Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Activesync and Aruba

  • 1.  Activesync and Aruba

    Posted Jun 10, 2013 05:00 PM

    Hello,

    We recently switched out Sidewinder firewalls and went with Check Point firewalls.  Since then, we've been having a lot of problems getting activesync to work on the Internal Wireless Network.  If we take our phones off of the Aruba WLAN network and just use our Cellular network, mail comes in just fine.  Once we connect back up to the Arubas, we can't even connect to our Exchange Server.  Firewall logs show no dropped packets at all for https connections to Activesync.  However, the interesting thing we are seeing is that it seems our phones are trying to contact our ISP's DNS servers looking for the front end exchange server.

    Any thoughts on how we might be able to remedy this?



  • 2.  RE: Activesync and Aruba

    Posted Jun 11, 2013 03:30 AM

    What DNS servers are the clients being provided and how are they being provided with these?

    Might also be worth seeing what role the clients are assigned (#show user-table) and checking the permissions for this role (#show rights xxxxx)



  • 3.  RE: Activesync and Aruba

    Posted Jun 11, 2013 09:30 AM

    Thanks for the replies,

    From the looks of the settings on the phone, they are pulling ISP DNS settings; unfortunately, I'm not exactly sure how this is getting assigned.  The guy prior to me was the one who put this all together.  As far as roles and permissions go, it's every role that has this issue.  Permissions for the group that I'm in are "AllowAll" for the ACL.  It's not really restrictive at all because it's the SSID used for IT and the company directors.

    @VFabian

    I ran the datapath command on my phone and it appears that it's communicating with google (Android phone) and that's it.

    74.125.225.135      172.***.***.***        6      443       54394      0/0      0 0      12      tunnel      19      c1
    172.***.***.***          125.225.135          6     54394   443          0/0      0 0      12      tunnel      19      c1     C
    173.194.68.188      172.***.***.***        6      5228     51798     0/0      0 0       11      tunnel      19     578
    172.***.***.***          173.194.68.188    6      51798  5228        0/0      0 0       12      tunnel      19     578 C

    Again this is happening with every phone regardless of what SSID or Role it has.  I'm sure this is a firewall issue, but I have no clue where the issue is as the logs are showing no drops whatsoever.



  • 4.  RE: Activesync and Aruba

    Posted Jun 11, 2013 09:32 AM

    How are the users obtaining an IP address? Via the DHCP server on the controller or an external one. I expect this would be providing your DNS servers unless they are statically set.



  • 5.  RE: Activesync and Aruba

    Posted Jun 11, 2013 09:50 AM

    Looks like our Juniper Switches are handling DNS.  We changed these to reflect our internal network and the only thing that changed was that now we're not able to get to the internet.  Still no connection to Activesync.



  • 6.  RE: Activesync and Aruba

    Posted Jun 11, 2013 09:52 AM

    What does show datapath session table <ip address> show? Are you seeing any "D", i.e traffic being denied now?



  • 7.  RE: Activesync and Aruba

    Posted Jun 11, 2013 10:00 AM

    Have you tried creating a rule in the Check Point firewall to allow all for just one particular IP address?



  • 8.  RE: Activesync and Aruba

    Posted Jun 11, 2013 10:21 AM

    The command shows that my phone was communicating with the internal DNS servers, but that's it.  I have no "D" traffic, just the 2 connections to the internal DNS servers.  I even tried re-setting up my activesync based on the server IP address instead of the DNS entry and it won't connect.  I also don't see traffic going to it while logged onto the WLAN controller, and the last entry for my phone's IP in the firewall was prior to making the DNS change on our Juniper core switch.

    @VFabian

    I have not done a rule for a single IP address, but I did add a rule, at the top, that would allow traffic from our wireless subnet range to communicate to our front end exchange server.  That rule has zero hits on it.
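    As an added example (it is not from this thread and not an Aruba tool), here is a small Python script that sifts the output of `show datapath session table <ip>` for the checks suggested in posts 2, 6 and 15 and applied in post 8: which peers the client actually has sessions with, which entries carry the D (deny) flag, and whether any session to the server you expect (the front end Exchange) exists at all. The sample rows are constructed from the ones posted above, with 172.16.50.21 standing in for the masked phone address and two invented rows (a DNS lookup to 10.0.0.5 and a denied attempt to 10.0.0.9) so the checks have something to find; the abbreviated header and the flag letters D and C follow ArubaOS 6.x output.

```python
"""Sift ArubaOS 'show datapath session table <ip>' output for one client.

Added example for this thread, not Aruba code. Flag letters used: D = deny
(the role ACL dropped the packet), C = client side of the session. Flag
letters are always alphabetic; the counter columns before them are decimal
or hex numbers.
"""
import re
from typing import List, NamedTuple, Set, Tuple

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class Session(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str


# Constructed sample modelled on the rows posted in this thread. 172.16.50.21
# stands in for the masked phone address; the two 10.0.0.x rows are invented
# to give the checks something to find. The header is abbreviated.
SAMPLE_OUTPUT = """\
Source IP       Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Pkts Flags
74.125.225.135  172.16.50.21    6    443   54394  0/0  0    0   12  tunnel      19   c1
172.16.50.21    74.125.225.135  6    54394 443    0/0  0    0   12  tunnel      19   c1   C
173.194.68.188  172.16.50.21    6    5228  51798  0/0  0    0   11  tunnel      19   578
172.16.50.21    173.194.68.188  6    51798 5228   0/0  0    0   12  tunnel      19   578  C
172.16.50.21    10.0.0.5        17   52001 53     0/0  0    0   3   tunnel      4    2    C
172.16.50.21    10.0.0.9        6    52002 443    0/0  0    0   2   tunnel      2    0    FDC
"""


def parse_sessions(text: str) -> List[Session]:
    """Parse table rows; lines not starting with two IPv4 addresses are skipped."""
    sessions = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or not (IPV4.match(tok[0]) and IPV4.match(tok[1])):
            continue
        # The flags column is optional and purely alphabetic when present, so
        # a trailing token made only of letters is the flags field. Caveat: a
        # hex counter such as "ab" would be misread; use a fixed column index
        # if your ArubaOS version prints a fixed number of columns.
        flags = tok[-1] if tok[-1].isalpha() else ""
        sessions.append(Session(tok[0], tok[1], int(tok[2]), int(tok[3]), int(tok[4]), flags))
    return sessions


def denied(sessions: List[Session]) -> List[Session]:
    """Entries carrying the D flag: the user role's ACL dropped them."""
    return [s for s in sessions if "D" in s.flags]


def peers_of(sessions: List[Session], client: str) -> Set[Tuple[str, int, int]]:
    """(peer ip, proto, peer port) for every session the client appears in,
    whichever direction the entry was recorded in."""
    peers = set()
    for s in sessions:
        if s.src == client:
            peers.add((s.dst, s.proto, s.dport))
        elif s.dst == client:
            peers.add((s.src, s.proto, s.sport))
    return peers


def reaches(sessions: List[Session], client: str, server: str, port: int, proto: int = 6) -> bool:
    """True if the controller holds any session between client and server:port.
    False means the client never put a packet to that server through the
    controller, so look at name resolution or the client before the firewall."""
    return (server, proto, port) in peers_of(sessions, client)


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_OUTPUT)
    phone = "172.16.50.21"
    print("peers:", sorted(peers_of(sess, phone)))
    print("denied:", denied(sess))
    # 192.0.2.10 is a placeholder for the front end Exchange server
    print("session to exchange?", reaches(sess, phone, "192.0.2.10", 443))
```

    Paste the real controller output into `SAMPLE_OUTPUT` (or read it from a file) and put your Exchange server's address in the `reaches` call. If `reaches` returns True but the firewall shows no hits, the packet left the controller and the problem is between the controller and the firewall or on the return path; if it returns False, the phone never sent anything to that address, which is what the ISP DNS servers would cause.
    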


  • 9.  RE: Activesync and Aruba

    Posted Jun 11, 2013 10:44 AM

    Do you see the traffic reaching the firewall? What does a tcpdump show? Do you see a reply? Might be worth checking your NAT's and routing on the firewall back to the wireless VLAN.



  • 10.  RE: Activesync and Aruba

    Posted Jun 11, 2013 11:37 AM

    I imagine that your wired users are able to reach the exchange server with no issues?



  • 11.  RE: Activesync and Aruba

    Posted Jun 11, 2013 02:51 PM

    Yes, oddly enough I can see my phone traffic hitting the front end exchange.  So perhaps it is something on the way back that is not making it through.  I'll do a tcpdump and see what comes of that.  NAT had also come to my mind as well.

    @VFabian

    Yes, everything from a desktop PC or Laptop to exchange is good.  Everything works great in Activesync when we're on the cellular network outside the company (tested at lunch).  It's just when we're connected to the internal wireless that it craps out.



  • 12.  RE: Activesync and Aruba

    Posted Jun 12, 2013 11:05 AM

    So I ran a tcpdump on the firewall for my phone's IP Address on the wireless network.  Ran tcpdump as the src and the dst.

    I saw all kinds of traffic from my phone hitting the front end exchange server, however I saw absolutely zero traffic coming back to my phone from the server.  Our consultant is telling us that it's because we're going outside to the internet and then coming back in to get to exchange; however, this is definitely done by design.  The wireless networks aren't supposed to be communicating internally with the servers; their entire purpose is just to provide mobile devices internet access.  So this makes sense why it's acting this way.  The consultant tells us that the Check Point firewall doesn't like it when this happens.

    There has to be a way to make this work, I can't imagine that we're the only ones running into this.  It worked on our Sidewinder Firewalls, there has to be some way, without having to do any drastic network redesigns.



  • 13.  RE: Activesync and Aruba

    Posted Jun 17, 2013 05:27 AM

    So this should work similar to hairpin routing?



  • 14.  RE: Activesync and Aruba
    Best Answer

    Posted Jun 18, 2013 10:50 AM

    We actually got this working.  It appears it was an ICMP redirect that was causing the issue.

    We had to add a static route to the exchange server telling it to go out our firewall interface for our wireless network instead of the core switch.  Apparently Check Point hates ICMP redirects.  Which is something we need to fix on a greater scale as apparently Server 2008 and Server 2012 also don't like it.

    Thanks for all your suggestions and help guys!  Much appreciated.
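    An added example, not part of this thread: the two findings that solved it (post 12's capture showing SYNs reaching the server with nothing coming back, and post 14's ICMP redirect) can both be pulled out of plain `tcpdump -n` text mechanically. The Python script below reports TCP flows that were opened but never answered, lists ICMP redirects, and derives from each redirect the static host route that makes it unnecessary, which is the remedy post 14 applied (widened to the whole wireless subnet). All lines and addresses are constructed: 172.16.50.21 plays the phone, 10.0.0.20 the Exchange server, 10.0.0.1 the core switch it uses as default gateway and 10.0.0.2 the firewall's inside interface. The TCP lines are of the kind a capture on the firewall's wireless-side interface would show; the redirect line is what a capture on the server VLAN would show. The parser does not care where the lines came from.

```python
"""Report one-way TCP flows and ICMP redirects in 'tcpdump -n' text output.

Added example for this thread, not a tool from it. Handles IPv4 lines of the
two shapes below (default tcpdump timestamps, -n so nothing is resolved);
anything else is ignored.
  <ts> IP 172.16.50.21.52010 > 10.0.0.20.443: Flags [S], seq ..., length 0
  <ts> IP 10.0.0.1 > 10.0.0.20: ICMP redirect 172.16.50.21 to host 10.0.0.2, length 36
"""
import re
from typing import List, NamedTuple, Set, Tuple

TCP_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
REDIRECT_RE = re.compile(
    r"IP (?P<router>\d+(?:\.\d+){3}) > (?P<host>\d+(?:\.\d+){3}): "
    r"ICMP redirect (?P<target>\d+(?:\.\d+){3}) to host (?P<gateway>\d+(?:\.\d+){3})"
)

# Constructed capture: phone (172.16.50.21) opens a connection to the
# Exchange server (10.0.0.20) twice and never gets a reply, while a
# connection to an internet host (198.51.100.7) completes its handshake.
# The core switch (10.0.0.1) tells Exchange that the phone is reachable
# via the firewall's inside interface (10.0.0.2).
SAMPLE_CAPTURE = """\
10:15:01.000100 IP 172.16.50.21.52010 > 10.0.0.20.443: Flags [S], seq 1000, win 65535, length 0
10:15:01.000400 IP 10.0.0.1 > 10.0.0.20: ICMP redirect 172.16.50.21 to host 10.0.0.2, length 36
10:15:02.000100 IP 172.16.50.21.52010 > 10.0.0.20.443: Flags [S], seq 1000, win 65535, length 0
10:15:03.000100 IP 172.16.50.21.52011 > 198.51.100.7.443: Flags [S], seq 2000, win 65535, length 0
10:15:03.020000 IP 198.51.100.7.443 > 172.16.50.21.52011: Flags [S.], seq 3000, ack 2001, win 29200, length 0
10:15:03.020300 IP 172.16.50.21.52011 > 198.51.100.7.443: Flags [.], ack 1, win 65535, length 0
"""


class Flow(NamedTuple):
    client: str
    cport: int
    server: str
    sport: int


class Redirect(NamedTuple):
    router: str    # who sent the redirect (the host's current gateway)
    host: str      # who received it (the host with the suboptimal route)
    target: str    # destination the redirect is about
    gateway: str   # where the router says that destination really lives


def parse_capture(text: str) -> Tuple[Set[Flow], Set[Flow], List[Redirect]]:
    """Return (flows that sent a bare SYN, flows with any packet back, redirects)."""
    syn_sent: Set[Flow] = set()
    answered: Set[Flow] = set()
    redirects: List[Redirect] = []
    for line in text.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, dst = m["src"], m["dst"]
            sport, dport, flags = int(m["sport"]), int(m["dport"]), m["flags"]
            if "S" in flags and "." not in flags:
                # bare SYN (no ACK bit): src is the client opening the flow
                syn_sent.add(Flow(src, sport, dst, dport))
            else:
                # any other segment is a candidate reply; it only counts if it
                # is the reverse of a flow we saw a SYN for
                answered.add(Flow(dst, dport, src, sport))
            continue
        m = REDIRECT_RE.search(line)
        if m:
            redirects.append(Redirect(**m.groupdict()))
    return syn_sent, answered, redirects


def one_way_flows(text: str) -> Set[Flow]:
    """Flows where the client's SYN was seen but nothing ever came back."""
    syn_sent, answered, _ = parse_capture(text)
    return syn_sent - answered


def icmp_redirects(text: str) -> List[Redirect]:
    return parse_capture(text)[2]


def route_fixes(text: str) -> List[Tuple[str, str, str]]:
    """(host, destination, gateway): the static host route that makes each
    redirect unnecessary. Widen 'destination' to the whole subnet (here the
    wireless VLAN) when you add it on the server for real."""
    return [(r.host, r.target, r.gateway) for r in icmp_redirects(text)]


if __name__ == "__main__":
    for f in sorted(one_way_flows(SAMPLE_CAPTURE)):
        print(f"no reply: {f.client}:{f.cport} -> {f.server}:{f.sport}")
    for host, dest, gw in route_fixes(SAMPLE_CAPTURE):
        print(f"on {host}: add static route {dest} via {gw}")
```

    To collect input for it, capture with a filter that keeps the client's traffic and every redirect, for example `tcpdump -ni <interface> 'host 172.16.50.21 or icmp[icmptype] == icmp-redirect'` (interface name and address are placeholders). A redirect showing up for the server confirms its default gateway is the wrong first hop for the wireless subnet; a one-way flow with no redirect in the same capture means you need to look at the return path from another vantage point (the firewall's other interfaces, or the server VLAN).
    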



  • 15.  RE: Activesync and Aruba

    Posted Jun 11, 2013 07:57 AM

    You should also pick an address of one of the devices in question and run the following command:

    show datapath session table <ip address>