Wireless Access


roles lost firewall policies after upgrade to

Anyone see this before? After upgrading from to several roles seem to have lost their policies, for certain: guest, guest-logon and logon. Seems to introduce new roles with the name based on the captive portal profiles; it also adds one big firewall policy with the earlier logon-control and captive-portal firewall policies combined. Can't find anything about this in the release notes, which is a big NO NO in my opinion.


My own customer-created name-guest-logon role didn't function after the upgrade; when I deleted and recreated it things worked again, might be related.


Re: roles lost firewall policies after upgrade to

I just did an upgrade this morning from to and did not see this behavior (was a 3200XM install; single controller). The guest-logon and guest roles had custom policies applied to them, and remained so after the upgrade. I also did not see any additional policies added as you suggest or any policies with logon-control and captive-portal policies combined.


If it is still an issue/concern for you or the customer I'd open a TAC case to see if they have any comments or explanation for your experience.

Systems Engineer, Northeast USA

Re: roles lost firewall policies after upgrade to


Just upgraded to no issues either.


Do you have a recent flashbackup?


Like clembo said you should probably open a TAC case.



Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners

Re: roles lost firewall policies after upgrade to

Quite weird, don't have a flash backup, but had a log-download.tar from before the upgrade which clearly shows the guest / guest-logon roles like they should be. It is a 72xx platform btw.


Doubting if it is worth the TAC case, was able to get everything working, just wondering where this comes from.


Re: roles lost firewall policies after upgrade to

Has your PEF licence expired?

Re: roles lost firewall policies after upgrade to

Good question, it shouldn't be expired for sure, but using central licensing so perhaps something odd happened during the upgrade making the system think there was no pefng license.


Re: roles lost firewall policies after upgrade to



If I read your initial post correctly, I think you are comparing the last backup, which might not have been the last thing changed by the customer, to the upgrade version. Unless we can validate that no changes were made by the customer before the upgrade, we may not be able to get anywhere. If it cannot be replicated, it cannot be fixed. If you have the last backup, restore it and upgrade it. If nothing happens, there is nothing we can do... Name-based roles and captive portals seem to be the result of running the WLAN wizard. Unless you can be sure that this did not happen, we probably have to move on...


Colin Joseph
Aruba Customer Engineering


Re: roles lost firewall policies after upgrade to

I understand cjoseph, I'm not expecting THE exact reason to be provided here without further action on my side, my last reply was just to indicate that I liked the suggestion of the pef ng license. I started this to check if anyone had seen something and the reply before you pointed me in a possible direction.


Btw: this was a fresh installation without a customer doing anything yet. The config file I had before the upgrade was the config right before the upgrade, not anything else. So something must have happened during the upgrade process, but as you mention the only way to check that is to do it again and that isn't possible now.


Re: roles lost firewall policies after upgrade to


This exact same thing is happening to us! This has basically taken out our entire wireless on campus!




Re: roles lost firewall policies after upgrade to


We're experiencing intermittent loss of ACLs and roles on our local controllers. It definitely seems related to centralized licensing and PEF. When this occurs all authenticated ( .1X WPA2) users are being assigned the "guest" role and all nonauthenticated (open) users are being assigned the "logon" role.


From the user perspective they can authenticate to wireless but have no network connectivity.


Our TAC case for this is 1528307.
