Ok. Checked the datapath session and traffic is being denied, but I can't figure out why! Ideas?
(CTL-ARUBA-2) #show datapath session ap-name ap2516
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
u - Upstream Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
r - Route Nexthop, h - High Value
A - Application Firewall Inspect
B - Permanent, O - Openflow
L - Log
AP Flags: 1 - Class 1, 2 - Class 2, 3 - Class 3, w - In hardware
Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags AP Flags CPU ID
----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- --------------- -------
(CTL-ARUBA-2) #show datapath session ap-name ap2516 | include .50
172.20.0.50 8.8.8.8 17 60655 53 0 0 0 0 dev19 2400 -- -- FDYCA 0
172.20.0.62 201.54.48.50 17 51757 4500 0 0 0 0 local 81f -- -- FC 0
172.20.0.50 8.8.8.8 17 52649 53 0 0 0 0 dev19 700 -- -- FDYCA 0
172.20.0.50 171.20.0.254 1 33 2048 0 0 0 0 dev19 1200 -- -- FDYCA 0
172.20.0.50 171.20.0.254 1 32 2048 0 0 0 0 dev19 1700 -- -- FDYCA 0
172.20.0.50 171.20.0.254 1 35 2048 0 0 0 0 dev19 800 -- -- FDYCA 0
172.20.0.50 171.20.0.254 1 34 2048 0 0 0 0 dev19 d00 -- -- FDYCA 0
172.20.0.50 171.20.0.254 1 36 2048 0 0 0 0 dev19 300 -- -- FDYCA 0
201.54.48.50 172.20.0.62 17 4500 51757 0 0 0 0 local 91f -- -- F 0
172.20.0.50 192.168.96.1 1 0 2048 0 0 0 0 dev19 4400 -- -- FDYCA 0
(CTL-ARUBA-2) #show user-table | include 97:05
fe80::1c22:ade1:f018:eb49 14:99:e2:bf:97:05 local-inicial 00:00:15 AP2516 Associated(Remote) SF-Local/9c:8c:d8:4d:0b:53/a-HT AAA-Local bridge WIRELESS
(CTL-ARUBA-2) #show rights local-inicial
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'local-inicial'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 2
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 217/0
Openflow: Enabled
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-local-inicial-sacl session
3 local-inicial session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
apprf-local-inicial-sacl
------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
local-inicial
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 any any svc-dhcp permit Low 4
2 172.20.0.0 255.255.255.0 172.20.0.0 255.255.255.0 any permit Low 4
3 user any any route src-nat Low 4