Large number of errors on firewall's interface due to WiFi Clients Traffic

  • 1.  Large number of errors on firewall's interface due to WiFi Clients Traffic

    Posted Jun 05, 2015 11:53 AM

    Hi,
    I have configured two 7005 controllers in VRRP with 10 AP215.
    All works fine; clients pass the authentication (if the credentials are correct) and have access to WiFi.
    I have configured 2 SSID: Internal and Guest.

    The default gateway for clients isn't the controller but the internal Firewall, in this case a Palo Alto PA-500.

     

    The controller and the Palo Alto are linked to the switch through a trunk. This trunk contains the SSID's VLAN.

     

    I verified that the interface of the firewall receives a large number of errors, which continue to increase.

    With a packet capture and Wireshark I discovered that this traffic is produced by WiFi clients.
    In the capture I can see a very high number of retransmitted packets for WiFi client traffic.

    Do you have any idea about the cause of this issue?

     

    Initially I supposed that it could be the MTU, and I verified that it is the same on all the infrastructure, so I have excluded it as a possible root cause.

     

    Thanks in advance.

     



  • 2.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    EMPLOYEE
    Posted Jun 05, 2015 12:21 PM

    What kind of errors?

     



  • 3.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    Posted Jun 08, 2015 03:25 AM

    Hi,

    If you use the command "Show interface <interface name>" on the Palo Alto, you can see this output:

     

    Hardware interface counters read from CPU:

    --------------------------------------------------------------------------------
    bytes received 16124834033
    bytes transmitted 121738489678
    packets received 84736569
    packets transmitted 110269171
    receive errors 24481870
    packets dropped 0

    --------------------------------------------------------------------------------

     

    With Wireshark you can see that there is a very large number of retransmitted packets.

     

    Kind regards

    Andrea



  • 4.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    EMPLOYEE
    Posted Jun 08, 2015 07:41 AM

    Andrea,

     

    If the firewall does not tell us what kind of errors, we do not know why it is having a problem with transmitted packets/frames. We need to know that first.

     



  • 5.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    Posted Jun 09, 2015 04:16 AM

    Hi,

    With Wireshark I can see that there are duplicated packets, but unfortunately I cannot get confirmation that the issue is related to them.

    I think that the issue may be due to the STP or LLDP protocol; today I'll try to disable it and verify the situation.

    In the meantime, can you point me to some best practices to improve the quality of communication between the APs and the controller and avoid problems with traffic, for example a recommended MTU?

    Best regards
    Andrea



  • 6.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    EMPLOYEE
    Posted Jun 09, 2015 07:09 AM

    I would inspect the cabling between the controller and the infrastructure.



  • 7.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    Posted Jun 09, 2015 08:35 AM

    Hi,

    I have tried changing and verifying the cabling, and it is OK.

     

     



  • 8.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    EMPLOYEE
    Posted Jun 09, 2015 08:47 AM
    The firewall vendor needs to advise you about why there are errors on their product.


  • 9.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    Posted Jun 10, 2015 11:47 AM

    Hi,
    After some investigation I discovered what may be the cause of the issue.

    I see that the Palo Alto counters are incremented by this type of issue:

    - Packets dropped: 802.1q tag not configured

    On the firewall it seems to be correct, and on the controller also.

    Any idea?

     

    thanks 

    Andrea



  • 10.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    EMPLOYEE
    Posted Jun 10, 2015 11:50 AM
    Do you have the connection to the Palo Alto configured as a trunk?


  • 11.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    Posted Jun 10, 2015 11:53 AM

    Hi,

    Yes, it is configured as a trunk; in fact everything works.

    I see that there are errors also for these reasons:

    - Packets dropped: no route for IP multicast

    - TCP sessions closed via injecting RST

     



  • 12.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    EMPLOYEE
    Posted Jun 10, 2015 11:55 AM
    Do you have VLANs configured on the Aruba side that do not exist on the Palo Alto side?


  • 13.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    Posted Jun 11, 2015 04:23 AM

    Hi,

    I have checked and there are the same VLANs on the Aruba controller and the Palo Alto firewall.

    I have to verify on the switch.

     

    Thanks again

    Andrea



  • 14.  RE: Large number of errors on firewall's interface due to WiFi Clients Traffic

    EMPLOYEE
    Posted Jun 11, 2015 04:36 AM

    "- TCP sessions closed via injecting RST" - isn't this how the Palo Alto stops undesired traffic, by sending RST?