Wireless Access

Occasional Contributor I

TFTP issue

Hi,

 

I am using a cluster of 3400 in version 6.4.4.16 with 70 APs configured and I have one problem with the TFTP protocol.

I have a PEF license but with a permit rule any to any.

The current SSID is configured as bridge with no firewall.

I tried to use a softphone solution and the first step is to start a TFTP session to download the phone information, without any success.

The desktop on the same VLAN but with a wired connection worked fine.

So the problem is on the AP, and I captured packets, checked logs and didn't find anything.

I also tried to perform from my laptop a TFTP copy from a switch to my desktop, with the same behavior.

So the problem seems to be linked to this protocol but I don't know why.

 

Regards

Guru Elite

Re: TFTP issue

What is the role that the user gets when the user connects to the bridged SSID?  Find out what role the user is in and type "show rights <role>" to see what policies are enforced.  In a bridged SSID, the firewall policies are enforced on the AP.  If in that role you are blocking tftp in either direction, it will not work.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Occasional Contributor I

Re: TFTP issue

 

About my users:

172.16.121.32   e8:b1:fc:e7:bb:e8  host/FRVPTLT15016.xxx.group.com       authenticated   00:00:38    8021x-Machine            FR-RBD-AP205-01-Z4    Associated(Remote)  G_Corporate/84:d4:7e:bb:40:50/a-VHT  AAA_G    bridge        Win 8

And about the "authenticated" role:


show rights authenticated

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'authenticated'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 322
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 ACL Number = 73/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                      Type     Location
--------  ----                      ----     --------
1         global-sacl               session
2         apprf-authenticated-sacl  session
3         allowall                  session
4         v6-allowall               session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-authenticated-sacl
------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
allowall
--------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any                   permit             Yes           Low                                                           4    
v6-allowall
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any-v6                permit                           Low                                                           6    

Expired Policies (due to time constraints) = 0

Guru Elite

Re: TFTP issue

You should try changing the ap-uplink-acl to 'allowall'.  Please see here:  http://community.arubanetworks.com/t5/Remote-Networking/What-is-the-ap-uplink-acl-and-how-does-it-work/td-p/13428

 

That restriction does not exist in a tunneled mode SSID.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
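
The `show rights` check from the first reply, as an added example that is not part of the original thread or of Aruba's tooling: it cuts the pasted output at the header's dash runs, so empty columns and empty ACLs parse correctly, and reports the first rule that covers a service. Assumptions: ACLs are evaluated in position order with the first matching rule winning, `svc-tftp` is the service alias in use, only the Service column is compared, and the `voice-acl` policy in the sample is hypothetical.

```python
import re
# Constructed sample in the `show rights` layout; 'voice-acl' and its rule are hypothetical.
SAMPLE = """\
access-list List
----------------
Position  Name         Type     Location
--------  ----         ----     --------
1         global-sacl  session
2         voice-acl    session
3         allowall     session
global-sacl
-----------
Priority  Source  Destination  Service   Application  Action
--------  ------  -----------  -------   -----------  ------
voice-acl
---------
Priority  Source  Destination  Service   Application  Action
--------  ------  -----------  -------   -----------  ------
1         any     any          svc-tftp               deny
allowall
--------
Priority  Source  Destination  Service   Application  Action
--------  ------  -----------  -------   -----------  ------
1         any     any          any                    permit
"""

def parse_tables(text):
    """Map each dash-underlined title to its rows, cut at the header's dash runs."""
    lines, tables, i = text.splitlines(), {}, 0
    while i + 3 < len(lines):
        title, rule = lines[i].strip(), lines[i + 1].strip()
        if not title or rule != "-" * len(title):
            i += 1
            continue
        cuts = [m.start() for m in re.finditer(r"-+", lines[i + 3])] + [None]
        names = [lines[i + 2][a:b].strip() for a, b in zip(cuts, cuts[1:])]
        i, tables[title] = i + 4, []
        while i < len(lines) and lines[i][:1].isdigit():
            tables[title].append({n: lines[i][a:b].strip() for n, a, b in zip(names, cuts, cuts[1:])})
            i += 1
    return tables

def first_match(text, service="svc-tftp"):
    """First rule, in ACL position order, whose Service is 'any' or `service` (assumed first-match)."""
    tables = parse_tables(text)
    for acl in sorted(tables["access-list List"], key=lambda r: int(r["Position"])):
        for rule in tables.get(acl["Name"], []):
            if rule["Service"] in ("any", service):
                return acl["Name"], int(rule["Priority"]), rule["Action"]
    return None  # no rule covers the service
```

On the output posted in this thread, the first IPv4 rule reached is `allowall` priority 1 (`any any any permit`), so the role itself does not block TFTP. This check covers only the role's ACLs, not the `ap-uplink-acl` named in the last reply.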