Wireless Access


Y flag troubleshooting

  • 1.  Y flag troubleshooting

    Posted Mar 17, 2017 04:30 PM

    Sorry if this is duplicate. It appears that the original didn't post...

     

     

    I've got 2 production networks on different VLANs with the same configuration on both. On the "M" network, I can get everything with no problem. Websites load, I can ping, etc. On the "D" network, I can ping websites, but I cannot establish any http or https traffic.

     

    When viewing the datapath session table, I see that all the return traffic is being flagged with Y. I understand what that means, but what can I do to get to the bottom of the problem and get this network working?

     

    output:

    205.171.2.65    192.168.135.50  17   53    16755  0/0     0    0   0   tunnel 12   2    0          0          FYI
    192.168.135.50  8.8.8.8         17   59804 53     0/0     0    0   0   tunnel 12   2    1          61         FCI
    8.8.8.8         192.168.135.50  17   53    59804  0/0     0    0   0   tunnel 12   2    0          0          FYI
    192.168.135.50  205.171.2.65    17   16755 53     0/0     0    0   0   tunnel 12   2    1          63         FCI
    205.171.2.65    192.168.135.50  17   53    47764  0/0     0    0   0   tunnel 12   5    0          0          FYI
    8.8.8.8         192.168.135.50  17   53    48911  0/0     0    0   1   tunnel 12   a    0          0          FYI
    192.168.135.50  8.8.8.8         17   54884 53     0/0     0    0   0   tunnel 12   2    1          66         FCI
    192.168.135.50  8.8.8.8         17   16958 53     0/0     0    0   0   tunnel 12   2    1          66         FCI
    192.168.135.50  8.8.8.8         17   48911 53     0/0     0    0   1   tunnel 12   a    1          102        FCI
    192.168.135.50  8.8.8.8         17   23840 53     0/0     0    0   1   tunnel 12   9    1          74         FCI
    8.8.8.8         192.168.135.50  17   53    16958  0/0     0    0   0   tunnel 12   2    0          0          FYI
    8.8.8.8         192.168.135.50  17   53    5450   0/0     0    0   1   tunnel 12   2    0          0          FYI
    8.8.8.8         192.168.135.50  17   53    54884  0/0     0    0   1   tunnel 12   2    0          0          FYI
    8.8.8.8         192.168.135.50  17   53    4209   0/0     0    0   0   tunnel 12   7    0          0          FYI
    192.168.135.50  8.8.8.8         17   34465 53     0/0     0    0   0   tunnel 12   2    1          61         FCI
    192.168.135.50  8.8.8.8         17   4209  53     0/0     0    0   0   tunnel 12   7    1          63         FCI
    8.8.8.8         192.168.135.50  17   53    2282   0/0     0    0   1   tunnel 12   1e   0          0          FYI
    205.171.2.65    192.168.135.50  17   53    9802   0/0     0    0   0   tunnel 12   4    0          0          FYI
    192.168.135.50  8.8.8.8         17   5450  53     0/0     0    0   0   tunnel 12   2    1          74         FCI
    8.8.8.8         192.168.135.50  17   53    31570  0/0     0    0   0   tunnel 12   2    0          0          FYI
    192.168.135.50  205.171.2.65    17   35447 53     0/0     0    0   0   tunnel 12   7    1          64         FCI
    192.168.135.50  8.8.8.8         17   2282  53     0/0     0    0   0   tunnel 12   1e   2          128        FCI
    192.168.135.50  205.171.2.65    17   47764 53     0/0     0    0   0   tunnel 12   5    1          102        FCI
    192.168.135.50  8.8.8.8         17   31570 53     0/0     0    0   0   tunnel 12   2    1          64         FCI
    8.8.8.8         192.168.135.50  17   53    23840  0/0     0    0   0   tunnel 12   9    0          0          FYI
    192.168.135.50  205.171.2.65    17   9802  53     0/0     0    0   0   tunnel 12   4    1          74         FCI
    8.8.8.8         192.168.135.50  17   53    34465  0/0     0    0   0   tunnel 12   2    0          0          FYI
    205.171.2.65    192.168.135.50  17   53    35447  0/0     0    0   0   tunnel 12   7    0          0          FYI

     

    -Joey
     


  • 2.  RE: Y flag troubleshooting

    Posted Mar 17, 2017 04:34 PM
    Do you have any ACL rules that could be blocking the traffic from that particular network?
    Are the sites internal or external?

    Can you reach those sites by IP?



  • 3.  RE: Y flag troubleshooting

    EMPLOYEE
    Posted Mar 17, 2017 05:45 PM

    If the Aruba Controller was blocking it, there would be a "D" in the session flag, regardless of the way it was being blocked. A "Y" means that there is no return traffic or the traffic is UDP, which never has a SYN. I would look upstream from the Aruba Controller or ping hop by hop to determine where your traffic is not being returned from.
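
The triage described in the last reply, as an added example that is not part of the original thread: it sorts pasted session-table rows into controller denies ("D"), TCP sessions flagged "Y", and UDP rows where "Y" is expected. The column positions (source, destination, protocol, ports first; flags last) are an assumption inferred from the output posted above, and the three TCP rows are constructed sample data.

```python
# Added example: classify datapath session rows by the flags discussed in the thread.
# Assumed layout (inferred from the pasted output, no header was posted):
#   src dst proto sport dport ... flags   (flags is the last field, may be absent)

SAMPLE = """\
205.171.2.65    192.168.135.50  17   53    16755  0/0     0    0   0   tunnel 12   2    0          0          FYI
192.168.135.50  8.8.8.8         17   59804 53     0/0     0    0   0   tunnel 12   2    1          61         FCI
192.168.135.50  203.0.113.10    6    51515 443    0/0     0    0   0   tunnel 12   2    3          180        C
203.0.113.10    192.168.135.50  6    443   51515  0/0     0    0   0   tunnel 12   2    0          0          Y
192.168.135.50  203.0.113.20    6    51600 80     0/0     0    0   0   tunnel 12   2    1          60         FDC
"""  # first two rows are from the thread; the protocol-6 rows are constructed

TCP, UDP = 6, 17


def parse(text):
    """Return one dict per session row, skipping blank or header lines."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[2].isdigit():
            continue
        # A row with no flags ends in a number, not letters.
        flags = f[-1] if f[-1].isalpha() else ""
        rows.append({"src": f[0], "dst": f[1], "proto": int(f[2]),
                     "sport": int(f[3]), "dport": int(f[4]), "flags": flags})
    return rows


def triage(rows):
    """Bucket rows: 'D' means the controller blocked it; 'Y' on TCP is the
    case worth chasing upstream; 'Y' on UDP is expected (UDP has no SYN)."""
    out = {"denied": [], "tcp_no_syn": [], "udp_y_expected": []}
    for r in rows:
        if "D" in r["flags"]:
            out["denied"].append(r)
        elif "Y" in r["flags"] and r["proto"] == TCP:
            out["tcp_no_syn"].append(r)
        elif "Y" in r["flags"] and r["proto"] == UDP:
            out["udp_y_expected"].append(r)
    return out


if __name__ == "__main__":
    for bucket, rows in triage(parse(SAMPLE)).items():
        for r in rows:
            print(bucket, r["src"], "->", r["dst"], r["dport"], r["flags"])
```

Every row in the posted output is protocol 17, so all of it lands in the UDP bucket; the HTTP/HTTPS failure would show up in protocol 6 rows.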