All,

So after various good experiences reported here and other places, we 
upgraded our Aruba infrastructure (master-backup pair plus local pair) 
from 6.5.1.1 to 6.5.3.2.  The main problem we were seeing was APs that 
would stop forwarding client traffic, although would otherwise look fine.

As far as we can tell, that problem has been fixed (no reports in over a 
week).  However we now have two new problems:

1. in a single-vlan NATted (to a named pool) 802.1X environment, most 
things work fine.  However connections to Apple AppStore, iTunes, and 
maybe also Wifi Calling keep failing from time to time.  This becomes 
apparent as you click around the AppStore interface on a Mac or an iPhone, 
it will periodically say that it could not connect.  How long it can't 
connect for seems quite variable.  We have observed that definitely when 
the problem is there, show datapath session table shows lines with flags 
FSDYC, specifically 'D' for deny, always to an akamai host.  We're 
allowing most traffic through, it makes no sense to us why this akamai 
https traffic gets blocked.

2. in a captive portal environment, non-authenticating (it's an onboarding 
SSID with a helpful webpage and links to whitelisted destinations), which 
worked previously, DHCP works fine, but DNS does not.  Queries do not get 
an answer, even though there is an ACL permitting DNS traffic to our 
resolvers.  Because of this, when you visit a random website, because 
there's no DNS resolution, the captive portal page doesn't appear.  You 
can trigger the captive portal to appear by entering a destination by IP 
address in the browser, so that part does seem to work (but of course 
can't get to any of the whitelist destinations).  It seems very 
specifically related to the fact that DNS no longer works.

There may be some inter-relationship between these problems: it appears to 
us that not all the policies, or their ACLs, are being matched all the 
time for a given role.

Has anyone observed anything like this?  We've been through the release 
notes and not found anything to suggest a change in the way we've done our 
config, so we're rather flummoxed.

(Yes, I know 6.5.3.2 has just been superseded by 6.5.3.3, sigh).

Thanks for any thoughts,

J.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
