Guru Elite

Re: Android phones can't get IP on reconnect...

yes


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Frequent Contributor I

Re: Android phones can't get IP on reconnect...

(controller) #show rights guest            

Derived Role = 'guest'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Web Content Classification: Enabled
 ACL Number = 4/94
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------                                  
Position  Name                           Type     Location
--------  ----                           ----     --------
1         global-sacl                    session  
2         apprf-guest-sacl               session  
3         validuserethacl                eth      
4         acme-block-1918              session  
5         ra-guard                       session  
6         acme-block-dhcp              session  
7         acme-block-linklocal         session  
8         acme-block-management        session  
9         acme-block-local-debug-page  session  
10        acme-guest-dns-nat           session  
11        acme-guest-http-nat          session  
12        acme-guest-icmp-nat          session  
13        acme-guest-ios-gmail-nat     session  
14        acme-guest-gplay-nat         session  
15        acme-guest-ipsec-nat         session  
16        acme-guest-gaming-nat        session  
17        cplogout                       session  
18        acme-drop-any                session  
19        acme-drop-log                session  

global-sacl
-----------                                       
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-guest-sacl
----------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

ip access-list eth validuserethacl
  permit any

acme-block-1918
-----------------
Priority  Source  Destination                 Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------                 -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     10.0.0.0 10.255.255.255     any                   deny                             Low                                                           4        
2         any     172.16.0.0 255.248.0.0      any                   deny                             Low                                                           4        
3         any     192.168.0.0 192.168.255.25  any                   deny                             Low                                                           4        
ra-guard
--------
Priority  Source  Destination  Service           Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------           -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          icmpv6 rtr-adv                 deny                             Low                                                           6        
acme-block-dhcp
-----------------                                 
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          udp 68                deny               Yes           Low                                                           4        
acme-block-linklocal
----------------------
Priority  Source  Destination              Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     169.254.0.0 255.255.0.0  any                   deny                             Low                                                           4        
acme-block-management
-----------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     controller   any                   deny               Yes           Low                                                           4        
acme-block-local-debug-page
-----------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    localip      any                   deny                             Low                                                           4        
acme-guest-dns-nat
--------------------
Priority  Source  Destination  Service  Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    74.82.42.42  svc-dns               src-nat pool acme-av1-nat-pool                           Low                                                           4        
2         user    8.8.8.8      svc-dns               src-nat pool acme-av1-nat-pool                           Low                                                           4        
3         user    8.8.4.4      svc-dns               src-nat pool acme-av1-nat-pool                           Low                                                           4        
acme-guest-http-nat
---------------------
Priority  Source  Destination  Service    Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------    -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          svc-https               src-nat pool acme-av1-nat-pool                           Low                                                           4        
2         user    any          svc-http                src-nat pool acme-av1-nat-pool                           Low                                                           4        
acme-guest-icmp-nat
---------------------
Priority  Source  Destination  Service   Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------   -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          svc-icmp               src-nat pool acme-av1-nat-pool                           Low                                                           4        
acme-guest-ios-gmail-nat
--------------------------
Priority  Source  Destination  Service  Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          tcp 993               src-nat pool acme-av1-nat-pool                           Low                                                           4        
2         user    any          tcp 465               src-nat pool acme-av1-nat-pool                           Low                                                           4        
acme-guest-gplay-nat
----------------------
Priority  Source  Destination  Service   Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------   -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          tcp 5228               src-nat pool acme-av1-nat-pool                           Low                                                           4        
acme-guest-ipsec-nat
----------------------
Priority  Source  Destination  Service   Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------   -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          udp 4500               src-nat pool acme-av1-nat-pool                           Low                                                           4        
2         user    any          udp 500                src-nat pool acme-av1-nat-pool                           Low                                                           4        
3         user    any          tcp 4500               src-nat pool acme-av1-nat-pool                           Low                                                           4        
4         user    any          tcp 500                src-nat pool acme-av1-nat-pool                           Low                                                           4        
acme-guest-gaming-nat
-----------------------
Priority  Source  Destination  Service    Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------    -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          udp 2053                src-nat pool acme-av1-nat-pool                           Low                                                           4        
2         any     any          tcp 10050               src-nat pool acme-av1-nat-pool                           Low                                                           4        
3         any     any          tcp 9293                src-nat pool acme-av1-nat-pool                           Low                                                           4        
4         any     any          udp 50000               src-nat pool acme-av1-nat-pool                           Low                                                           4        
5         any     any          tcp 1119                src-nat pool acme-av1-nat-pool                           Low                                                           4        
6         any     any          tcp 3724                src-nat pool acme-av1-nat-pool                           Low                                                           4        
cplogout
--------
Priority  Source  Destination  Service    Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------    -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller   svc-https               dst-nat 8081                           Low                                                           4        
acme-drop-any
---------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any                   deny                             Low                                                           4        
acme-drop-log
---------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any                   deny               Yes           Low                                                           4        

Expired Policies (due to time constraints) = 0

(controller) #  

Guru Elite

Re: Android phones can't get IP on reconnect...

Mike mclarke says, "any any svc-dhcp permit" needs to be at the top of that, otherwise you will have DHCP problems like you have been having.  None of your rules explicitly allow DHCP when a user re-associates later.


Frequent Contributor I

Re: Android phones can't get IP on reconnect...

Ohh - so they are getting DHCP in the guest-logon role, but it's being blocked when they reassociate before their session times out?

Makes sense.

The guy before me has the deny udp 68 rule so guests can't give out DHCP.  Is that even effective though?  I don't believe I allow guest to guest communication.  Can I just delete that rule and allow DHCP at the top of the ruleset?

Guru Elite

Re: Android phones can't get IP on reconnect...

You can put the udp 68 deny rule first, then the any any svc-dhcp permit rule next.

Frequent Contributor I

Re: Android phones can't get IP on reconnect...

Done.  I'm guessing that's going to resolve the issue.  Thanks for the blazing fast replies once again!

Re: Android phones can't get IP on reconnect...

Yeah, what happens is that when the devices wake up they remember their IP details and then do a unicast RENEW to the DHCP server, which you have blocked.

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Frequent Contributor I

Re: Android phones can't get IP on reconnect...

Okay, that makes a lot of sense.

Thanks for your help!
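Added example (not part of any post in this thread): a first-match model of a simplified subset of the guest role above, showing why the unicast renew is dropped under the original order and why the udp 68 deny goes before the svc-dhcp permit. The DHCP server address 10.1.1.10, the shortened rule names, and svc-dhcp covering udp 67-68 are assumptions of this sketch.

```python
import ipaddress
from collections import namedtuple

# Constructed model: src_is_user marks traffic sent by the wireless client.
Packet = namedtuple("Packet", "src_is_user dst proto dport")
Rule = namedtuple("Rule", "name src dst proto ports action")

SVC_DHCP = range(67, 69)  # assumption: svc-dhcp covers udp 67-68

# Simplified subset of the guest role from the thread, in its listed order.
ORIGINAL = [
    Rule("block-1918", "any", "10.0.0.0/8", "any", None, "deny"),
    Rule("block-dhcp", "user", "any", "udp", range(68, 69), "deny"),
    Rule("guest-dns-nat", "user", "8.8.8.8/32", "udp", range(53, 54), "src-nat"),
    Rule("guest-http-nat", "user", "any", "tcp", range(443, 444), "src-nat"),
    Rule("drop-any", "any", "any", "any", None, "deny"),
]
ALLOW_DHCP = Rule("allow-dhcp", "any", "any", "udp", SVC_DHCP, "permit")
REST = [r for r in ORIGINAL if r.name != "block-dhcp"]
# Ordering suggested in the thread: deny udp 68 from users, then permit DHCP.
FIXED = [ORIGINAL[1], ALLOW_DHCP] + REST
# Reversed ordering, for comparison: the permit shadows the deny.
PERMIT_FIRST = [ALLOW_DHCP, ORIGINAL[1]] + REST

def matches(rule, pkt):
    if rule.src == "user" and not pkt.src_is_user:
        return False
    if rule.dst != "any" and (
        ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst)
    ):
        return False
    if rule.proto not in ("any", pkt.proto):
        return False
    return rule.ports is None or pkt.dport in rule.ports

def evaluate(rules, pkt):
    """Return (rule name, action) of the first rule that matches, top down."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action
    return "implicit", "deny"

# Constructed packets: a unicast renew to a DHCP server at 10.1.1.10 (assumed
# address), and a client answering on udp 68 as if it were a DHCP server.
RENEW = Packet(True, "10.1.1.10", "udp", 67)
ROGUE_REPLY = Packet(True, "255.255.255.255", "udp", 68)

for name, rules in (("original", ORIGINAL), ("fixed", FIXED), ("permit-first", PERMIT_FIRST)):
    print(name, evaluate(rules, RENEW), evaluate(rules, ROGUE_REPLY))
```

In this model the renew never reaches a permit under the original order, and with the permit placed first the client-sourced udp 68 traffic is allowed before the deny is consulted.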
