Wireless Access


New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

  • 1.  New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    Posted Mar 26, 2019 06:41 AM

    A previously configured WLAN (not configured by me) stopped (?) working and in the hopes of debugging it, I've created a new Virtual-AP without any security and a new VLAN. The client connects successfully to the WLAN, gets an IP from the external DHCP, but is still unable to connect with the gateway.

     

    Our Aruba controller is directly connected to our central Core-Routers and the port-channel has the VLAN configured. There shouldn't be any ACLs or likewise messing with the connection (neither on the Controller nor on the rest of the network), everything is as open as I was able to configure it. Connection from a wired interface (no Aruba switch though) with the same MAC works.

     

    The controller does not have an IP configured in the VLAN's subnet, it only knows about the VLAN ID (which should be everything it needs?). The connected client also does not appear in the user-table.

     

    I am running out of ideas how to debug this. Any help?

     

    Controller: Aruba3600

    AOS: 6.4



  • 2.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    MVP EXPERT
    Posted Mar 26, 2019 07:11 AM
    What is the role of the connected client, and what ACLs does that role have?


  • 3.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    Posted Mar 26, 2019 07:44 AM

    The role is "authenticated" and like I said, there are minimal ACL rules defined.

     

    I even switched to a default role, that has literally no ACLs defined. Also using another VLAN that was already defined (and works for another WLAN) also works.



  • 4.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    MVP EXPERT
    Posted Mar 26, 2019 08:23 AM

    Are you referring to the client's default gateway or the perimeter gateway to the Internet? If the client cannot reach the Internet, is all the return routing for the client VLAN in place? If you run the below you can see if there are any D (for denied traffic) or Y (no -syn packet) flags for the client traffic.

     

    show datapath session | include [CLIENTS IP ADDRESS]

    If there are no ACLs, as mentioned, in your default role, the client traffic will not pass.

     

    Are you able to provide the output of the user role assigned to the clients?

     

    show rights [USER ROLE]


  • 5.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    Posted Mar 26, 2019 08:39 AM
    10.1.126.118 224.0.0.251     17   5353  5353   0/0     0    0   0   tunnel 350  d    0          0          FDYC

    Well color me stumped, I have both D and Y.

     

    See attached the ACL-list of the role "authenticated".

     

    Thanks for all your help.

     

    EDIT

    Yes, I do mean the client's default gateway.

    Attachment(s)

    txt
    authenticated.txt   9 KB 1 version


  • 6.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    MVP EXPERT
    Posted Mar 26, 2019 09:06 AM
    I guess in the first case, let's have a look at the ACLs in the User Role to see why the traffic is denied :)


  • 7.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    MVP EXPERT
    Posted Mar 26, 2019 10:03 AM

    What is the client's gateway? Your ACL list is quite extensive. Looking at the denied traffic, that is multicast traffic, so it is potentially denied. Can you even ping the client's default gateway?



  • 8.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    Posted Mar 26, 2019 10:20 AM

    Nope, from a client I cannot ping the client's default gateway.

     

    I changed the role to a default one that is basically allow-all. See "default-via-role.txt"

     

    Thanks for trying to help me.

     

    EDIT

    The client's gateway is 10.1.126.126, the subnet for the VLAN is 10.1.126.64/26.

    Attachment(s)

    txt
    default-via-role.txt   2 KB 1 version
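
One way to triage the `show datapath session` output discussed in the posts above, as an added example that is not part of any post in this thread: it separates denied multicast sessions, like the mDNS line that was posted, from denied sessions toward the client's default gateway. The first sample line is the one posted in the thread, the other two are constructed, and only the D and Y flags named in the thread are interpreted; the function names are hypothetical.

```python
import ipaddress

# Addresses quoted in the thread.
CLIENT, GATEWAY, SUBNET = "10.1.126.118", "10.1.126.126", "10.1.126.64/26"

# Line 1 is the session posted in the thread; lines 2 and 3 are constructed.
SAMPLE = """\
10.1.126.118 224.0.0.251     17   5353  5353   0/0     0    0   0   tunnel 350  d    0          0          FDYC
10.1.126.118 10.1.126.126    1    12    2048   0/0     0    0   1   tunnel 350  d    3          252        FDC
10.1.126.126 10.1.126.118    17   67    68     0/0     0    0   1   tunnel 350  d    2          684        FC
"""

def parse_session_line(line):
    """Return addresses, protocol, ports and flags; None for non-session lines."""
    tok = line.split()
    if len(tok) < 6:
        return None
    try:
        src, dst = ipaddress.ip_address(tok[0]), ipaddress.ip_address(tok[1])
        proto, sport, dport = (int(t) for t in tok[2:5])
    except ValueError:
        return None  # header, separator or truncated line
    # Flags are the last column; a numeric last token means the column is empty.
    flags = tok[-1] if tok[-1].isalpha() else ""
    return {"src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "flags": flags}

def triage(text, client, gateway, subnet):
    """Classify each session of `client` by peer and by the D / Y flags."""
    client, gateway = ipaddress.ip_address(client), ipaddress.ip_address(gateway)
    net = ipaddress.ip_network(subnet)
    findings = []
    for line in text.splitlines():
        s = parse_session_line(line)
        if s is None or client not in (s["src"], s["dst"]):
            continue
        peer = s["dst"] if s["src"] == client else s["src"]
        if peer == gateway:
            scope = "gateway"
        elif peer.is_multicast:
            scope = "multicast"
        else:
            scope = "same-subnet" if peer in net else "routed"
        findings.append({"peer": str(peer), "scope": scope,
                         "denied": "D" in s["flags"],     # D: denied traffic
                         "no_syn": "Y" in s["flags"]})    # Y: no SYN seen
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE, CLIENT, GATEWAY, SUBNET):
        print(f)
```

A denied session whose scope is `multicast` does not by itself explain a failed ping to the gateway; the entries with scope `gateway` are the ones to compare against the role's ACLs.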


  • 9.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    MVP EXPERT
    Posted Mar 26, 2019 10:42 AM
    Hey, what is the client's default gateway? We can compare this against the ACLs.


  • 10.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    Posted Mar 26, 2019 10:46 AM

    Sorry, clicked too soon on Post, edited into my previous post afterwards.

     

    The client's gateway is 10.1.126.126



  • 11.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    MVP EXPERT
    Posted Mar 26, 2019 10:49 AM

    Can you reach this from a wired VLAN as well?



  • 12.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    Posted Mar 26, 2019 10:53 AM

    Yes.



  • 13.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway
    Best Answer

    MVP EXPERT
    Posted Mar 26, 2019 11:02 AM

    Might be worth raising a case with TAC to get a quicker resolution. With the limited information available and without seeing your entire environment it is difficult to say. 



  • 14.  RE: New VLAN - Client is connected, gets IP from external DHCP, still no connection to Gateway

    Posted Apr 03, 2019 03:20 AM

    Called my support partner, have yet to receive an answer. ;)

     

    I'll try to remember to post the resolution here.