Wireless Access

 View Only
last person joined: 2 days ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Mobility Master - blocking TCP connections to wireless clients

This thread has been viewed 15 times
  • 1.  Mobility Master - blocking TCP connections to wireless clients

    Posted Oct 21, 2022 10:03 AM
    Hey,
    i've got some weird issue - tcp and udp connections to wirelessly-connected clients are blocked somewhere inside Aruba while all kinds of client isolation settings i found are turned off.
    It's not seems like an external firewall or switches issue - i am able to do ICMP inside WLAN and WLAN>other network and vise-versa, i am able to do tcp/udp connections from WLAN clients to other networks and wire-connected clients in same VLAN,

    So my config are:
    • Mobility Master > 7030 Controller > AP-515 and AP-565 access points
    • Access Points configured as remote
    • VLAN X added as tagged on all switches ports where APs are connected and inside Aruba controller configuration
    • WLAN Y created with forwarding mode = bridge, mapped to VLAN X
    • firewall policy assigned to AAA profile for WLAN Y has only any-any-permit rules
    • In Virtual AP profile for WLAN Y option "Deny inter user traffic:" not enabled
    • In Services>Firewall tab options "Deny inter user bridging:" and "Deny inter user traffic:" are not enabled
    Any ideas why this happens? Or maybe some ideas how to troubleshoot this issue? - i've already done Wireshark investigations and only thing i see there is that TCP packed is going out from sender(same VLAN/WLAN or not - looks same) and never gets to the client inside WLAN, while arp and icmp are travelling without issues. Thanks in advance!


  • 2.  RE: Mobility Master - blocking TCP connections to wireless clients

    MVP
    Posted Oct 26, 2022 05:36 PM
    I would check the datapath session table on the controller (mobility gateway) as that is where the traffic will bridge between the WLAN and the LAN. It should show if traffic is being denied by the controller. Alternatively, you could enable debugging and check for logs that would indicate why traffic is being dropped.

    Can you determine the user-role for the wireless user and provide the output of "show rights <user-role>"

    ------------------------------
    Michael Haring
    ------------------------------



  • 3.  RE: Mobility Master - blocking TCP connections to wireless clients

    Posted 13 days ago
    It was in ACL for AP's ethernet port, someone configured firewall rules not in controller, but in profile applied to each AP