Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Stateful firewall issues after 6.2.1.4 upgrade: blacklist clients increase dramatically

This thread has been viewed 1 times

  • 1.  Stateful firewall issues after 6.2.1.4 upgrade: blacklist clients increase dramatically

    Posted Nov 14, 2013 05:17 AM

    The behavior of stateful firewall changed after 6.2.1.4 upgrade. We have got a lot of blacklisted clients after upgrading and after few tests it come from the stateful firewall.

     

    We have these settings (Aruba 3600):

    firewall attack-rate ping 5

    firewall attack-rate tcp-syn 128

    firewall attack-rate session 128

    firewall attack-rate cp 512

     

    It works fine before the upgrade but with 6.2.1.4, instead of blocking clients when the "rate" is reach, the clients are block when the "total" is reach. Example, with 6.2.1.4, if the client does a simple ping, 1 per second, it gets blacklisted after 5 ping. Not good... Before it was base on the "rate" value. So the client gets blacklisted ONLY if more than 5 ping PER SECOND is issuing.

     

    We opened a ticket to Aruba support and we were told that is the normal behavior. Aruba reproduced the behavior in their test lab, but I can't believe this is normal.  I really don't understand that since the settings are base on "attack-rate", not "attack-total". Furthermore, on the admin guide, is written that these settings are based on values PER SECOND. Are we alone to see that? Since the upgrade, we disabled these settings in the stateful firewall to avoid getting blacklisted clients but we loose the meaning of stateful firewall.

     

    Thanks!

     


    #3600


  • 2.  RE: Stateful firewall issues after 6.2.1.4 upgrade: blacklist clients increase dramatically

    EMPLOYEE
    Posted Nov 14, 2013 05:35 AM

    Please login to the support site at support.arubanetworks.com and register your complaint in the ideas portal so your opinion can get the attention of the people in product management.

     



  • 3.  RE: Stateful firewall issues after 6.2.1.4 upgrade: blacklist clients increase dramatically

    Posted Nov 22, 2013 11:41 AM

    Hi serinf, 

     

    were the clients that were getting blacklisted, windows7 and windows vista? i mean the ones, which had ipv6 enabled?



  • 4.  RE: Stateful firewall issues after 6.2.1.4 upgrade: blacklist clients increase dramatically

    Posted Nov 22, 2013 01:51 PM

    Hi,

    All clients get blacklisted, no matter OS. We do not filter by ipv6, only ipv4 is enabled.

     

    The test to get blacklisted is really simple. Put this setting on the controller :

    firewall attack-rate ping 5

     

    And just do that under DOS from any client:

    ping any_machine -t

    Pinging any_machine [192.X.X.2] with 32 bytes of data:
    Reply from 192.X.X.2: bytes=32 time<1ms TTL=127
    Reply from 192.X.X.2: bytes=32 time<1ms TTL=127
    Reply from 192.X.X.2: bytes=32 time<1ms TTL=127
    Reply from 192.X.X.2: bytes=32 time<1ms TTL=127
    Reply from 192.X.X.2: bytes=32 time<1ms TTL=127
    Request timed out.

    Request timed out.

    Request timed out.

    ...

     

    After exactly 5 pings, the client get blacklisted. We are not talking about 5 pings in one second but 1 ping per second, that is an attack-rate of "1", not "5". This is what I can't get it...



  • 5.  RE: Stateful firewall issues after 6.2.1.4 upgrade: blacklist clients increase dramatically

    EMPLOYEE
    Posted Nov 22, 2013 02:09 PM
    @serinf wrote:

    Hi,

    All clients get blacklisted, no matter OS. We do not filter by ipv6, only ipv4 is enabled.

     

    The test to get blacklisted is really simple. Put this setting on the controller :

    firewall attack-rate ping 5

     

    And just do that under DOS from any client:

    ping any_machine -t

    Pinging any_machine [192.X.X.2] with 32 bytes of data&colon;
    Reply from 192.X.X.2: bytes=32 time<1ms TTL=127
    Reply from 192.X.X.2: bytes=32 time<1ms TTL=127
    Reply from 192.X.X.2: bytes=32 time<1ms TTL=127
    Reply from 192.X.X.2: bytes=32 time<1ms TTL=127
    Reply from 192.X.X.2: bytes=32 time<1ms TTL=127
    Request timed out.

    Request timed out.

    Request timed out.

    ...

