Wireless Access

  • 1.  Show datapath session table D flag

    Posted Nov 27, 2020 08:13 AM
    Hi All,

    What would set the D flag (deny) in show datapath session table?

    Let me explain a bit more.

    I have 2 devices connected to switches using User Based Tunneling. Both tunnels terminate on the same Aruba Controller. Both devices are in the same network/vlan.

    #show user-table | include 10.10.1
    10.10.1.15 00:e0:4c:68:00:27 00e04c680027 DRW_AOSW_DUR_VoIP_Phones-3124-10 00:01:24 Tunneled-User-MAC 10.0.99.11 Tunneled tunnel 282/10:4f:58:de:68:4b/1/48 default-tunneled-user tunnel TUNNELED USER
    10.10.1.14 80:5e:c0:8c:4b:fe 805ec08c4bfe DRW_AOSW_DUR_VoIP_Phones-3124-10 00:01:24 Tunneled-User-MAC 10.0.99.10 Tunneled tunnel 98/10:4f:58:de:59:4a/1/48 default-tunneled-user tunnel TUNNELED USER


    Both devices have the same role. The role does not block intravlan traffic. 
    netservice svc-dhcp udp list 67,68 ALG dhcp
    !
    netservice svc-icmp 1
    !
    ip access-list session DRW-VOIP-QOS
    user any any permit tos 46
    !
    ip access-list session DRW-DHCP
    user any svc-icmp permit log
    any any svc-dhcp permit log
    !
    ip access-list session DRW-VoIP-Isolation
    user network 10.10.1.0 255.255.255.0 any deny log
    !
    ip access-list session DRW-AllowAll
    user any any permit log
    !
    user-role cppmrole
    vlan DRW-VoIPPhones
    reauthentication-interval 1440
    access-list session DRW-VOIP-QOS
    access-list session DRW-DHCP
    access-list session DRW-AllowAll

    I copied the ClearPass Downloadable User Role for readability, but I checked the show rights output for the role, which is the same.

    I removed the client isolation in the role and added log to all the ACLs.

    Ping from 10.10.1.15 (Windows Client) to 10.10.1.14 (VoIP Phone) is not getting through. Ping to the gateway is working, and so is ping to an IP address of the controller in the same VLAN.

    Ping from the controller to both 10.10.1.14 and 10.10.1.15 is not working. I can make a call from the VoIP Phone to another which is not in the same network and I can make a call from a phone in another network to this phone.

    Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags CPU ID
    ----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------
    192.168.10.3 10.10.1.15 17 53 53762 0/0 0 46 1 tunnel 282 6 0 0 FYTIA 14
    10.10.1.1 10.10.1.15 1 2209 0 0/0 0 46 0 tunnel 282 0 1 60 FTI 14
    10.10.1.15 10.10.1.1 1 2194 2048 0/0 0 46 1 tunnel 282 d 1 60 FTCI 14
    10.10.1.15 10.10.1.1 1 2200 2048 0/0 0 46 1 tunnel 282 7 1 60 FTCI 14
    10.10.1.15 10.10.1.1 1 2195 2048 0/0 0 46 1 tunnel 282 c 1 60 FTCI 14
    10.10.1.15 10.10.1.1 1 2201 2048 0/0 0 46 1 tunnel 282 7 1 60 FTCI 14
    192.168.10.55 10.10.1.15 1 1043 2048 0/0 0 0 0 pc0 0 0 0 FDYCA 11
    10.10.1.15 10.10.1.1 1 2192 2048 0/0 0 46 1 tunnel 282 10 1 60 FTCI 14
    10.10.1.15 192.168.10.30 17 53762 53 0/0 0 46 1 tunnel 282 6 6 414 FTCIA 14
    10.10.1.15 10.10.1.1 1 2203 2048 0/0 0 46 1 tunnel 282 6 1 60 FTCI 14
    10.10.1.15 10.10.1.1 1 2193 2048 0/0 0 46 1 tunnel 282 f 1 60 FTCI 14
    10.10.1.15 10.10.1.1 1 2190 2048 0/0 0 46 1 tunnel 282 11 1 60 FTCI 14
    10.10.1.1 10.10.1.15 1 2210 0 0/0 0 46 0 tunnel 282 0 1 60 FTI 14
    10.10.1.15 10.10.1.1 1 2199 2048 0/0 0 46 1 tunnel 282 a 1 60 FTCI 14
    10.10.1.15 10.10.1.1 1 2205 2048 0/0 0 46 1 tunnel 282 4 1 60 FTCI 14
    10.10.1.15 10.10.1.1 1 2198 2048 0/0 0 46 1 tunnel 282 b 1 60 FTCI 14
    10.10.1.15 10.10.1.1 1 2204 2048 0/0 0 46 1 tunnel 282 5 1 60 FTCI 14
    10.10.1.15 10.10.1.1 1 2207 2048 0/0 0 46 1 tunnel 282 3 1 60 FTCI 14
    10.10.1.15 10.10.1.1 1 2206 2048 0/0 0 46 1 tunnel 282 4 1 60 FTCI 14
    10.10.1.15 10.10.1.1 1 2196 2048 0/0 0 46 1 tunnel 282 d 1 60 FTCI 14
    10.10.1.1 10.10.1.15 1 2207 0 0/0 0 46 1 tunnel 282 3 1 60 FTI 14
    10.10.1.1 10.10.1.15 1 2206 0 0/0 0 46 1 tunnel 282 4 1 60 FTI 14
    10.10.1.1 10.10.1.15 1 2196 0 0/0 0 46 1 tunnel 282 d 1 60 FTI 14
    10.10.1.1 10.10.1.15 1 2199 0 0/0 0 46 1 tunnel 282 b 1 60 FTI 14
    10.10.1.1 10.10.1.15 1 2205 0 0/0 0 46 1 tunnel 282 5 1 60 FTI 14
    10.10.1.1 10.10.1.15 1 2198 0 0/0 0 46 1 tunnel 282 c 1 60 FTI 14
    10.10.1.1 10.10.1.15 1 2204 0 0/0 0 46 1 tunnel 282 6 1 60 FTI 14
    10.10.1.1 10.10.1.15 1 2192 0 0/0 0 46 1 tunnel 282 11 1 60 FTI 14
    10.10.1.15 10.10.1.1 1 2211 2048 0/0 0 46 0 tunnel 282 0 1 60 FTCI 14
    10.10.1.1 10.10.1.15 1 2203 0 0/0 0 46 1 tunnel 282 8 1 60 FTI 14
    10.10.1.15 10.10.1.1 1 2210 2048 0/0 0 46 1 tunnel 282 2 1 60 FTCI 14
    10.10.1.1 10.10.1.15 1 2193 0 0/0 0 46 1 tunnel 282 11 1 60 FTI 14
    10.10.1.1 10.10.1.15 1 2194 0 0/0 0 46 1 tunnel 282 10 1 60 FTI 14
    10.10.1.15 10.10.1.1 1 2209 2048 0/0 0 46 1 tunnel 282 3 1 60 FTCI 14
    10.10.1.1 10.10.1.15 1 2200 0 0/0 0 46 1 tunnel 282 a 1 60 FTI 14
    10.10.1.1 10.10.1.15 1 2195 0 0/0 0 46 1 tunnel 282 f 1 60 FTI 14
    10.10.1.1 10.10.1.15 1 2201 0 0/0 0 46 1 tunnel 282 9 1 60 FTI 14
    192.168.10.30 10.10.1.15 17 53 53762 0/0 0 46 0 tunnel 282 8 0 0 FYTI 14
    10.10.1.15 192.168.10.3 17 53762 53 0/0 0 46 0 tunnel 282 9 6 414 FTCIA 14
    10.10.1.15 10.10.1.14 1 2208 2048 0/0 0 46 0 tunnel 282 3 0 0 FDYTCA 14
    10.10.1.15 10.10.1.14 1 2202 2048 0/0 0 46 0 tunnel 282 8 0 0 FDYTCA 14

    Notice the D flag in the last 2 lines. What would set this deny? Firewall Deny Inter user traffic is unchecked.

    All of this is for troubleshooting because all tests show that I can't send traffic from a device outside the controller to any device tunneled to the controller. 

    thanks,

    ------------------------------
    Erik Eckhardt
    ------------------------------
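    When a session table is long, eyeballing the Flags column for a D is error-prone. The following is an added example, not code from the thread or from Aruba: a small Python parser for the show datapath session table layout shown above. It splits each row from both ends because the Destination column can hold one token (pc0) or two (tunnel 282), and it relies only on the one fact the thread establishes, that D in Flags marks a denied session; the other flag letters are left undecoded. The sample rows are copied from the post above.

```python
"""Parse AOS 'show datapath session table' output and summarize D-flagged (denied) sessions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Column layout as printed by the controller. The Destination column may be one
# token ("pc0") or two ("tunnel 282"), so rows are split from both ends.
LEADING_FIELDS = 9   # src, dst, prot, sport, dport, cntr, prio, tos, age
TRAILING_FIELDS = 5  # tage, packets, bytes, flags, cpu

# A data row starts with an IPv4 address or a MAC address; header and separator lines do not.
ROW_START = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|[0-9a-f]{2}(:[0-9a-f]{2}){5})$")


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    tos: int
    destination: str   # egress, e.g. "tunnel 282" or "pc0"
    packets: int
    nbytes: int
    flags: str

    def is_denied(self) -> bool:
        # 'D' is the deny flag (the thread's question); other letters are not decoded here.
        return "D" in self.flags


def parse_session_table(text: str) -> List[Session]:
    """Return one Session per data row; header, separator and blank lines are skipped."""
    sessions: List[Session] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < LEADING_FIELDS + TRAILING_FIELDS + 1 or not ROW_START.match(tokens[0]):
            continue
        head = tokens[:LEADING_FIELDS]
        tail = tokens[-TRAILING_FIELDS:]
        destination = " ".join(tokens[LEADING_FIELDS:-TRAILING_FIELDS])
        sessions.append(Session(
            src=head[0], dst=head[1], proto=int(head[2]),
            sport=int(head[3]), dport=int(head[4]), tos=int(head[7]),
            destination=destination,
            packets=int(tail[1]), nbytes=int(tail[2]), flags=tail[3],
        ))
    return sessions


def denied_sessions(sessions: List[Session]) -> List[Session]:
    return [s for s in sessions if s.is_denied()]


def denied_pairs(sessions: List[Session]) -> Dict[Tuple[str, str, int], int]:
    """Count denied sessions per (src, dst, proto) so repeated drops stand out."""
    counts: Dict[Tuple[str, str, int], int] = {}
    for s in denied_sessions(sessions):
        key = (s.src, s.dst, s.proto)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Sample rows copied from the post above (header plus a subset of the data rows).
SAMPLE = """\
Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags CPU ID
----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------
192.168.10.3 10.10.1.15 17 53 53762 0/0 0 46 1 tunnel 282 6 0 0 FYTIA 14
10.10.1.1 10.10.1.15 1 2209 0 0/0 0 46 0 tunnel 282 0 1 60 FTI 14
10.10.1.15 10.10.1.1 1 2194 2048 0/0 0 46 1 tunnel 282 d 1 60 FTCI 14
192.168.10.55 10.10.1.15 1 1043 2048 0/0 0 0 0 pc0 0 0 0 FDYCA 11
10.10.1.15 192.168.10.30 17 53762 53 0/0 0 46 1 tunnel 282 6 6 414 FTCIA 14
10.10.1.15 10.10.1.14 1 2208 2048 0/0 0 46 0 tunnel 282 3 0 0 FDYTCA 14
10.10.1.15 10.10.1.14 1 2202 2048 0/0 0 46 0 tunnel 282 8 0 0 FDYTCA 14
"""

if __name__ == "__main__":
    table = parse_session_table(SAMPLE)
    for (src, dst, proto), n in sorted(denied_pairs(table).items()):
        print(f"DENIED {src} -> {dst} proto {proto}: {n} session(s)")
```

Running it against the rows in the post lists the two ICMP sessions from 10.10.1.15 to 10.10.1.14 that the question is about, and it also picks up the 192.168.10.55 to 10.10.1.15 entry on pc0, which carries a D as well and was not mentioned. All three have zero packets and bytes, which is consistent with the drop happening on the first packet of the session.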


  • 2.  RE: Show datapath session table D flag

    Posted Nov 28, 2020 03:44 AM
    I would change your allowall acl to be 'any any any permit'.  I suspect what is happening here is that arp is not working.  You could confirm this with a capture on the windows machine.


    Another useful command is 'show acl hits'


    ------------------------------
    Michael Clarke (Aruba)
    ------------------------------



  • 3.  RE: Show datapath session table D flag

    Posted Nov 30, 2020 04:16 AM
    Thanks Michael,

    Kudos to you, changing user into any worked like a charm.

    I had to make something ugly for client isolation to get that working. I had to change the isolation rule to network network any deny because, of course, any network any deny is also blocking traffic from outside and user network any deny is not hit.

    There might be something wrong with ARP. It's probably caused by IP Client-tracker on the switches which is needed to get the tunneled client IP in RADIUS Accounting for firewall integration. Show ARP on the switch shows the MAC of the client with the IP address on the switch. I don't see any of the wireless clients on the WLC ARP table either so I'm not sure how this user based tunneling works on layer 2.

    rgds, 



    ------------------------------
    Erik Eckhardt
    ------------------------------



  • 4.  RE: Show datapath session table D flag

    Posted Nov 30, 2020 06:52 AM
    Well, almost fixed. Ping is getting through, but I cannot open the internal webpage of a UBT device (a printer in this case). I can open the internal webpage of non-UBT printers in the same network, so it's not a firewall issue (zero trust environment).

    show datapath session table shows the traffic. The external firewall shows the traffic being allowed. show acl hits for the role only sees hits on the allow all rule. The jumbo flag is enabled on the switch mgmt VLAN. The tunnel is up.

    When I disable IP client-tracker on the switch, I can access the printer's internal webpage. Without IP client-tracker, I can't get the IP address of the UBT device in RADIUS Accounting, which is mandatory to get the firewall integration working.

    ------------------------------
    Erik Eckhardt
    ------------------------------