Wireless Access

Reply
Contributor II

Y flag troubleshooting

Sorry if this is duplicate. It appears that the original didn't post...

 

 

I've got 2 production networks on different VLANs with the same configuration on both. On the "M" network, I can get everything with no problem. Websites load, I can ping, etc.   On the "D" network, I can ping websites, but I cannot establish any http or https traffic. 

 

when viewing the datpath session table, I see that all the return traffic is being flagged with Y. I understand what that means, but what can I do to get to the bottom of the problem and get this network working?

 

output:

205.171.2.65    192.168.135.50  17   53    16755  0/0     0    0   0   tunnel 12   2    0          0          FYI
192.168.135.50  8.8.8.8         17   59804 53     0/0     0    0   0   tunnel 12   2    1          61         FCI
8.8.8.8         192.168.135.50  17   53    59804  0/0     0    0   0   tunnel 12   2    0          0          FYI
192.168.135.50  205.171.2.65    17   16755 53     0/0     0    0   0   tunnel 12   2    1          63         FCI
205.171.2.65    192.168.135.50  17   53    47764  0/0     0    0   0   tunnel 12   5    0          0          FYI
8.8.8.8         192.168.135.50  17   53    48911  0/0     0    0   1   tunnel 12   a    0          0          FYI
192.168.135.50  8.8.8.8         17   54884 53     0/0     0    0   0   tunnel 12   2    1          66         FCI
192.168.135.50  8.8.8.8         17   16958 53     0/0     0    0   0   tunnel 12   2    1          66         FCI
192.168.135.50  8.8.8.8         17   48911 53     0/0     0    0   1   tunnel 12   a    1          102        FCI
192.168.135.50  8.8.8.8         17   23840 53     0/0     0    0   1   tunnel 12   9    1          74         FCI
8.8.8.8         192.168.135.50  17   53    16958  0/0     0    0   0   tunnel 12   2    0          0          FYI
8.8.8.8         192.168.135.50  17   53    5450   0/0     0    0   1   tunnel 12   2    0          0          FYI
8.8.8.8         192.168.135.50  17   53    54884  0/0     0    0   1   tunnel 12   2    0          0          FYI
8.8.8.8         192.168.135.50  17   53    4209   0/0     0    0   0   tunnel 12   7    0          0          FYI
192.168.135.50  8.8.8.8         17   34465 53     0/0     0    0   0   tunnel 12   2    1          61         FCI
192.168.135.50  8.8.8.8         17   4209  53     0/0     0    0   0   tunnel 12   7    1          63         FCI
8.8.8.8         192.168.135.50  17   53    2282   0/0     0    0   1   tunnel 12   1e   0          0          FYI
205.171.2.65    192.168.135.50  17   53    9802   0/0     0    0   0   tunnel 12   4    0          0          FYI
192.168.135.50  8.8.8.8         17   5450  53     0/0     0    0   0   tunnel 12   2    1          74         FCI
8.8.8.8         192.168.135.50  17   53    31570  0/0     0    0   0   tunnel 12   2    0          0          FYI
192.168.135.50  205.171.2.65    17   35447 53     0/0     0    0   0   tunnel 12   7    1          64         FCI
192.168.135.50  8.8.8.8         17   2282  53     0/0     0    0   0   tunnel 12   1e   2          128        FCI
192.168.135.50  205.171.2.65    17   47764 53     0/0     0    0   0   tunnel 12   5    1          102        FCI
192.168.135.50  8.8.8.8         17   31570 53     0/0     0    0   0   tunnel 12   2    1          64         FCI
8.8.8.8         192.168.135.50  17   53    23840  0/0     0    0   0   tunnel 12   9    0          0          FYI
192.168.135.50  205.171.2.65    17   9802  53     0/0     0    0   0   tunnel 12   4    1          74         FCI
8.8.8.8         192.168.135.50  17   53    34465  0/0     0    0   0   tunnel 12   2    0          0          FYI
205.171.2.65    192.168.135.50  17   53    35447  0/0     0    0   0   tunnel 12   7    0          0          FYI

 

-Joey
 
-Joey

Re: Y flag troubleshooting

Do you have any ACLs rules that could be blocking the traffic from that particular network ?
Are the sites internal or external ?

Can you reach those sites by IP ?

Get Outlook for iOS
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Highlighted
Guru Elite

Re: Y flag troubleshooting

If the Aruba Controller was blocking it, there would be a "D" in the session flag, regardless of the way it was being blocked.  A "Y" means that there is no return traffic or the traffic is UDP, which never has a SYN.  I would look upstream from the Aruba Controller or ping hop by hop to determine where your traffic is not being returned from..



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: