Wired

last person joined: yesterday 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

Aruba 1930 Instant-on network problem

This thread has been viewed 59 times
  • 1.  Aruba 1930 Instant-on network problem

    Posted 24 days ago
    Hello Team,

    I am running into a problem where we are not able to locate the issue. We have network of 10 aruba 1930- instant on switches, one of those are used as core switch. Vlans with their interfaces are created on the core switch, intervlan routing and access lists are working properly. For internet, i created a vlan and gave it ip 10.10.100.1/24 , and untagged it on a port on the core switch. This port is connected to physical interface on hillstone firewall of ip 10.10.100.2/24. Default route is created on the core switch created 0.0.0.0 0.0.0.0 10.10.100.2 .

    Default route on the firewall is created to the internet gateway. Also static routes created on the firewall for reaching the internal vlans ( for example for vlan 10 : ip route 192.168.10.0 255.255.255.0 10.10.100.1 ) . Natting is configured on firewall, also proper policy rules are configured to allow internal packets to the internet. 

    The issue is that internal vlans are still not reaching the internet. I am running out of solutions and hope someone would help out to be able to locate the issue , thanks alot !

    ------------------------------
    mohammad shamseddine
    ------------------------------


  • 2.  RE: Aruba 1930 Instant-on network problem

    Posted 23 days ago
    Hi! since you wrote that your internal VLANs have their respective IP Interfaces (SVI) on one of your ten Aruba 1930 which is acting as the Core for your internal networks...then can you verify that from one client on a particular VLAN you can ping its default gateway IP on the Core switch (Client's Default Gateway = SVI IP Address on the Core switch) and vice versa. That's to be sure internal routing is happing correctly between hosts and Core and/or between hosts in different VLANs (if permitted by deployed ACLs, if any). Probably it's an issue related to ACL. You could try to test with a new VLAN id (new SVI thus new subnet addressing) and, once correctly set also on your Firewall, try a test without applying any ACL on that particular VLAN id to see if packets are correctly routed to (and from) the Firewall for any other destination network that is non locally connected to your Core.

    ------------------------------
    Davide Poletto
    ------------------------------



  • 3.  RE: Aruba 1930 Instant-on network problem

    Posted 23 days ago
    I'm not sure if the 1930 can do L3 routing, the data sheet is ambiguous. Please ask your question on the Aruba Instant On community for a better audience.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 4.  RE: Aruba 1930 Instant-on network problem

    Posted 23 days ago
    IMHO it should (my take: since the Aruba 1930 is declared to support ACL then that would imply that VLAN IP interfaces can be created in order to apply ACL against them, isn't it?). To be honest QuickSpecs document isn't enough explicit about that though (generically the QuickSpecs document reports Layer 2+ and some Layer 3 Advanced featutes as supported by Aruba 1930 Switch series). Maybe I'm wrong, maybe not...I don't own an Aruba 1930 to test.





  • 5.  RE: Aruba 1930 Instant-on network problem

    Posted 20 days ago
    hello,

    Yes it do support L3 features. And also the testing is done on Vlans with no access lists associated so i do not think it is an access list issue. Client is able to ping his gateway and other gateways also, besides client is able to ping the firewall interface. But we discovered that from firewall side we are not able to ping the core sw ( 10.10.100.1 ) , eventhough i created static routes on the firewall for the internal vlans and allowed their communication through security policy, but still there is an issue, we will have more troubleshooting sessions this week, i appreciate if you have any ideas you would propose to try during troubleshooting ,

    Thanks

    ------------------------------
    mohammad shamseddine
    ------------------------------



  • 6.  RE: Aruba 1930 Instant-on network problem

    Posted 20 days ago
    Check hop-by-hop till where your routing works and check at points where it fails your routing entries. Firewalls sometimes block ping, in which case you can check the ARP&routing tables to see if there are ARP entries and if the correct routes are active, as well you may run a packet capture to see if inbound traffic is seen, and/or outbound traffic, which gives you an indication of where your routing (or firewall) issues lie.

    What helps me is to draw an L2 and L3 diagram of all the links, VLANs, and routing. Verify that to what it should be and what you see happening in the network.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: Aruba 1930 Instant-on network problem

    Posted 20 days ago
    Thanks for your comment ! 

    unfortunately we were not able to locate the issue. The behavior from core side and firewall side is similar. From core side  we are able to ping the firewall interface but still cannot reach internet, traffic is outgoing only when it comes to internet traffic. From firewall side, we are able to ping the core switch interface , and the SVIs as well, the weird thing is that we are not able to ping internal devices but able to ping their gateway. For example, from firewall i cannot ping a device in vlan 10 on core switch ( 192.168.10.5 ) , it failed , but i can ping the 192.168.10.1. When doing tracert from firewall to 192.168.10.1 the routing is correct where the hop is 10.10.100.1 , but when doing tracert from firewall to internal device ( 192.168.10.5) the routing is not correct and the next hop is the internet gateway ( 192.168.250.1 ). Below is an illustration of the setup . Actually i am beginning to run out of ideas , appreciate further support, thank you


    ------------------------------
    mohammad shamseddine
    ------------------------------



  • 8.  RE: Aruba 1930 Instant-on network problem

    Posted 19 days ago
    Pulling this apart: "from firewall i cannot ping a device in vlan 10 on core switch ( 192.168.10.5 ) , it failed , but i can ping the 192.168.10.1"
    This would mean that either your core switch is not doing IP routing, on ArubaOS-switch you need to enable IP routing, not sure on the 1930; or your client device 192.168.10.5 is not having its default gateway set to the core 192.168.10.1. Can you ping between clients (like 192.168.10.5 to 192.168.40.5)?

    Second: "From core side  we are able to ping the firewall interface but still cannot reach internet, traffic is outgoing only when it comes to internet traffic."
    Is your firewall doing NAT for your client subnets and the 10.10.100.0/24 subnet??
    Or is the gateway 192.168.250.1 the device doing the NAT? In that case, you will need to have routes on the gateway for the 10.10.100.0/24 (and 192.168.x.0/24) to the firewall. And you need to make sure that that gateway is performing NAT for your client subnets.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 9.  RE: Aruba 1930 Instant-on network problem

    Posted 19 days ago
    hello ,

    thanks for your response, as stated before, intervlan routing is working yes and ip routing is enabled on the core sw ( so clients in different vlans can ping each other ) the issue is with the traffic to the firewall.

    As for NAT, sNAT is perfomed for all traffic outgoing from firewall to the gateway , to be natted to the ip of the interface ( 192.168.250.3 ), i do not think that the issue is with NAT as the rule is already there, actually i had done this setup before and it is working but it is my first time dealing with aruba as core. I am not able to know where exactly our issue resides.

    Regards

    ------------------------------
    mohammad shamseddine
    ------------------------------



  • 10.  RE: Aruba 1930 Instant-on network problem

    Posted 13 days ago
    Based on the information, I don't think the issue lies in the 1930 but rather on the firewall. I would start capturing traffic on the firewall and analyze in which direction the issue lies and if routing is configured correctly on all points in your network.

    I would advise you to ask your question on the Aruba Instant On community to see if the people there know possibly additional troubleshooting tools on the 1930 switch.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------