Aruba Apps

Is your Guest WiFi Aruba based? Instant? Controller? What firmware versions?
What Aruba role are your guests in? How does that role look like?
Do you have other networks on the same environment? Do you see the same issue there?

The description 'need to wait a few minutes' suggests that client traffic is dropped (somewhere), and after a timeout Whatsapp tries another method that works. You may need to open up more than just port 80 & 443.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Apr 11, 2023 08:49 AM
From: saint_pikha
Subject: Whatsapp problem on enterprise network

Hello,

We are using controller based wifi-guest, and the firmware is 6.5.4.23.



Yes, we have the issue with two SSIDs using the same subnet.

Original Message:
Sent: Apr 12, 2023 04:25 AM
From: Herman Robers
Subject: Whatsapp problem on enterprise network

Is your Guest WiFi Aruba based? Instant? Controller? What firmware versions?
What Aruba role are your guests in? How does that role look like?
Do you have other networks on the same environment? Do you see the same issue there?

The description 'need to wait a few minutes' suggests that client traffic is dropped (somewhere), and after a timeout Whatsapp tries another method that works. You may need to open up more than just port 80 & 443.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Apr 11, 2023 08:49 AM
From: saint_pikha
Subject: Whatsapp problem on enterprise network

And the role guest is what is actually assigned to the user? Have you verified?
With 'show datapath session table <ip address>' you can see what traffic is passed/blocked. There may be more needed than just port 80/443 for Whatsapp to work happily. I also see that you should disable SSL inspection on your firewall as well for that traffic, in case you have that enabled.
If on the other SSID there is an authenticated role, or other role with allow any traffic, there may be something else.
It may be good to open a TAC case or work with your Aruba partner to do some further testing.

Hello,

We are using controller based wifi-guest, and the firmware is 6.5.4.23.



Yes, we have the issue with two SSIDs using the same subnet.

Original Message:
Sent: Apr 12, 2023 04:25 AM
From: Herman Robers
Subject: Whatsapp problem on enterprise network

Is your Guest WiFi Aruba based? Instant? Controller? What firmware versions?
What Aruba role are your guests in? How does that role look like?
Do you have other networks on the same environment? Do you see the same issue there?

The description 'need to wait a few minutes' suggests that client traffic is dropped (somewhere), and after a timeout Whatsapp tries another method that works. You may need to open up more than just port 80 & 443.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Apr 11, 2023 08:49 AM
From: saint_pikha
Subject: Whatsapp problem on enterprise network

The user-role "guest" is a default role uses in the controller and only allow basic ports like http,https,dns,dhcp. Whatsapp use more than this basic ports.

Whatsapp uses TCP 443 (HTTPS) to pass the majority of the connection traffic but it also uses TCP 80 (HTTP). If voice is used, then ports 4244, 5222, 5223, 5228,50318, 59234 & 5242 are used.

UDP Ports: 34784, 45395, 50318, 59234.

To figure out if the issue is in the wlan controller firewall our your external firewall you can do the following:
- go to the wlan controller where the wifi client is active
- show user-table, look for the client, client-ip, client-mac and assigned role (guest).
- show datapath session table | incl "client-ip" and look for denied traffic (D flags).

Other approach can be to create a test SSID with same vlan but with the default role "authenticated", the authenticated role have a "any any permit ACL".

I willn't advise to use a "permit any any" ACL, but can help you to figure out if the issue is the client role/acl in the wlan controller our your external firewall.

Based on my experience your guest role (which is default) have to less access for the watchapp application.

I will recommend to not change the default role "guest", but create a new role with a customized ACL policy and bound that you your SSID configution. If the user-role is derived from your radius server you must keep in mind you probably have to setup that to.

Hope this help.

And the role guest is what is actually assigned to the user? Have you verified?
With 'show datapath session table <ip address>' you can see what traffic is passed/blocked. There may be more needed than just port 80/443 for Whatsapp to work happily. I also see that you should disable SSL inspection on your firewall as well for that traffic, in case you have that enabled.
If on the other SSID there is an authenticated role, or other role with allow any traffic, there may be something else.
It may be good to open a TAC case or work with your Aruba partner to do some further testing.

Hello,

We are using controller based wifi-guest, and the firmware is 6.5.4.23.



Yes, we have the issue with two SSIDs using the same subnet.

Original Message:
Sent: Apr 12, 2023 04:25 AM
From: Herman Robers
Subject: Whatsapp problem on enterprise network

Is your Guest WiFi Aruba based? Instant? Controller? What firmware versions?
What Aruba role are your guests in? How does that role look like?
Do you have other networks on the same environment? Do you see the same issue there?

The description 'need to wait a few minutes' suggests that client traffic is dropped (somewhere), and after a timeout Whatsapp tries another method that works. You may need to open up more than just port 80 & 443.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Apr 11, 2023 08:49 AM
From: saint_pikha
Subject: Whatsapp problem on enterprise network

Hello Marcel,

I created an ACL that includes all TCP and UDP ports that you have mentioned, applied it to the guest user role and we could connect to Whatsapp without any delays.

Thank you very much for your help. Thanks to you, I resolved a persisting problem for years before my arrival at the company.

Best regards,

Yassir LAMDERHRI

The user-role "guest" is a default role uses in the controller and only allow basic ports like http,https,dns,dhcp. Whatsapp use more than this basic ports.

Whatsapp uses TCP 443 (HTTPS) to pass the majority of the connection traffic but it also uses TCP 80 (HTTP). If voice is used, then ports 4244, 5222, 5223, 5228,50318, 59234 & 5242 are used.

UDP Ports: 34784, 45395, 50318, 59234.

To figure out if the issue is in the wlan controller firewall our your external firewall you can do the following:
- go to the wlan controller where the wifi client is active
- show user-table, look for the client, client-ip, client-mac and assigned role (guest).
- show datapath session table | incl "client-ip" and look for denied traffic (D flags).

Other approach can be to create a test SSID with same vlan but with the default role "authenticated", the authenticated role have a "any any permit ACL".

I willn't advise to use a "permit any any" ACL, but can help you to figure out if the issue is the client role/acl in the wlan controller our your external firewall.

Based on my experience your guest role (which is default) have to less access for the watchapp application.

I will recommend to not change the default role "guest", but create a new role with a customized ACL policy and bound that you your SSID configution. If the user-role is derived from your radius server you must keep in mind you probably have to setup that to.

Hope this help.

And the role guest is what is actually assigned to the user? Have you verified?
With 'show datapath session table <ip address>' you can see what traffic is passed/blocked. There may be more needed than just port 80/443 for Whatsapp to work happily. I also see that you should disable SSL inspection on your firewall as well for that traffic, in case you have that enabled.
If on the other SSID there is an authenticated role, or other role with allow any traffic, there may be something else.
It may be good to open a TAC case or work with your Aruba partner to do some further testing.

Hello,

We are using controller based wifi-guest, and the firmware is 6.5.4.23.



Yes, we have the issue with two SSIDs using the same subnet.

Original Message:
Sent: Apr 12, 2023 04:25 AM
From: Herman Robers
Subject: Whatsapp problem on enterprise network

Is your Guest WiFi Aruba based? Instant? Controller? What firmware versions?
What Aruba role are your guests in? How does that role look like?
Do you have other networks on the same environment? Do you see the same issue there?

The description 'need to wait a few minutes' suggests that client traffic is dropped (somewhere), and after a timeout Whatsapp tries another method that works. You may need to open up more than just port 80 & 443.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Apr 11, 2023 08:49 AM
From: saint_pikha
Subject: Whatsapp problem on enterprise network