     

    After exactly 5 pings, the client get blacklisted. We are not talking about 5 pings in one second but 1 ping per second, that is an attack-rate of "1", not "5". This is what I can't get it...

    serinf,

     

    Please open up a case so that TAC can take a look.



  • 6.  RE: Stateful firewall issues after 6.2.1.4 upgrade: blacklist clients increase dramatically

    Posted Nov 22, 2013 02:54 PM

    Hi,

     

    Ok, I have already place my question on ideas portal but maybe isn't the best place. So I reopen a TAC.

     

    Thanks!



  • 7.  RE: Stateful firewall issues after 6.2.1.4 upgrade: blacklist clients increase dramatically

    Posted Feb 18, 2014 01:52 AM

    Hi 

     

    any latest update?

     

    I observed the same issue in lab, testing on 6.2.1.5 code. with the ping attack rate set at 25. 

     

    A normal rate ping initiated from a windows XP PC. The client got blacklist by ping-flood, after some more than 25+pings, from the command prompt. The SSID was a simple WPA2-PSK-AES ssid, with the ip being given by the dhcp server on the controller. Ping initiated from the wifi user to the PC in wired network in same vlan. 

     

    i did a traceroute from the PC command prompt, the PC got blacklist by session-flood. 

     

     

    with the attack-rates being configured to the recommended numbers. how can i check that the client that got blacklist is for valid reason? how can i debug it? 

     

     



  • 8.  RE: Stateful firewall issues after 6.2.1.4 upgrade: blacklist clients increase dramatically

    Posted Feb 18, 2014 04:00 PM

    Hi, We have this issue after upgrading to version 6.2.1.4 and 6.2.1.5. We did not get help on this with Aruba Support TAC. We were told this is the "normal behavior". I really can't get it and I did not get any useful explanation.

     

    We did some tests as you and it's fairly simple to get client blacklisted. If we set "attack rate ping" to 10 for example, the client is blacklisted exactly after 10 normal pings and the OS doesn't matter. I don't know what is hard to understand but this is NOT an attack since a normal ping is 1 per second.

     

    So, with this broken features, we decided to disable this protection and wait for the next version. The version 6.3.1.3 is available now and I will test it soon and hope Aruba fix this but I'm not optimist since the release notes has no mention about it.

     

     



  • 9.  RE: Stateful firewall issues after 6.2.1.4 upgrade: blacklist clients increase dramatically

    Posted Aug 15, 2014 01:30 PM

    I had the same experience of clients being blacklisted regardless of threshold values.  After working with TAC for over 3 months we have been told by our SE that these features no longer work and are now disabled by default.  I have not been informed yet as to whether the features will be depricated, or eventually fixed.



  • 10.  RE: Stateful firewall issues after 6.2.1.4 upgrade: blacklist clients increase dramatically

    Posted Aug 16, 2014 06:10 AM

    Hi,

     

    Wit your post I realize we are not the only one to have this issue and had hard time with Aruba support. I was thinking to be alone... Seriously I think the answer is really simple and I don't understand our TAC was so hard to resolve!

     

    Despite all infos we gave about this issue we never really got the answer from Aruba. So I disabled this parameter in the statefull firewall. I always believe the "attack-rate" parameter was misunderstood or not apply as describe in the documentation.

     

    In the meantime, I notice some more informations and changes in the new ArubaOS versions and documentation. I think someone in Aruba team discovered something was wrong.

     

    In the changelog in 6.3.1.7 ArubaOS, under parameter "firewall attack-rate", I noticed this short note:

    NOTE: <1-16384> denotes the number of arp or

    grat-arp requests per 30 seconds.

     

    And in the documentation for ArubaOS 6.4 , the exact same parameter "ping attack-rate" I always took to argue that something was wrong with the statefull firewall  is now describe PER 30 seconds. Now is making sense... Before, the documentation clearly indique "Number of ICMP pings per second, which if exceeded...". So if before our value was 10 PER SECOND and suddenly the same value is apply PER 30 SECONDS, that is why suddenly we have so much clients black-listed.

     

    In my first post, I mentionned that the problem of blacklisted clients suddenly happen just after an ArubaOS update. Despite I never got answer from Aruba I think the real answer is simple: the RATE changed from "PER SECOND" to "PER 30 seconds" suddenly and someone forgot to follow this change in the documentation... Maybe the Aruba support team wasn't aware too about this change. I just still don't understand why my request ended without resolution or answer with all the infos I gave to reproduce the trouble.