Wireless Access

Hey,
i've got some weird issue - tcp and udp connections to wirelessly-connected clients are blocked somewhere inside Aruba while all kinds of client isolation settings i found are turned off.
It's not seems like an external firewall or switches issue - i am able to do ICMP inside WLAN and WLAN>other network and vise-versa, i am able to do tcp/udp connections from WLAN clients to other networks and wire-connected clients in same VLAN, 

So my config are:

• Mobility Master > 7030 Controller > AP-515 and AP-565 access points
• Access Points configured as remote
• VLAN X added as tagged on all switches ports where APs are connected and inside Aruba controller configuration
• WLAN Y created with forwarding mode = bridge, mapped to VLAN X
• firewall policy assigned to AAA profile for WLAN Y has only any-any-permit rules
• In Virtual AP profile for WLAN Y option "Deny inter user traffic:" not enabled
• In Services>Firewall tab options "Deny inter user bridging:" and "Deny inter user traffic:" are not enabled

Any ideas why this happens? Or maybe some ideas how to troubleshoot this issue? - i've already done Wireshark investigations and only thing i see there is that TCP packed is going out from sender(same VLAN/WLAN or not - looks same) and never gets to the client inside WLAN, while arp and icmp are travelling without issues. Thanks in advance!

I would check the datapath session table on the controller (mobility gateway) as that is where the traffic will bridge between the WLAN and the LAN. It should show if traffic is being denied by the controller. Alternatively, you could enable debugging and check for logs that would indicate why traffic is being dropped.

Can you determine the user-role for the wireless user and provide the output of "show rights <user-role>"

------------------------------
Michael Haring
------------------------------

Original Message:
Sent: Oct 21, 2022 04:37 AM
From: Alex Kuzmin
Subject: Mobility Master - blocking TCP connections to wireless clients

Hey,
i've got some weird issue - tcp and udp connections to wirelessly-connected clients are blocked somewhere inside Aruba while all kinds of client isolation settings i found are turned off.
It's not seems like an external firewall or switches issue - i am able to do ICMP inside WLAN and WLAN>other network and vise-versa, i am able to do tcp/udp connections from WLAN clients to other networks and wire-connected clients in same VLAN,

So my config are:

• Mobility Master > 7030 Controller > AP-515 and AP-565 access points
• Access Points configured as remote
• VLAN X added as tagged on all switches ports where APs are connected and inside Aruba controller configuration
• WLAN Y created with forwarding mode = bridge, mapped to VLAN X
• firewall policy assigned to AAA profile for WLAN Y has only any-any-permit rules
• In Virtual AP profile for WLAN Y option "Deny inter user traffic:" not enabled
• In Services>Firewall tab options "Deny inter user bridging:" and "Deny inter user traffic:" are not enabled

Any ideas why this happens? Or maybe some ideas how to troubleshoot this issue? - i've already done Wireshark investigations and only thing i see there is that TCP packed is going out from sender(same VLAN/WLAN or not - looks same) and never gets to the client inside WLAN, while arp and icmp are travelling without issues. Thanks in advance!

It was in ACL for AP's ethernet port, someone configured firewall rules not in controller, but in profile applied to each AP
Original Message:
Sent: Oct 26, 2022 05:35 PM
From: Michael Haring
Subject: Mobility Master - blocking TCP connections to wireless clients

I would check the datapath session table on the controller (mobility gateway) as that is where the traffic will bridge between the WLAN and the LAN. It should show if traffic is being denied by the controller. Alternatively, you could enable debugging and check for logs that would indicate why traffic is being dropped.

Can you determine the user-role for the wireless user and provide the output of "show rights <user-role>"

------------------------------
Michael Haring

Original Message:
Sent: Oct 21, 2022 04:37 AM
From: Alex Kuzmin
Subject: Mobility Master - blocking TCP connections to wireless clients

Hey,
i've got some weird issue - tcp and udp connections to wirelessly-connected clients are blocked somewhere inside Aruba while all kinds of client isolation settings i found are turned off.
It's not seems like an external firewall or switches issue - i am able to do ICMP inside WLAN and WLAN>other network and vise-versa, i am able to do tcp/udp connections from WLAN clients to other networks and wire-connected clients in same VLAN,

So my config are:

• Mobility Master > 7030 Controller > AP-515 and AP-565 access points
• Access Points configured as remote
• VLAN X added as tagged on all switches ports where APs are connected and inside Aruba controller configuration
• WLAN Y created with forwarding mode = bridge, mapped to VLAN X
• firewall policy assigned to AAA profile for WLAN Y has only any-any-permit rules
• In Virtual AP profile for WLAN Y option "Deny inter user traffic:" not enabled
• In Services>Firewall tab options "Deny inter user bridging:" and "Deny inter user traffic:" are not enabled

Any ideas why this happens? Or maybe some ideas how to troubleshoot this issue? - i've already done Wireshark investigations and only thing i see there is that TCP packed is going out from sender(same VLAN/WLAN or not - looks same) and never gets to the client inside WLAN, while arp and icmp are travelling without issues. Thanks in advance!