Wireless Access


Datapath session table through NAT

  • 1.  Datapath session table through NAT

    Posted Feb 27, 2014 01:32 PM

    I've got a controller that has a guest network on it.  The controller has an rfc1918 range on it, is serving dhcp, and is providing nat/pat.  I'm trying to figure out a way to get source/destination flows from it.  On our non-guest range, I can issue a "show datapath session table x.x.x.x" and get both outbound and inbound flows. However, on the guest range, I only get outbound flows:


      Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
    --------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
    192.168.93.61   23.61.194.96    6    49490 80     0/0     0 24  9   tunnel 930  a3   217       17093      STC
    192.168.93.61   23.61.194.96    6    49491 80     0/0     0 24  9   tunnel 930  a3   76        6556       STC
    192.168.93.61   23.61.194.112   6    49496 80     0/0     0 24  9   tunnel 930  a2   115       8226       STC
    192.168.93.61   23.61.194.112   6    49497 80     0/0     0 24  9   tunnel 930  a2   21        1960       STC
    192.168.93.61   23.61.194.96    6    49494 80     0/0     0 24  10  tunnel 930  a2   12        954        STC
    192.168.93.61   23.61.194.96    6    49492 80     0/0     0 24  9   tunnel 930  a3   37        2912       STC
    192.168.93.61   17.172.232.152  6    49308 443    0/0     0 24  23  tunnel 930  44b  0         0          STC
    192.168.93.61   17.154.66.156   6    49501 443    0/0     0 24  10  tunnel 930  a0   20        2403       STC
    192.168.93.61   23.61.194.104   6    49495 80     0/0     0 24  9   tunnel 930  a2   172       14243      STC
    192.168.93.61   216.113.175.215 6    49383 443    0/0     0 24  24  tunnel 879  18f  0         0          STC


    Any idea how to get a capture for inbound flows as well?  Thanks



  • 2.  RE: Datapath session table through NAT

    Posted Feb 27, 2014 02:43 PM

    Although it might not be the complete answer you're looking for, I've one tip...


    Say for instance you're looking for the inbound session of the first outbound one listed in your table. In that case, do a...


    "show datapath session table | include 49490"


    This will match anything with that source port, which actually shows what I think you're looking for more often than not.


    For example, I just did the below on one of my controllers, set up similarly to what you likely will have. In this case, matching port 59211, after I looked at client 172.16.10.84 sessions...


    (WLCBSA001) #show datapath session table | include 59211
    172.16.10.84    67.215.65.132   6    59211 1352   0/0     0 0   1   tunnel 43   17   0         0          SYC
    67.215.65.132   194.x.x.x 6    1352  59211  0/0     0 0   1   tunnel 43   17   0         0          NY


    194.x.x.x is my outside interface.



  • 3.  RE: Datapath session table through NAT

    Posted Sep 02, 2020 10:08 AM

    How do I log NAT traffic including inside and NAT address? This is easy in firewalls as they show the NAT translation tables and traffic. This is essential in doing investigations. How do I do this with the controller? What is logged only shows the external NAT address. As I am doing PAT, this external addy is in use by everyone. I need to see and log in real time the sessions that include inside addy/port; translated addy/port; destination address/port. This is trivial for any firewall.



  • 4.  RE: Datapath session table through NAT

    MVP EXPERT
    Posted Sep 02, 2020 10:16 AM

    If I've understood your question correctly, you'd check the datapath session table for the S and N flags if the controller is performing the NAT.


    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           u - Upstream Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop, h - High Value
           A - Application Firewall Inspect
           J - SDWAN Default Probe stats used as fallback
           B - Permanent, O - Openflow
           L - Log, o - Openflow config revision mismatched


    Under what context are you trying to view the traffic, what is your NAT configuration on the controller?
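    The port-matching tip in reply 2 and the S/N flags in reply 4 can be combined into a small parser that rebuilds the inside/translated/destination view a PAT log needs. This is an added example, not Aruba code or anything posted in this thread; it assumes the column layout shown above with Flags as the last column, and that the translated port equals the client's source port (as in the 59211 example), so a flow whose port was rewritten shows up as unmatched rather than mis-paired.

```python
"""Correlate src-NAT (S) and dest-NAT (N) rows of an Aruba 'show datapath
session table' listing into inside/translated/destination records."""
from collections import namedtuple

Session = namedtuple("Session", "src dst proto sport dport flags")

# Constructed sample in the thread's column layout (RFC 5737 documentation
# addresses); the translated port equals the client port, as with 59211 above.
SAMPLE = """\
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
172.16.10.84    198.51.100.7    6    59211 1352   0/0     0 0   1   tunnel 43   17   0         0          SYC
198.51.100.7    203.0.113.10    6    1352  59211  0/0     0 0   1   tunnel 43   17   0         0          NY
172.16.10.84    198.51.100.9    6    49490 80     0/0     0 24  9   tunnel 930  a3   217       17093      STC
"""

def parse_table(text):
    """One Session per data row; headers, rules and rows whose last token is
    not an alphabetic Flags value are skipped."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or not tok[0].replace(".", "").isdigit() or not tok[-1].isalpha():
            continue
        out.append(Session(tok[0], tok[1], int(tok[2]),
                           int(tok[3]), int(tok[4]), tok[-1]))
    return out

def correlate_nat(sessions):
    """Pair each S-flagged outbound row with the N-flagged return row for the
    same remote host/port, protocol and client port; that row's destination is
    the outside interface (the translated addr/port). Unmatched rows keep None."""
    inbound = {(s.src, s.sport, s.proto, s.dport): s
               for s in sessions if "N" in s.flags}
    records = []
    for s in sessions:
        if "S" not in s.flags:
            continue
        peer = inbound.get((s.dst, s.dport, s.proto, s.sport))
        records.append({"proto": s.proto, "inside": (s.src, s.sport),
                        "translated": (peer.dst, peer.dport) if peer else None,
                        "destination": (s.dst, s.dport)})
    return records

def format_record(r):
    """One syslog-style line carrying the three addr/port tuples."""
    fmt = lambda t: "%s:%d" % t if t else "unknown"
    return "proto=%d inside=%s translated=%s dest=%s" % (
        r["proto"], fmt(r["inside"]), fmt(r["translated"]), fmt(r["destination"]))
```

    Feeding the collected output of `show datapath session table` (or the `| include <port>` subset) through `parse_table` and `correlate_nat` gives one line per client flow that can be shipped to syslog.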



  • 5.  RE: Datapath session table through NAT

    Posted Sep 02, 2020 10:30 AM

    Scenario:

    Law enforcement calls and says your Aruba wireless public IP was engaged in malicious activity.  They give you the source address (controller public address), the destination IP (website/etc.) and the date/time this happened. You have the controller configured to do PAT to one external address (this is the offending source address provided by law enforcement) and RFC1918 addresses for wireless clients.  The date/time of this offense was 3 months earlier.  You have configured the controller to send traffic logs to a remote syslog server.  When reviewing the logs, they only show the one external IP to which "everything is NAT/PAT".  The logs don't include the actual RFC 1918 address from the client in the log entry.


    The goal is to send all the traffic to a syslog server that contains:

    date/time; inside addy/port; translated addy/port; destination addy/port.  They currently just show the one PAT address for all clients, which renders the logs in general quite useless.  Tracking down "who" went "where" becomes impossible using what is currently provided in the logs. How can this be done?




  • 6.  RE: Datapath session table through NAT

    EMPLOYEE
    Posted Sep 03, 2020 06:45 AM

    Hi,


    I would suggest using IPFIX and forwarding the flow records from the Aruba controllers to your collector. There are two templates (300 and 301) that contain meaningful info to address your visibility concern. You will gather fields like the ones below...

    [two screenshots of the IPFIX template fields]



  • 7.  RE: Datapath session table through NAT

    Posted Sep 03, 2020 09:02 AM

    Thank you.  I will give it a shot.  I