Wireless Access

last person joined: 12 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

ACL to actively send a deny or reject on a controller

This thread has been viewed 2 times

  • 1.  ACL to actively send a deny or reject on a controller

    Posted Nov 13, 2015 03:57 AM

    Hi,

     

    i currently try to implement a session ACL that actively sends a reject to a TCP-Connection instead of just dropping the traffic so that the user's trying to access this service out of a wrong network have long timeouts and get a reject instantly.

    And i didn't get it working. So i implemented a test-acl in my lab looking:

    ip access-list session my-test-acl
  any user svc-icmp  permit
  any any svc-icmp  permit
  any any svc-https  deny send-deny-response
!

    To reject all traffic to port 443. A web browser shows the same behaviour (it takes a very long time until a error is shown up) than the other app. So i started wireshark to examine it a bit and wireshark shows this:

    packet-reject.png

     

    Initially i expected some ICMP packet to be sent from the aruba controller stating that the services is not reachable, but instead it seems that the controller answers with a TCP RST packet - but this packet seems to be malformed and so the client just drops it instead of processing it.

     

    Did i miss something or is this the wrong way to 'reject' a TCP connection? Tried this with 6.4.3.4 and 6.4.4.1.

     

    Thanks & Bye,

          Chris