We would need specific information about your configuration, otherwise we would just be guessing the ways traffic can be blocked even when in an allow all role. If you have deny inter user traffic or deny layer 2 bridging, that would also stop traffic, but it would stop it all of the time. If the blocking is intermittent like you say, your configuration would need to be pulled apart to see if you have a bug, and that would entail opening a technical support case.
The only thing I could think of is if the traffic is voice traffic and a voice ALG might be blocking return traffic from a voice server or between voice clients. If that is not your issue, you should probably open a technical support case.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------
Original Message:
Sent: Sep 18, 2023 07:31 AM
From: tlilja
Subject: Traffic denied despite allow all role
Yes, I've checked the assigned role and they are all in the role with the allow all rule. The IP that is being blocked is a private IP address.
Original Message:
Sent: Sep 18, 2023 07:18 AM
From: cjoseph
Subject: Traffic denied despite allow all role
Are you sure that the device is being assigned to that specific role? Is it a public IP address?
Original Message:
Sent: Sep 18, 2023 05:56 AM
From: tlilja
Subject: Traffic denied despite allow all role
Hello,
We're getting traffic denied to an IP even though the role has an allow_all rule at the top. It happens periodically and I'm unable to find out why.
When I check "show datapath session table <ip>", it has a lot of entries with the "D" in it.
I have checked the security log for the IP and the MAC address with no luck. Does anyone have any suggestions as to what can be causing this? The global firewall is my guess, but is there any way to check that?
/Tomas