Occasional Contributor I

TFTP issue

Hi,

I am using a cluster of 3400 in version 6.4.4.16 with 70 APs configured and I have one problem with the TFTP protocol.

I have a PEF license but with a permit rule any to any.

The current SSID is configured as bridge with no firewall.

I tried to use a softphone solution and the first step is to start a TFTP session to download the phone information, without any success.

The desktop on the same VLAN but with a wired connection worked fine.

So the problem is on the AP, and I captured packets, checked logs and didn't find anything.

I also tried to perform from my laptop a TFTP copy from a switch to my desktop, with the same behavior.

So the problem seems to be linked to this protocol but I don't know why.

Regards

Guru Elite

Re: TFTP issue

What is the role that the user gets when the user connects to the bridged SSID?  Find out what role the user is in and type "show rights <role>" to see what policies are enforced.  In a bridged SSID, the firewall policies are enforced on the AP.  If in that role you are blocking tftp in either direction, it will not work.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: TFTP issue

About my users:

172.16.121.32   e8:b1:fc:e7:bb:e8  host/FRVPTLT15016.xxx.group.com       authenticated   00:00:38    8021x-Machine            FR-RBD-AP205-01-Z4    Associated(Remote)  G_Corporate/84:d4:7e:bb:40:50/a-VHT  AAA_G    bridge        Win 8

And about the "authenticated" role:

show rights authenticated

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'authenticated'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 322
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 ACL Number = 73/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                      Type     Location
--------  ----                      ----     --------
1         global-sacl               session
2         apprf-authenticated-sacl  session
3         allowall                  session
4         v6-allowall               session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-authenticated-sacl
------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
allowall
--------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any                   permit             Yes           Low                                                           4    
v6-allowall
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any-v6                permit                           Low                                                           6    

Expired Policies (due to time constraints) = 0

Guru Elite

Re: TFTP issue

You should try changing the ap-uplink-acl to 'allowall'. Please see here: http://community.arubanetworks.com/t5/Remote-Networking/What-is-the-ap-uplink-acl-and-how-does-it-work/td-p/13428

That restriction does not exist in a tunneled mode SSID.



Colin Joseph
Aruba Customer Engineering
