Wired Intelligent Edge


UBT no data traffic out of gateway

  • 1.  UBT no data traffic out of gateway

    Posted Aug 01, 2024 08:29 AM

    Hey,

    I'm setting up a new UBT for a client.
    We have 2x 9240 gateways & AOS-CX 6300M switches.
    Both gateway & switch have IP addresses in the same L2 subnet.
    I see that the tunnels come up, but the client cannot send or receive any traffic.
    Pinging the default gateway doesn't work.
    If I place the client into the same user VLAN directly via the switch, everything works.

    Switch & Gateway are managed by Aruba Central.
    I see the following output in the CLI.
    Does someone have an idea what is going wrong?

    I use DURs with gateway zone push from ClearPass.
    DURs are working fine with local breakout, so DUR setup isn't the issue.



  • 2.  RE: UBT no data traffic out of gateway

    Posted Aug 01, 2024 09:00 AM

    The trace buf above wasn't correct. Here is a correct one.




  • 3.  RE: UBT no data traffic out of gateway

    EMPLOYEE
    Posted Aug 01, 2024 08:19 PM

    Please share the switch configuration.

    Note that when configuring UBT on the CX switches, the "primary-controller ip" should be the system-ip or controller-ip on the gateway.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 4.  RE: UBT no data traffic out of gateway

    Posted Aug 02, 2024 03:46 AM

    Hi Ariyap,

    Below you will find the switch configuration I did for UBT.
    ClearPass auth is working fine, so I didn't provide that.

    I confirm that the system IP is used for the config in the CX switch.
    I see that the tunnel is up and running on the gateway & switch.
    I also see the user on the gateway, but I cannot send any traffic.
    Feels like the allowall of the role isn't there, or something blocks all traffic.

    The role on the gateway has an allow-all policy.

    What I also find odd is that in Aruba Central there are clients connected which don't show up on the CLI of both gateways.
    show user on the gateway shows only 1 client, which is using the UBT tunnel.
    I checked and the VLAN and interface are trusted (in Central & CLI).


    Attachment(s)

    txt
    debug ubt.txt   2 KB 1 version
    txt
    switch config.txt   1 KB 1 version


  • 5.  RE: UBT no data traffic out of gateway

    EMPLOYEE
    Posted Aug 02, 2024 07:45 PM

    Your switch config looks fine to me. What is the output of the following commands on the switch?

    sh aaa authentication port-access interface all client-status

    sh ubt users all

    And these commands on the controller:

    show user
    show rights <user-role> 






  • 6.  RE: UBT no data traffic out of gateway

    Posted Aug 08, 2024 09:31 AM

    Hi Ariyap,

    Sorry for the late response.
    But attached is all the output, which looks fine to me.
    But still nothing is working and the client cannot ping or connect to anything.

    I already opened a TAC case, but without success or any clue from them.
    If someone has any idea what is going wrong, I would be grateful.




  • 7.  RE: UBT no data traffic out of gateway

    Posted Aug 09, 2024 02:39 AM

    Hi,
    I would test sending an additional VSA attribute from ClearPass with the Aruba user VLAN. I know that there was a problem before with DUR and having the user VLAN in the DUR. So test and send the user role and aruba-user-vlan in separate VSAs from ClearPass.
    You also need to adjust the MTU size on the physical interfaces and the IP MTU size from the switch all the way to the Aruba GW to get 1500 IP MTU through because of the GRE overhead.





  • 8.  RE: UBT no data traffic out of gateway

    Posted Aug 09, 2024 03:52 AM

    Hi,

    I already tested with a LUR on the switch.
    Without success.
    So I already removed the DUR config from the troubleshooting list.




  • 9.  RE: UBT no data traffic out of gateway

    Posted Aug 09, 2024 09:01 AM

    Do you have a DUR for both the switch and the gateway? I know for sure that DUR on the gateway is not working with a user VLAN; that has to be a separate VSA.
    Test using a static role on the gateway with a VLAN attached to the role where the client should get an IP address.




  • 10.  RE: UBT no data traffic out of gateway

    Posted Aug 09, 2024 09:37 AM

    Hi,

    I use DUR for the switch and send the gateway role via the DUR.
    On the gateway I configured static VLAN assignment on the gateway role.

    When disabling the ARP spoofing protection on the gateway, everything works.
    I have no idea why the gateway found that the UBT traffic was ARP spoofed.

    Has anyone else encountered this issue?