Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Traffic denied despite allow all role

  • 1.  Traffic denied despite allow all role

    Posted Sep 18, 2023 05:56 AM

    Hello, 

    We're getting traffic denied to an IP despite the role having an allow_all rule at the top. It happens periodically and I'm unable to find out why.

    When I check "show datapath session table <ip>", it has a lot of entries with the "D" in it.

    I have checked the security log for the IP and the MAC address with no luck. Does anyone have any suggestion as to what could be causing this? The global firewall is my guess, but is there any way to check that?

    /Tomas



  • 2.  RE: Traffic denied despite allow all role

     
    Posted Sep 18, 2023 07:19 AM

    Are you sure that the device is being assigned to that specific role? Is it a public IP address?



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: Traffic denied despite allow all role

    Posted Sep 18, 2023 07:32 AM

    Yes, I've checked the assigned role and they are all in the role with the allow all rule. The IP that is being blocked is a private IP address.




  • 4.  RE: Traffic denied despite allow all role

     
    Posted Sep 18, 2023 07:39 AM

    We would need specific information about your configuration, otherwise we would just be guessing the ways traffic can be blocked even when in an allow all role. If you have deny inter user traffic or deny layer 2 bridging, that would also stop traffic, but it would stop it all of the time. If the blocking is intermittent like you say, your configuration would need to be pulled apart to see if you have a bug, and that would entail opening a technical support case.

    The only thing I could think of is if the traffic is voice traffic and a voice ALG might be blocking return traffic from a voice server or between voice clients. If that is not your issue, you should probably open a technical support case.






  • 5.  RE: Traffic denied despite allow all role

    Posted Sep 18, 2023 03:41 PM

    I have the same exact issue with our Guest network. No captive portal, no password, nothing. We do block inter user traffic and deny layer 2 bridging. It should be client->ap->controller->switch->firewall. We have some rules to block APIPA and RFC but everything else is open. Also, I had to add separate rules for providers (caption phones, Facebook, etc.) as even if the IPs were public, they were denied. TAC is not very helpful.



    ------------------------------
    DamianNita
    ------------------------------