Wireless Access

 View Only
  • 1.  ArubaOS 8.10.0.10 LSR Security Gotcha

    Posted Apr 18, 2024 11:12 AM

    Dear all,

    Just spent the last two days trying to resolve an issue with Mobility Master.  We have a relatively large setup and were running 8.10.0.7 LSR.

    Upgraded to 8.10.0.10 LSR and ended up in a world of pain.  It looks like (from what little info I can see in the changelog) - that some changes made to make the "firewall" functionality start working properly.  We were massively tripped up by the number of users that were connecting and found that Monitor IP sessions attack was set way too low.  No massive difference in traffic between 8.10.0.7 and 8.10.0.10; we think that somehow the basic firewall settings were probably broken on the earlier versions and they were fixed in 8.10.0.10 (not in release notes).  Needless to say that the Aruba TAC team knew what the problem was within 30 seconds of looking at our tech-support logs (which makes me think this is not the first time this has happened).

    So if your system boots fine; has no errors, but very few people are able to connect, go look at your blacklist.  You might find it hugely filling up by the second.

    We were given a method of overcoming this to match the traffic levels:

    1) On one of your controllers (not master), type in: show datapath session counters.You will get a large list of parameters.  You need to concentrate on the one marked: Current Entries. Make a note of that figure.

    2) After 30 seconds, do the same thing again: type in show datapath session counters

    3) You now have two sets of numbers.  Subtract the later one from the earlier one.  This is the number of connections you have being made in a period of 30 seconds (which is the number you need for the firewall setting).

    4) Get that number and give it a healthy 20% overhead.

    5) Put that number into Monitor IP Sessions Attack:  field. 

    6) Delete all your blacklisted clients (at MM level) by typing:

    • Access the MM via CLI
    • Access the MD using #cd <name of the controller>
    • Connect to the controller using #mdc.
    • Delete all the blacklist entries related to that controller using #stm purge-denylist-clients.

    7) Continue to monitor  - and adjust the number as appropriate up or down for your need.



  • 2.  RE: ArubaOS 8.10.0.10 LSR Security Gotcha

    Posted Apr 18, 2024 11:17 AM

    Thanks for sharing... Just out of curiosity, I'm running 8.10.0.10 (not in a large environment), but for me the Monitor IP fields are empty, which I then think is the default settings. Did you by any chance change that in the past from the default?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ArubaOS 8.10.0.10 LSR Security Gotcha

    Posted Apr 18, 2024 11:27 AM

    Hi Herman,

    Yes, we set up some settings (with an Aruba TAC specialist) a couple of years back to overcome problems we had at the time.  One thing we didn't do was verify that the firewall functionality was actually working at that point.  That was our fault.  We think that the firewall functionality was partially broken.  Glad its now working; just somewhat unexpected.




  • 4.  RE: ArubaOS 8.10.0.10 LSR Security Gotcha

    Posted May 26, 2024 06:15 PM

    Hi, I wish I had seen your post earlier! We had the same issue after upgrading from 8.10.0.9->8.10.0.10. We had 5-10 users at each of our locations ending up on the denylist and 3 days of tickets before it was escalated. Last week I closed our TAC case as it was of no help. Our workaround was to bump the numbers up. I think the recommendation is 960 for each of these.

    attack-rate tcp-syn 600 -> 4000
    attack-rate session 2000 -> 8000




  • 5.  RE: ArubaOS 8.10.0.10 LSR Security Gotcha

    Posted May 28, 2024 03:57 AM
    Edited by m.eaves@ed.ac.uk May 28, 2024 03:59 AM

    Just to also let you folk know - there is also a bug that I'm currently working through with Aruba TAC in relation to the banlist/blacklist not correctly displaying in the GUI (current in 8.10.0.11LSR - was also present in 8.10.0.10LSR too).  You may find that you have multiple users in the blacklist - which if you cleardown the blacklist using stm purge-denylist-clients - doesn't get correctly reflected in the GUI.  You may find stale entries that cannot be deleted.  My recommendation is that you only rely on the blacklist in the CLI for the moment.

    Another issue is that the bantime - is somewhat random.  You should be able to edit the bantime on a per-SSID basis, but this value never get inherited from MM and therefore you might find that your user's are forever banned, when they should be only banned for a defined period (I think its 960 secs if I remember correct as default).