Wireless Access

  • 1.  Traffic Blocked, but which policy did it?

    Posted Jul 30, 2024 11:44 AM

    I have a pair of clustered 7220s running 8.10.  I have a role for authenticated users.  But users in this role are having port 443 traffic denied to a specific website.  

    show datapath session table shows:

    Source IP or MAC  Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags           CPU ID  
    ----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- ------- 
    10.10.32.104      10.80.0.4       6    12079 443    0/0     0    0   0   tunnel 2994 5    2          104        FDYC            27       
    10.10.32.104      10.80.0.4       6    12078 443    0/0     0    0   0   tunnel 2994 5    2          104        FDYC            27       

    show rights includes allowall which should allow the traffic, correct?

    allowall
    --------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Denylist  Mirror  DisScan  IPv4/6  Contract  Mark  Description
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  --------  ------  -------  ------  --------  ----  -----------
    1         any     any          any                   permit                           Low                                           4                        
    2         any     any          any-v6                permit                           Low                                           6                        

    So how can I figure out what policy is causing the D?



    ------------------------------
    -Bill
    ------------------------------


  • 2.  RE: Traffic Blocked, but which policy did it?

    Posted Jul 31, 2024 05:15 AM

    It could be that the session was blocked because of inter-user traffic? Or that the traffic was dynamically blocked from the WebUI?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Traffic Blocked, but which policy did it?

    Posted Aug 19, 2024 01:43 PM

    So it turns out that the problem was due to the blocked website being the inside interface of the firewall. We had a remote access point traversing the firewall and exiting on the same interface as the firewall's website. The Aruba controller interpreted that traffic as bound for the remote AP and not the firewall, so it dropped the traffic. We assigned a new internal address to the remote AP and traffic started flowing as normal again.



    ------------------------------
    -Bill
    ------------------------------
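
Added example, not part of the original thread and not Aruba code: a small parser for pasted `show datapath session table` output that groups denied sessions by destination IP, port and the Destination column, so it is easy to see where the datapath is sending the flows it drops. It assumes the column layout shown in the first post and that a `D` in Flags marks a denied session, as that post reads it; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two rows quoted in the first post of this thread.
SAMPLE = """\
Source IP or MAC  Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags           CPU ID
----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------
10.10.32.104      10.80.0.4       6    12079 443    0/0     0    0   0   tunnel 2994 5    2          104        FDYC            27
10.10.32.104      10.80.0.4       6    12078 443    0/0     0    0   0   tunnel 2994 5    2          104        FDYC            27
"""

# A data row starts with an IPv4 address or a MAC; headers and rulers do not.
ROW_START = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s")

def parse_sessions(text):
    """Yield one dict per session row of the pasted table."""
    for line in text.splitlines():
        if not ROW_START.match(line):
            continue
        tok = line.split()
        # Nine fixed columns on the left and five on the right; whatever sits
        # between them is the Destination column, which can be two tokens
        # ("tunnel 2994"). Rows with an empty Flags column fail the isalpha
        # check and are skipped, which is safe here: they carry no D flag.
        if len(tok) < 15 or not tok[-2].isalpha():
            continue
        yield {
            "src": tok[0], "dst": tok[1], "proto": int(tok[2]),
            "sport": int(tok[3]), "dport": int(tok[4]),
            "egress": " ".join(tok[9:-5]),
            "packets": int(tok[-4]), "bytes": int(tok[-3]),
            "flags": tok[-2],
        }

def denied_by_destination(text, deny_flag="D"):
    """Map (destination IP, dport, Destination column) -> source ports denied.

    Assumption: deny_flag in Flags marks a denied session.
    """
    groups = defaultdict(list)
    for s in parse_sessions(text):
        if deny_flag in s["flags"]:
            groups[(s["dst"], s["dport"], s["egress"])].append(s["sport"])
    return dict(groups)

if __name__ == "__main__":
    for (dst, dport, egress), sports in denied_by_destination(SAMPLE).items():
        print(f"{dst}:{dport} via {egress}: {len(sports)} denied session(s)")
```
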