Thanks for sharing... Just out of curiosity, I'm running 8.10.0.10 (not in a large environment), but for me the Monitor IP fields are empty, which I then think is the default setting. Did you by any chance change that in the past from the default?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Apr 18, 2024 10:47 AM
From: m.eaves@ed.ac.uk
Subject: ArubaOS 8.10.0.10 LSR Security Gotcha
Dear all,
Just spent the last two days trying to resolve an issue with Mobility Master. We have a relatively large setup and were running 8.10.0.7 LSR.
Upgraded to 8.10.0.10 LSR and ended up in a world of pain. It looks like (from what little info I can see in the changelog) that some changes were made to make the "firewall" functionality start working properly. We were massively tripped up by the number of users that were connecting and found that Monitor IP Sessions Attack was set way too low. No massive difference in traffic between 8.10.0.7 and 8.10.0.10; we think that somehow the basic firewall settings were probably broken on the earlier versions and were fixed in 8.10.0.10 (not in the release notes). Needless to say, the Aruba TAC team knew what the problem was within 30 seconds of looking at our tech-support logs (which makes me think this is not the first time this has happened).
So if your system boots fine; has no errors, but very few people are able to connect, go look at your blacklist. You might find it hugely filling up by the second.
We were given a method of overcoming this to match the traffic levels:
1) On one of your controllers (not the master), type in: show datapath session counters. You will get a large list of parameters. You need to concentrate on the one marked: Current Entries. Make a note of that figure.
2) After 30 seconds, do the same thing again: type in show datapath session counters.
3) You now have two sets of numbers. Subtract the later one from the earlier one. This is the number of connections you have being made in a period of 30 seconds (which is the number you need for the firewall setting).
4) Get that number and give it a healthy 20% overhead.
5) Put that number into Monitor IP Sessions Attack: field.
6) Delete all your blacklisted clients (at MM level) by typing:
- Access the MM via CLI
- Access the MD using #cd <name of the controller>
- Connect to the controller using #mdc.
- Delete all the blacklist entries related to that controller using #stm purge-denylist-clients.
7) Continue to monitor - and adjust the number as appropriate up or down for your need.
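The sizing procedure in steps 1 to 5 above, as an added example that is not part of the original post and not Aruba's own tooling: it takes two captured copies of "show datapath session counters" (taken 30 seconds apart, e.g. over SSH), pulls out the Current Entries figure from each, takes the later reading minus the earlier one so that growth over the interval comes out positive, and adds the 20% overhead the post recommends. The controller output embedded below is constructed sample text in a plausible layout, not a real capture, so the parser only relies on the label "Current Entries" followed by a number. The interval_seconds parameter and the scaling to a 30-second window are an added generalisation (the post only describes a 30-second sample); the exact CLI form of the Monitor IP Sessions Attack setting is not given in the post, so the script only reports the value to enter.

```python
import math
import re

# Constructed sample output, not copied from a real controller.
# Only the "Current Entries" line is relied on; the other lines
# are placeholders to show that the parser ignores them.
SAMPLE_T0 = """Datapath Session Table Statistics
---------------------------------
Current Entries            412300
High Water Mark            455000
Pending Deletes            1200
"""

# Second constructed sample, assumed to be taken 30 seconds later.
SAMPLE_T1 = """Datapath Session Table Statistics
---------------------------------
Current Entries            418900
High Water Mark            455000
Pending Deletes            1310
"""

ENTRIES_RE = re.compile(r"^\s*Current Entries\s+(\d+)", re.MULTILINE)


def current_entries(output: str) -> int:
    """Extract the Current Entries count from captured command output."""
    match = ENTRIES_RE.search(output)
    if match is None:
        raise ValueError("no 'Current Entries' line found in output")
    return int(match.group(1))


def session_growth(earlier: str, later: str, interval_seconds: int = 30) -> int:
    """Net session growth between two captures, normalised to a 30 s window.

    Current Entries is a table size, so the delta is new sessions minus
    sessions that expired in the interval. It is this net figure that the
    post uses for the firewall setting. Sampling over a different interval
    is scaled to 30 s (assumption: the threshold is per 30 s as the post
    describes), rounding up so the scaled value is never undersized.
    """
    delta = current_entries(later) - current_entries(earlier)
    if interval_seconds == 30:
        return delta
    return math.ceil(delta * 30 / interval_seconds)


def recommended_threshold(delta: int, overhead: float = 0.20) -> int:
    """Apply the 20% headroom from the post and round up to a whole session count."""
    if delta <= 0:
        # A flat or shrinking table means the sample was taken while sessions
        # were draining faster than they were created; re-sample during peak
        # rather than configure a threshold of zero.
        raise ValueError("session table did not grow during the sample; re-sample at peak")
    return math.ceil(delta * (1.0 + overhead))


def size_from_captures(earlier: str, later: str, interval_seconds: int = 30) -> int:
    """End-to-end: two captures in, value for the Monitor IP Sessions Attack field out."""
    return recommended_threshold(session_growth(earlier, later, interval_seconds))


if __name__ == "__main__":
    growth = session_growth(SAMPLE_T0, SAMPLE_T1)
    print(f"net session growth over 30 s: {growth}")
    print(f"Monitor IP Sessions Attack value (+20%): {recommended_threshold(growth)}")
```

Run it against two real captures by replacing the constructed samples with the saved command output; if the result is far below what you expect for your user population, take the samples again at a busier time, since the net figure is what the blacklist threshold is compared against.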