RAP155 AP 225 pass traffic differently

  • 1.  RAP155 AP 225 pass traffic differently

    Posted Dec 08, 2015 06:36 PM

    Hello All -

     

    I've been trying to debug an issue we have at one of our offices.  Here are the details:

     

    1. this is a remote office, connected to the main office (and the aruba 3400 controller) via a VPN tunnel with no rules on it (full access allowed both directions)

     

    2. At the remote office we have AP225s and RAP155s

     

    3. All APs are in the same AP group

     

    4. Controller is running version 6.3.1.19

     

    5. When connected to the AP, I have trouble connecting to an internal website - it usually never connects or if it does, it's really slow.

     

    6. When connecting to the RAP I can get to the same internal website within seconds

     

    7. User is fully authenticated using a certificate and username/password to the system via Clearpass - both APs use the same settings for this

     

    Everything should be the same - the only difference I can see on the 2 is that the AP's use the internal IP of the controller, and the RAP uses the external. I'm at a loss here as to what could be causing this issue. All of these APs are on the whitelist, we do have firewall policies on the user roles - but both APs are using the same rules.

     

    Please let me know if you need more information.

     

    Thank you

     

    Gerri


    #RAP155
    #AP225


  • 2.  RE: RAP155 AP 225 pass traffic differently

    EMPLOYEE
    Posted Dec 08, 2015 08:06 PM

    Hi,


    If I have understood correctly, your remote office and main office are connected by a VPN tunnel. The AP 225 communicates with the controller using its internal IP through the VPN tunnel. And RAP 155 reaches the controller using its external (public) IP and the traffic goes outside the VPN tunnel. Correct me if I'm wrong.


    1. Do you see the slowness only for the internal website or for any website?
    2. Try reducing the sap mtu on the AP system profile to 1200. 

     

    (Controller) (config) #ap system-profile Test123
    (Controller) (AP system profile "Test123") #mtu ?
    <mtu> MTU on the wired link for the AP (1024-1578 bytes)  

     

    Thanks,
    Rajaguru Vincent



  • 3.  RE: RAP155 AP 225 pass traffic differently

    Posted Dec 08, 2015 10:58 PM

    Thank you for the response - for the slowness - only seems to be from internal sites - but I've been focused on them, I'll try the change and see what happens - I'll let you know shortly.

     

    Thanks!



  • 4.  RE: RAP155 AP 225 pass traffic differently

    Posted Dec 08, 2015 11:10 PM

    Ok - I've made the change - sadly I messed up my remote system so I can't test - I've got somebody planning on testing first thing in the am - I'll let you know.

     

    Thanks!

     

    Gerri



  • 5.  RE: RAP155 AP 225 pass traffic differently

    Posted Dec 09, 2015 09:55 AM

    Had somebody test at the site 2 internal websites are still not loading at all off the AP - they work off the RAP

     

    any other thoughts?

     

    Gerri



  • 6.  RE: RAP155 AP 225 pass traffic differently

    Posted Dec 20, 2015 10:36 AM

    No direct solution, but I would start traffic captures, seeing how the traffic is reaching (or not) the internal network via the AP, and go from there. I suspect some NATing or routing issue, but it is difficult to know for sure without data.



  • 7.  RE: RAP155 AP 225 pass traffic differently

    EMPLOYEE
    Posted Dec 20, 2015 11:09 AM
    What is the forwarding mode of the ssid ? Is it tunnelled or split-tunnelled?

    Have you tried to provision the 225 as a RAP?

    What is the role that the users are in and the access list? Post the output of 'show rights <role-name>'


  • 8.  RE: RAP155 AP 225 pass traffic differently

    Posted Dec 21, 2015 10:31 AM

    Split tunneled - 

     

    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any svc-dhcp permit Low Yes 4
    2 any any svc-dns permit Low 4
    3 any external.ip.address any permit Low 4
    4 any external.ip.address any permit Low 4
    5 any external.ip.address any permit Low 4
    6 any external.ip.address svc-https permit Low 4
    7 any external.ip.address svc-http permit Low 4
    8 any external.ip.address svc-https permit Low 4
    9 any external.ip.address svc-http permit Low 4
    10 any external.ip.address any permit Low 4
    11 any external.ip.address any permit Low 4
    12 any external.ip.address svc-https permit Low 4
    13 any external.ip.address svc-https permit Low 4
    14 any external.ip.address svc-http permit Low 4
    15 any wiki.internal.ip.address svc-http permit Low 4
    16 any wiki.internal.ip.address svc-https permit Low 4
    17 any Internal-Networks any permit Low 4
    18 any Apple TVs tcp 7000 permit Low 4
    19 any Apple TVs tcp 47000 permit Low 4
    20 any Apple TVs tcp 7100 permit Low 4
    21 any Apple TVs tcp 49228 permit Low 4
    22 any Apple TVs tcp 50259 permit Low 4
    23 any Apple TVs udp 62572 permit Low 4
    24 any Apple TVs udp 54780 permit Low 4
    25 any any any route src-nat Low Yes 4

     

    All of the external IP addresses are specific for some of our tools etc to allow them full access as if they are in the main office. I added the wiki ip internal address to try to address the issue with the access from the remote office.

     

    Not sure what you mean by adding the aps as a rap - the aps are currently in the white list and set up just like the rap (same provisioning).

     

    thanks!



  • 9.  RE: RAP155 AP 225 pass traffic differently

    Posted Dec 21, 2015 10:36 AM

    Difficult to get the traffic captures - I have one test system there and it always is connected to the RAP155 - not helpful - it's a busy office so rebooting that device can be disruptive to get the system to switch (I have nobody in the office that can help - I am far away so it's all remote)

     

    Since they have the issue and have to actually work - they plug into the network and it works fine - just not over wireless - we have been working on the VPN tunnel (the first one we have set up) thinking that it may be rules on the tunnel that are causing the issue too - we have removed all rules, set access on both ends and are still having issues. 

     

    I'll set up some logging on specific systems and see if I can capture anything

     

    thanks!



  • 10.  RE: RAP155 AP 225 pass traffic differently

    EMPLOYEE
    Posted Dec 21, 2015 12:04 PM

    When you do a 'show ap database', is there an R flag for the AP225s ?



  • 11.  RE: RAP155 AP 225 pass traffic differently

    Posted Dec 21, 2015 12:16 PM

    Yes - they are all flagged as Remote APs



  • 12.  RE: RAP155 AP 225 pass traffic differently

    Posted Dec 21, 2015 03:04 PM

    Hi Gerri,

     

    1. Are both 225 & 155 provisioned on the same AP-group?

    The following command will help in finding the same:

     

    show ap database | include <name of AP>

     

    2. Please share the ap system profile output for the AP-group they are on.

     

    show ap system-profile <name of profile>

     

    AP Bss-Table:

     

    show ap bss-table ap-name <name of working AP>

    show ap bss-table ap-name <name of non-working AP>

     

    3. Are the clients assigned the same role when connected to 225's & 155's?

     

    4. As per your previous comments, the network is configured in split-tunnel mode.

    As per the ACLs, the traffic for this intranet site should be locally bridged (go via AP's datapath)

     

    So, we need to check if the traffic for intranet site is going via controller's datapath or AP's datapath

     

    Kindly share the following output from the working/non-working AP when you are trying to access

    the intranet site.

     

    Controller's Datapath:

     

    show datapath session table <ip-address of client>  | include <ip-address of intranet site>

     

    AP's Datapath:

     

    show datapath session ap-name <name of AP> | include <ip-address of intranet site>

     

    show datapath user ap-name <name of AP>

     

    Please mention the mac-address of the client as well.

     

     

    Thanks,

    Nitesh



  • 13.  RE: RAP155 AP 225 pass traffic differently

    Posted Dec 21, 2015 03:53 PM

    (Aruba3400) #show ap database | include Indy
    IndyAP1 RAP 225 x.x.4.114 Up 8d:5h:44m:34s Rc2 x.x.150.10 0.0.0.0
    IndyAP2 RAP 225 x.x.4.116 Up 8d:5h:44m:33s Rc2 x.x.150.10 0.0.0.0
    IndyAP3 RAP 225 x.x.4.115 Up 8d:5h:44m:34s Rc2 x.x.150.10 0.0.0.0
    IndyOffice1 RAP RAP-155 x.x.4.117 Up 8d:5h:44m:38s Rc2 x.x.150.10 0.0.0.0

    (Aruba3400) #show ap system-profile RAP

    AP system profile "RAP"
    -----------------------
    Parameter Value
    --------- -----
    RF Band g
    RF Band for AM mode scanning all
    Native VLAN ID 1
    Tunnel Heartbeat Interval 1
    Session ACL RAP-Split-Tunneling
    Corporate DNS Domain N/A
    SNMP sysContact N/A
    LED operating mode (11n/11ac APs only) normal
    SAP MTU 1200 bytes
    RAP MTU 1200 bytes
    LMS IP N/A
    Backup LMS IP N/A
    LMS IPv6 N/A
    Backup LMS IPv6 N/A
    LMS Preemption Disabled
    LMS Hold-down Period 600 sec
    LMS ping interval 20
    GRE Striping IP N/A
    Remote-AP DHCP Server VLAN N/A
    Remote-AP DHCP Server Id 192.168.11.1
    Remote-AP DHCP Default Router 192.168.11.1
    Remote-AP DHCP DNS Server x.x.1.125
    Remote-AP DHCP DNS Server x.x.1.121
    Remote-AP DHCP Pool Start 192.168.11.2
    Remote-AP DHCP Pool End 192.168.11.254
    Remote-AP DHCP Pool Netmask 255.255.255.0
    Remote-AP DHCP Lease Time 0 days
    Remote-AP uplink total bandwidth 0 kbps
    Remote-AP bw reservation 1 N/A
    Remote-AP bw reservation 2 N/A
    Remote-AP bw reservation 3 N/A
    Remote-AP Local Network Access Disabled
    Bootstrap threshold 25
    Double Encrypt Disabled
    Dump Server N/A
    Heartbeat DSCP 0
    Maintenance Mode Disabled
    Maximum Request Retries 10
    Request Retry Interval 10 sec
    Number of IPSEC retries 85
    AeroScout RTLS Server N/A
    RTLS Server configuration N/A
    RTLS Server Compatibility Mode Enabled
    Telnet Disabled
    Spanning Tree Disabled

    (Aruba3400) #show ap bss-table ap-name IndyOffice1

    fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always)

    Aruba AP BSS Table
    ------------------
    bss ess port ip phy type ch/EIRP/max-EIRP cur-cl ap name in-t(s) tot-t mtu acl-state acl fm
    --- --- ---- -- --- ---- ---------------- ------ ------- ------- ----- --- --------- --- --
    24:de:c6:6f:5a:c0 XXCorp N/A x.x.4.117 g-HT ap 1/23.5/23.5 1 IndyOffice1 0 8d:5h:44m:21s 1200 - 1 S
    24:de:c6:6f:5a:c2 XXTV N/A x.x.4.117 g-HT ap 1/23.5/23.5 0 IndyOffice1 0 8d:5h:44m:21s 1200 - 75 T
    24:de:c6:6f:5a:c3 XXGuest N/A x.x.4.117 g-HT ap 1/23.5/23.5 0 IndyOffice1 0 8d:5h:44m:21s 1200 - 78 T
    24:de:c6:6f:5a:c4 XXINC N/A x.x.4.117 g-HT ap 1/23.5/23.5 5 IndyOffice1 0 8d:5h:44m:21s 1200 - 69 S
    24:de:c6:6f:5a:c5 XXDisplays N/A x.x.4.117 g-HT ap 1/23.5/23.5 0 IndyOffice1 0 8d:5h:44m:21s 1200 - 81 T
    24:de:c6:6f:5a:d0 XXCorp N/A x.x.4.117 a ap 157/23/23 1 IndyOffice1 0 8d:5h:44m:21s 1200 - 1 S
    24:de:c6:6f:5a:d2 XXTV N/A x.x.4.117 a ap 157/23/23 0 IndyOffice1 0 8d:5h:44m:21s 1200 - 75 T
    24:de:c6:6f:5a:d3 XXGuest N/A x.x.4.117 a ap 157/23/23 0 IndyOffice1 0 8d:5h:44m:21s 1200 - 78 T
    24:de:c6:6f:5a:d4 XXINC N/A x.x.4.117 a ap 157/23/23 1 IndyOffice1 0 8d:5h:44m:21s 1200 - 69 S
    24:de:c6:6f:5a:d5 XXDisplays N/A x.x.4.117 a ap 157/23/23 0 IndyOffice1 0 8d:5h:44m:21s 1200 - 81 T

    Port information is available only on 6xx controller.
    Channel followed by "*" indicates channel selected due to unsupported configured channel.
    "Spectrum" followed by "^" indicates Local Spectrum Override in effect.

    Num APs:10
    Num Associations:8

    (Aruba3400) #show ap bss-table ap-name IndyAP1

    fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always)

    Aruba AP BSS Table
    ------------------
    bss ess port ip phy type ch/EIRP/max-EIRP cur-cl ap name in-t(s) tot-t mtu acl-state acl fm
    --- --- ---- -- --- ---- ---------------- ------ ------- ------- ----- --- --------- --- --
    04:bd:88:36:d4:e0 XXDisplays N/A x.x.4.114 g-HT ap 6/21/21 0 IndyAP1 0 8d:5h:44m:29s 1200 - 81 T
    04:bd:88:36:d4:e1 XXGuest N/A x.x.4.114 g-HT ap 6/21/21 0 IndyAP1 0 8d:5h:44m:29s 1200 - 78 T
    04:bd:88:36:d4:e2 XXCorp N/A x.x.4.114 g-HT ap 6/21/21 0 IndyAP1 0 8d:5h:44m:29s 1200 - 1 S
    04:bd:88:36:d4:e3 XXTV N/A x.x.4.114 g-HT ap 6/21/21 0 IndyAP1 0 8d:5h:44m:29s 1200 - 75 T
    04:bd:88:36:d4:e5 XXINC N/A x.x.4.114 g-HT ap 6/21/21 4 IndyAP1 0 8d:5h:44m:29s 1200 - 69 S
    04:bd:88:36:d4:f0 XXDisplays N/A x.x.4.114 a ap 165/22/22 0 IndyAP1 0 8d:5h:44m:29s 1200 - 81 T
    04:bd:88:36:d4:f1 XXGuest N/A x.x.4.114 a ap 165/22/22 0 IndyAP1 0 8d:5h:44m:29s 1200 - 78 T
    04:bd:88:36:d4:f2 XXCorp N/A x.x.4.114 a ap 165/22/22 5 IndyAP1 0 8d:5h:44m:29s 1200 - 1 S
    04:bd:88:36:d4:f3 XXTV N/A x.x.4.114 a ap 165/22/22 3 IndyAP1 0 8d:5h:44m:29s 1200 - 75 T
    04:bd:88:36:d4:f5 XXINC N/A x.x.4.114 a ap 165/22/22 4 IndyAP1 0 8d:5h:44m:29s 1200 - 69 S

    Port information is available only on 6xx controller.
    Channel followed by "*" indicates channel selected due to unsupported configured channel.
    "Spectrum" followed by "^" indicates Local Spectrum Override in effect.

    Num APs:10
    Num Associations:16

     

     

    (Aruba3400) #show datapath session table 10.113.0.49 | include 10.0.1.41
    10.113.0.49 10.0.1.41 6 59999 443 0/0 0 0 0 tunnel 470 17 1 40 C
    10.113.0.49 10.0.1.41 6 59998 443 0/0 0 0 1 tunnel 470 17 0 0 C
    10.113.0.49 10.0.1.41 6 59997 443 0/0 0 0 1 tunnel 470 17 0 0 C
    10.113.0.49 10.0.1.41 6 59996 443 0/0 0 0 0 tunnel 470 17 1 40 C
    10.113.0.49 10.0.1.41 6 59995 443 0/0 0 0 1 tunnel 470 17 0 0 FC
    10.113.0.49 10.0.1.41 6 60004 443 0/0 0 0 1 tunnel 470 16 3 144 C
    10.113.0.49 10.0.1.41 6 60000 443 0/0 0 0 0 tunnel 470 17 14 704 C
    10.113.0.49 10.0.1.41 6 60015 443 0/0 0 0 0 tunnel 470 2 9 2723 C
    10.113.0.49 10.0.1.41 6 60016 443 0/0 0 0 0 tunnel 470 2 11 2851 C
    10.0.1.41 10.113.0.49 6 443 60016 0/0 0 0 0 tunnel 470 2 10 7340
    10.0.1.41 10.113.0.49 6 443 60004 0/0 0 0 1 tunnel 470 16 6 7956
    10.0.1.41 10.113.0.49 6 443 60000 0/0 0 0 0 tunnel 470 17 26 34133
    10.0.1.41 10.113.0.49 6 443 60015 0/0 0 0 0 tunnel 470 2 14 13095
    10.0.1.41 10.113.0.49 6 443 59999 0/0 0 0 0 tunnel 470 17 3 1406 F
    10.0.1.41 10.113.0.49 6 443 59998 0/0 0 0 0 tunnel 470 17 1 1326
    10.0.1.41 10.113.0.49 6 443 59997 0/0 0 0 0 tunnel 470 17 1 1326
    10.0.1.41 10.113.0.49 6 443 59996 0/0 0 0 0 tunnel 470 17 3 1406 F
    10.0.1.41 10.113.0.49 6 443 59995 0/0 0 0 1 tunnel 470 17 0 0

    (Aruba3400) #
    (Aruba3400) #show datapath session table 10.113.0.49 | include 10.0.1.41
    10.113.0.49 10.0.1.41 6 60087 443 0/0 0 0 0 tunnel 470 1 7 702 C
    10.113.0.49 10.0.1.41 6 60090 443 0/0 0 0 0 tunnel 470 1 12 4748 C
    10.113.0.49 10.0.1.41 6 60088 443 0/0 0 0 0 tunnel 470 1 14 4848 FC
    10.113.0.49 10.0.1.41 6 60000 443 0/0 0 0 2 tunnel 470 41 0 0 FC
    10.113.0.49 10.0.1.41 6 60023 443 0/0 0 0 1 tunnel 470 1f 0 0 FC
    10.113.0.49 10.0.1.41 6 60022 443 0/0 0 0 1 tunnel 470 1f 0 0 FC
    10.113.0.49 10.0.1.41 6 60021 443 0/0 0 0 2 tunnel 470 1f 0 0 C
    10.113.0.49 10.0.1.41 6 60020 443 0/0 0 0 0 tunnel 470 1f 18 956 C
    10.113.0.49 10.0.1.41 6 60019 443 0/0 0 0 1 tunnel 470 1f 0 0 C
    10.0.1.41 10.113.0.49 6 443 60023 0/0 0 0 0 tunnel 470 1f 0 0 F
    10.0.1.41 10.113.0.49 6 443 60022 0/0 0 0 0 tunnel 470 1f 0 0 F
    10.0.1.41 10.113.0.49 6 443 60021 0/0 0 0 0 tunnel 470 1f 0 0
    10.0.1.41 10.113.0.49 6 443 60020 0/0 0 0 0 tunnel 470 1f 36 47736
    10.0.1.41 10.113.0.49 6 443 60019 0/0 0 0 0 tunnel 470 1f 0 0 F
    10.0.1.41 10.113.0.49 6 443 60000 0/0 0 0 0 tunnel 470 41 0 0
    10.0.1.41 10.113.0.49 6 443 60087 0/0 0 0 0 tunnel 470 1 6 2487
    10.0.1.41 10.113.0.49 6 443 60090 0/0 0 0 0 tunnel 470 1 17 13684
    10.0.1.41 10.113.0.49 6 443 60089 0/0 0 0 0 tunnel 470 1 6 2487
    10.0.1.41 10.113.0.49 6 443 60088 0/0 0 0 0 tunnel 470 1 21 18988

    (Aruba3400) #show datapath session table 10.113.0.49 | include 10.0.1.41
    10.113.0.49 10.0.1.41 6 60103 443 0/0 0 0 0 tunnel 470 2 34 3984 C
    10.113.0.49 10.0.1.41 6 60108 443 0/0 0 0 0 tunnel 470 1 7 2556 C
    10.113.0.49 10.0.1.41 6 60107 443 0/0 0 0 0 tunnel 470 1 7 2588 C
    10.113.0.49 10.0.1.41 6 60106 443 0/0 0 0 0 tunnel 470 1 11 2892 C
    10.113.0.49 10.0.1.41 6 60105 443 0/0 0 0 0 tunnel 470 1 15 3120 C
    10.113.0.49 10.0.1.41 6 60104 443 0/0 0 0 0 tunnel 470 1 10 2808 C
    10.113.0.49 10.0.1.41 6 60087 443 0/0 0 0 0 tunnel 470 16 2 80 FC
    10.113.0.49 10.0.1.41 6 60090 443 0/0 0 0 0 tunnel 470 16 1 52 C
    10.113.0.49 10.0.1.41 6 60088 443 0/0 0 0 0 tunnel 470 16 1 60 FC
    10.113.0.49 10.0.1.41 6 60000 443 0/0 0 0 1 tunnel 470 56 1 41 FC
    10.113.0.49 10.0.1.41 6 60021 443 0/0 0 0 0 tunnel 470 34 2 81 FC
    10.113.0.49 10.0.1.41 6 60020 443 0/0 0 0 0 tunnel 470 34 2 100 FC
    10.0.1.41 10.113.0.49 6 443 60021 0/0 0 0 0 tunnel 470 34 4 2744
    10.0.1.41 10.113.0.49 6 443 60020 0/0 0 0 0 tunnel 470 34 7 7996
    10.0.1.41 10.113.0.49 6 443 60000 0/0 0 0 1 tunnel 470 56 2 1378
    10.0.1.41 10.113.0.49 6 443 60103 0/0 0 0 0 tunnel 470 2 48 56105
    10.0.1.41 10.113.0.49 6 443 60108 0/0 0 0 0 tunnel 470 1 10 7003
    10.0.1.41 10.113.0.49 6 443 60107 0/0 0 0 0 tunnel 470 1 11 7043
    10.0.1.41 10.113.0.49 6 443 60106 0/0 0 0 0 tunnel 470 1 15 13633
    10.0.1.41 10.113.0.49 6 443 60105 0/0 0 0 0 tunnel 470 1 24 25567
    10.0.1.41 10.113.0.49 6 443 60104 0/0 0 0 0 tunnel 470 1 15 13633
    10.0.1.41 10.113.0.49 6 443 60087 0/0 0 0 1 tunnel 470 16 3 173 F
    10.0.1.41 10.113.0.49 6 443 60090 0/0 0 0 0 tunnel 470 16 3 1406 F
    10.0.1.41 10.113.0.49 6 443 60089 0/0 0 0 1 tunnel 470 16 3 173 F
    10.0.1.41 10.113.0.49 6 443 60088 0/0 0 0 0 tunnel 470 16 2 80 F

    (Aruba3400) #
    (Aruba3400) #show datapath user ap-name IndyAP1


    Datapath User Table Entries
    ---------------------------

    Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN(Visitor),
    N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable,
    S - Src NAT with VLAN IP, E - L2 Enforced, F - IPIP Force Delete, O - VOIP user, I - Interim stats,
    C - Inactive, D - Suppress Idle TMO, m - IP mobile user anchor
    FM(Forward Mode): S - Split, B - Bridge, N - N/A

    IP MAC ACLs Contract Location Age Sessions Flags Vlan FM IdleTMO
    --------------- ----------------- ------- --------- -------- --- --------- ----- ---- -- -------
    10.0.2.40 38:71:DE:8B:5A:A8 80/0 0/0 0 17 1/65535 2 S 600
    10.0.2.44 F0:24:75:62:1D:CE 80/0 0/0 0 2 1/65535 2 S 600
    10.0.2.208 44:00:10:1D:16:F6 80/0 0/0 0 1 0/65535 2 S 600
    10.0.2.248 F0:DB:E2:F2:1E:B3 80/0 0/0 0 0 0/65535 2 S 600
    10.0.2.252 E0:B5:2D:E0:31:D8 80/0 0/0 0 0 3/65535 2 S 600
    0.0.0.0 6C:40:08:91:C9:B2 84/0 0/0 0 0 0/65535 P 13 S 600
    0.0.0.0 60:57:18:41:21:34 84/0 0/0 0 0 0/65535 P 13 S 600
    0.0.0.0 F8:16:54:50:B5:B3 84/0 0/0 0 0 0/65535 P 13 S 600
    0.0.0.0 60:57:18:98:02:B5 84/0 0/0 0 0 0/65535 P 13 S 600
    10.113.0.64 3C:15:C2:E1:F4:22 84/0 0/0 0 0 3/65535 13 S 600
    10.113.0.68 60:57:18:41:21:34 84/0 0/0 0 8 0/65535 13 S 600
    10.113.0.49 F8:16:54:50:B5:B3 84/0 0/0 0 0 48/65535 13 S 600
    10.113.0.48 6C:40:08:B9:82:BE 84/0 0/0 0 0 1/65535 13 S 600
    10.113.0.53 6C:40:08:B7:66:84 84/0 0/0 0 0 1/65535 13 S 600
    10.113.0.52 6C:40:08:91:C9:B2 84/0 0/0 0 0 22/65535 13 S 600


    10.113.0.55 48:51:B7:18:A6:5A 84/0 0/0 0 7 0/65535 13 S 600
    10.113.0.54 6C:40:08:8F:D7:60 84/0 0/0 0 5 0/65535 13 S 600
    10.113.0.56 60:57:18:5E:7B:0D 84/0 0/0 0 0 1/65535 13 S 600
    10.113.0.60 6C:40:08:8F:D7:56 84/0 0/0 0 0 30/65535 13 S 600
    10.113.0.63 60:57:18:5E:7B:9E 84/0 0/0 0 0 0/65535 13 S 600
    10.113.0.62 48:51:B7:22:50:2E 84/0 0/0 0 0 38/65535 13 S 600
    10.113.0.47 60:57:18:98:02:B5 84/0 0/0 0 1 1/65535 13 S 600
    10.113.0.46 60:57:18:5C:BE:AD 84/0 0/0 0 5 0/65535 13 S 600
    10.113.0.158 A4:5E:60:DD:A6:1B 84/0 0/0 0 0 71/65535 13 S 600
    192.168.11.1 04:BD:88:CB:6D:4E 2700/0 0/0 0 22264 0/65535 P 4095 N 300
    0.0.0.0 60:57:18:5E:7B:9E 84/0 0/0 0 0 0/65535 P 13 S 600
    10.0.150.10 00:0B:86:6D:8D:E0 2703/0 0/0 0 26 0/65535 P 0 N 300
    0.0.0.0 38:71:DE:8B:5A:A8 80/0 0/0 0 0 0/65535 P 2 S 600
    0.0.0.0 E0:B5:2D:E0:31:D8 80/0 0/0 0 0 0/65535 P 2 S 600
    10.9.6.138 04:BD:88:CB:6D:4E 2700/0 0/0 0 0 1/65535 P 1 N 300


    0.0.0.0 D8:BB:2C:7C:D8:D7 80/0 0/0 0 0 0/65535 P 2 S 600
    10.0.4.115 D8:BB:2C:7C:D8:D7 80/0 0/0 0 0 3/65535 2 S 600
    0.0.0.0 A4:5E:60:DD:A6:1B 84/0 0/0 0 0 0/65535 P 13 S 600
    0.0.0.0 44:00:10:1D:16:F6 80/0 0/0 0 0 0/65535 P 2 S 600
    0.0.0.0 48:51:B7:22:50:2E 84/0 0/0 0 0 0/65535 P 13 S 600
    0.0.0.0 6C:40:08:8F:D7:56 84/0 0/0 0 0 0/65535 P 13 S 600

    (Aruba3400) #

     

     

    Mac address of client: f8:16:54:50:b5:b3

     

     

     



  • 14.  RE: RAP155 AP 225 pass traffic differently

    Posted Dec 22, 2015 03:48 PM

    Hi Gerri,

     

    Thank you for sharing the outputs.

    I do not see any anomalies in the outputs that are attached. Few of the outputs like datapath session are from the same AP as shown by tunnel ID.

     

    As per the datapath session, traffic is tunneled all the way back to the controller probably due to 

    the following ACL:

     

    any Internal-Networks any permit

     

    However a live debug session & more insight into the network topology will help in narrowing down

    the issue.

     

    We can take datapath capture for the client on the controller for more information.

     

    Is it possible for you to open a TAC case for the same?
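
The first-match reasoning in the reply above, as an added example (not part of the thread and not Aruba tooling): it parses rule rows in the flattened form posted earlier and reports which rule a flow hits and where a split-tunnel SSID forwards it. The function names and the alias membership passed in (for instance that the wiki host also falls under `Internal-Networks`) are assumptions made for illustration.

```python
"""Added example: which path does a split-tunnel role rule send a flow down?"""

# Constructed sample: a subset of the rule rows posted earlier in the thread,
# in the same whitespace-flattened form, with the poster's sanitised aliases.
SAMPLE_RULES = """\
1 any any svc-dhcp permit Low Yes 4
2 any any svc-dns permit Low 4
15 any wiki.internal.ip.address svc-http permit Low 4
16 any wiki.internal.ip.address svc-https permit Low 4
17 any Internal-Networks any permit Low 4
18 any Apple TVs tcp 7000 permit Low 4
25 any any any route src-nat Low Yes 4
"""

# Forwarding result of each action on a split-tunnel SSID (ArubaOS semantics):
# permit goes through the tunnel to the controller, route src-nat leaves the
# AP's local uplink with source NAT.
PATH = {
    "permit": "tunnel-to-controller",
    "route src-nat": "local-src-nat",
    "deny": "drop",
}


def parse_rule(line):
    """Split one flattened rule row into priority, destination, service, action."""
    tok = line.split()
    # Priority and source are single tokens; destination and service may hold
    # spaces ("Apple TVs", "tcp 7000"), so locate the action keyword first.
    a = next(i for i in range(4, len(tok)) if tok[i] in ("permit", "deny", "route"))
    action = " ".join(tok[a:a + 2]) if tok[a] == "route" else tok[a]
    two_word_service = tok[a - 2] in ("tcp", "udp") and tok[a - 1].isdigit()
    svc_start = a - 2 if two_word_service else a - 1
    return {
        "priority": int(tok[0]),
        "destination": " ".join(tok[2:svc_start]),
        "service": " ".join(tok[svc_start:a]),
        "action": action,
    }


def parse_rules(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def decide(rules, dest_aliases, service):
    """Return (priority, path) of the first rule matching the flow.

    dest_aliases: set of alias names the destination address belongs to
    (hypothetical input; the real membership lives in the controller config).
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["destination"] not in dest_aliases | {"any"}:
            continue
        if rule["service"] not in (service, "any"):
            continue
        return rule["priority"], PATH[rule["action"]]
    return None, "drop"  # no rule matched


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    flows = {
        "wiki over HTTPS": ({"wiki.internal.ip.address", "Internal-Networks"}, "svc-https"),
        "other internal host": ({"Internal-Networks"}, "svc-https"),
        "internet site": (set(), "svc-https"),
    }
    for name, (aliases, service) in flows.items():
        print(name, decide(rules, aliases, service))
```
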



  • 15.  RE: RAP155 AP 225 pass traffic differently

    Posted Dec 22, 2015 03:51 PM

    Yes - I can do that - thanks for the assist.