Wireless Access

Reply
Occasional Contributor I

Communication with Google Cloud Print

Hello,

I'm hoping someone can point me in the right direction with my problem. I'm trying to create a simple password protected wireless network to connect some wi-fi enabled HP printers and Chromebooks to for a special program. We have 4 VLANs on the controller, VLAN 1 (not used), VLAN 30 (our internal employee network), VLAN 50 (the wireless management network), and VLAN 99 (our existing guest network). I decided to use VLAN 99 when I ran through the VLAN wizard and it works for just about everythingm but the printer cannot communicate with Google to print the Cloud Print claim form. I deleted this test network and created a new one using VLAN 30 and the printer CAN print the claim form. If I simply set the VLAN back to 99, the printer CAN'T print the claim form. I'm having trouble trying to figure out what would allow a device on this guest network to browse the web, yet not allow it to communicate with whatever servers host Google's Cloud Print services.

This controller is an old Mobility 3200 running ArubaOS 6.3.1.8.

Any thoughts/suggestions?

Thanks!
Mark

Guru Elite

Re: Communication with Google Cloud Print

Do you have "ip nat inside" enabled on VLAN 99"?

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor I

Re: Communication with Google Cloud Print

Yes I do:

 

interface vlan 99
ip address 192.168.99.1 255.255.255.0
no ip routing
ip nat inside

 

This is the original guest vlan that was configured many moons ago for use with our guest network using captive portal. 

 

Thanks!

Mark

Guru Elite

Re: Communication with Google Cloud Print

Is your guest role blocking any traffic?

 

EDIT:

While you are trying to print to the printer, I would type "show datapath session table <ip address of printer>" to see if anything is being blocked.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor I

Re: Communication with Google Cloud Print

My AAA profile has the following roles on this WLAN:

Initial: authenticated
Mac Auth Default: guest
802.1X Auth Default: guest

Each of those roles are defined as:

user-role authenticated
access-list session ra-guard
access-list session allowall

user-role guest
access-list session ra-guard
access-list session cplogout

and these policies have these rules:

ip access-list session ra-guard
ipv6 user any icmpv6 rtr-adv deny

ip access-list session v6-allowall
ipv6 any any any permit

ip access-list session cplogout
user alias mswitch svc-https dst-nat 8081

The output of show datapath session is:

(EC-3200) #show datapath session table 192.168.99.144


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
192.168.99.144 8.8.8.8 17 36109 53 0/0 0 0 0 tunnel 22 0 1 61 FSCI
192.168.99.144 74.125.142.125 6 34503 5222 0/0 0 0 0 tunnel 22 0 1 64 SYC
192.168.99.144 8.8.8.8 17 53464 53 0/0 0 0 0 tunnel 22 0 1 61 FSCI

(EC-3200) #show datapath session table 192.168.99.144


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
192.168.99.144 216.239.38.120 6 63000 443 0/0 0 0 0 tunnel 22 2 0 0 FSC
192.168.99.144 8.8.8.8 17 36109 53 0/0 0 0 0 tunnel 22 3 0 0 FSCI
192.168.99.144 216.239.38.120 6 51120 443 0/0 0 0 0 tunnel 22 2 0 0 SC
192.168.99.144 74.125.142.125 6 34503 5222 0/0 0 0 0 tunnel 22 3 0 0 SC
192.168.99.144 8.8.8.8 17 48518 53 0/0 0 0 0 tunnel 22 2 0 0 FSCI
192.168.99.144 8.8.8.8 17 53464 53 0/0 0 0 0 tunnel 22 3 0 0 FSCI
192.168.99.144 8.8.8.8 17 55542 53 0/0 0 0 0 tunnel 22 2 0 0 FSCI

(EC-3200) #show datapath session table 192.168.99.144


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
192.168.99.144 216.239.38.120 6 51120 443 0/0 0 0 1 tunnel 22 15 0 0 SC
192.168.99.144 74.125.142.125 6 34503 5222 0/0 0 0 0 tunnel 22 16 1 52 SC
192.168.99.144 8.8.8.8 17 53464 53 0/0 0 0 1 tunnel 22 16 0 0 FSCI
192.168.99.144 8.8.8.8 17 55542 53 0/0 0 0 1 tunnel 22 15 0 0 FSCI

(EC-3200) #

That was three executions of the command while the printer tried to print the claim form. The whole process errors out on the printer within 2 seconds, so the timimg of my command spam might have been lacking.

Thanks for your time,
Mark

Guru Elite

Re: Communication with Google Cloud Print

All I see is no return traffic from 8.8.8.8, so I hope DNS is working correctly on the subnet. EDIT:  I see the DNS return traffic.

 

When you say it fails, does it fail on the client printing, or does the printer have an error?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor I

Re: Communication with Google Cloud Print

The printer has an display panel with a sub menu item for printing out a claim form for Google Cloud Print. When I press the button to submit the details about the printer to Google, it fails with an error that it (the printer) failed to register with Google Cloud Print and to try again later, so it's form the printer itself.

 

If I switch the VLAN to 30, th registration occurs normally as expected. It's puzzling because I have connected clients, namely a Chromebook and a Windows 10 PC, to the same network on VLAN 99 and can browse the web, hit several of Google's services like Drive without any trouble. 

 

Thanks,

Mark

 

 

 

 

Guru Elite

Re: Communication with Google Cloud Print

I think you should probably think about anything within your network that you are doing different.  I can't say from here what is different.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor I

Re: Communication with Google Cloud Print

Thank you. It's good to hear that it doesn't seem to be caused by something in the wireless configuration. I was speaking with our web filter admin about it and he thinks that there may be some config differences between how this guest network is handled vs our employee network, so we'll be shifting focus there. Thanks again for your time.

 

Mark

Guru Elite

Re: Communication with Google Cloud Print

Let us know what it is if you resolve it, thanks.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: