SSH into the controller that you are having the problem with.
Find the client IP and do a "show datapath session table <client's ip address>" to see what port 80 traffic is being denied. This is my output here:
(host) #show datapath session table 192.168.1.192
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
Source IP      Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
192.168.1.192  8.8.8.8        17   54242 53    0/0  0    96  1   tunnel 24   2    FSCI
192.168.1.192  10.2.1.226     6    49195 443   0/0  0    96  1   tunnel 24   18   FNCI
192.168.1.192  10.2.1.226     6    49196 443   0/0  0    96  0   tunnel 24   e    FNCI
192.168.1.192  10.2.1.226     6    49197 443   0/0  0    96  0   tunnel 24   4    FNCI
192.168.1.192  199.66.201.169 6    49199 80    0/0  0    96  0   tunnel 24   2    FDY <---------------------
192.168.1.3    192.168.1.192  6    8081  49196 0/0  0    96  1   tunnel 24   e    FSI
192.168.1.3    192.168.1.192  6    8081  49197 0/0  0    96  0   tunnel 24   4    FSI
192.168.1.3    192.168.1.192  6    8081  49198 0/0  0    96  0   tunnel 24   2    SI
192.168.1.3    192.168.1.192  6    8080  49199 0/0  0    96  0   tunnel 24   2    FS
192.168.1.3    192.168.1.192  6    8081  49195 0/0  0    96  1   tunnel 24   18   FSI
As you can see, my client's port 80 traffic is being denied to 199.66.201.169.
Do an "nslookup" on the command line for that IP address to see if it is an OCSP or CRL URL:
Host:~ colinjoseph$ nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> 199.66.201.169
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
169.201.66.199.in-addr.arpa name = ocsp.usertrust.com.
Since it is an OCSP URL, I would add the 199.66.201.169 address to your netdestination, and that should fix it for now.
If this is ArubaOS 6.x and above, I would add the name ocsp.usertrust.com to the netdestination you are using:
netdestination usertrust
name ocsp.usertrust.com
Please make sure that ip domain-lookup is on and you have a dns server defined, if this is 6.x and you are using the named netdestination:
config t
ip domain lookup
ip domain-name test.com
ip name-server 8.8.8.8
ip name-server 4.2.2.2
If you are configuring the ip domain-lookup above, you can ignore the message that you need to reboot.
Test to make sure your domain lookup is working by pinging a URL (once again, ONLY if you are using ArubaOS 6.x and above):
(3600 controller) # ping www.zdnet.com
Press 'q' to abort.
Sending 5, 100-byte ICMP Echos to 216.239.116.55, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 61.783/63.033/63.654 ms
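
The check described in the post (find the client's flows carrying the D flag, then reverse-resolve the destination) can be scripted over saved CLI output. The following is an added example, not part of the original post or any Aruba tooling; the function names are hypothetical, the sample rows are constructed from the layout shown above, and it assumes whitespace-separated rows with the flags in the last column.

```python
import ipaddress

# Constructed sample modeled on the rows shown in the post (not captured output).
SAMPLE = """\
Source IP      Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
192.168.1.192  8.8.8.8        17   54242 53    0/0  0    96  1   tunnel 24   2    FSCI
192.168.1.192  10.2.1.226     6    49195 443   0/0  0    96  1   tunnel 24   18   FNCI
192.168.1.192  199.66.201.169 6    49199 80    0/0  0    96  0   tunnel 24   2    FDY
192.168.1.3    192.168.1.192  6    8080  49199 0/0  0    96  0   tunnel 24   2    FS
"""


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_sessions(text):
    """Return one dict per session row; legend, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split("<-")[0].split()   # drop a trailing "<----" annotation
        if len(tok) < 6 or not (_is_ip(tok[0]) and _is_ip(tok[1])):
            continue
        # Assumption: flags are the last column and always upper-case letters;
        # a row with no flags ends in the TAge value instead.
        flags = tok[-1] if tok[-1].isalpha() and tok[-1].isupper() else ""
        rows.append({"src": tok[0], "dst": tok[1], "proto": int(tok[2]),
                     "sport": int(tok[3]), "dport": int(tok[4]), "flags": flags})
    return rows


def denied_flows(text, client_ip, dport=None):
    """Destinations the given client was denied ('D' flag), optionally for one port."""
    return sorted({(r["dst"], r["proto"], r["dport"])
                   for r in parse_sessions(text)
                   if r["src"] == client_ip and "D" in r["flags"]
                   and (dport is None or r["dport"] == dport)})


if __name__ == "__main__":
    for dst, proto, port in denied_flows(SAMPLE, "192.168.1.192", 80):
        print(f"denied: {dst} proto {proto} port {port} -> reverse-resolve it")
```

Each destination it reports is a candidate for the reverse lookup shown earlier; only add it to the netdestination once the name confirms it is an OCSP or CRL responder.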