Wireless Access


Not Receiving Clarity Data from Master Controller to Airwave - 8209/DenyNotSecure

  • 1.  Not Receiving Clarity Data from Master Controller to Airwave - 8209/DenyNotSecure

    Posted Aug 18, 2017 09:42 PM

    I am running Aruba OS 6.4.4.5 on the master controller w/ VRRP.

    CPSec is enabled on the controller. I am not able to receive Clarity Data into Airwave via Port 8209. Firewall policy allows port 8209. The controller firewall-cp internal shows a 'Deny' action on end port 8209. 

     

    CP firewall policies
    --------------------
    IP Version  Source IP  Source Mask  Protocol  Start Port  End Port  Action         hits      contract
    ----------  ---------  -----------  --------  ----------  --------  -------------  --------  ------------------
    ipv4        any                     6         1723        1723      Permit         0
    ipv4        any                     17        1701        1701      Permit         0
    ipv4        any                     6         23          23        Deny           0         cpbwc-ipv4-telnet
    ipv4        any                     6         8084        8084      Deny           0
    ipv4        any                     6         3306        3306      Deny           0
    ipv4        any                     17        8209        8209      DenyNotSecure  1914458
    ipv4        any                     6         8211        8211      DenyNotMaster  983734

     

    When I try to edit the Action for 8209 on the ACL Whitelist, the drop-down menu is disabled. Is there a way to enable/edit the Action? 

     

    Controller Model - 7210.

    AP Model - AP225

     



  • 2.  RE: Not Receiving Clarity Data from Master Controller to Airwave - 8209/DenyNotSecure

    EMPLOYEE
    Posted Aug 18, 2017 10:48 PM
    Did you configure the AMON feed?


  • 3.  RE: Not Receiving Clarity Data from Master Controller to Airwave - 8209/DenyNotSecure

    Posted Aug 18, 2017 11:12 PM

    I did configure the Management-Server Profile 'default-amp' with all the options enabled except AirGroup:

     

    Mgmt Config profile "default-amp" (Predefined (changed))
    --------------------------------------------------------
    Parameter           Value
    ---------           -----
    Stats               Enabled
    Tag                 Enabled
    Sessions            Enabled
    Monitored Info      Enabled
    Misc                Enabled
    Location            Enabled
    UCC Monitoring      Enabled
    AirGroup Info       Disabled
    Inline DHCP stats   Enabled
    Inline AP stats     Enabled
    Inline Auth stats   Enabled
    Inline DNS stats    Enabled

     

    On the local office firewall, I confirmed that the controller is sending packets to Airwave via port 8211. However, I am not seeing any traffic from the controller to Airwave via port 8209 on the local office firewall.



  • 4.  RE: Not Receiving Clarity Data from Master Controller to Airwave - 8209/DenyNotSecure

    EMPLOYEE
    Posted Aug 19, 2017 04:06 AM

    So, there is a firewall between the controller and Airwave?  The clarity data should be over UDP 8211 from the Controller to Airwave.



  • 5.  RE: Not Receiving Clarity Data from Master Controller to Airwave - 8209/DenyNotSecure

    Posted Aug 19, 2017 02:28 PM

    There are Firewalls between the Controller and Airwave. Both Firewalls are configured to allow the applications required for Airwave and Airwave Clarity Synthetic: UDP 8211, TCP 1723, TCP 60001, UDP 514, TCP 60000, HTTP, HTTPS, SNMP, UDP 8209, TCP 8209, TCP 22, TCP 5201 and UDP 5201. In addition, CPSec is enabled on the controller.

     

    To my understanding, when CPSec is enabled on the Controller, the Controller sends Airwave Clarity data over port 8209, not 8211. I did confirm that there is packet flow on all firewalls from the controllers to Airwave via 8211.



  • 6.  RE: Not Receiving Clarity Data from Master Controller to Airwave - 8209/DenyNotSecure

    EMPLOYEE
    Posted Aug 19, 2017 03:02 PM

    Did you see the article here?  http://community.arubanetworks.com/t5/Network-Management/How-To-Getting-Clarity-Live-up-and-running-in-5-minutes/td-p/263716

     

    Where are you getting all of those ports from?



  • 7.  RE: Not Receiving Clarity Data from Master Controller to Airwave - 8209/DenyNotSecure

    Posted Aug 19, 2017 10:25 PM

    Yes. I reviewed the following posting, along with additional postings on the community boards. In addition, I've exchanged several e-mails with multiple Aruba TAC Engineers and, based on their feedback/advice, I added the additional ports to the Firewall policy.

     

    I noticed that there are some inconsistencies with respect to the firewall port requirements for both Airwave Clarity and Clarity Synthetic.

    After reviewing multiple online posts and engaging Aruba TAC, I revised my firewall rules and added the additional ports.

     

    https://community.arubanetworks.com/t5/Monitoring-Management-Location/Clarity-Synthetic-Firewall-requirements/ta-p/292041

    I confirmed that Airwave receives data from the controller on port 8211, just not 8209. Unfortunately, the Clarity Dashboard remains unchanged.

     

    For testing, I applied an any/any policy on the Firewall. What is interesting with the show firewall-cp internal output is that it appears the controller's firewall, not the office firewall, is denying (initially) any packets from being sent out on port 8209, along with 8211.

     

    CP firewall policies
    --------------------
    IP Version  Source IP  Source Mask  Protocol  Start Port  End Port  Action         hits      contract
    ----------  ---------  -----------  --------  ----------  --------  -------------  --------  ------------------
    ipv4        any                     6         1723        1723      Permit         280
    ipv4        any                     17        1701        1701      Permit         121
    ipv4        any                     6         23          23        Deny           245       cpbwc-ipv4-telnet
    ipv4        any                     6         8084        8084      Deny           0
    ipv4        any                     6         3306        3306      Deny           44
    ipv4        any                     17        8209        8209      DenyNotSecure  10578867
    ipv4        any                     6         8211        8211      DenyNotMaster  802379

     

    Later in the show firewall-cp internal results, it appears both ports 8211 and 8209 are then permitted.

    ipv4        any                     17        161         161       Permit         256284188  cpbwc-ipv4-snmp
    ipv4        any                     17        5060        5060      Permit         61
    ipv4        any                     17        8209        8209      Permit         10578867

     

    If the local office firewall has an any/any policy, why am I not seeing any traffic (packet capture) flow from the controller to Airwave on port 8209?

    There is no problem receiving data from the Controller to Airwave on port 8211. I see plenty of traffic on port 8211, along with 514 (syslog).

    With CPSec enabled and an any/any policy on the firewall, there is still no packet flow on port 8209 from the controller to Airwave.

     

    You mentioned that Airwave receives Clarity Data on Port 8211. And I believe in an earlier posting, you mentioned that the controller 'pushes' the Clarity data to Airwave using AMON. With CPSec enabled, will the controller use port 8211 or 8209 to send Clarity data to Airwave?

     

    If the Office Firewall is set to any/any, why does the Controller Firewall show a 'DenyNotSecure' for ports 8209 and 8211 (show firewall-cp internal) and later a 'Permit' for the same ports?

    Is it possible to modify the Action on initial DenyNotSecure entries for Port 8209 and 8211 in Stateful Firewall ACL White List?
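
The post above pastes two fragments of `show firewall-cp internal` and asks why the same port appears with a DenyNotSecure entry in one place and a Permit entry in another. The script below is an added example (not part of the thread, and not Aruba's or AirWave's own tooling): it parses the pasted table format, groups every entry by protocol and port range, and lists the actions and hit counters side by side so that multiple entries for one port are visible at a glance. The sample output embedded in it is constructed from the rows posted in this thread; a real controller prints many more rows, and the column layout is assumed to match what the poster pasted.

```python
"""Group ArubaOS 'show firewall-cp internal' entries by protocol/port.

Added example for this thread, not Aruba code.  SAMPLE below is a
constructed excerpt made from the rows the original poster pasted.
"""
import re
from collections import defaultdict

# Constructed sample (rows from the thread; real output has more rows).
SAMPLE = """\
CP firewall policies
--------------------
IP Version  Source IP  Source Mask  Protocol  Start Port  End Port  Action         hits       contract
----------  ---------  -----------  --------  ----------  --------  -------------  ---------  -----------------
ipv4        any                     6         1723        1723      Permit         280
ipv4        any                     17        1701        1701      Permit         121
ipv4        any                     6         23          23        Deny           245        cpbwc-ipv4-telnet
ipv4        any                     6         8084        8084      Deny           0
ipv4        any                     6         3306        3306      Deny           44
ipv4        any                     17        8209        8209      DenyNotSecure  10578867
ipv4        any                     6         8211        8211      DenyNotMaster  802379
ipv4        any                     17        161         161       Permit         256284188  cpbwc-ipv4-snmp
ipv4        any                     17        5060        5060      Permit         61
ipv4        any                     17        8209        8209      Permit         10578867
"""

# IP protocol numbers as they appear in the Protocol column.
PROTO = {"6": "tcp", "17": "udp"}

# One table row.  The Source Mask column is blank when Source IP is "any",
# so the mask group is optional; the regex backtracks correctly because a
# protocol number can never be followed directly by an alphabetic Action.
ROW = re.compile(
    r"^(?P<ipver>ipv[46])\s+(?P<src>\S+)\s+(?:(?P<mask>\d[\d.]*)\s+)?"
    r"(?P<proto>\d+)\s+(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"(?P<action>[A-Za-z]+)\s+(?P<hits>\d+)(?:\s+(?P<contract>\S+))?\s*$"
)


def parse_cp_policies(text):
    """Return a list of dicts, one per CP firewall entry; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rules.append({
            "ipver": d["ipver"], "src": d["src"], "mask": d["mask"],
            "proto": PROTO.get(d["proto"], d["proto"]),
            "start": int(d["start"]), "end": int(d["end"]),
            "action": d["action"], "hits": int(d["hits"]),
            "contract": d["contract"],
        })
    return rules


def entries_for(rules, proto, port):
    """All entries whose port range covers `port` for the given protocol."""
    return [r for r in rules if r["proto"] == proto and r["start"] <= port <= r["end"]]


def summarize(rules):
    """Map (proto, start, end) -> [(action, hits), ...] in output order."""
    out = defaultdict(list)
    for r in rules:
        out[(r["proto"], r["start"], r["end"])].append((r["action"], r["hits"]))
    return dict(out)


def clarity_feed_status(rules):
    """For the ports discussed in the thread, say whether a Permit entry exists
    and which actions (Permit or otherwise) have non-zero hit counters.
    An empty entry list only means the port is absent from the parsed text."""
    report = {}
    for proto, port in (("udp", 8211), ("udp", 8209), ("tcp", 8211)):
        ents = entries_for(rules, proto, port)
        report[(proto, port)] = {
            "permit_entry": any(e["action"] == "Permit" for e in ents),
            "hit_actions": sorted({e["action"] for e in ents if e["hits"] > 0}),
        }
    return report


if __name__ == "__main__":
    parsed = parse_cp_policies(SAMPLE)
    for key, acts in sorted(summarize(parsed).items()):
        print(key, acts)
    for key, info in clarity_feed_status(parsed).items():
        print(key, info)
```

Feed it the full command output from the controller (for example, saved from a terminal session) in place of SAMPLE; the per-port grouping shows every entry that matches a port, so it is immediately clear when both a DenyNotSecure entry and a Permit entry exist for UDP 8209 and which of them are counting hits.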



  • 8.  RE: Not Receiving Clarity Data from Master Controller to Airwave - 8209/DenyNotSecure

    EMPLOYEE
    Posted Aug 20, 2017 12:09 AM

    Honestly,

     

    If you are in contact with a TAC engineer, please continue to work with them through a case.  You could have a special situation or a bug and I could be misleading you.



  • 9.  RE: Not Receiving Clarity Data from Master Controller to Airwave - 8209/DenyNotSecure

    EMPLOYEE
    Posted Aug 20, 2017 12:10 AM

    Also,

     

    Clarity and Clarity synthetic are two different products.  Clarity should only need UDP 8211 from the controller to Airwave to function.



  • 10.  RE: Not Receiving Clarity Data from Master Controller to Airwave - 8209/DenyNotSecure

    EMPLOYEE
    Posted Aug 20, 2017 12:14 AM

    Lastly, the CP firewall on the controller by default should have all the settings necessary for successful communications and should not be edited.  

     

    You can see what traffic is going from your controller and to your airwave server by using the command:

     

    show datapath session table <ip address of airwave server>

    You should also be able to see if clarity is generating any info by using the command:

    show mgmt-server message-counters process dhcp