Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
  • 1.  TFTP issue

    Posted Jan 09, 2018 07:11 AM

    Hi,

     

    I am using a cluster of 3400 in version 6.4.4.16 with 70 APs configured and I have one problem with the TFTP protocol.

    I have a PEF license but with a permit rule any to any.

    The current SSID is configured as bridge with no firewall.

     

    I tried to use a softphone solution, and the first step is to start a TFTP session to download the phone information, without any success.

    The desktop on the same VLAN but with a wired connection worked fine,

    so the problem is on the AP. I captured packets, checked logs and didn't find anything.

    I also tried to perform a TFTP copy from a switch to my desktop from my laptop, with the same behavior.

    So the problem seems to be linked to this protocol, but I don't know why.

     

    Regards


  • 2.  RE: TFTP issue

    EMPLOYEE
    Posted Jan 09, 2018 07:15 AM

    What is the role that the user gets when the user connects to the bridged SSID?  Find out what role the user is in and type "show rights <role>" to see what policies are enforced.  In a bridged SSID, the firewall policies are enforced on the AP.  If in that role you are blocking tftp in either direction, it will not work.



  • 3.  RE: TFTP issue

    Posted Jan 09, 2018 09:16 AM

     

    About my users:

     

    172.16.121.32   e8:b1:fc:e7:bb:e8  host/FRVPTLT15016.xxx.group.com       authenticated   00:00:38    8021x-Machine            FR-RBD-AP205-01-Z4    Associated(Remote)  G_Corporate/84:d4:7e:bb:40:50/a-VHT  AAA_G    bridge        Win 8

     

    And about the "authenticated" role:

     

    show rights authenticated

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'authenticated'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 322
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     ACL Number = 73/0
     Max Sessions = 65535

     Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------
    Position  Name                      Type     Location
    --------  ----                      ----     --------
    1         global-sacl               session
    2         apprf-authenticated-sacl  session
    3         allowall                  session
    4         v6-allowall               session

    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-authenticated-sacl
    ------------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    allowall
    --------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          any                   permit             Yes           Low                                                           4    
    v6-allowall
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          any-v6                permit                           Low                                                           6    

    Expired Policies (due to time constraints) = 0
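
The role check suggested in reply 2, as an added example that is not part of the original thread: a Python parser for the ACL tables printed by `show rights <role>` that lists, in printed order, every rule whose Service column could apply to a given service. The `voice-restrict` ACL, its rules, and the use of `svc-tftp` as the service alias are constructed assumptions; the code assumes ACLs are evaluated in the order printed with the first matching rule winning.

```python
import re

# Constructed sample in the layout of the `show rights` ACL tables above,
# with the right-hand columns dropped. `voice-restrict` and its rules are invented.
SAMPLE = """\
voice-restrict
--------------
Priority  Source  Destination  Service   Application  Action
--------  ------  -----------  --------  -----------  ------
1         user    any          svc-dhcp               permit
2         any     any          svc-tftp               deny
allowall
--------
Priority  Source  Destination  Service  Application  Action
--------  ------  -----------  -------  -----------  ------
1         any     any          any                   permit
"""

def parse_acls(text):
    """Return [(acl_name, [row_dict, ...]), ...] in the order printed."""
    lines = text.splitlines()
    acls = []
    for i, line in enumerate(lines):
        if not line.lstrip().startswith("Priority") or i < 2 or i + 1 >= len(lines):
            continue
        pad = len(line) - len(line.lstrip())      # forum/CLI indentation
        header, ruler = line[pad:], lines[i + 1][pad:]
        # The dashed ruler under the header gives each column's start offset.
        starts = [m.start() for m in re.finditer(r"-+", ruler)]
        ends = starts[1:] + [None]
        cols = [header[s:e].strip() for s, e in zip(starts, ends)]
        rows = []
        for row in lines[i + 2:]:
            row = row[pad:]
            if not row[:1].isdigit():             # next ACL name or blank line
                break
            rows.append({c: row[s:e].strip() for c, s, e in zip(cols, starts, ends)})
        acls.append((lines[i - 2].strip(), rows)) # ACL name sits two lines above
    return acls

def rules_for_service(text, service):
    """Rules, in evaluation order, whose Service is `any` or `service`."""
    return [(acl, int(r["Priority"]), r["Source"], r["Destination"], r["Action"])
            for acl, rows in parse_acls(text)
            for r in rows if r["Service"] in ("any", service)]

if __name__ == "__main__":
    for hit in rules_for_service(SAMPLE, "svc-tftp"):
        print(hit)
```

Applied to the `show rights authenticated` output in the post above, the only candidate it returns is the `allowall` priority 1 permit rule; the `v6-allowall` rule is skipped because its service is `any-v6`.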



  • 4.  RE: TFTP issue
    Best Answer

    EMPLOYEE
    Posted Jan 09, 2018 09:38 AM

    You should try changing the ap-uplink-acl to 'allowall'.  Please see here:  http://community.arubanetworks.com/t5/Remote-Networking/What-is-the-ap-uplink-acl-and-how-does-it-work/td-p/13428

     

    That restriction does not exist in a tunneled mode SSID.