out which requests were made over TCP, what those devices are, and what the requests were for. I can think of a few scenarios where that shouldn't be seen over a wireless network.



  • 10.  RE: Client hitting ACL, but I have no idea what port.

    Posted Feb 05, 2016 11:14 AM

    That makes sense as to why it's shifting protocols. The only real pain point I noticed about this network was with Gale database pages, specifically certain elements of the actual page loading up in the browser. So, the borders might load up, but the actual content frame in the middle of the page would stall on the request. Our internal DNS just forwards any external requests out to Google's DNS servers, so I'm not sure zone updates would apply (I'm not a DNS expert by any stretch, so I could be wrong).