Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Master and Local controllers handle firewall traffic differently

  • 1.  Master and Local controllers handle firewall traffic differently

    Posted Jan 27, 2015 04:41 PM

    We have a pair of 7210s running 6.3.1.10, set as master and local.  We have user VLAN pools trunked to both controllers with no differences in switch port configuration.  There are no firewall policies applied to the interfaces, and we make use of role-based firewall policies.  The config is synced nicely between controllers.

     

    However, a user associated with an AP on our local controller hits a phantom firewall deny rule that doesn't appear on the master controller, and doesn't show up in the config.  When we view the client status, the User Firewall State lists the denied access, but doesn't indicate what rule it's using.

     

    So strange!



  • 2.  RE: Master and Local controllers handle firewall traffic differently

    Posted Jan 27, 2015 04:48 PM

    Check under monitoring/firewall hits to see if you can decipher what role and policy is denying the action.  

    It may help if you explain what the user is trying to do when denied.

     

    You can click the "refresh now" button when you see the deny to see what "deny" actions have new hits.



  • 3.  RE: Master and Local controllers handle firewall traffic differently

    Posted Jan 27, 2015 05:00 PM

    The firewall hit does not appear in the Monitoring/firewall hits page.

     

    The user is trying to access an internal web service.



  • 4.  RE: Master and Local controllers handle firewall traffic differently
    Best Answer

    EMPLOYEE
    Posted Jan 27, 2015 04:48 PM

    Can you please do a forced configuration push?

     

    From the master:

    (config) #cfgm set sync-type complete
    (config) #write mem

     Wait about a minute or so and then change the cfgm setting back:

    (config) #cfgm set sync-type snapshot

     



  • 5.  RE: Master and Local controllers handle firewall traffic differently

    Posted Jan 27, 2015 05:04 PM

    I changed the config push setting as you suggested, and it didn't change the behaviour.



  • 6.  RE: Master and Local controllers handle firewall traffic differently

    Posted Jan 27, 2015 05:08 PM

    Here's what I see in the User Status:

     

    Source IP    Source Port  Destination IP  Destination Port  Protocol  Status
    [client IP]  45650        [server IP]     80                TCP       deny


  • 7.  RE: Master and Local controllers handle firewall traffic differently

    Posted Jan 27, 2015 05:36 PM

    Can you please verify whether the destination server IP shows up in the user table on the controller?

     

    show user

    show user | include <ip-of-destination>

     

    If it does, is it a wireless client?

    If it does, what role is it in?

    If it does, run:

     

    show rights <name-of-role>



  • 8.  RE: Master and Local controllers handle firewall traffic differently

    Posted Jan 28, 2015 02:00 PM

    The destination server IP is not in the user table.  It's not a wireless client.



  • 9.  RE: Master and Local controllers handle firewall traffic differently

    Posted Jan 28, 2015 03:59 PM

    OK, today, after no further interventions, the phenomenon has disappeared.  Perhaps it just took a while for the config to sync?  Thanks to those who offered suggestions!



  • 10.  RE: Master and Local controllers handle firewall traffic differently
    Best Answer

    Posted May 01, 2015 03:24 PM

    OK, for the benefit of anyone reading this, I have discovered that the problem was misidentified.  The solution appeared to work after a delay, but it was just happenstance.   The problem cropped up again yesterday, and we were able to figure it out with the help of Aruba support.

     

    What really happened was a client joined our guest network with a static IP that was the same as the IP of our server.  There appears to be an implicit rule that denies traffic to an invalid wireless client IP.  The problem is, as long as the client exists in the controller, that IP is blocked.  If you kick the client off, the server is suddenly accessible again. 

     

    Anyone else experience something like this?  Any thoughts about how to fix this other than kicking that client off (or blacklisting it)? 



  • 11.  RE: Master and Local controllers handle firewall traffic differently
    Best Answer

    EMPLOYEE
    Posted May 01, 2015 03:26 PM
    Did TAC tell you about the validuser acl?


  • 12.  RE: Master and Local controllers handle firewall traffic differently

    Posted May 01, 2015 03:49 PM

    No, they didn't.

     

    I'm just reviewing the configuration for this (good youtube video: https://www.youtube.com/watch?v=HMIQwok5r1o)

     

    Thanks for reminding me about that!  I think this is the real solution.