Occasional Contributor II
Posts: 19
Registered: ‎09-19-2014

Master and Local controllers handle firewall traffic differently

We have a pair of 7210s running 6.3.1.10, set as master and local. We have user VLAN pools trunked to both controllers with no differences in switch port configuration. There are no firewall policies applied to the interfaces, and we make use of role-based firewall policies. The config is synced nicely between controllers.

 

However, a user associated with an AP on our local controller hits a phantom firewall deny rule that doesn't appear on the master controller, and doesn't show up in the config.  When we view the client status, the User Firewall State lists the denied access, but doesn't indicate what rule it's using.

 

So strange!

Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: Master and Local controllers handle firewall traffic differently


Check under monitoring/firewall hits to see if you can decipher what role and policy is denying the action.  

It may help if you explain what the user is trying to do when denied.

 

You can click the "refresh now" button when you see the deny to see what "deny" actions have new hits.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Master and Local controllers handle firewall traffic differently


Can you please do a forced configuration push?

 

From the master:

(config) #cfgm set sync-type complete
(config) #write mem

 Wait about a minute or so and then change the cfgm setting back:

(config) #cfgm set sync-type snapshot

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 19
Registered: ‎09-19-2014

Re: Master and Local controllers handle firewall traffic differently

The firewall hit does not appear in the Monitoring/firewall hits page.

 

The user is trying to access an internal web service.

Occasional Contributor II
Posts: 19
Registered: ‎09-19-2014

Re: Master and Local controllers handle firewall traffic differently

I changed the config push setting as you suggested, and it didn't change the behaviour.

Occasional Contributor II
Posts: 19
Registered: ‎09-19-2014

Re: Master and Local controllers handle firewall traffic differently

Here's what I see in the User Status:

 

Source IP   | Source Port | Destination IP | Destination Port | Protocol | Status
[client IP] | 45650       | [server IP]    | 80               | TCP      | deny
Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: Master and Local controllers handle firewall traffic differently

Can you please verify whether the destination server IP shows up in the user table on the controller?

 

show user

show user | include <ip-of-destination>

 

If it does, is it a wireless client?

If it does, what role is it in?

If it does, run:

 

show rights <name-of-role>

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 19
Registered: ‎09-19-2014

Re: Master and Local controllers handle firewall traffic differently

The destination server IP is not in the user table.  It's not a wireless client.

Occasional Contributor II
Posts: 19
Registered: ‎09-19-2014

Re: Master and Local controllers handle firewall traffic differently

OK, today, after no further interventions, the phenomenon has disappeared. Perhaps it just took a while for the config to sync? Thanks to those who offered suggestions!

Occasional Contributor II
Posts: 19
Registered: ‎09-19-2014

Re: Master and Local controllers handle firewall traffic differently

OK, for the benefit of anyone reading this, I have discovered that the problem was misidentified. The solution appeared to work after a delay, but it was just happenstance. The problem cropped up again yesterday, and we were able to figure it out with the help of Aruba support.

 

What really happened was a client joined our guest network with a static IP that was the same as the IP of our server.  There appears to be an implicit rule that denies traffic to an invalid wireless client IP.  The problem is, as long as the client exists in the controller, that IP is blocked.  If you kick the client off, the server is suddenly accessible again. 

 

Anyone else experience something like this?  Any thoughts about how to fix this other than kicking that client off (or blacklisting it)? 
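The check that resolved this thread (does the "server" IP show up as a wireless client in the controller's user table, and in which role?) is easy to automate from the output of `show user`. The script below is an added example, not code from the original posts or from Aruba; the `show user` sample is constructed for illustration and its column layout is an approximation of the real table, so the regex would need adjusting against a real controller's output. The protected host addresses and role names are also made up.

```python
import re

# Constructed sample of "show user" output. The column layout is an approximation
# used for this example, not a verbatim controller transcript.
SAMPLE_SHOW_USER = """\
    IP           MAC                Name    Role     Age(d:h:m)  Auth    AP name
----------   -----------------  ------  -------  ----------  ------  -------
10.20.30.5   aa:bb:cc:00:00:01  jdoe    staff    00:01:12    802.1x  ap-201
10.20.30.77  aa:bb:cc:00:00:02          guest    00:00:03            ap-305
10.20.30.78  aa:bb:cc:00:00:03  mroe    staff    00:02:45    802.1x  ap-201
"""

# Addresses that must never appear as a wireless client, e.g. the internal web
# server from the thread. Values are constructed for this example.
PROTECTED_HOSTS = {"10.20.30.77": "intranet-web"}

# One user-table row: IP, MAC, optional Name, Role, then the Age column.
# The Age pattern (hh:mm:ss) anchors the parse so a blank Name column does not
# shift the Role into the wrong field.
ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"        # IP
    r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+"      # MAC
    r"(?:(\S+)\s+)?"                            # Name (may be blank)
    r"(\S+)\s+"                                 # Role
    r"(\d{2}:\d{2}:\d{2})\b"                    # Age(d:h:m)
)


def parse_user_table(text):
    """Return a list of dicts (ip, mac, name, role) for each user-table row."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator, or unparseable line
        ip, mac, name, role, _age = m.groups()
        entries.append({"ip": ip, "mac": mac, "name": name or "", "role": role})
    return entries


def find_ip_collisions(entries, protected):
    """Return user-table entries whose IP collides with a protected host.

    A match means some (wireless) client has taken a server's address, which is
    the situation the thread ended up diagnosing.
    """
    return [e for e in entries if e["ip"] in protected]


def build_followup_commands(collisions):
    """Commands a practitioner would run next: inspect the colliding client's role."""
    cmds = [f"show user | include {c['ip']}" for c in collisions]
    cmds += sorted({f"show rights {c['role']}" for c in collisions})
    return cmds


if __name__ == "__main__":
    table = parse_user_table(SAMPLE_SHOW_USER)
    hits = find_ip_collisions(table, PROTECTED_HOSTS)
    if not hits:
        print("no protected host address is present in the user table")
    for h in hits:
        print(f"COLLISION: {h['ip']} ({PROTECTED_HOSTS[h['ip']]}) is held by "
              f"client {h['mac']} in role '{h['role']}'")
    for cmd in build_followup_commands(hits):
        print("next:", cmd)
```

Run against a saved copy of `show user` (or adapt it to call the CLI), it reports any client that has claimed one of the listed server addresses along with its MAC and role, which is exactly the information needed before deciding whether to kick or blacklist the client.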
