Hi Andreas.
Very strange indeed. What is usually recommended in such a case is to upgrade to the latest release of your FW branch or go to the latest Long Support Release version and see if it resolves the issue. If not, then it's TAC time.
Original Message:
Sent: Sep 11, 2024 04:53 AM
From: Muellermann
Subject: Problem blocking Applications
It gets even stranger!
The log says
Sep 11 10:48:16, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7625} TCP srcip=172.25.8.149 srcport=34502 dstip=157.240.223.174 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:16, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7626} TCP srcip=172.25.8.149 srcport=34508 dstip=157.240.223.174 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:16, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7627} TCP srcip=172.25.8.149 srcport=34524 dstip=157.240.223.174 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:16, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7628} TCP srcip=172.25.8.149 srcport=34530 dstip=157.240.223.174 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:19, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7629} TCP srcip=172.25.8.149 srcport=57412 dstip=157.240.223.63 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:19, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7630} TCP srcip=172.25.8.149 srcport=57426 dstip=157.240.223.63 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:19, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7631} TCP srcip=172.25.8.149 srcport=57428 dstip=157.240.223.63 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:19, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7632} TCP srcip=172.25.8.149 srcport=57440 dstip=157.240.223.63 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:19, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7633} TCP srcip=172.25.8.149 srcport=57442 dstip=157.240.223.63 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:19, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7634} TCP srcip=172.25.8.149 srcport=57452 dstip=157.240.223.63 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:50, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7646} TCP srcip=172.25.8.149 srcport=42982 dstip=157.240.223.63 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:50, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7647} TCP srcip=172.25.8.149 srcport=42994 dstip=157.240.223.63 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:50, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7648} TCP srcip=172.25.8.149 srcport=43008 dstip=157.240.223.63 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:50, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7649} TCP srcip=172.25.8.149 srcport=43016 dstip=157.240.223.63 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:50, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7650} TCP srcip=172.25.8.149 srcport=43020 dstip=157.240.223.63 dstport=443, action=deny, role=Schueler, policy=Schueler
If I do a "show datapath session table 172.25.8.149 | include 157.240.223.174" it says
157.240.223.174 172.25.8.149 6 443 34524 1/3 0 0 3 tunnel 491 3c 10 5718 ih 22
172.25.8.149 157.240.223.174 6 34530 443 1/2 0 0 3 tunnel 491 3b 110 9424 Cih 30
172.25.8.149 157.240.223.174 6 34524 443 1/2 0 0 4 tunnel 491 3c 11 2347 Cih 30
172.25.8.149 157.240.223.174 6 34508 443 1/2 0 0 4 tunnel 491 3c 11 2443 Cih 30
172.25.8.149 157.240.223.174 6 34502 443 1/2 0 0 3 tunnel 491 3c 14 2531 Cih 30
157.240.223.174 172.25.8.149 6 443 34502 1/3 0 0 4 tunnel 491 3c 14 6700 ih 22
157.240.223.174 172.25.8.149 6 443 34508 1/3 0 0 4 tunnel 491 3c 10 5716 ih 22
157.240.223.174 172.25.8.149 6 443 34530 1/3 0 0 3 tunnel 491 3b 111 129521 ih 22
So the D flag is missing there.
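The check Andreas is doing by eye above, written out as an added example (not from the thread or from ArubaOS): correlate the authmgr deny log lines with the "show datapath session table" rows by 5-tuple and report every logged deny whose session entry lacks the D flag (deny in the ArubaOS session flag legend). The sample input copies rows from the thread plus one constructed row and log line for port 34540; the flags column is assumed to be the second-to-last field of each table row.

```python
import re

# Constructed sample input: the first two log lines are copied from the thread,
# the third (srcport=34540) is constructed to pair with a row that carries the D flag.
AUTHMGR_LOG = """\
Sep 11 10:48:16, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7625} TCP srcip=172.25.8.149 srcport=34502 dstip=157.240.223.174 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:16, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7628} TCP srcip=172.25.8.149 srcport=34530 dstip=157.240.223.174 dstport=443, action=deny, role=Schueler, policy=Schueler
Sep 11 10:48:20, authmgr[3722]: <124006> <3722> <WARN> |authmgr| {7640} TCP srcip=172.25.8.149 srcport=34540 dstip=157.240.223.174 dstport=443, action=deny, role=Schueler, policy=Schueler
"""

# Constructed sample table: three rows copied from the thread, last row constructed with a D flag.
SESSION_TABLE = """\
157.240.223.174 172.25.8.149 6 443 34524 1/3 0 0 3 tunnel 491 3c 10 5718 ih 22
172.25.8.149 157.240.223.174 6 34530 443 1/2 0 0 3 tunnel 491 3b 110 9424 Cih 30
172.25.8.149 157.240.223.174 6 34502 443 1/2 0 0 3 tunnel 491 3c 14 2531 Cih 30
172.25.8.149 157.240.223.174 6 34540 443 1/2 0 0 3 tunnel 491 3c 14 2531 DCih 30
"""

LOG_RE = re.compile(
    r"(?P<proto>TCP|UDP) srcip=(?P<src>[\d.]+) srcport=(?P<sport>\d+) "
    r"dstip=(?P<dst>[\d.]+) dstport=(?P<dport>\d+), action=(?P<action>\w+)"
)
PROTO_NUM = {"TCP": 6, "UDP": 17}


def parse_denies(log):
    """Return the set of 5-tuples (src, dst, proto, sport, dport) logged with action=deny."""
    denies = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "deny":
            key = (m["src"], m["dst"], PROTO_NUM[m["proto"]], int(m["sport"]), int(m["dport"]))
            if key not in denies:
                denies.append(key)
    return denies


def parse_sessions(table):
    """Map each datapath session 5-tuple to its flags string (assumed second-to-last column)."""
    sessions = {}
    for line in table.splitlines():
        f = line.split()
        if len(f) < 15:
            continue  # not a session row (header, separator, prompt)
        sessions[(f[0], f[1], int(f[2]), int(f[3]), int(f[4]))] = f[-2]
    return sessions


def denied_without_d_flag(log, table):
    """List (5-tuple, flags) for logged denies whose live session carries no D flag."""
    sessions = parse_sessions(table)
    return [(k, sessions[k]) for k in parse_denies(log)
            if k in sessions and "D" not in sessions[k]]
```

A non-empty result reproduces the inconsistency in the thread: the policy logs the deny, yet the datapath entry for the same flow is not marked as denied.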
Original Message:
Sent: Sep 09, 2024 06:26 AM
From: GorazdKikelj
Subject: Problem blocking Applications
Hi Andreas.
What is strange for me is that you have the value "none" in the PktsDpi field on all your entries. Check if DPI is really fully enabled.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: Sep 06, 2024 09:23 AM
From: Muellermann
Subject: Problem blocking Applications
Thanks Gorazd,
these are the results:
show dpi application instagram
Applications
------------
Name App ID App Category Default Ports Applied
---- ------ ------------ ------------- -------
instagram 1175 social-networking tcp 80,443 6
(Aruba7270) [mynode] #show datapath session dpi | include instagram
172.25.4.5 157.240.223.63 6 52646 443 1/1 0 0 1 tunnel 518 11 37 6884 12d7 20080bb5 0 5 none instagram (1175) 3961/3963 Ci 9a5 30 31
157.240.223.1 172.25.4.94 6 443 47118 1/2 0 0 0 tunnel 513 2 4 240 0 200001b0 0 2 none instagram (1175) 0/231 Aih 4a5 29 31
157.240.223.174 172.25.4.5 6 443 60416 1/2 0 0 0 tunnel 518 1d 320 277117 0 200003b4 0 4 none instagram (1175) 0/3963 ih 45d 26 31
157.240.223.63 172.25.4.5 6 443 34400 1/2 0 0 1 tunnel 518 1b 9 5420 0 200003b4 0 4 none instagram (1175) 0/3963 Fih 92d 23 31
157.240.223.63 172.25.4.5 6 443 34410 1/2 0 0 1 tunnel 518 1b 9 5420 0 200003b4 0 4 none instagram (1175) 0/3963 Fih bed 23 31
172.25.4.5 157.240.223.63 6 34426 443 1/1 0 0 0 tunnel 518 19 343 33808 12d7 20080bb5 0 6 none instagram (1175) 3961/3963 Cih 29b 30 31
157.240.223.63 172.25.4.5 6 443 34374 1/2 0 0 1 tunnel 518 1c 67 55631 0 200003b4 0 3 none instagram (1175) 0/3963 ih cfb 23 31
157.240.223.63 172.25.4.5 6 443 34378 1/2 0 0 1 tunnel 518 1b 9 5418 0 200003b4 0 4 none instagram (1175) 0/3963 Fih 47e 23 31
172.25.4.5 157.240.223.63 6 34410 443 1/1 0 0 1 tunnel 518 1c 11 2373 12d7 20080bb5 0 3 none instagram (1175) 3961/3963 FCih bed 30 31
157.240.223.63 172.25.4.5 6 443 34464 1/2 0 0 1 tunnel 518 18 12 5838 0 200003b4 0 5 none instagram (1175) 0/3963 i 67 23 31
172.25.4.5 157.240.223.63 6 34400 443 1/1 0 0 1 tunnel 518 1c 11 2181 12d7 20080bb5 0 3 none instagram (1175) 3961/3963 FCih 92d 30 31
157.240.223.174 172.25.4.5 6 443 60406 1/2 0 0 2 tunnel 518 1e 9 1482 0 200003b4 0 4 none instagram (1175) 0/3963 ih a8d 26 31
172.25.4.5 157.240.223.63 6 34374 443 1/1 0 0 1 tunnel 518 1d 69 8234 12d7 20080bb5 0 6 none instagram (1175) 3961/3963 Cih cfb 30 31
172.25.4.5 157.240.223.63 6 34386 443 1/1 0 0 1 tunnel 518 1c 11 2103 12d7 20080bb5 0 3 none instagram (1175) 3961/3963 FCih cf8 30 31
157.240.223.63 172.25.4.5 6 443 34386 1/2 0 0 1 tunnel 518 1c 9 5418 0 200003b4 0 4 none instagram (1175) 0/3963 Fih cf8 23 31
172.25.4.5 157.240.223.63 6 34378 443 1/1 0 0 1 tunnel 518 1c 11 2277 12d7 20080bb5 0 3 none instagram (1175) 3961/3963 FCih 47e 30 31
172.25.4.5 157.240.223.174 6 60406 443 1/1 0 0 2 tunnel 518 1e 11 3047 12d7 20080bb5 0 4 none instagram (1175) 3961/3963 Cih a8d 30 31
157.240.223.63 172.25.4.5 6 443 34440 1/2 0 0 1 tunnel 518 19 10 1132 0 200003b4 0 5 none instagram (1175) 0/3963 FAih b7d 23 31
82.194.62.33 172.25.4.5 6 443 39244 1/2 0 0 1 tunnel 518 14 38 37288 0 1b4 0 4 none instagram (1175) 0/3963 5b2 20 31
157.240.223.63 172.25.4.5 6 443 34448 1/2 0 0 1 tunnel 518 19 13 5660 0 200003b4 0 6 none instagram (1175) 0/3963 Fi c73 23 31
172.25.4.5 157.240.223.174 6 60416 443 1/1 0 0 0 tunnel 518 1e 295 67928 12d7 20080bb5 0 2 none instagram (1175) 3961/3963 Cih 45d 30 31
157.240.223.63 172.25.4.5 6 443 34426 1/2 0 0 0 tunnel 518 1a 418 523310 0 200003b4 0 3 none instagram (1175) 0/3963 ih 29b 23 31
172.25.4.5 157.240.223.63 6 34440 443 1/1 0 0 1 tunnel 518 19 17 3229 12d7 20080bb5 0 8 none instagram (1175) 3961/3963 FCAih b7d 30 31
172.25.4.5 157.240.223.63 6 34448 443 1/1 0 0 1 tunnel 518 19 14 2275 12d7 20080bb5 0 4 none instagram (1175) 3961/3963 FCi c73 30 31
172.25.4.5 157.240.223.63 6 34464 443 1/1 0 0 1 tunnel 518 19 14 2453 12d7 20080bb5 0 4 none instagram (1175) 3961/3963 Ci 67 30 31
172.25.4.5 82.194.62.33 6 39244 443 1/1 0 0 1 tunnel 518 15 37 4066 12d7 809b5 0 3 none instagram (1175) 3963/3963 C 5b2 30 31
157.240.223.63 172.25.4.5 6 443 52646 1/2 0 0 1 tunnel 518 13 43 5521 0 200003b4 0 4 none instagram (1175) 0/3963 i 9a5 23 31
Any idea what's wrong there?
Again thanks and best regards
Andreas
Original Message:
Sent: Sep 06, 2024 09:13 AM
From: GorazdKikelj
Subject: Problem blocking Applications
Hi Andreas.
Looks like you will need to dig deeper.
As Herman wrote, you will need to look into datapath and sessions established.
"show rights Schueler" will show active rights for the role. Instagram app id is 1175.
show dpi application instagram
Applications
------------
Name App ID App Category Default Ports Applied
---- ------ ------------ ------------- -------
instagram 1175 social-networking tcp 80,443 0
You should be able to see instagram sessions with command "show datapath session dpi | incl instagram"
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: Sep 06, 2024 07:42 AM
From: Muellermann
Subject: Problem blocking Applications
It seems to hit the ACL, but the traffic goes through.
show acl hits role Schueler
User Role ACL Hits
------------------
Role Policy Src Dst Service/Application Action Dest/Opcode New Hits Total Hits Index Ipv4/Ipv6
---- ------ --- --- ------------------- ------ ----------- -------- ---------- ----- ---------
Schueler Schueler any any app tiktok deny 0 11 11640 ipv4
Schueler Schueler any any app instagram deny 0 14 11641 ipv4
Schueler Schueler any any app facebook deny 0 1 11642 ipv4
Schueler Schueler any any any permit 190 1295 11643 ipv4
Port Based Session/Route ACL
----------------------------
Policy Src Dst Service/Application Action Dest/Opcode New Hits Total Hits Index Ipv4/Ipv6
------ --- --- ------------------- ------ ----------- -------- ---------- ----- ---------
Port ACL Hits
-------------
ACL ACE New Hits Total Hits Index Ipv4/Ipv6
--- --- -------- ---------- ----- ---------
show acl hits
User Role ACL Hits
------------------
Role Policy Src Dst Service/Application Action Dest/Opcode New Hits Total Hits Index Ipv4/Ipv6
---- ------ --- --- ------------------- ------ ----------- -------- ---------- ----- ---------
logon logon any any web-cc-reputation high-risk deny 0 5 7910 ipv4
logon logon any any any permit 3223 1596143 7911 ipv4
sys-ap-role sys-control any any sys-svc-papi permit 955 10642158 7795 ipv4
sys-ap-role sys-control any any sys-svc-sec-papi permit 197 3324563 7797 ipv4
sys-ap-role sys-control any any sys-svc-natt permit 193 3412862 7807 ipv4
sys-ap-role sys-ap-acl any any sys-svc-gre permit 0 153 7810 ipv4
sys-ap-role sys-ap-acl any any sys-svc-syslog permit 2 3398 7812 ipv4
sys-ap-role sys-ap-acl user any sys-svc-ftp permit 0 1 7823 ipv4
denyall denyall any any any deny 0 2581 7749 ipv4
Schueler Schueler any any app tiktok deny 0 11 11640 ipv4
Schueler Schueler any any app instagram deny 0 14 11641 ipv4
Schueler Schueler any any app facebook deny 0 1 11642 ipv4
Schueler Schueler any any any permit 215 1510 11643 ipv4
Port Based Session/Route ACL
----------------------------
Policy Src Dst Service/Application Action Dest/Opcode New Hits Total Hits Index Ipv4/Ipv6
------ --- --- ------------------- ------ ----------- -------- ---------- ----- ---------
validuser 169.254.0.0 255.255.0.0 any any deny 0 990 7781 ipv4
validuser any any any permit 127 600490 7785 ipv4
Port ACL Hits
-------------
ACL ACE New Hits Total Hits Index Ipv4/Ipv6
--- --- -------- ---------- ----- ---------
Original Message:
Sent: Sep 06, 2024 07:19 AM
From: GorazdKikelj
Subject: Problem blocking Applications
Hi Andreas.
What are "show acl hits role Schueler" and "show acl hits" showing? Did it ever hit your rules?
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: Sep 06, 2024 07:04 AM
From: Muellermann
Subject: Problem blocking Applications
Hi Gorazd,
that doesn't make a difference. Still no blocking.
Best regards
Andreas
Original Message:
Sent: Sep 06, 2024 06:53 AM
From: GorazdKikelj
Subject: Problem blocking Applications
Hi.
Can you try with Source User in your deny rule instead of any?
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: Sep 06, 2024 05:40 AM
From: Muellermann
Subject: Problem blocking Applications
Dear Herman,
thanks for your answer. We have a role called "Schueler" which is the default logon role for the WLAN "nymphlan".
The role uses the policy "Schueler", and there the app facebook is denied.
Original Message:
Sent: Sep 06, 2024 03:43 AM
From: Herman Robers
Subject: Problem blocking Applications
But does it work? Applications like Instagram can only be classified after they are initiated, so it may be that the flow is there, then after some time classified and dropped.
If traffic does go through, even classified, can you share your role (show rights) and the flows that you see go through?
If you are not too familiar with troubleshooting, it may be good to work with your Aruba partner or TAC.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Sep 04, 2024 07:18 AM
From: Muellermann
Subject: Problem blocking Applications
Hi there,
I've set up a role and a policy to deny e.g. Instagram on an Aruba 7200 mobility controller. We are using DPI and PEF.
Although the default role for the SSID is set to the role I've created, I still see data flow which is categorized as Instagram.
Is there something I forgot to set up?
I'm somewhat clueless.
Thanks in advance and best regards
Andreas