Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

How can I see the MAC address of the client sending this dropped "action=deny" traffic?

  • 1.  How can I see the MAC address of the client sending this dropped "action=deny" traffic?

    Posted Sep 21, 2022 11:06 PM
    Our IAPs are logging the dropped traffic of clients using wrong IPv4 addresses and even more wrong IPv6 addresses. I'd like to figure out the client's MAC address and learn which device is sending this traffic, but that Layer2 information is not included in the syslog message:

    cb-a1-ap# sh log security

    Sep 20 16:46:42 stm[5258]: <124006> <WARN> |AP cb-a1-ap@10.201.4.121 stm| proto = 32 srcip=32.192.1.132 dstip=65.152.37.92, dpi-dst=App Unknown, action=deny

    Sep 20 16:49:47 stm[5258]: <124006> <WARN> |AP cb-a1-ap@10.201.4.121 stm| proto = 0 srcip=4006:f56:a04:33f:1139:cf3:fa5a:1bb dstip=15f9:35a1:abd2:5781:8011:401:be39:0, action=deny

    Sep 20 16:49:47 stm[5258]: <124006> <WARN> |AP cb-a1-ap@10.201.4.121 stm| proto = 0 srcip=4006:8a4f:a04:33f:4815:5b1d:fa5c:50 dstip=1427:10e5:ac6a:f6e2:8010:401:3d03:0, action=deny

    Is there a place to look to see which client sent this traffic?

    Thank you for your thoughts!

    ------------------------------
    --Scot
    ------------------------------


  • 2.  RE: How can I see the MAC address of the client sending this dropped "action=deny" traffic?

    EMPLOYEE
    Posted Sep 22, 2022 11:54 PM
    "show clients" command will show the connected clients with the mac addr and both their IPv4 and v6 addrs



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: How can I see the MAC address of the client sending this dropped "action=deny" traffic?

    Posted Sep 23, 2022 10:25 AM
    Hey ariyap,

    Thank you for your reply.

    Normally "show clients" would indeed show the mac addr and IP addresses, but in this case the packet has an incorrect and *wrong* source IP address. The IP address shown in the logs is not found in the "show clients" output. The routable source IP address is not being used, so a response to these packets would never be received. Nonetheless, the packet is being received by the AP with the wrong source IP address and I'd like to determine which client sent it.

    Maybe I can turn on "debug" level logging for "security" and that will show me the client MAC address?

    --Scot
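
Added example, not part of the original thread and not Aruba tooling: a parser for the `<124006>` deny lines quoted in the first post that groups entries by AP and source address and keeps only sources outside the expected client subnets. It does not recover a MAC address; it gives per-source counts and first/last timestamps to line up against other records. The subnet in `CLIENT_NETS` and the function names are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the "sh log security" output quoted in the first post.
SAMPLE_LOG = """\
Sep 20 16:46:42 stm[5258]: <124006> <WARN> |AP cb-a1-ap@10.201.4.121 stm| proto = 32 srcip=32.192.1.132 dstip=65.152.37.92, dpi-dst=App Unknown, action=deny
Sep 20 16:49:47 stm[5258]: <124006> <WARN> |AP cb-a1-ap@10.201.4.121 stm| proto = 0 srcip=4006:f56:a04:33f:1139:cf3:fa5a:1bb dstip=15f9:35a1:abd2:5781:8011:401:be39:0, action=deny
Sep 20 16:49:47 stm[5258]: <124006> <WARN> |AP cb-a1-ap@10.201.4.121 stm| proto = 0 srcip=4006:8a4f:a04:33f:4815:5b1d:fa5c:50 dstip=1427:10e5:ac6a:f6e2:8010:401:3d03:0, action=deny
"""

# Assumption: subnets that legitimate clients use; replace with the site's own.
CLIENT_NETS = [ipaddress.ip_network("10.201.4.0/24")]

# Matches message 124006 deny entries in the format shown in the thread.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s.*?<124006>.*?\|AP (?P<ap>[^@\s]+)@\S+ stm\|\s*"
    r"proto\s*=\s*(?P<proto>\d+)\s+srcip=(?P<src>\S+)\s+dstip=(?P<dst>[^,\s]+),"
    r".*action=deny\s*$"
)

def parse_deny(line):
    """Return a dict for one deny entry, or None if the line does not match."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:  # malformed address text in the log line
        return None
    return {"ts": m["ts"], "ap": m["ap"], "proto": int(m["proto"]), "src": src,
            "dst": dst, "expected": any(src in net for net in CLIENT_NETS)}

def summarize(log_text):
    """Group denies whose source is outside CLIENT_NETS by (AP name, source IP)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "protos": set(), "dsts": set()})
    for line in log_text.splitlines():
        entry = parse_deny(line)
        if entry is None or entry["expected"]:
            continue
        g = groups[(entry["ap"], str(entry["src"]))]
        g["count"] += 1
        g["first"] = g["first"] or entry["ts"]
        g["last"] = entry["ts"]
        g["protos"].add(entry["proto"])
        g["dsts"].add(str(entry["dst"]))
    return dict(groups)

if __name__ == "__main__":
    for (ap, src), g in summarize(SAMPLE_LOG).items():
        print(ap, src, g["count"], g["first"], g["last"], sorted(g["protos"]))
```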