Wireless Access

 View Only
last person joined: 5 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Problem with removing overwritten firewall CP

This thread has been viewed 15 times
  • 1.  Problem with removing overwritten firewall CP

    Posted Apr 24, 2020 06:37 PM

    Hi community

     

    I have 8.3 architecture with MM and MDs with some configuration is global on folder level and some local on MD.s.

    I have overwritten firewall CP rules on MD level.

    But now when I want to remove local firewall CP I cannot remove last IPv6 rule

    ipv6 deny any proto 0 ports 0 65535

     

    When I try to remove it says

     

    Invalid data: FW CP ACL not found

     

    I would like to use inherited firewall CP, but this last rule seems to block inheritance

     

    Any idea ? I appreciate any help

     

    Karol

     

     

     



  • 2.  RE: Problem with removing overwritten firewall CP

    MVP GURU
    Posted Apr 24, 2020 09:41 PM

    Have you tried a show "configuration effective detail" to see where this line of config is being derived from?

     

     



  • 3.  RE: Problem with removing overwritten firewall CP

    Posted Apr 25, 2020 09:58 AM

    Hi Dustin

     

    Thanks for reply

     

    I have checked it now once more, this ACL rule is local.

     

    Karol



  • 4.  RE: Problem with removing overwritten firewall CP

    MVP GURU
    Posted Apr 26, 2020 01:11 PM

    If the controller configuration still can not be removed, I would try turning on disaster recovery with the "disaster-recovery on" command when your in MD connect or ssh directly into the controller, and then try to remove the configuration. When you're done turn disaster recovery off. 

     

    If it still doesn't go away, try a reboot. Next step after that may be a call to TAC. 

     

     



  • 5.  RE: Problem with removing overwritten firewall CP

    Posted Apr 27, 2020 03:40 AM

    Hi Dustin 

     

    From disaster-recovery mode it is the same - cannot delete ACL rule 

     

    It seems it is a kind of default deny any for all protocols and ports

     

    I would call this problem to TAC 

     

    Thanks

     

    K



  • 6.  RE: Problem with removing overwritten firewall CP

    EMPLOYEE
    Posted Apr 27, 2020 12:41 PM

    User roles typically end with an implicit deny all ... so anything not matched and acted on by policies will get dropped if there is no match. That may be what this is.

     

    Where/how are you seeing the rule in question? Is it in the config file, show command output, etc?



  • 7.  RE: Problem with removing overwritten firewall CP

    Posted Apr 28, 2020 03:39 AM

    Hi

     

    it isn't user policy but in firewall cp 

     

    I see it in CLI and GUI.

     

    In CLI ther is following entry 

     

    firewall cp
        ipv6 deny any proto 0 ports 0 65535

     

    When I try to delete it I have message:

     

    Invalid data: FW CP ACL not found

     

    When I try to delete it from GUI message is a little bit different 

     

    Error: expecting integer from 0 to 254

     

    Karol



  • 8.  RE: Problem with removing overwritten firewall CP

    EMPLOYEE
    Posted Apr 28, 2020 10:29 AM

    Why are you trying to remove control plane firewall policies? That is a default policy. Control plane firewall policies should not be changed without guidance from TAC.



  • 9.  RE: Problem with removing overwritten firewall CP

    Posted May 05, 2020 07:22 PM

    Hi

     

    I use firewall cp policies to control access to controller itself like ssh/https.

     

    I have defined custom policies to allow/deny my custom networks.

     

    As I have written in original post I would like to move those policies from local config to folder config, but it isn't possible it seems even one last rule block inheritance from folder level.

     

    Of course there is solution to write erase and to reconnet MD to MM, but in my case for this moment this is not the case. 

     

    Maybe yes it is kind of defult, but how to avoid problem ?

     

    Karol

     



  • 10.  RE: Problem with removing overwritten firewall CP

    Posted Jun 20, 2022 11:08 PM
    Hi,

    Did you ever figure this out?


    ------------------------------
    Ambidexter
    ------------------------------



  • 11.  RE: Problem with removing overwritten firewall CP

    Posted Sep 12, 2022 10:47 PM
    Hi Karol, i have the same error. I have the firewall cp list configured on the group level (MM) but unfortunetly i have a few lines on the controller level which i can´t deleted.
    the only way that i found was doing a wipeup on that controller. i tried with a "disaster recovrey" but i had the same issue. If you found a better way please let me know.


    regards.


  • 12.  RE: Problem with removing overwritten firewall CP

    EMPLOYEE
    Posted Sep 13, 2022 04:38 AM
    This looks like a corner case, and I would work with Aruba Support to see what is the best way to get around this. Also, TAC can report this as a bug so it will be resolved in future software version.

    You may, if you haven't yet, upgrade to a recent version of firmware in case it has been resolved in recent version.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------