RE: [WIRELESS-LAN] Odd issue with Aruba wireless...
We had to get a little more granular in ours because we had user table entries with our gateway addresses get populated in the user table that caused outages in those network segments. Yes, that's right, there was a client MAC address with a gateway IP address that brought down that network segment. Uggh. Be careful and inclusive when setting this up!

Colleen Szymanik
Sr. Network Engineer
ISC Networking & Telecommunications
University of Pennsylvania

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ryan Holland
Sent: Friday, December 09, 2011 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Odd issue with Aruba wireless...

If I may stem off Stan's post, please plan well if you also have remote APs. The remote AP is a VPN user first and requires specific policies in the 'validuser' ACL as well. In addition to DHCP, Secure PAPI, NAT-T, and L2TP could also be required.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906 holland@osu.edu
Submit a Kudos to an OCIO employee! <http://www.surveygizmo.com/s/514095/giveociokudos>

On Dec 9, 2011, at 11:09 AM, Brooks, Stan wrote:

For all the Aruba users out there, I thought that a config example and explanation of the validuser ACL might be helpful. Here is the snippet of our config (somewhat sanitized) for those that are interested:

    netdestination validwirelessnetworks   !# List your wireless client subnets here
      network 10.16.0.0 255.255.0.0
      network 10.18.0.0 255.255.0.0
    !
    netdestination arubacontrollers   !# List your wireless controller mgmt addresses or networks here
      network
    !

    ip access-list session validuser
      any any svc-dhcp permit   !# Needed for passing initial DHCP requests
      alias validwirelessnetworks any any permit
    !

Note there is an implied deny all after the last entry in the validuser ACL, so anything not listed is denied. If you are using Mesh APs, you may need additional statements to allow their traffic - talk with your Aruba Support staff for details.

-> Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Osborne, Bruce W [bosbo...@liberty.edu]
Sent: Friday, December 09, 2011 8:04 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Odd issue with Aruba wireless...

You really need to setup your validuser ACL. The default configuration is not meant for a production environment.

We recently had an issue because our deny based validuser ACL had not been updated when the network topology changed, adding additional subnets. Some user had our webmail server's address, so webmail did not work for users on that wireless controller.

For the short term, we have added additional denies, but we will move to a permit based validuser over Christmas break.

A permit based validuser ACL is Aruba's current recommendation.

Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

-----Original Message-----
From: Jeff Kell [mailto:jeff-k...@utc.edu]
Sent: Thursday, December 08, 2011 3:06 PM
Subject: Re: Odd issue with Aruba wireless...

Our "validuser" isn't customized (other than denying 169.254). We do not do a lot of filtering, but were setup to suppress broadcast/multicast between wireless clients (as you can probably tell, I'm not the Aruba detail configuration wizard).

The final packet captures that helped identify the real issue were only seeing broadcasts from the router, or broadcasts from the local client (ARPing the router gateway address). It appears that the broadcast traffic that should have been echoed out to the wired side simply stopped.

Jeff

On 12/8/2011 2:57 PM, Colleen Szymanik wrote:

We saw similar issues. User table entries had usernames associated with our DNS servers. We did a great deal of debugging with traces, Aruba TAC and other customer discussions. We have validuser ACL entries setup to prevent all this. It seems that occasionally devices can echo packets and inject into the user table. Without protections such as validuser, it could cause connectivity issues depending on the role these entries receive. The cleanest thing we've seen done is to define variabl
RE: [WIRELESS-LAN] Odd issue with Aruba wireless...
Thanks for the follow up, Ryan! I sanitized those entries out of our validuser ACL for clarity on the list.

We've been actively using the validuser ACL for 4 or 5 years now. While Aruba may say the "allow DHCP" isn't needed in a particular code version, we found it was when we first started using the validuser - and I'm not pulling it out for fear of breaking all of wireless with new code revisions that do need it.

One point to remember is that the validuser ACL is very powerful and can be difficult to troubleshoot. It applies to ALL wireless (and possibly wired) users. Its main purpose is to prevent mis-configured clients (static and self-assigned IP addresses) from being added to the user table. It's very easy to forget about it when adding new wireless subnets - until users get connected but can't pass traffic. It invariably bites my butt every year or so when adding additional subnet ranges.

>>-> Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com
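An offline audit for the two pitfalls raised in this thread: a client subnet missing from the permit list, and an infrastructure address that still sits inside a permitted subnet. This is an added example, not code from any list member's post; the addresses, the scope list, the function names and the first-match model (service-specific rules ignored) are assumptions of the example.

```python
import ipaddress

# Constructed sample in the syntax quoted in this thread. 10.16.0.1 is a made-up
# gateway; the deny line uses the "host ... deny position 1" form from the thread.
SAMPLE_CONFIG = """
netdestination validwirelessnetworks   !# wireless client subnets
  network 10.16.0.0 255.255.0.0
  network 10.18.0.0 255.255.0.0
!
ip access-list session validuser
  any any svc-dhcp permit
  alias validwirelessnetworks any any permit
  host 10.16.0.1 any any deny position 1
!
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_source(tok, aliases):
    """Return (networks, tokens consumed) for the source part of a rule."""
    if tok[0] == "any":
        return [ANY], 1
    if tok[0] == "host":
        return [ipaddress.ip_network(tok[1] + "/32")], 2
    if tok[0] == "network":
        return [ipaddress.ip_network(f"{tok[1]}/{tok[2]}")], 3
    if tok[0] == "alias":
        return aliases.get(tok[1], []), 2
    raise ValueError("unsupported source: " + " ".join(tok))

def parse_validuser(text):
    """Return the validuser rules, in match order, as (networks, service, action)."""
    aliases, rules, section, name = {}, [], None, None
    for raw in text.splitlines():
        tok = raw.split("!#")[0].split()          # strip trailing !# comments
        if not tok:
            continue
        if tok[0] == "!":                         # end of a config block
            section = None
        elif tok[0] == "netdestination" and len(tok) > 1:
            section, name = "dest", tok[1]
            aliases[name] = []
        elif tok[:3] == ["ip", "access-list", "session"]:
            section = "acl" if tok[3:4] == ["validuser"] else None
        elif section == "dest":
            # A bare "network" (address sanitized out, as in the thread) is skipped.
            if (tok[0], len(tok)) in (("network", 3), ("host", 2)):
                aliases[name].extend(parse_source(tok, aliases)[0])
        elif section == "acl":
            nets, used = parse_source(tok, aliases)
            rest = tok[used:]
            idx = next((i for i, t in enumerate(rest) if t in ("permit", "deny")), 0)
            if idx == 0:
                continue                          # no service/action pair: ignore
            rule = (nets, rest[idx - 1], rest[idx])
            if "position" in rest[idx:-1]:        # 1-based insert, e.g. "position 1"
                rules.insert(int(rest[rest.index("position") + 1]) - 1, rule)
            else:
                rules.append(rule)
    return rules

def admitted(rules, ip):
    """First match wins; unmatched addresses hit the implied deny-all.
    Assumption: service-specific rules (svc-dhcp) pass that protocol only and
    do not validate the source address for general traffic."""
    addr = ipaddress.ip_address(ip)
    for nets, service, action in rules:
        if service == "any" and any(addr in n for n in nets):
            return action == "permit"
    return False

def scope_covered(rules, cidr):
    """True if one permit rule contains the whole scope. Smaller deny carve-outs
    (gateway hosts) are ignored; a scope spanning two entries reports False."""
    scope = ipaddress.ip_network(cidr)
    for nets, service, action in rules:
        if service == "any" and any(scope.subnet_of(n) for n in nets):
            return action == "permit"
    return False

def audit(config, dhcp_scopes, infrastructure):
    """Report both failure modes described in the thread."""
    rules = parse_validuser(config)
    return {
        # Clients in these scopes get a lease, then have all traffic dropped.
        "uncovered_scopes": [s for s in dhcp_scopes if not scope_covered(rules, s)],
        # These addresses would still be accepted into the user table.
        "admitted_infrastructure": sorted(
            n for n, ip in infrastructure.items() if admitted(rules, ip)),
    }

if __name__ == "__main__":
    # Constructed inventory: 10.20.0.0/16 stands for a newly added client subnet.
    report = audit(SAMPLE_CONFIG,
                   ["10.16.0.0/16", "10.18.4.0/24", "10.20.0.0/16"],
                   {"gw-10.16": "10.16.0.1", "gw-10.18": "10.18.0.1", "dns": "10.1.1.53"})
    for key, items in report.items():
        print(f"{key}: {items}")
```

Running the audit from the DHCP scope inventory each time a subnet is added catches the forgotten-subnet case before users do, and any name it lists under admitted_infrastructure needs its own host deny ahead of the subnet permit.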
Re: [WIRELESS-LAN] Odd issue with Aruba wireless...
If I may stem off Stan's post, please plan well if you also have remote APs. The remote AP is a VPN user first and requires specific policies in the 'validuser' ACL as well. In addition to DHCP, Secure PAPI, NAT-T, and L2TP could also be required.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906 holland@osu.edu
Submit a Kudos to an OCIO employee!
Re: [WIRELESS-LAN] Odd issue with Aruba wireless...
Our "validuser" isn't customized (other than denying 169.254). We do not do a lot of filtering, but were setup to suppress broadcast/multicast between wireless clients (as you can probably tell, I'm not the Aruba detail configuration wizard).

The final packet captures that helped identify the real issue were only seeing broadcasts from the router, or broadcasts from the local client (ARPing the router gateway address). It appears that the broadcast traffic that should have been echoed out to the wired side simply stopped.

Jeff

On 12/8/2011 2:57 PM, Colleen Szymanik wrote:
> We saw similar issues. User table entries had usernames associated with our DNS servers. We did a great deal of debugging with traces, Aruba TAC and other customer discussions. We have validuser ACL entries setup to prevent all this. It seems that occasionally devices can echo packets and inject into the user table. Without protections such as validuser, it could cause connectivity issues depending on the role these entries receive. The cleanest thing we've seen done is to define variables with all your validuser entries as a white list and everything else should be denied.
>
> Colleen Szymanik
> Sr. Network Engineer
> ISC Networking & Telecommunications
> University of Pennsylvania
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brooks, Stan
> Sent: Wednesday, December 07, 2011 3:45 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Odd issue with Aruba wireless...
>
> Jeff -
>
> Besides the "only affects Win7" comment, this sounds like it could be an Aruba "validuser" ACL issue. If you've modified that ACL from the default of allow all IP addresses, it would block all but the specific allowed addresses. The symptoms are user gets a valid IP address from DHCP, then all their traffic is blocked because their IP is not in the validuser ACL. I get bit by that problem every time I add a subnet and forget to add it to the list of valid networks in our validuser ACL. Just a thought...
>
> >>-> Stan Brooks - CWNA/CWSP
> Emory University
> University Technology Services
> 404.727.0226
> AIM/Y!/Twitter: WLANstan
> MSN: wlans...@hotmail.com
> GoogleTalk: wlans...@gmail.com
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeff Kell [jeff-k...@utc.edu]
> Sent: Wednesday, December 07, 2011 2:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Odd issue with Aruba wireless...
>
> Having a strange issue with our wireless today... wondered if it rings any bells... seems to just be affecting Win7...
>
> Clients associate with access points fine, but shows "limited internet connectivity".
>
> Mouse-over wireless icon and it shows "unidentified network" (same in network and sharing center); although list of SSIDs shows the same expected SSID as Connected.
>
> Client RADIUS works fine (verified controller and radius server), dropped on production role.
>
> DHCP transaction is normal, request received and ACKed.
>
> Wireless router shows MAC address in expected vlan, and ARP entry shows expected IP address with the MAC.
>
> "ipconfig /all" shows correct IP, mask, gateway, DNS, and DHCP servers. No stray IPv6 or tunnel adapters.
>
> "route print" shows all expected correct entries for wireless. No stray IPv6 (other than loopback and link-local). Default points to default gateway IP.
>
> "arp -a" does *NOT* show an entry for the default gateway, and client is unable to "ping" the default gateway.
>
> I'm baffled :)
>
> Jeff
>
> **
> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
>
> This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited.
>
> If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).
RE: [WIRELESS-LAN] Odd issue with Aruba wireless...
We saw similar issues. User table entries had usernames associated with our DNS servers. We did a great deal of debugging with traces, Aruba TAC and other customer discussions. We have validuser ACL entries setup to prevent all this. It seems that occasionally devices can echo packets and inject into the user table. Without protections such as validuser, it could cause connectivity issues depending on the role these entries receive. The cleanest thing we've seen done is to define variables with all your validuser entries as a white list and everything else should be denied.

Colleen Szymanik
Sr. Network Engineer
ISC Networking & Telecommunications
University of Pennsylvania
RE: [WIRELESS-LAN] Odd issue with Aruba wireless...
Jeff -

Besides the "only affects Win7" comment, this sounds like it could be an Aruba "validuser" ACL issue. If you've modified that ACL from the default of allow all IP addresses, it would block all but the specific allowed addresses. The symptoms are user gets a valid IP address from DHCP, then all their traffic is blocked because their IP is not in the validuser ACL. I get bit by that problem every time I add a subnet and forget to add it to the list of valid networks in our validuser ACL. Just a thought...

>>-> Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com
Re: [WIRELESS-LAN] Odd issue with Aruba wireless...
That sounds like a firewall issue. Have you checked what role your users are being put into and what access it allows? We had problems early in our roll-out with users being dropped into a "logon" role, which is designed to give access only to the web portal service.

--
Bruce A. Hudson | bruce.hud...@dal.ca
ITS, Networks and Systems | Dalhousie University | Halifax, Nova Scotia, Canada | (902) 494-3405
Re: [WIRELESS-LAN] Odd issue with Aruba wireless...
I just ran into a very similar problem and debugged it with Aruba support. Please check your user-table for the IP address of your server.

    (Aruba) #show user-table | include ip-address

If you see an entry in the user-table check to see what role it is assigned. My SMTP server kept showing up and was being put into a role that would now allow SMTP communication. DOH!

The fix is to add the ip address of the server to the validuser acl.

    configure terminal
    ip access-list session validuser
    host ip_address_of_server any any deny position 1
    write memory

This will modify the validuser acl and tell it not to add the IP address of your server to the user-table.

Let me know if this fixes your problem also.

Kade

On 7 Dec 2011, at 2:18 PM, Ryan Holland wrote:
> Client's ARP request obviously reaches its default-gateway, but the ARP response from the default-gateway is seemingly not reaching your client. Do a packet-capture on the client to confirm continuous ARP requests for default gateway with no responses. Then, mirror the port on the Aruba controller and see if the ARP response from the default gateway at least makes it that far.
>
> With those two data points, you should be able to continue tracing the path to determine where it is dropped.
>
> ==
> Ryan Holland
> Network Engineer, Wireless
> Office of the Chief Information Officer
> The Ohio State University
> 614-292-9906 holland@osu.edu
>
> Submit a Kudos to an OCIO employee!

Kade P. Cole - kc...@siue.edu - (618) 650-3377
Southern Illinois University Edwardsville - ITS Network and Infrastructure - Network Engineer III
Re: [WIRELESS-LAN] Odd issue with Aruba wireless...
On 12/7/2011 3:17 PM, Kellogg, Brian D. wrote:
> We saw issues very similar to this last year and we run a Cisco WLAN. Updating the client drivers fixed the issue in our case sometimes. Other times it was a problem with a firewall network driver shim and removing it fixed the issue.

Packet capture from an affected client was only showing broadcast traffic (from the client, and ARP broadcasts from the router). Nothing else. There were *no* replies seen (even to our own ARPs). It appears the controller "broadcast suppression" had extended itself to the wired/router side of the controller.

Rebooting the controller seems to have resolved the issue. (Our dorm controller was unaffected)

Was on an M3 controller running 6.1.2.4 for anyone keeping score :)

Jeff
Re: [WIRELESS-LAN] Odd issue with Aruba wireless...
Client's ARP request obviously reaches its default-gateway, but the ARP response from the default-gateway is seemingly not reaching your client. Do a packet-capture on the client to confirm continuous ARP requests for default gateway with no responses. Then, mirror the port on the Aruba controller and see if the ARP response from the default gateway at least makes it that far.

With those two data points, you should be able to continue tracing the path to determine where it is dropped.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906 holland@osu.edu
Submit a Kudos to an OCIO employee!
Re: [WIRELESS-LAN] Odd issue with Aruba wireless...
We have seen this issue lately as well, but we use Extreme wireless, Cisco Home wireless in the repair lab, and Ruckus. We went through the ideas of viruses, bots, worms, etc. This has occurred on two of our students' laptops. Exact same indications that you describe. We came to the conclusion that the ethernet controller had failed since the hardline indicated the same thing. We could put a USB wireless adapter on and successfully connect. Weird. This has only shown up on Win7 laptops.

Harry Rauch
Sr. Network Analyst
Eckerd College
4200 - 54th Ave S
St. Petersburg, FL 33711