Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

ARP requests drop

  • 1.  ARP requests drop

    Posted Jan 19, 2022 02:10 AM
    Hi,

    We installed a cluster of 7210 controllers running version 8.7.1.3. The controllers are used for wireless access and UBT with Aruba-CX switches.

    The customer has a cluster of Forcepoint firewalls with the "Packet dispatch" feature.

    We recently noticed that when the firewalls lose their ARP table (in case of failover, for example), they lose connectivity to all clients behind the controllers (UBT or wireless).

    When we reproduce the issue, we see that ARP requests work perfectly from the client to the VIP of the firewall (.15). We see the request and the response.
    On its side, the firewall tries to send ARP requests to the clients, but the client doesn't receive these requests from the firewall IP (.13 or .14).
    When we try to ping the firewall directly, not the VIP, we can see the ARP request and response with no problem, and we begin to receive the requests from the firewall.

    It's as if the controllers refuse to forward the ARP requests until the client tries to contact this IP.

    When the client first connects to the network, a gratuitous ARP is generated and we don't have the issue.

    I'm not very familiar with the firewall features of the controllers. Is this normal behavior in the processing of ARP packets?

    We tried to disable "ARP broadcast to unicast" and "drop unknown broadcast and multicast", with no result.

    Thanks for your help,

    ------------------------------
    Marc Antoine Catteau
    ------------------------------


  • 2.  RE: ARP requests drop

    EMPLOYEE
    Posted Jan 20, 2022 04:03 AM
    I would not see why the controller would not forward the ARP requests from the firewall cluster nodes, or proxy-arp 'on-behalf of' the client.

    Please open a TAC case and include packet captures from the firewall side and the controller side. There are two devices doing possibly non-standard things, and there might be an unforeseen incompatibility if you combine both. However, I would not know why that would be, as devices on the wired side of the controller should be able to send ARP requests to clients at any time; otherwise, after an ARP timeout (or reboot or similar), the client would be disconnected, as you see.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ARP requests drop

    Posted Jan 20, 2022 06:03 AM
    Hi,

    Thanks for your response.

    I will also try to send ARP requests from another client on the wired side, so that the firewall is not included in the troubleshooting.

    I will try to get the capture from the controller to contact TAC, and I will update this topic if we find an answer.

    Thanks,


    ------------------------------
    Marc Antoine Catteau
    ------------------------------



  • 4.  RE: ARP requests drop

    EMPLOYEE
    Posted Jan 27, 2022 10:23 PM
    Do you happen to have "bcmc-opt" enabled on a VLAN that has an L3 IP address interface in the affected VLAN?


  • 5.  RE: ARP requests drop

    Posted Jan 28, 2022 05:17 AM
    Hi,

    Thanks for your help.

    We isolated the problem to the VXLAN infrastructure. The more important VTEP seems not to forward ARP broadcasts in the VXLAN tunnels.

    I created a ticket with TAC to understand where the problem is.

    Thanks,

    ------------------------------
    Marc Antoine Catteau
    ------------------------------



  • 6.  RE: ARP requests drop

    Posted Mar 17, 2022 01:55 PM
    Hi,

    It seems we have a very similar problem.
    Clients are connected to some AP-205 access points; access points are connected to a firewall.
    We captured packets with Wireshark on both the client and the firewall, and we saw strange behavior:

    When the client sends an ARP request to the firewall, the firewall answers immediately -> no problem
    When the firewall sends an ARP request to a client, the request never reaches the client -> no answer -> loss of connectivity for the client
    The client has to be disconnected/reconnected to WiFi -> the ARP request from the firewall reaches the client.

    Any ideas?

    Antoine

    ------------------------------
    Antoine EVRARD
    ------------------------------
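
An added example, not part of the thread and not from any poster: a Python script for the two-sided capture comparison described in the posts above. It lists ARP requests seen on the wired (firewall) side that never appear on the client side. All frames, MAC addresses, the 192.0.2.0/24 prefix and the function names are constructed assumptions.

```python
import socket
import struct

def build_arp(op, sha, spa, tpa, tha=b"\x00" * 6, dst=b"\xff" * 6):
    """Build a constructed Ethernet/ARP frame (op 1 = request, 2 = reply)."""
    eth = dst + sha + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa)

def parse_arp(frame):
    """Return (op, sender_ip, target_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 14:
        return None
    offset = 14
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == 0x8100 and len(frame) >= 18:  # skip a single 802.1Q VLAN tag
        offset = 18
        (ethertype,) = struct.unpack("!H", frame[16:18])
    if ethertype != 0x0806 or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    spa = socket.inet_ntoa(frame[offset + 14:offset + 18])
    tpa = socket.inet_ntoa(frame[offset + 24:offset + 28])
    return op, spa, tpa

def lost_requests(wired_frames, client_frames):
    """(sender, target) ARP requests captured on the wired side but never on the client side."""
    def requests(frames):
        parsed = (parse_arp(f) for f in frames)
        return {(p[1], p[2]) for p in parsed if p and p[0] == 1}
    return sorted(requests(wired_frames) - requests(client_frames))

# Constructed sample data (not from the thread): firewall nodes .13/.14, VIP .15, client .50.
FW1, FW2, VIP, CLIENT = "192.0.2.13", "192.0.2.14", "192.0.2.15", "192.0.2.50"
MAC_FW1, MAC_FW2 = b"\x02\x00\x00\x00\x00\x13", b"\x02\x00\x00\x00\x00\x14"
MAC_CLIENT = b"\x02\x00\x00\x00\x00\x50"
CLIENT_TO_VIP = build_arp(1, MAC_CLIENT, CLIENT, VIP)
VIP_REPLY = build_arp(2, MAC_FW1, VIP, CLIENT, tha=MAC_CLIENT, dst=MAC_CLIENT)
WIRED_CAPTURE = [CLIENT_TO_VIP, VIP_REPLY,
                 build_arp(1, MAC_FW1, FW1, CLIENT), build_arp(1, MAC_FW2, FW2, CLIENT)]
CLIENT_CAPTURE = [CLIENT_TO_VIP, VIP_REPLY]

if __name__ == "__main__":
    for sender, target in lost_requests(WIRED_CAPTURE, CLIENT_CAPTURE):
        print(f"ARP request {sender} -> {target} seen on wired side only")
```

With real captures, the frame lists would come from the raw packet bytes exported at each capture point; repeating the comparison at each hop between the two points narrows down which device stops forwarding the broadcast.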



  • 7.  RE: ARP requests drop

    Posted Mar 21, 2022 02:52 AM
    Hi,

    In my case, the switches are the root cause of the problem. We have a VXLAN/EVPN topology and one VTEP does not forward ARP properly.

    For your problem, which broadcast options are enabled? Did you try to enable or disable features like "Convert Broadcast to Unicast" and "Drop unknown Broadcast and Multicast"?

    Regards,

    ------------------------------
    Marc Antoine Catteau
    ------------------------------



  • 8.  RE: ARP requests drop

    EMPLOYEE
    Posted 27 days ago
    Please open a TAC Support case, this could be version, compatibility or configuration issues.

    ------------------------------
    Herman Robers
    ------------------------------