Wireless Access

Reply
Contributor II

RAPIDS log full of "IP Spoofing" messages....

So we have some test equipment that will create an ad-hoc network, and let vehicles connect to it for testing.

 

The problem is, they all use the same ip address (hard-coded in to the diagnostic software).

 

So....I have 40 valid clients, which disconnect from the wireless and then set up a local ad-hoc for a car to connect to, and they are all just spamming the crap out of my IDS log.  It's about 15-20 per minute.  Just of IP Spoofing.

 

I already turned off "prohibit ip spoofing" in the firewall and disabled the SNMP trap for wlsxIpSpoofingDetected, but they are still coming through in droves.

 

I need to get rid of them, they are valid, but I had to turn of IDS triggers for now because my email was blowing up from IDS event triggers.......

 

Anyone have any clue how to get them to stop?  I've gone through the controller, airwave, can't find it anywhere....

Moderator

Re: RAPIDS log full of "IP Spoofing" messages....

I suggest opening a support case for this.  This seems to require some investigation from both the AMP side and the controller side. Perhaps there needs to be some way to whitelist the client IP address (possible feature enhancement request?).  If you can spare a day, try to disable all traps on the controller, and then enable them one by one to see which one is actually generating that message (the list of AMP supported traps is in the Aruba/AirWave Best Practices Guide on support.arubanetworks.com). It might be possible that another trap may be firing the message.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
Contributor II

Re: RAPIDS log full of "IP Spoofing" messages....

I actually found the trap that was generating the messages and disabled it.

 

There are TWO traps for spoofied IP's......

 

There is 

wlsxIpSpoofingDetected

 

AND

 

wlsxNIpSpoofingDetected

 

Not sure why but there are a bunch of traps that are duplicated with N right after the "wlsx"

 

Anyway, after disabling the second IP spoofing trap the messages stopped coming through.

 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: