Wireless Access

Contributor II

Master and Local controllers handle firewall traffic differently

We have a pair of 7210s running 6.3.1.10, set as master and local.  We have user VLAN pools trunked to both controllers with no differences in switch port configuration.  There are no firewall policies applied to the interfaces, and we make use of role-based firewall policies.  The config is synced nicely between controllers.

 

However, a user associated with an AP on our local controller hits a phantom firewall deny rule that doesn't appear on the master controller, and doesn't show up in the config.  When we view the client status, the User Firewall State lists the denied access, but doesn't indicate what rule it's using.

 

So strange!


Accepted Solutions
Moderator

Re: Master and Local controllers handle firewall traffic differently

Can you please do a forced configuration push?

 

From the master:

(config) #cfgm set sync-type complete
(config) #write mem

 Wait about a minute or so and then change the cfgm setting back:

(config) #cfgm set sync-type snapshot

 



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |


Contributor II

Re: Master and Local controllers handle firewall traffic differently

OK, for the benefit of anyone reading this, I have discovered that the problem was misidentified.  The solution appeared to work after a delay, but it was just happenstance.   The problem cropped up again yesterday, and we were able to figure it out with the help of Aruba support.

 

What really happened was a client joined our guest network with a static IP that was the same as the IP of our server.  There appears to be an implicit rule that denies traffic to an invalid wireless client IP.  The problem is, as long as the client exists in the controller, that IP is blocked.  If you kick the client off, the server is suddenly accessible again. 

 

Anyone else experience something like this?  Any thoughts about how to fix this other than kicking that client off (or blacklisting it)? 


Guru Elite

Re: Master and Local controllers handle firewall traffic differently

Did TAC tell you about the validuser acl?

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide



All Replies
Aruba

Re: Master and Local controllers handle firewall traffic differently

Check under monitoring/firewall hits to see if you can decipher what role and policy is denying the action.  

It may help if you explain what the user is trying to do when denied.

 

You can click the "refresh now" button when you see the deny to see what "deny" actions have new hits.

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX


Contributor II

Re: Master and Local controllers handle firewall traffic differently

The firewall hit does not appear in the Monitoring/firewall hits page.

 

The user is trying to access an internal web service.

Contributor II

Re: Master and Local controllers handle firewall traffic differently

I changed the config push setting as you suggested, and it didn't change the behaviour.

Contributor II

Re: Master and Local controllers handle firewall traffic differently

Here's what I see in the User Status:

 

Source IP    Source Port  Destination IP  Destination Port  Protocol  Status
[client IP]  45650        [server IP]     80                TCP       deny
Aruba

Re: Master and Local controllers handle firewall traffic differently

Can you please verify whether the destination server IP shows up in the user table on the controller?

 

show user

show user | include <ip-of-destination>

 

If it does, is it a wireless client?

If it does, what role is it in?

If it does, run:

 

show rights <name-of-role>

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX
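One way to automate the user-table check described in the reply above, and the address collision the accepted answer later identifies, as an added example that is not from the thread or from Aruba: it cross-references the destination of each denied flow against a parsed user-table dump and flags any known server address that a client entry has claimed. The sample dump and deny rows are constructed; the real "show user" column layout varies by release, so the parser only assumes an IP, a MAC and a role token per line.

```python
import re
from ipaddress import ip_address

# Constructed sample of a controller user-table dump (not real controller output).
# Assumed layout: IP, MAC, user name, role, age, access type.
SAMPLE_USER_TABLE = """\
10.20.30.41  aa:bb:cc:dd:ee:01  jdoe      guest     00:12:34  wireless
10.20.30.42  aa:bb:cc:dd:ee:02  -         guest     00:01:10  wireless
10.20.30.10  aa:bb:cc:dd:ee:03  -         guest     00:00:05  wireless
"""

# Constructed: the denied flow as it appeared in the User Firewall State table.
SAMPLE_DENIES = [
    {"src": "10.20.30.41", "sport": 45650, "dst": "10.20.30.10", "dport": 80, "proto": "TCP"},
]

# Infrastructure addresses that must never appear as wireless client entries.
KNOWN_SERVERS = {"10.20.30.10"}

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def parse_user_table(text):
    """Return {ip: {"mac": ..., "role": ...}} from a show-user style dump."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not MAC_RE.match(fields[1]):
            continue  # header, blank or unrecognised line
        try:
            ip = str(ip_address(fields[0]))
        except ValueError:
            continue
        users[ip] = {"mac": fields[1], "role": fields[3]}
    return users


def find_server_collisions(users, known_servers):
    """Server IPs that also exist as client entries (the root cause in this thread)."""
    return sorted(set(users) & set(known_servers))


def explain_denies(denies, users):
    """For each deny, report whether a client entry has claimed the destination IP."""
    findings = []
    for d in denies:
        hit = users.get(d["dst"])
        if hit:
            findings.append(f"{d['dst']}:{d['dport']}/{d['proto']} is claimed by client "
                            f"{hit['mac']} in role {hit['role']}; remove or blacklist that client")
        else:
            findings.append(f"{d['dst']} not in user table; inspect role policies with show rights")
    return findings
```

Feed it the captured output of "show user" and the deny rows from the client's User Firewall State; a collision hit points at the stale client entry rather than at a role policy.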

Contributor II

Re: Master and Local controllers handle firewall traffic differently

The destination server IP is not in the user table.  It's not a wireless client.

Contributor II

Re: Master and Local controllers handle firewall traffic differently

OK, today, after no further interventions, the phenomenon has disappeared.  Perhaps it just took a while for the config to sync?  Thanks to those who offered suggestions!

