Controllerless Networks

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

DHCP Issues with InstantOS and Virtualbox

  • 1.  DHCP Issues with InstantOS and Virtualbox

    Posted Feb 24, 2020 02:03 AM

    Hi,

    I have a strange issue and was wondering if someone could shed some light on it.
    We have about 8 Aruba Instant devices on the network. All are connected via a Cisco switch to a Sophos firewall that provides the DHCP services.
    I am running a virtual machine (Ubuntu) on a Mac connected to the Aruba AP and have configured it in bridged mode so that it gets its own LAN IP address. I can see that DHCPDISCOVER packets are being broadcast by the guest OS. However, these get blocked by the Aruba AP.

    I am quite certain at this point that it is the Aruba AP that is blocking it, because when the Mac is on another, non-Aruba access point connected to the same firewall, my virtual machines are getting DHCP addresses when in bridged mode.
    I tried disabling protect-windows-bridge but that does not seem to help.
    Would you know what configuration in the Aruba AP triggers this block?

     



  • 2.  RE: DHCP Issues with InstantOS and Virtualbox

    Posted Feb 24, 2020 02:58 AM

    Hello,

     

    Can you post a config file of your Aruba Instant?

    Do you have the option "enforce dhcp" activated? This is an SSID-specific option.

     

    Regards,

     

    Matijs



  • 3.  RE: DHCP Issues with InstantOS and Virtualbox

    Posted Feb 24, 2020 03:50 AM

    Thanks, this is the configuration 

    version 8.5.0.0-8.5.0
    virtual-controller-country IN
    virtual-controller-key bef90f4a019ababd6a049cd3940e3ee50b072f661d303cf858
    name Z-AP-Pantry
    terminal-access
    clock timezone none 00 00
    rf-band all

    allow-new-aps
    allowed-ap 40:e3:d6:cc:1f:76
    allowed-ap ac:a3:1e:c5:8c:dc
    allowed-ap 80:8d:b7:c4:41:06
    allowed-ap 00:4e:35:c0:f3:50
    allowed-ap 7c:57:3c:ca:9e:6c
    allowed-ap 7c:57:3c:ca:95:74
    allowed-ap 7c:57:3c:ca:af:9a

     

    arm
    wide-bands 5ghz
    80mhz-support
    min-tx-power 18
    max-tx-power 127
    band-steering-mode prefer-5ghz
    air-time-fairness-mode fair-access
    client-aware
    scanning
    client-match


    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless

     

    mgmt-user admin xxxxx

     

    wlan access-rule default_wired_port_profile
    index 0
    rule any any match any any any permit

    wlan access-rule wired-SetMeUp
    index 1
    rule masterip 0.0.0.0 match tcp 80 80 permit
    rule masterip 0.0.0.0 match tcp 4343 4343 permit
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

    wlan access-rule ZWiFi
    index 2
    rule any any match any any any permit

    wlan ssid-profile ZWiFi
    enable
    index 0
    type employee
    essid ZWiFi
    wpa-passphrase xxxxxxx
    opmode wpa2-psk-aes
    max-authentication-failures 0
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64
    dot11r
    dot11k
    dot11v

    auth-survivability cache-time-out 24

     

    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"
    auto-whitelist-disable
    https


    blacklist-time 3600
    auth-failure-blacklist-time 3600


    ids
    wireless-containment none
    infrastructure-detection-level high
    client-detection-level high
    infrastructure-protection-level high
    client-protection-level custom
    protect-valid-sta


    wired-port-profile wired-SetMeUp
    switchport-mode access
    allowed-vlan all
    native-vlan guest
    no shutdown
    access-rule-name wired-SetMeUp
    speed auto
    duplex auto
    no poe
    type guest
    captive-portal disable
    no dot1x

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    captive-portal disable
    no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180

     

    airgroup
    enable
    multi-swarm

    airgroupservice airplay
    enable
    description AirPlay

    airgroupservice airprint
    enable
    description AirPrint

    airgroupservice "DLNA Media"
    enable

    airgroupservice googlecast
    enable

    airgroupservice "DLNA Print"
    enable

     

     

     



  • 4.  RE: DHCP Issues with InstantOS and Virtualbox

    Posted Feb 25, 2020 02:16 AM

    Have you tried to disable the broadcast filter and/or IDS?

     

    Kind regards,



  • 5.  RE: DHCP Issues with InstantOS and Virtualbox

    Posted Feb 25, 2020 02:36 AM

    Thanks, will do. I saw a similar issue discussed in Spanish.

     

    https://community.arubanetworks.com/t5/Foro-en-Espa%C3%B1ol/Instant-Problemas-para-obtener-IP-maquina-virtual/m-p/624797#M5524

     

    Will set broadcast filtering to disabled and see.



  • 6.  RE: DHCP Issues with InstantOS and Virtualbox
    Best Answer

    Posted Feb 26, 2020 11:42 AM

    I just checked in my lab setup. IDS/IPS config is fine,

    you need to disable broadcast filter. 



  • 7.  RE: DHCP Issues with InstantOS and Virtualbox

    Posted Feb 26, 2020 11:58 AM

    However, according to the UG, broadcast filter ARP will allow DHCP packets, whereas in this case they are being blocked.

     

    Any experts might want to shed some light?



  • 8.  RE: DHCP Issues with InstantOS and Virtualbox

    Posted Feb 26, 2020 12:09 PM

    So while doing a WS capture on my host machine, I can see that the DHCP DISCOVER is formed using the host's MAC address as the actual sender, and inside the DHCP packet the client (guest) MAC address is provided, which is not normal, and hence the AP is rejecting the packets.

     

    This point is further confirmed in the post below (I am using VMware Workstation)

     

    https://communities.vmware.com/thread/518642



  • 9.  RE: DHCP Issues with InstantOS and Virtualbox

    Posted Feb 28, 2020 03:28 AM

    Thank you. I did both initially. Turned off IDS and also the Broadcast Filtering. It had worked. 

    Tested again with just broadcast filter off. It is working for me now.

     

    Thanks for the investigation and analysis.

    Maybe this is something that could be fixed in the future.

     

    Much appreciated.

     

    Regards