Pulling this apart: "from firewall i cannot ping a device in vlan 10 on core switch ( 192.168.10.5 ) , it failed , but i can ping the 192.168.10.1"
This would mean that either your core switch is not doing IP routing (on ArubaOS-Switch you need to enable IP routing; not sure on the 1930), or your client device 192.168.10.5 does not have its default gateway set to the core 192.168.10.1. Can you ping between clients (like 192.168.10.5 to 192.168.40.5)?
Second: "From core side we are able to ping the firewall interface but still cannot reach internet, traffic is outgoing only when it comes to internet traffic."
Is your firewall doing NAT for your client subnets and the 10.10.100.0/24 subnet?
Or is the gateway 192.168.250.1 the device doing the NAT? In that case, you will need to have routes on the gateway for the 10.10.100.0/24 (and 192.168.x.0/24) to the firewall. And you need to make sure that that gateway is performing NAT for your client subnets.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: Apr 19, 2021 05:32 AM
From: mohammad shamseddine
Subject: Aruba 1930 Instant-on network problem
Thanks for your comment! Unfortunately we were not able to locate the issue. The behavior from the core side and the firewall side is similar. From the core side we are able to ping the firewall interface but still cannot reach the internet; traffic is outgoing only when it comes to internet traffic. From the firewall side, we are able to ping the core switch interface, and the SVIs as well; the weird thing is that we are not able to ping internal devices but are able to ping their gateway. For example, from the firewall I cannot ping a device in VLAN 10 on the core switch (192.168.10.5), it fails, but I can ping 192.168.10.1. When doing tracert from the firewall to 192.168.10.1 the routing is correct, where the hop is 10.10.100.1, but when doing tracert from the firewall to an internal device (192.168.10.5) the routing is not correct and the next hop is the internet gateway (192.168.250.1). Below is an illustration of the setup. Actually I am beginning to run out of ideas; I appreciate further support, thank you.
------------------------------
mohammad shamseddine
Original Message:
Sent: Apr 19, 2021 04:30 AM
From: Herman Robers
Subject: Aruba 1930 Instant-on network problem
Check hop-by-hop till where your routing works and check at points where it fails your routing entries. Firewalls sometimes block ping, in which case you can check the ARP&routing tables to see if there are ARP entries and if the correct routes are active, as well you may run a packet capture to see if inbound traffic is seen, and/or outbound traffic, which gives you an indication of where your routing (or firewall) issues lie.
What helps me is to draw an L2 and L3 diagram of all the links, VLANs, and routing. Verify that to what it should be and what you see happening in the network.
------------------------------
Herman Robers
------------------------
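The hop-by-hop check Herman describes here, and the route/NAT questions in his later reply, both come down to one mechanic: each device picks the most specific matching route, and if no route covers the destination the default route wins. The following script is an added example (not part of this thread or any Aruba/Hillstone product); all routing tables in it are constructed to mirror the addresses the poster gave, and the wrong-mask entry and the gateway table are hypothetical illustrations of causes that would produce the reported tracert symptom, not a statement of what is actually misconfigured.

```python
"""Longest-prefix-match route lookup over constructed routing tables.

Shows why a tracert from the firewall to 192.168.10.5 could take the
internet gateway (192.168.250.1) while 192.168.10.1 is reachable via the
core (10.10.100.1), and why the device doing NAT needs return routes.
Every table below is constructed for illustration; none is real config.
"""
import ipaddress


def lookup(routes, dst):
    """Return (prefix, next_hop) of the most specific route containing dst.

    routes: list of (prefix, next_hop) tuples. Returns None when no route
    matches (which cannot happen while a 0.0.0.0/0 default is present).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


# Firewall table as the poster intends it: default toward the internet
# gateway, connected transit /24, static /24s for each client VLAN via core.
FIREWALL_ROUTES_OK = [
    ("0.0.0.0/0", "192.168.250.1"),
    ("10.10.100.0/24", "connected"),
    ("192.168.10.0/24", "10.10.100.1"),
    ("192.168.40.0/24", "10.10.100.1"),
]

# Hypothetical mistake (constructed): the VLAN 10 route entered with a host
# mask, so only the SVI address matches it and every client in the subnet
# falls through to the default route. This reproduces the thread's symptom.
FIREWALL_ROUTES_BAD = [
    ("0.0.0.0/0", "192.168.250.1"),
    ("10.10.100.0/24", "connected"),
    ("192.168.10.1/32", "10.10.100.1"),
    ("192.168.40.0/24", "10.10.100.1"),
]

# Constructed table of the upstream gateway 192.168.250.1. If the firewall
# is NOT translating client traffic, this device has to know the way back.
# 192.168.250.2 is an assumed address for the firewall's outside interface.
GATEWAY_ROUTES_NO_RETURN = [
    ("0.0.0.0/0", "isp"),
    ("192.168.250.0/24", "connected"),
]
GATEWAY_ROUTES_WITH_RETURN = GATEWAY_ROUTES_NO_RETURN + [
    ("192.168.10.0/24", "192.168.250.2"),
    ("192.168.40.0/24", "192.168.250.2"),
    ("10.10.100.0/24", "192.168.250.2"),
]


def audit_client_routes(routes, client_subnets, core_ip):
    """List client subnets whose hosts would NOT be forwarded to the core.

    For each subnet a non-gateway host (the 5th usable address) is looked up,
    mirroring the poster's test of .5 rather than .1.
    """
    wrong = []
    for subnet in client_subnets:
        host = str(list(ipaddress.ip_network(subnet).hosts())[4])
        hit = lookup(routes, host)
        if hit is None or hit[1] != core_ip:
            wrong.append((subnet, host, hit))
    return wrong


def return_path_ok(gateway_routes, client_ip, firewall_outside_ip):
    """True if the NAT-less reply to client_ip would come back to the firewall."""
    hit = lookup(gateway_routes, client_ip)
    return hit is not None and hit[1] == firewall_outside_ip


if __name__ == "__main__":
    subnets = ["192.168.10.0/24", "192.168.40.0/24"]
    for name, table in (("ok", FIREWALL_ROUTES_OK), ("bad", FIREWALL_ROUTES_BAD)):
        print(name, "192.168.10.1 ->", lookup(table, "192.168.10.1"))
        print(name, "192.168.10.5 ->", lookup(table, "192.168.10.5"))
        print(name, "subnets not via core:", audit_client_routes(table, subnets, "10.10.100.1"))
    print("return path without routes:",
          return_path_ok(GATEWAY_ROUTES_NO_RETURN, "192.168.10.5", "192.168.250.2"))
    print("return path with routes:",
          return_path_ok(GATEWAY_ROUTES_WITH_RETURN, "192.168.10.5", "192.168.250.2"))
```

Running it shows the two checks a practitioner would apply at each hop: `audit_client_routes` flags any client subnet whose hosts are not routed to the core (the "bad" table sends 192.168.10.5 to 192.168.250.1 exactly as in the tracert above), and `return_path_ok` shows that when NAT is not done on the firewall, the upstream gateway needs explicit routes for the client subnets or replies never come back.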
Original Message:
Sent: Apr 18, 2021 12:06 PM
From: mohammad shamseddine
Subject: Aruba 1930 Instant-on network problem
hello,
Yes, it does support L3 features. And also the testing is done on VLANs with no access lists associated, so I do not think it is an access list issue. The client is able to ping its gateway and other gateways also; besides, the client is able to ping the firewall interface. But we discovered that from the firewall side we are not able to ping the core switch (10.10.100.1), even though I created static routes on the firewall for the internal VLANs and allowed their communication through the security policy, but still there is an issue. We will have more troubleshooting sessions this week; I would appreciate it if you have any ideas you would propose to try during troubleshooting.
Thanks
------------------------------
mohammad shamseddine
Original Message:
Sent: Apr 15, 2021 05:10 PM
From: Davide Poletto
Subject: Aruba 1930 Instant-on network problem
IMHO it should (my take: since the Aruba 1930 is declared to support ACLs, that would imply that VLAN IP interfaces can be created in order to apply ACLs against them, isn't it?). To be honest the QuickSpecs document isn't explicit enough about that though (generically the QuickSpecs document reports Layer 2+ and some Layer 3 advanced features as supported by the Aruba 1930 Switch series). Maybe I'm wrong, maybe not... I don't own an Aruba 1930 to test.
Original Message:
Sent: 4/15/2021 3:04:00 PM
From: Herman Robers
Subject: RE: Aruba 1930 Instant-on network problem
I'm not sure if the 1930 can do L3 routing, the data sheet is ambiguous. Please ask your question on the Aruba Instant On community for a better audience.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Apr 15, 2021 06:11 AM
From: mohammad shamseddine
Subject: Aruba 1930 Instant-on network problem
Hello Team,
I am running into a problem where we are not able to locate the issue. We have a network of 10 Aruba 1930 Instant On switches, one of which is used as the core switch. VLANs with their interfaces are created on the core switch; inter-VLAN routing and access lists are working properly. For internet, I created a VLAN, gave it IP 10.10.100.1/24, and untagged it on a port on the core switch. This port is connected to a physical interface on a Hillstone firewall with IP 10.10.100.2/24. A default route 0.0.0.0 0.0.0.0 10.10.100.2 is created on the core switch.
The default route on the firewall points to the internet gateway. Static routes are also created on the firewall for reaching the internal VLANs (for example, for VLAN 10: ip route 192.168.10.0 255.255.255.0 10.10.100.1). NAT is configured on the firewall, and proper policy rules are configured to allow internal packets to the internet.
The issue is that the internal VLANs are still not reaching the internet. I am running out of solutions and hope someone would help out to locate the issue, thanks a lot!
------------------------------
mohammad shamseddine
------------------------------