Wireless Access

Regular Contributor I

7005 controller firewall issues

Here's an odd thing we've seen a couple of times...  When creating a new role the ACLs sometimes don't work properly. Only seen this on our lab environment, which is a clustered pair of 7005 controllers runing 8.5, with a virtual mobility master.


First time this happened the implicit deny at the end of the ACLs just didn't work. More recently my colleague was testing config for a new role and some of the rules didn't work. After spending a long time trying to figure out what was wrong, removed all the ACLs, re-added them and it all works.


I can't recreate this reliably, so there's no point raising a TAC call about it, but thought I'd put it out there in case anyone else has seen similar weirdness.

Guru Elite

Re: 7005 controller firewall issues

You should double-check that the ACLs have been applied properly by using the "show rights" command against the role on the MD and "show acl hits".  Beyond that, there is not enough information in your post to determine what is wrong.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars

Re: 7005 controller firewall issues

one possible thing you may be hitting here is that existing flows in the session table (show datapath session) do not get reclassified against changes/additions to the acls. 


For example, if I have an acl that says


user any svc-ftp permit
user any any deny

Then say I open a ftp session on the client to some server, and while I am using the FTP session I removed the ACL for svc-ftp, the session would still continue without being denied.

Maybe you encountered a variant of this ?


Regular Contributor I

Re: 7005 controller firewall issues

That's a distinct possibility. Will definitely look out for this next time.



Search Airheads
Showing results for 
Search instead for 
Did you mean: