Security

  • 1.  Aruba Gateway Cluster – Role Info Not Syncing?

    Posted Apr 28, 2025 03:17 AM

    Hi :)

    I'm in the process of deploying an Aruba UBT infrastructure, and for the first time, I'm working with a pair of Gateways operating in a clustered setup.

    Everything is working well so far, but I've run into an issue while configuring my security policies:

    The rule any > any icmp behaves as expected and allows traffic without issues.

    However, when I try to define the rule more granularly, specifically userrole IT > userrole IT icmp, things break down if the clients are connected to different Gateways.

    Here's what happens: Client A is connected to Gateway 1 with the IT user role, and Client B is connected to Gateway 2, also with the IT user role. In this scenario, Client A is unable to ping Client B.

    Running show datapath session table <ClientA> on Gateway 2 reveals that the session is being denied (indicated by the 'D' flag).

    My assumption is that Gateway 2 doesn't recognize the user role of Client A, which causes the ICMP request to be blocked. I was under the impression that both Gateways in a cluster would synchronize or share role information between them.

    This theory is backed up by the fact that everything works perfectly when both clients are connected to the same Gateway. For example, Client C and Client D, both on Gateway 1 and assigned the IT role, can ping each other without any issue.

    Am I missing something here?

    AOS8 deployment, no Central



    ------------------------------
    ~ Kevin Dylla
    ------------------------------


  • 2.  RE: Aruba Gateway Cluster – Role Info Not Syncing?

    Posted Apr 28, 2025 11:58 AM

    What version of AOS 8?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Aruba Gateway Cluster – Role Info Not Syncing?

    Posted Apr 28, 2025 01:30 PM
    Edited by kevindylla Apr 28, 2025 01:32 PM
    8.10.0.16





  • 4.  RE: Aruba Gateway Cluster – Role Info Not Syncing?

    Posted Apr 29, 2025 03:01 AM

    I scoured the documentation and couldn't find anything about it. It's seemingly possible with Central: https://arubanetworking.hpe.com/techdocs/central/2.5.8/content/nms/apps/acn/global-client-roles/cfg-client-roles.htm

    But I need R2R policies to work with an AOS8 M/M cluster.

    Do you know if it's possible?




  • 5.  RE: Aruba Gateway Cluster – Role Info Not Syncing?

    Posted Apr 29, 2025 03:27 AM

    Hi,

    What is your exact setup? The clients are connected via switches with a working UBT setup? So your breakout for your wired clients is at the controller cluster, right?

    Where is your local user role configured? On the /md level? Please check if the configuration for your user role is inherited properly down to the devices.  

    And what does your role and ACL configuration on the controller cluster look like?

    Best

    Levi




  • 6.  RE: Aruba Gateway Cluster – Role Info Not Syncing?

    Posted Apr 29, 2025 03:39 AM

    Hey, 

    Thanks for the reply. Yes, everything works with UBT until I need communication between 2 clients connected to different Gateways, and I only have R2R policies.

    I see both clients (I only have one user role configured atm) connected with the user role assigned on the individual Gateway. The local user role has been pushed down from the MD.

    I'll get back to you with an updated ACL.




  • 7.  RE: Aruba Gateway Cluster – Role Info Not Syncing?

    Posted Apr 29, 2025 12:48 PM

    I've personally not set this up before so don't know for sure, but you might have to configure a policy domain to properly support the R2R configuration.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: Aruba Gateway Cluster – Role Info Not Syncing?

    Posted Apr 30, 2025 03:40 AM

    Hi, 

    I also haven't set this up before. But as far as I know, policy domain is a feature for role synchronization across different clusters, not within one.

    What exactly is your target scenario? 

    If I get this right, you want simple RBAC for wired clients with tunneled traffic (dynamic segmentation). For this, you only have to configure a UBT tunnel to both controllers, so one UBT profile with a primary and backup controller. On top you have to configure the role and ACL settings on the cluster (/md level), and you need an enforcement point (CPPM) that assigns your roles accordingly.

    Best,

    Levi




  • 9.  RE: Aruba Gateway Cluster – Role Info Not Syncing?
    Best Answer

    Posted 16 days ago

    Answer was found here: policy-domain group-profile

    You have to define a policy domain for all gateways.