We're getting traffic denied to an IP despite the role having an allow_all rule at the top. It happens periodically and I'm unable to find out why.
When I check "show datapath session table <ip>" it has a lot of entries with the "D" in them.
I have checked the security log for the IP and the MAC address with no luck. Does anyone have any suggestion as to what can be causing this? The global firewall is my guess, but is there any way to check that?
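A small helper for the session-table check described above, added here as an example and not part of the original post: it reads pasted "show datapath session table" output, counts sessions whose Flags column carries "D", and lists destinations that show both allowed and denied sessions, which is the intermittent pattern worth looking at first. The sample rows and the column layout (five leading fields, Flags last) are constructed assumptions about the controller's output, not captured data.

```python
from collections import Counter

# Constructed sample in the shape of "show datapath session table <ip>" output.
# The column order and the meaning of "D" (denied) in Flags are assumptions.
SAMPLE = """\
Source IP       Destination IP  Prot SPort DPort  Cntr  Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- ------ ---- --- --- ----------- ---- ---------- ---------- ---------
10.10.20.15     10.10.20.1      17   5353  5353  0/0    0    0   1   dev0        b    4          480        FCD
10.10.20.15     172.16.5.20     6    50122 443   0/0    0    0   1   tunnel 9    1a   120        9000       FC
10.10.20.15     10.10.20.1      6    50130 80    0/0    0    0   0   dev0        2    3          180        D
10.10.20.15     172.16.5.20     6    50140 443   0/0    0    0   1   tunnel 9    1b   88         7100       FC
10.10.20.15     172.16.5.20     6    50150 443   0/0    0    0   0   tunnel 9    1    2          120        D
"""


def parse_sessions(text):
    """Return one dict per session row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with an IP address; headers and dashes do not.
        if len(fields) < 6 or not fields[0][0].isdigit():
            continue
        src, dst, proto, sport, dport = fields[:5]
        # Flags is the last column; if it is empty the last token is Bytes (all digits).
        flags = "" if fields[-1].isdigit() else fields[-1]
        rows.append({"src": src, "dst": dst, "proto": int(proto),
                     "sport": int(sport), "dport": int(dport), "flags": flags})
    return rows


def denied_summary(rows):
    """Count denied sessions per (dst, proto, dport) so the blocked flows stand out."""
    return Counter((r["dst"], r["proto"], r["dport"]) for r in rows if "D" in r["flags"])


def intermittent_targets(rows):
    """Destinations that carry both allowed and denied sessions: candidates for an
    intermittent deny rather than a rule that always blocks that flow."""
    seen = {}
    for r in rows:
        seen.setdefault((r["dst"], r["proto"], r["dport"]), set()).add("D" in r["flags"])
    return sorted(k for k, v in seen.items() if v == {True, False})


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE)
    for key, n in denied_summary(sessions).most_common():
        print("denied %d x -> %s proto %d port %d" % (n, *key))
    print("sometimes allowed, sometimes denied:", intermittent_targets(sessions))
```

Paste the real table into SAMPLE (or read it from a file) and run it over several captures taken while the problem is occurring to see whether the denied destinations and ports stay the same.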
Are you sure that the device is being assigned to that specific role? Is it a public IP address?
Yes, I've checked the assigned role and they are all in the role with the allow all rule. The IP that is being blocked is a private IP address.
We would need specific information about your configuration, otherwise we would just be guessing the ways traffic can be blocked even when in an allow all role. If you have deny inter user traffic or deny layer 2 bridging, that would also stop traffic, but it would stop it all of the time. If the blocking is intermittent like you say, your configuration would need to be pulled apart to see if you have a bug, and that would entail opening a technical support case.
The only thing I could think of is if the traffic is voice traffic and a voice ALG might be blocking return traffic from a voice server or between voice clients. If that is not your issue, you should probably open a technical support case.
I have the same exact issue with our Guest network. No captive portal, no password, nothing. We do block inter-user traffic and deny layer 2 bridging. It should be client -> AP -> controller -> switch -> firewall. We have some rules to block APIPA and RFC but everything else is open. Also, I had to add separate rules for providers (caption phones, Facebook, etc.) as even if the IPs were public, they were denied. TAC is not very helpful.
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.