IAP Vlans ID Mismatch

  • 1.  IAP Vlans ID Mismatch

    Posted Sep 11, 2016 04:26 PM

    Hello,

    I have an IAP-325, firmware 6.4.2.6-4.1.3.0, configured to serve two SSIDs. The IAP is connected to a trunk port on a Cisco SG500 switch and there are 2 employee Vlans configured.

    On the Cisco side we have a port for the uplink to the IAP configured as:

    switch port mode trunk, native Vlan = 1, Vlans allowed 1 Untagged, 2-3 Tagged.

    The switch provides two DHCP pools 192.168.1.x and 192.168.2.x to serve the Vlans.

    IAP has a static IP address assigned on the net 192.168.0.x (native Vlan 1 used for management purpose).

    I have set up 2 SSIDs:

    SSID Office, Client IP assignment - Network assigned, Client Vlan management Static 2

    SSID Sales, Client IP assignment - Network assigned, Client Vlan management Static 3

    When I try to connect to the SSID Office (serving Vlan 2) it goes into DHCP timeout and the default DHCP address 169.254.x.x is provided (so not working), whilst when I connect to the SSID Sales (serving Vlan 3) it works well (the correct DHCP address in network 192.168.2.x is provided).

    The only way I have found to make Vlan 2 work is:

    I assigned an IP address to the IAP on the 192.168.1.x (belonging to the Vlan 2)

    I modified the Cisco switch port, excluding the Vlan 1 and making the Vlan 2 native (untagged). Then I modified the static assignment of the network SSID Office from Vlan 2 to Vlan 1. It is really weird, because in the Cisco trunk port Vlan 1 is not allowed (I have Vlan 2 untagged and Vlan 3 tagged). I didn't use a packet analyzer, but it seems the Vlan 1 and 2 are reverted. Strange, but it works.

    Any idea about this weird behaviour?

  • 2.  RE: IAP Vlans ID Mismatch

    EMPLOYEE
    Posted Sep 11, 2016 05:01 PM

    What is the default gateway of your clients?



  • 3.  RE: IAP Vlans ID Mismatch

    Posted Sep 11, 2016 05:06 PM

    Cisco switch works on L3, so in my case I have:

    Net 192.168.1.0 Def Gateway 192.168.1.1

    Net 192.168.2.0 Def Gateway 192.168.2.1



  • 4.  RE: IAP Vlans ID Mismatch

    EMPLOYEE
    Posted Sep 11, 2016 05:18 PM

    What you should do is do a DHCP debug packet dump to ensure that the client is indeed requesting DHCP packets: https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-enable-packet-trace-to-debug-DHCP-packets-in-Instant/ta-p/179952



  • 5.  RE: IAP Vlans ID Mismatch

    Posted Sep 11, 2016 07:23 PM

    I did some debugging on both setups.

    First setup (NOT WORKING).

    Cisco switch uplink port in trunk mode, Vlan 1 untagged (native), Vlan 2-3 tagged.

    IAP IP address 192.168.0.5, I guess in Vlan 1 (as by default IAP settings).

    SSID Office Vlan 2 DHCP pool 192.168.1.x (assigned by Cisco switch), not working.

    SSID Sales Vlan 3 DHCP pool 192.168.1.x (assigned by Cisco switch), working.

    DHCP debug info on a client (desktop):


    WIFIAD01# debug pkt mac 04:69:f8:dd:6f:1f
    WIFIAD01# debug pkt match mac
    WIFIAD01# debug pkt type dhcp
    WIFIAD01# debug pkt dump
    If source or destination MAC is 04:69:f8:dd:6f:1f
    AND packet is of type DHCP
    Press 'q' to quit.

    Received packet from aruba101 (timestamp (116-8-11 22:31:15:184176) )
    [asap_firewall_forward(5048):firewall entry] len 342, vlan 0, egress CP, ingress aruba101:
    #mac: etype 0800 smac 04:69:f8:dd:6f:1f dmac ff:ff:ff:ff:ff:ff
    #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 48, fragment ok, last fragment, fragment offset 0
    #udp: sport 68 dport 67 len 308
    #dhcp: message-type: request
    hardware type: 1, len: 6, hops: 0
    txn id: 0xabc2874b, seconds elapsed: 10
    client mac: 04:69:f8:dd:6f:1f
    magic cookie: 0x63825363
    #dhcp-option: message-type: discover
    [asap_firewall_forward(5218):vlan decision] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_check_dhcp_packet(2386):dhcp packet from client] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_forward(5583):looking up bridge entry] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_forward(5894):bridge section] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_forward(6023):session section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6217):fastpath returned 1 opcode 4] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6249):slowpath section: opcode 4] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6485):back to fastpath, opcode 3] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6789):route section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6839):cp route section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(7122):forward section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_flood(8476):flooding] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_flood(8533):adding option 82] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_add_rem_dhcp_option82(8125):returning w/o adding option 82] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_add_vlan_to_dhcp(8313):adding vlan to dhcp] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_add_vlan_to_dhcp(8354):added vlan to dhcp] len 346, vlan 2, egress vlan 2, ingress aruba101:
    #mac: etype 0800 smac 04:69:f8:dd:6f:1f dmac ff:ff:ff:ff:ff:ff
    #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 48, fragment ok, last fragment, fragment offset 0
    #udp: sport 68 dport 67 len 312
    #dhcp: message-type: request
    hardware type: 1, len: 6, hops: 0
    txn id: 0xabc2874b, seconds elapsed: 10
    client mac: 04:69:f8:dd:6f:1f
    magic cookie: 0x63825363
    #dhcp-option: message-type: discover
    #dhcp-option: aruba-vlan: 2
    [asap_firewall_flood(9208):stack section protocol=0x8ffb, type=1] len 346, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_send_up_stack(3316):going to stack protocol:0x8ffb type:1] len 332, vlan 2, egress vlan 2, ingress br0:

    Received packet from aruba101 (timestamp (116-8-11 22:31:16:242876) )
    [asap_firewall_forward(5048):firewall entry] len 342, vlan 0, egress CP, ingress aruba101:
    #mac: etype 0800 smac 04:69:f8:dd:6f:1f dmac ff:ff:ff:ff:ff:ff
    #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 48, fragment ok, last fragment, fragment offset 0
    #udp: sport 68 dport 67 len 308
    #dhcp: message-type: request
    hardware type: 1, len: 6, hops: 0
    txn id: 0xabc2874b, seconds elapsed: 11
    client mac: 04:69:f8:dd:6f:1f
    magic cookie: 0x63825363
    #dhcp-option: message-type: discover
    [asap_firewall_forward(5218):vlan decision] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_check_dhcp_packet(2386):dhcp packet from client] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_forward(5583):looking up bridge entry] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_forward(5894):bridge section] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_forward(6023):session section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6217):fastpath returned 1 opcode 4] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6249):slowpath section: opcode 4] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6485):back to fastpath, opcode 3] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6789):route section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6839):cp route section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(7122):forward section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_flood(8476):flooding] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_flood(8533):adding option 82] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_add_rem_dhcp_option82(8125):returning w/o adding option 82] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_add_vlan_to_dhcp(8313):adding vlan to dhcp] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_add_vlan_to_dhcp(8354):added vlan to dhcp] len 346, vlan 2, egress vlan 2, ingress aruba101:
    #mac: etype 0800 smac 04:69:f8:dd:6f:1f dmac ff:ff:ff:ff:ff:ff
    #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 48, fragment ok, last fragment, fragment offset 0
    #udp: sport 68 dport 67 len 312
    #dhcp: message-type: request
    hardware type: 1, len: 6, hops: 0
    txn id: 0xabc2874b, seconds elapsed: 11
    client mac: 04:69:f8:dd:6f:1f
    magic cookie: 0x63825363
    #dhcp-option: message-type: discover
    #dhcp-option: aruba-vlan: 2
    [asap_firewall_flood(9208):stack section protocol=0x8ffb, type=1] len 346, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_send_up_stack(3316):going to stack protocol:0x8ffb type:1] len 332, vlan 2, egress vlan 2, ingress br0:

    Received packet from aruba101 (timestamp (116-8-11 22:31:18:795360) )
    [asap_firewall_forward(5048):firewall entry] len 342, vlan 0, egress CP, ingress aruba101:
    #mac: etype 0800 smac 04:69:f8:dd:6f:1f dmac ff:ff:ff:ff:ff:ff
    #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 48, fragment ok, last fragment, fragment offset 0
    #udp: sport 68 dport 67 len 308
    #dhcp: message-type: request
    hardware type: 1, len: 6, hops: 0
    txn id: 0xabc2874b, seconds elapsed: 13
    client mac: 04:69:f8:dd:6f:1f
    magic cookie: 0x63825363
    #dhcp-option: message-type: discover
    [asap_firewall_forward(5218):vlan decision] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_check_dhcp_packet(2386):dhcp packet from client] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_forward(5583):looking up bridge entry] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_forward(5894):bridge section] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_forward(6023):session section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6217):fastpath returned 1 opcode 4] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6249):slowpath section: opcode 4] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6485):back to fastpath, opcode 3] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6789):route section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6839):cp route section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(7122):forward section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_flood(8476):flooding] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_flood(8533):adding option 82] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_add_rem_dhcp_option82(8125):returning w/o adding option 82] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_add_vlan_to_dhcp(8313):adding vlan to dhcp] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_add_vlan_to_dhcp(8354):added vlan to dhcp] len 346, vlan 2, egress vlan 2, ingress aruba101:
    #mac: etype 0800 smac 04:69:f8:dd:6f:1f dmac ff:ff:ff:ff:ff:ff
    #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 48, fragment ok, last fragment, fragment offset 0
    #udp: sport 68 dport 67 len 312
    #dhcp: message-type: request
    hardware type: 1, len: 6, hops: 0
    txn id: 0xabc2874b, seconds elapsed: 13
    client mac: 04:69:f8:dd:6f:1f
    magic cookie: 0x63825363
    #dhcp-option: message-type: discover
    #dhcp-option: aruba-vlan: 2
    [asap_firewall_flood(9208):stack section protocol=0x8ffb, type=1] len 346, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_send_up_stack(3316):going to stack protocol:0x8ffb type:1] len 332, vlan 2, egress vlan 2, ingress br0:

    Received packet from aruba101 (timestamp (116-8-11 22:31:23:670524) )
    [asap_firewall_forward(5048):firewall entry] len 342, vlan 0, egress CP, ingress aruba101:
    #mac: etype 0800 smac 04:69:f8:dd:6f:1f dmac ff:ff:ff:ff:ff:ff
    #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 48, fragment ok, last fragment, fragment offset 0
    #udp: sport 68 dport 67 len 308
    #dhcp: message-type: request
    hardware type: 1, len: 6, hops: 0
    txn id: 0xabc2874b, seconds elapsed: 18
    client mac: 04:69:f8:dd:6f:1f
    magic cookie: 0x63825363
    #dhcp-option: message-type: discover
    [asap_firewall_forward(5218):vlan decision] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_check_dhcp_packet(2386):dhcp packet from client] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_forward(5583):looking up bridge entry] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_forward(5894):bridge section] len 342, vlan 2, egress CP, ingress aruba101:
    [asap_firewall_forward(6023):session section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6217):fastpath returned 1 opcode 4] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6249):slowpath section: opcode 4] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6485):back to fastpath, opcode 3] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6789):route section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(6839):cp route section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_forward(7122):forward section] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_flood(8476):flooding] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_flood(8533):adding option 82] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_add_rem_dhcp_option82(8125):returning w/o adding option 82] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_add_vlan_to_dhcp(8313):adding vlan to dhcp] len 342, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_add_vlan_to_dhcp(8354):added vlan to dhcp] len 346, vlan 2, egress vlan 2, ingress aruba101:
    #mac: etype 0800 smac 04:69:f8:dd:6f:1f dmac ff:ff:ff:ff:ff:ff
    #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 48, fragment ok, last fragment, fragment offset 0
    #udp: sport 68 dport 67 len 312
    #dhcp: message-type: request
    hardware type: 1, len: 6, hops: 0
    txn id: 0xabc2874b, seconds elapsed: 18
    client mac: 04:69:f8:dd:6f:1f
    magic cookie: 0x63825363
    #dhcp-option: message-type: discover
    #dhcp-option: aruba-vlan: 2
    [asap_firewall_flood(9208):stack section protocol=0x8ffb, type=1] len 346, vlan 2, egress vlan 2, ingress aruba101:
    [asap_firewall_send_up_stack(3316):going to stack protocol:0x8ffb type:1] len 332, vlan 2, egress vlan 2, ingress br0:

     

    END OF DEBUG INFO

    Second setup (WORKING).

    Cisco switch uplink port in trunk mode, Vlan 2 untagged (native), Vlan 3 tagged.

    IAP IP address 192.168.1.5.

    SSID Office Vlan 1 DHCP pool 192.168.1.x (assigned by Cisco switch), working.

    SSID Sales Vlan 3 DHCP pool 192.168.1.x (assigned by Cisco switch), working.

    DHCP debug info on a client (desktop):


    WIFIAD01# debug pkt mac 04:69:f8:dd:6f:1f

    WIFIAD01# debug pkt match mac

    WIFIAD01# debug pkt type dhcp

    WIFIAD01# debug pkt dump

    If source or destination MAC is 04:69:f8:dd:6f:1f

    AND packet is of type DHCP 

    Press 'q' to quit.

     

    Received packet from bond0 (timestamp (116-8-11 22:19:34:620470) )

    [asap_firewall_forward(5048):firewall entry] len 286, vlan 0, egress CP, ingress bond0:

      #mac: etype 0800 smac 24:01:c7:03:72:09 dmac 04:69:f8:dd:6f:1f

      #ip: sip 192.168.1.1, dip 192.168.1.151, proto 17, dscp 56, fragment ok, last fragment, fragment offset 0

        #udp: sport 67 dport 68 len 252

          #dhcp: message-type: reply

                 hardware type: 0, len: 0, hops: 0

                 txn id: 0x00000000, seconds elapsed: 0

                 your ip: 192.168.1.151

                 magic cookie: 0x63825363

          #dhcp-option: message-type: nack

    [asap_firewall_forward(5218):vlan decision] len 286, vlan 1, egress CP, ingress bond0:

    [asap_firewall_check_dhcp_packet(2426):dhcp packet to client] len 286, vlan 1, egress CP, ingress bond0:

    [asap_firewall_forward(5583):looking up bridge entry] len 286, vlan 1, egress CP, ingress bond0:

    [asap_firewall_forward(5894):bridge section] len 286, vlan 1, egress CP, ingress bond0:

    [asap_firewall_forward(6023):session section] len 286, vlan 1, egress vlan 1, ingress bond0:

    [asap_firewall_forward(6217):fastpath returned 1 opcode 4] len 286, vlan 1, egress vlan 1, ingress bond0:

    [asap_firewall_forward(6249):slowpath section: opcode 4] len 286, vlan 1, egress vlan 1, ingress bond0:

    [asap_firewall_forward(6485):back to fastpath, opcode 3] len 286, vlan 1, egress vlan 1, ingress bond0:

    [asap_firewall_forward(6789):route section] len 286, vlan 1, egress vlan 1, ingress bond0:

    [asap_firewall_forward(6839):cp route section] len 286, vlan 1, egress vlan 1, ingress bond0:

    [asap_firewall_forward(7122):forward section] len 286, vlan 1, egress vlan 1, ingress bond0:

    [asap_firewall_flood(8476):flooding] len 286, vlan 1, egress vlan 1, ingress bond0:

    [asap_firewall_flood(8675):checking dev8 bond0] len 286, vlan 1, egress vlan 1, ingress bond0:

    [asap_firewall_flood(8675):checking dev20 aruba101] len 286, vlan 1, egress vlan 1, ingress bond0:

    [asap_firewall_flood(9190):flooding to aruba101] len 286, vlan 1, egress vlan 1, ingress bond0:

    [asap_firewall_flood(9208):stack section protocol=0x800, type=3] len 286, vlan 1, egress vlan 1, ingress bond0:

     

    WIFIAD01# debug pkt mac 04:69:f8:dd:6f:1f

    WIFIAD01# debug pkt match mac            

    WIFIAD01# debug pkt type dhcp

    WIFIAD01# debug pkt dump

    If source or destination MAC is 04:69:f8:dd:6f:1f

    AND packet is of type DHCP 

    Press 'q' to quit.

     

    Received packet from aruba001 (timestamp (116-8-11 22:21:31:938246) )

    [asap_firewall_forward(5048):firewall entry] len 342, vlan 0, egress CP, ingress aruba001:

      #mac: etype 0800 smac 04:69:f8:dd:6f:1f dmac ff:ff:ff:ff:ff:ff

      #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 48, fragment ok, last fragment, fragment offset 0

        #udp: sport 68 dport 67 len 308

          #dhcp: message-type: request

                 hardware type: 1, len: 6, hops: 0

                 txn id: 0xabc28749, seconds elapsed: 0

                 client mac: 04:69:f8:dd:6f:1f

                 magic cookie: 0x63825363

          #dhcp-option: message-type: discover

    [asap_firewall_forward(5218):vlan decision] len 342, vlan 1, egress CP, ingress aruba001:

    [asap_firewall_check_dhcp_packet(2386):dhcp packet from client] len 342, vlan 1, egress CP, ingress aruba001:

    [asap_firewall_forward(5583):looking up bridge entry] len 342, vlan 1, egress CP, ingress aruba001:

    [asap_firewall_forward(5894):bridge section] len 342, vlan 1, egress CP, ingress aruba001:

    [asap_firewall_forward(6023):session section] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_forward(6217):fastpath returned 1 opcode 4] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_forward(6249):slowpath section: opcode 4] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_forward(6485):back to fastpath, opcode 3] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_forward(6789):route section] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_forward(6839):cp route section] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_forward(7122):forward section] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_flood(8476):flooding] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_flood(8675):checking dev8 bond0] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_flood(9190):flooding to bond0] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_flood(8675):checking dev19 aruba001] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_flood(8675):checking dev20 aruba101] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_flood(9208):stack section protocol=0x800, type=1] len 342, vlan 1, egress vlan 1, ingress aruba001:

     

    Received packet from bond0 (timestamp (116-8-11 22:21:31:941370) )

    [asap_firewall_forward(5048):firewall entry] len 351, vlan 0, egress CP, ingress bond0:

      #mac: etype 0800 smac 24:01:c7:03:72:09 dmac 04:69:f8:dd:6f:1f

      #ip: sip 192.168.1.1, dip 192.168.1.151, proto 17, dscp 56, fragment ok, last fragment, fragment offset 0

        #udp: sport 67 dport 68 len 317

          #dhcp: message-type: reply

                 hardware type: 1, len: 6, hops: 0

                 txn id: 0xabc28749, seconds elapsed: 0

                 your ip: 192.168.1.151

                 client mac: 04:69:f8:dd:6f:1f

                 magic cookie: 0x63825363

          #dhcp-option: netmask: 255.255.255.0

          #dhcp-option: router: 192.168.1.1

          #dhcp-option: dns-server: 192.168.1.22

          #dhcp-option: dns-name: xxxxxxxx

          #dhcp-option: message-type: offer

          #dhcp-option: dhcp-server: 192.168.1.1

    [asap_firewall_forward(5218):vlan decision] len 351, vlan 1, egress CP, ingress bond0:

    [asap_firewall_check_dhcp_packet(2426):dhcp packet to client] len 351, vlan 1, egress CP, ingress bond0:

    [asap_firewall_forward(5583):looking up bridge entry] len 351, vlan 1, egress CP, ingress bond0:

    [asap_firewall_forward(5894):bridge section] len 351, vlan 1, egress CP, ingress bond0:

    [asap_firewall_forward(6023):session section] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(6217):fastpath returned 1 opcode 4] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(6249):slowpath section: opcode 4] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(6485):back to fastpath, opcode 3] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(6789):route section] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(6839):cp route section] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(7122):forward section] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(7439):forwarding packet to aruba001] len 351, vlan 1, egress aruba001, ingress aruba001:

     

    Received packet from aruba001 (timestamp (116-8-11 22:21:32:955272) )

    [asap_firewall_forward(5048):firewall entry] len 342, vlan 0, egress CP, ingress aruba001:

      #mac: etype 0800 smac 04:69:f8:dd:6f:1f dmac ff:ff:ff:ff:ff:ff

      #ip: sip 0.0.0.0, dip 255.255.255.255, proto 17, dscp 48, fragment ok, last fragment, fragment offset 0

        #udp: sport 68 dport 67 len 308

          #dhcp: message-type: request

                 hardware type: 1, len: 6, hops: 0

                 txn id: 0xabc28749, seconds elapsed: 1

                 client mac: 04:69:f8:dd:6f:1f

                 magic cookie: 0x63825363

          #dhcp-option: requested-ip: 192.168.1.151

          #dhcp-option: message-type: request

          #dhcp-option: dhcp-server: 192.168.1.1

    [asap_firewall_forward(5218):vlan decision] len 342, vlan 1, egress CP, ingress aruba001:

    [asap_firewall_check_dhcp_packet(2386):dhcp packet from client] len 342, vlan 1, egress CP, ingress aruba001:

    [asap_firewall_forward(5583):looking up bridge entry] len 342, vlan 1, egress CP, ingress aruba001:

    [asap_firewall_forward(5894):bridge section] len 342, vlan 1, egress CP, ingress aruba001:

    [asap_firewall_forward(6023):session section] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_forward(6217):fastpath returned 1 opcode 4] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_forward(6249):slowpath section: opcode 4] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_forward(6485):back to fastpath, opcode 3] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_forward(6789):route section] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_forward(6839):cp route section] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_forward(7122):forward section] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_flood(8476):flooding] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_flood(8675):checking dev8 bond0] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_flood(9190):flooding to bond0] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_flood(8675):checking dev19 aruba001] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_flood(8675):checking dev20 aruba101] len 342, vlan 1, egress vlan 1, ingress aruba001:

    [asap_firewall_flood(9208):stack section protocol=0x800, type=1] len 342, vlan 1, egress vlan 1, ingress aruba001:

     

    Received packet from bond0 (timestamp (116-8-11 22:21:32:957771) )

    [asap_firewall_forward(5048):firewall entry] len 351, vlan 0, egress CP, ingress bond0:

      #mac: etype 0800 smac 24:01:c7:03:72:09 dmac 04:69:f8:dd:6f:1f

      #ip: sip 192.168.1.1, dip 192.168.1.151, proto 17, dscp 56, fragment ok, last fragment, fragment offset 0

        #udp: sport 67 dport 68 len 317

          #dhcp: message-type: reply

                 hardware type: 1, len: 6, hops: 0

                 txn id: 0xabc28749, seconds elapsed: 0

                 your ip: 192.168.1.151

                 client mac: 04:69:f8:dd:6f:1f

                 magic cookie: 0x63825363

          #dhcp-option: netmask: 255.255.255.0

          #dhcp-option: router: 192.168.1.1

          #dhcp-option: dns-server: 192.168.1.22

          #dhcp-option: dns-name: xxxxxxx

          #dhcp-option: message-type: ack

          #dhcp-option: dhcp-server: 192.168.1.1

    [asap_firewall_forward(5218):vlan decision] len 351, vlan 1, egress CP, ingress bond0:

    [asap_firewall_check_dhcp_packet(2426):dhcp packet to client] len 351, vlan 1, egress CP, ingress bond0:

    [asap_firewall_check_dhcp_packet(2467):Send dhcp user(192.168.1.151) to STM and create the L3 user] len 351, vlan 1, egress CP, ingress bond0:

    [asap_firewall_check_dhcp_packet(2484):Created L3 user] len 351, vlan 1, egress CP, ingress bond0:

    [asap_firewall_forward(5583):looking up bridge entry] len 351, vlan 1, egress CP, ingress bond0:

    [asap_firewall_forward(5894):bridge section] len 351, vlan 1, egress CP, ingress bond0:

    [asap_firewall_forward(6023):session section] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(6217):fastpath returned 1 opcode 4] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(6249):slowpath section: opcode 4] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(6485):back to fastpath, opcode 3] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(6789):route section] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(6839):cp route section] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(7122):forward section] len 351, vlan 1, egress aruba001, ingress bond0:

    [asap_firewall_forward(7439):forwarding packet to aruba001] len 351, vlan 1, egress aruba001, ingress aruba001:

     

    END OF DEBUG INFO

     

    I noticed that in the first case (not working) the received packets are on the "aruba101" interface and in the second one (working) the received packets are on the "bond0" interface.

    Any idea?
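
Added example, not part of the original thread: a small Python parser for the `debug pkt dump` output quoted in post 5 that groups the lines into packets and reports DHCP transactions sent from a wireless interface that never received an offer or ack on the uplink. The sample input is constructed by abridging the two dumps in that post, and treating `bond0` as the wired uplink is an assumption based on where the server replies appear there.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the two dumps in the thread (failing, then working).
SAMPLE_DUMP = """\
Received packet from aruba101 (timestamp (116-8-11 22:31:15:184176) )
txn id: 0xabc2874b, seconds elapsed: 10
#dhcp-option: message-type: discover
[asap_firewall_forward(5218):vlan decision] len 342, vlan 2, egress CP, ingress aruba101:
Received packet from aruba101 (timestamp (116-8-11 22:31:16:242876) )
txn id: 0xabc2874b, seconds elapsed: 11
#dhcp-option: message-type: discover
[asap_firewall_forward(5218):vlan decision] len 342, vlan 2, egress CP, ingress aruba101:
Received packet from aruba001 (timestamp (116-8-11 22:21:31:938246) )
txn id: 0xabc28749, seconds elapsed: 0
#dhcp-option: message-type: discover
[asap_firewall_forward(5218):vlan decision] len 342, vlan 1, egress CP, ingress aruba001:
Received packet from bond0 (timestamp (116-8-11 22:21:31:941370) )
txn id: 0xabc28749, seconds elapsed: 0
#dhcp-option: message-type: offer
[asap_firewall_forward(5218):vlan decision] len 351, vlan 1, egress CP, ingress bond0:
Received packet from aruba001 (timestamp (116-8-11 22:21:32:955272) )
txn id: 0xabc28749, seconds elapsed: 1
#dhcp-option: message-type: request
[asap_firewall_forward(5218):vlan decision] len 342, vlan 1, egress CP, ingress aruba001:
Received packet from bond0 (timestamp (116-8-11 22:21:32:957771) )
txn id: 0xabc28749, seconds elapsed: 0
#dhcp-option: message-type: ack
[asap_firewall_forward(5218):vlan decision] len 351, vlan 1, egress CP, ingress bond0:
"""

PKT = re.compile(r"Received packet from (\S+) \(timestamp \((.+?)\) \)")
FIELDS = (
    ("txn", re.compile(r"txn id: (0x[0-9a-fA-F]+)")),
    # The "#dhcp:" line only says request/reply; the option carries the real type.
    ("msg", re.compile(r"#dhcp-option: message-type: (\w+)")),
    # The "firewall entry" line always shows vlan 0; the decision line has the real one.
    ("vlan", re.compile(r":vlan decision\] len \d+, vlan (\d+)")),
)


def parse_dump(text):
    """Split a dump into packets with ingress, time, txn id, DHCP type and VLAN."""
    packets, cur = [], None
    for line in text.splitlines():
        start = PKT.search(line)
        if start:
            cur = {"ingress": start.group(1), "time": start.group(2),
                   "txn": None, "msg": None, "vlan": None}
            packets.append(cur)
            continue
        if cur is None:
            continue  # CLI echo before the first packet
        for key, rx in FIELDS:
            m = rx.search(line)
            # Client packets are printed twice (before/after the VLAN option is
            # added), so keep the first value seen for each field.
            if m and cur[key] is None:
                cur[key] = m.group(1)
    return packets


def unanswered(packets, uplink="bond0"):
    """Return client transactions with no offer/ack seen on the uplink (assumed bond0)."""
    sent, answered = defaultdict(list), set()
    for p in packets:
        if p["ingress"] == uplink and p["msg"] in ("offer", "ack"):
            answered.add(p["txn"])
        elif p["ingress"] != uplink and p["msg"] in ("discover", "request"):
            sent[p["txn"]].append(p)
    return {txn: {"vlan": ps[0]["vlan"], "ingress": ps[0]["ingress"],
                  "attempts": len(ps)}
            for txn, ps in sent.items() if txn not in answered}


if __name__ == "__main__":
    for txn, info in unanswered(parse_dump(SAMPLE_DUMP)).items():
        print(f"txn {txn}: {info['attempts']} client packet(s) on {info['ingress']} "
              f"in vlan {info['vlan']}, no offer/ack on uplink")
```

A transaction listed here only shows that no reply reached the AP's uplink during the capture; whether the request left the AP with the expected 802.1Q tag has to be confirmed on the switch side.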