Wireless Access


User to MM VIP strange Behavior

  • 1.  User to MM VIP strange Behavior

    Posted Oct 06, 2022 08:28 AM
    Hi,

    I have strange behavior when a user (wireless or UBT) tries to communicate with the VRRP IP of our Mobility Conductor. The VRRP IP doesn't respond to ping or any application. When we check in the firewall, we don't see the SYN or ICMP request packets, only a response from the IP of MC1 (VRRP master).

    Users are in tunnel mode. In our example, the users are in VLAN 38, role: authenticated. Controllers and MM are in the same VLAN: 50:

    The firewall never sees the request or SYN packets, so the replies are dropped.

    When I check the "show datapath session table" of our user, I see this:

    No problem to connect directly on the MM : 

    Role authenticated : 

    "show rights authenticated" :

    I don't understand why the "N" flag appears on the communications with the MM VRRP. From what we see in the firewall, it's like the packets are directly forwarded to the MM without going through VLAN 38...

    Has anyone already seen this behavior?

    Thanks


  • 2.  RE: User to MM VIP strange Behavior

    Posted Oct 08, 2022 12:17 PM
    I think the controller will route the ping to the MM through its IPsec connection to the MM. When you look at the routing table on the MD, you can see that the IPsec injects itself with a /32 route to the MM IP addresses.
    But the MM of course will send the answer packet back according to its routing table, which is to the firewall.

    Since MDs are not capable of VRFs, you need to build policy-based routing to change this behaviour.
    You can create a PBR rule where you say that the client source network should be routed to the firewall as next hop, instead of using the routing table.

    ------------------------------
    Thanks,
    Bjarne
    ------------------------------



  • 3.  RE: User to MM VIP strange Behavior

    Posted Oct 08, 2022 12:57 PM
    Hi,

    Thanks for your reply,

    I thought about it, but the route in the MD routing table points to the MM1 IP, not the MM VIP.

    For me, the controller is not supposed to route the traffic intended for a VLAN. Am I wrong about this?

    Thanks again for your help,





  • 4.  RE: User to MM VIP strange Behavior

    Posted Oct 12, 2022 05:22 AM
    Up


  • 5.  RE: User to MM VIP strange Behavior

    Posted Oct 12, 2022 05:44 AM
    The "N" is for NAT.  Are you source-natting any traffic?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 6.  RE: User to MM VIP strange Behavior

    Posted Oct 12, 2022 05:50 AM
    Hi,

    No, this happens with the authenticated role, with only an allow all rule.

    Thanks,


  • 7.  RE: User to MM VIP strange Behavior

    Posted Oct 12, 2022 05:55 AM
    Does any other traffic have an "N"? Do you have "ip nat inside" on any of your interfaces?




  • 8.  RE: User to MM VIP strange Behavior

    Posted Oct 12, 2022 06:03 AM
    Hi,

    No, this is the only traffic with this flag. We don't have this flag with the traffic to the MM1 IP.


    No ip nat inside on the configuration :

    Thanks,


  • 9.  RE: User to MM VIP strange Behavior

    Posted Oct 12, 2022 06:06 AM
    Please look for "nat"




  • 10.  RE: User to MM VIP strange Behavior

    Posted Oct 12, 2022 07:09 AM

    Hi,

    (CW-ADM-RG-1) #show running-config | include nat
    Building Configuration...
    ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
    netservice svc-natt udp 4500
    netdestination6 ipv6-reserved-range
    netdestination wificalling-block
    any any svc-natt permit
    ip access-list session srcnat
    user any any src-nat
    any any sys-svc-natt permit
    user alias controller svc-https dst-nat 8081
    ipv6 any any svc-natt permit
    any any any src-nat pool dynamic-srcnat
    user alias controller svc-https dst-nat 8081
    user any svc-http dst-nat 8080
    user any svc-https dst-nat 8081
    user any svc-http-proxy1 dst-nat 8088
    user any svc-http-proxy2 dst-nat 8088
    user any svc-http-proxy3 dst-nat 8088
    any any svc-icmp src-nat
    any any svc-dns src-nat
    user alias localip svc-https dual-nat pool localip 8081
    user any svc-http dual-nat pool localip 8080
    user any svc-https dual-nat pool localip 8081
    user any svc-http-proxy1 dual-nat pool localip 8088
    user any svc-http-proxy2 dual-nat pool localip 8088
    user any svc-http-proxy3 dual-nat pool localip 8088
    any any svc-natt permit
    ids signature-profile "AirJack"
    ids signature-profile "ASLEAP"
    ids signature-profile "Deauth-Broadcast-From-Valid-AP"
    ids signature-profile "default"
    ids signature-profile "Disassoc-Broadcast"
    ids signature-profile "Disassoc-Broadcast-From-Valid-AP"
    ids signature-profile "Netstumbler Generic"
    ids signature-profile "Netstumbler Version 3.3.0x"
    ids signature-profile "Null-Probe-Response"
    ids signature-profile "Wellenreiter"
    ids impersonation-profile "default"
    ids signature-matching-profile "default"
    signature "Disassoc-Broadcast"
    snmp-server trap disable wlsxSignatureMatch

    Thanks,




  • 11.  RE: User to MM VIP strange Behavior

    Posted Oct 12, 2022 02:09 PM
    This output is pretty much useless, since it simply includes every line in the config that contains "nat" but it doesn't show the context. 

    You need to take a look at the specific roles and interfaces that take part in the communication. There is no single command for that.

    ------------------------------
    Thanks,
    Bjarne
    ------------------------------
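    As an added example (not code from the thread, from Bjarne, or from Aruba), a small Python parser that restores the context the "| include nat" grep loses: it groups every NAT rule under the session ACL it belongs to and the user-role that references that ACL. It runs over a constructed ArubaOS-style config fragment, not the poster's real configuration.

```python
import re

# Constructed ArubaOS-style config fragment (not the poster's real config): the
# "| include nat" grep on the page drops which ACL and role each rule sits in.
SAMPLE_CONFIG = """\
ip access-list session srcnat
  user any svc-http dst-nat 8080
  user any any src-nat
!
ip access-list session allowall
  any any any permit
!
user-role authenticated
  access-list session allowall
!
user-role guest
  access-list session srcnat
!
"""
NAT_ACTIONS = {"src-nat", "dst-nat", "dual-nat"}

def parse_blocks(config):
    """Map (kind, name) of each ACL / user-role block to its indented lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^(ip access-list session|user-role) (\S+)$", line)
        if m:
            current = (m.group(1), m.group(2))
            blocks[current] = []
        elif line == "!":          # a bare '!' closes the current block
            current = None
        elif current and line:
            blocks[current].append(line)
    return blocks

def nat_rules_by_role(config):
    """Return {role: [(acl, rule), ...]} for rules whose action is a NAT action."""
    blocks, result = parse_blocks(config), {}
    for (kind, name), lines in blocks.items():
        if kind != "user-role":
            continue
        result[name] = []            # a role with no NAT rules stays empty
        for line in lines:
            m = re.match(r"^access-list session (\S+)$", line)
            acl = blocks.get(("ip access-list session", m.group(1)), []) if m else []
            for rule in acl:
                if NAT_ACTIONS & set(rule.split()):
                    result[name].append((m.group(1), rule))
    return result
```

    On the sample, the "authenticated" role (allow-all only, as in the original post) reports no NAT rules, while "guest" lists both NAT rules with the ACL that carries them.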



  • 12.  RE: User to MM VIP strange Behavior

    Posted Oct 12, 2022 04:02 PM
    @MACAxians Please type show user to determine the role that your user is ending up in.
    Then type show rights <role> to see the ACLs associated with that user.
    Lastly, type show running-config | begin "interface g" so that we can see how your interfaces are configured.




  • 13.  RE: User to MM VIP strange Behavior

    Posted Oct 13, 2022 09:29 AM
    Hi,

    I attach the different results. No specific rules on these two roles. The problem seems to happen from every role.

    Thanks,

    Attachments: show run interface g.txt (1 KB), role_rights.txt (5 KB)


  • 14.  RE: User to MM VIP strange Behavior
    Best Answer

    Posted Oct 13, 2022 09:40 AM
    I don't see anything there.  You should open a technical support case and have someone troubleshoot that.
