AOS 8.4 External Captive Portal problem - walled garden not working well

  • 1.  AOS 8.4 External Captive Portal problem - walled garden not working well

    Posted Apr 16, 2019 01:08 PM

    Hi Community. We have two MD 7210 managed by a VMM. We have about 350 APs and give access to about 2500 users. Everything is under release 8.4.0. We upgraded from 8.3 after license issues. With release 8.4.0 we are facing very strange problems with an external Captive Portal. Everything works for some days and then suddenly stops working. It happens randomly on each controller. If the controller is rebooted, the problem is solved for some time. The external CP is Socifi and during the error the site cannot load correctly (it only loads the main portal with an image indicating that maybe the walled garden is not well configured because it cannot access other sites - so it seems that during the error the walled garden is not working properly).
    I could not find any related issue. The user-table during the error shows fewer sessions - seems logical. I uploaded an alias with the list of all IPs that Socifi needs (to bypass the walled garden) but without success.

    I made some modifications to the walled garden and it seems that it does not work on the fly - for example, adding a website that should work during preauth. Maybe there is a service/process that I can check?

    I cannot figure out how to debug this and find the error. I will downgrade to 8.3.0.6 and check - hope this solves the issue. However, I need to understand how to find where the issue is for future debugging. I could not simulate the error in my lab.
    Regards



  • 2.  RE: AOS 8.4 External Captive Portal problem - walled garden not working well

    EMPLOYEE
    Posted Apr 19, 2019 07:19 PM

    Are you using walled garden with IP addresses or hostnames/URLs? See if those hostnames end up in "show firewall dns-names". Essentially, when a user attempts to go to a hostname, the controller caches the returned DNS address and either allows or blocks traffic to that IP address. If it does not show up in "show firewall dns-names" on the local controller, that means something is not right.



  • 3.  RE: AOS 8.4 External Captive Portal problem - walled garden not working well

    Posted Apr 20, 2019 09:57 AM

    Hi cjoseph. We are using names (domains/URLs). However, after facing this issue I configured an ACL in the preauth policy allowing every IP involved and the problem continues.

    I will try "show firewall dns-names" and let you know the results.

    Now that you mention the walled garden behaviour, I would like to understand it. When a user tries to reach, let's say, www.google.com, and the page exists in the walled garden (e.g. *.google.com), does the controller allow traffic for the IP address resolved by the DNS server that the user uses or the DNS server that the controller has? Although we are using the same DNS server, the IP resolved could be different. This Captive Portal is in AWS and they return different IPs for the same FQDN. Thanks and regards.

     

     



  • 4.  RE: AOS 8.4 External Captive Portal problem - walled garden not working well

    EMPLOYEE
    Posted Apr 20, 2019 03:27 PM

    If there is an ACL, the controller will return whatever IP address(es) are returned by wireless clients resolving that IP address or hostname. Later when hostnames are used in an ACL, those IP addresses are used.
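
Added example, not part of any post in this thread and not ArubaOS code: a simplified Python model of the behaviour described in replies 2 and 4, where the allowlist is populated from the DNS answers that clients themselves receive, so an IP handed out for the same FQDN elsewhere is not permitted until a client's answer contains it. The class and method names, the hostnames and the documentation-range IPs are constructed, and the rule that only allowlisted names are cached is an assumption of this model.

```python
from fnmatch import fnmatchcase

class WalledGarden:
    """Toy model of a DNS-snooping allowlist (assumption: not ArubaOS internals)."""

    def __init__(self, patterns):
        self.patterns = [p.lower() for p in patterns]
        self.dns_names = {}  # hostname -> IPs learned from client DNS answers

    @staticmethod
    def _norm(hostname):
        return hostname.lower().rstrip(".")

    def matches(self, hostname):
        return any(fnmatchcase(self._norm(hostname), p) for p in self.patterns)

    def snoop_dns_answer(self, hostname, ips):
        """Record the IPs from a client's DNS answer if the name is allowlisted."""
        if not self.matches(hostname):
            return False
        self.dns_names.setdefault(self._norm(hostname), set()).update(ips)
        return True

    def permits(self, dst_ip):
        """Pre-auth traffic passes only to IPs already learned from DNS answers."""
        return any(dst_ip in ips for ips in self.dns_names.values())


def demo():
    # Constructed sample data: documentation hostnames and IP ranges only.
    wg = WalledGarden(["*.example.com"])
    results = {}
    wg.snoop_dns_answer("portal.example.com", ["192.0.2.10"])
    results["learned_ip"] = wg.permits("192.0.2.10")
    # Same FQDN, different IP handed out elsewhere (rotating cloud records):
    # not permitted until a client's own answer containing it is seen.
    results["unseen_ip"] = wg.permits("198.51.100.20")
    wg.snoop_dns_answer("Portal.Example.com.", ["198.51.100.20"])
    results["after_client_lookup"] = wg.permits("198.51.100.20")
    # A name outside the allowlist is never cached, so its IP stays blocked.
    results["foreign_cached"] = wg.snoop_dns_answer("cdn.example.net", ["203.0.113.5"])
    results["foreign_ip"] = wg.permits("203.0.113.5")
    return results

if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```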



  • 5.  RE: AOS 8.4 External Captive Portal problem - walled garden not working well

    Posted Apr 24, 2019 09:23 AM

    Hi. Although we are not facing the problem yet (using version 8.3.6), we now reach the same symptom explained here: https://community.arubanetworks.com/t5/Wireless-Access/firewall-dns-names-and-netdestinations/td-p/489306

    Executing "show firewall dns-name" we get the output "Module Authentication is busy".

    I am manually monitoring this output and the last time I got it, I found some DNS names that are not in the netdestination list of the walled garden. Why is the system recording these DNS names? What other service is populating this firewall list? Regards!