Hi,
Wit your post I realize we are not the only one to have this issue and had hard time with Aruba support. I was thinking to be alone... Seriously I think the answer is really simple and I don't understand our TAC was so hard to resolve!
Despite all infos we gave about this issue we never really got the answer from Aruba. So I disabled this parameter in the statefull firewall. I always believe the "attack-rate" parameter was misunderstood or not apply as describe in the documentation.
In the meantime, I notice some more informations and changes in the new ArubaOS versions and documentation. I think someone in Aruba team discovered something was wrong.
In the changelog in 6.3.1.7 ArubaOS, under parameter "firewall attack-rate", I noticed this short note:
NOTE: <1-16384> denotes the number of arp or
grat-arp requests per 30 seconds.
And in the documentation for ArubaOS 6.4 , the exact same parameter "ping attack-rate" I always took to argue that something was wrong with the statefull firewall is now describe PER 30 seconds. Now is making sense... Before, the documentation clearly indique "Number of ICMP pings per second, which if exceeded...". So if before our value was 10 PER SECOND and suddenly the same value is apply PER 30 SECONDS, that is why suddenly we have so much clients black-listed.
In my first post, I mentionned that the problem of blacklisted clients suddenly happen just after an ArubaOS update. Despite I never got answer from Aruba I think the real answer is simple: the RATE changed from "PER SECOND" to "PER 30 seconds" suddenly and someone forgot to follow this change in the documentation... Maybe the Aruba support team wasn't aware too about this change. I just still don't understand why my request ended without resolution or answer with all the infos I gave to reproduce the trouble.