Our "validuser" isn't customized (other than denying 169.254).  We do not do a
lot of filtering, but were set up to suppress broadcast/multicast between
wireless clients (as you can probably tell, I'm not the Aruba detail
configuration wizard).

The final packet captures that helped identify the real issue were only seeing
broadcasts from the router, or broadcasts from the local client (ARPing the
router gateway address).  It appears that the broadcast traffic that should
have been echoed out to the wired side simply stopped.

Jeff

On 12/8/2011 2:57 PM, Colleen Szymanik wrote:
> We saw similar issues.  User table entries had usernames associated with our 
> DNS servers.  We did a great deal of debugging with traces, Aruba TAC and 
> other customer discussions.  We have validuser ACL entries set up to prevent 
> all this.  It seems that occasionally devices can echo packets and inject 
> into the user table.  Without protections such as validuser, it could cause 
> connectivity issues depending on the role these entries receive.  The 
> cleanest thing we've seen done is to define variables with all your validuser 
> entries as a white list and everything else should be denied.  
>
> Colleen Szymanik
> Sr. Network Engineer
> ISC Networking & Telecommunications 
> University of Pennsylvania
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brooks, Stan
> Sent: Wednesday, December 07, 2011 3:45 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Odd issue with Aruba wireless...
>
> Jeff -
>
> Besides the "only affects Win7" comment, this sounds like it could be an 
> Aruba "validuser" ACL issue.  If you've modified that ACL from the default of 
> allow all IP addresses, it would block all but the specific allowed 
> addresses.  The symptoms are user gets a valid IP address from DHCP, then all 
> their traffic is blocked because their IP is not in the validuser ACL.  I get 
> bit by that problem every time I add a subnet and forget to add it to the 
> list of valid networks in our validuser ACL.  Just a thought...
>
>>> -> Stan Brooks - CWNA/CWSP
>       Emory University
>       University Technology Services
>       404.727.0226
> AIM/Y!/Twitter: WLANstan
>            MSN: wlans...@hotmail.com
>     GoogleTalk: wlans...@gmail.com
>
> ________________________________________
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeff Kell 
> [jeff-k...@utc.edu]
> Sent: Wednesday, December 07, 2011 2:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Odd issue with Aruba wireless...
>
> Having a strange issue with our wireless today... wondered if it rings any 
> bells... seems to just be affecting Win7...
>
> Clients associate with access points fine, but shows "limited internet 
> connectivity".
>
> Mouse-over wireless icon and it shows "unidentified network" (same in network 
> and sharing center); although list of SSIDs shows the same expected SSID as 
> Connected.
>
> Client RADIUS works fine (verified controller and radius server), dropped on 
> production role.
>
> DHCP transaction is normal, request received and ACKed.
>
> Wireless router shows MAC address in expected vlan, and ARP entry shows 
> expected IP address with the MAC.
>
> "ipconfig /all" shows correct IP, mask, gateway, DNS, and DHCP servers.  No 
> stray IPv6 or tunnel adapters.
>
> "route print" shows all expected correct entries for wireless.  No stray IPv6 
> (other than loopback and link-local).  Default points to default gateway IP.
>
> "arp -a" does *NOT* show an entry for the default gateway, and client is 
> unable to "ping" the default gateway.
>
> I'm baffled :)
>
> Jeff
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
>

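An audit for the two validuser failure modes described in the thread (a client subnet left off the whitelist, and user-table entries landing on infrastructure addresses), as an added example that is not from any poster and is not Aruba configuration syntax. The networks, addresses and usernames are constructed, and the deny-before-permit evaluation order is an assumption.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the thread).
VALIDUSER_PERMIT = ["10.20.0.0/16", "172.16.40.0/22"]   # whitelist entries
VALIDUSER_DENY = ["169.254.0.0/16", "10.20.0.53/32"]    # link-local, a DNS server
CLIENT_SUBNETS = ["10.20.8.0/21", "172.16.40.0/23", "172.16.48.0/24"]
USER_TABLE = [("10.20.9.17", "alice"), ("10.20.0.53", "bob"),
              ("192.0.2.10", "carol")]


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def uncovered_subnets(client_subnets, permit):
    """Client subnets not fully inside the whitelist: clients there get a
    DHCP lease and are then blocked by the implicit deny."""
    # Merge adjacent/overlapping permits so a subnet spanning two entries counts.
    merged = list(ipaddress.collapse_addresses(_nets(permit)))
    return [s for s in client_subnets
            if not any(ipaddress.ip_network(s).subnet_of(p) for p in merged)]


def classify(ip, permit, deny):
    """Assumed order: explicit denies, then whitelist, then deny everything."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in _nets(deny)):
        return "deny-listed"
    if any(addr in n for n in _nets(permit)):
        return "permit"
    return "deny-default"


def suspicious_entries(user_table, permit, deny):
    """User-table rows whose IP the ACL should never have admitted, e.g. a
    username attached to a DNS server address."""
    flagged = []
    for ip, user in user_table:
        verdict = classify(ip, permit, deny)
        if verdict != "permit":
            flagged.append((ip, user, verdict))
    return flagged


if __name__ == "__main__":
    print("subnets missing from whitelist:",
          uncovered_subnets(CLIENT_SUBNETS, VALIDUSER_PERMIT))
    for row in suspicious_entries(USER_TABLE, VALIDUSER_PERMIT, VALIDUSER_DENY):
        print("suspicious user-table entry:", row)
```

Running the subnet check whenever a DHCP scope is added catches the omission before clients report a valid lease with no connectivity.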