Sid,

We know from personal experience of running into this issue several years ago. Like David, we’ve instituted a few validuser ACLs (I actually use aliases for those subnets, so that I can re-use them in other places and to give a description of those valid IP addresses).

After finding the offending device, I was 99% positive it was malicious, but as I dived into the rabbit hole I discovered it was just a stupid malfunctioning device... a Roku Stick. I’ve also seen this behavior on other devices that make use of a “Router/IP Sharing” SSID such as Roku’s “Dorm Mode” or “Internet Sharing” with Windows. The Roku generates its own SSID (“AP Mode”) while connecting to our infrastructure SSID; it’s not bridged but routed, based on the fact that when you connect your phone or computer to the Roku’s SSID you’re assigned a 192.168.X private IP address.

What I suspect happened in our scenario (I’ll use your 23.185.0.1 address for example):

1. Student connected Roku to Guest SSID.
2. Roku prompted student to use “Dorm Mode”.
3. Student connected to Roku with iPhone or computer with a “home page” of our institution’s website.
4. The Roku “mis-routed” a single packet (Source: 23.185.0.1, Destination: 192.168.X.X). Instead of sending it to the “private network” wifi interface to the user’s iPhone or computer, it sent it out the “infrastructure network” interface, which, based on how a “User” gets into the table (https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=95f4108f-5927-4700-891c-89fd218d0d4e), was assigned the guest unauthenticated policy, denying all traffic except ICMPs.

I first started suspecting things weren’t as “simple” as they may be when I noticed Rokus were “claiming” the IP addresses of Google. What was funny was seeing the controller prevent one Roku from entering the user-table with a Google IP address, ONLY because another Roku had already sourced a packet with Google’s IP address. If you add an “any any any deny” with the “LOG” option enabled, you can see ALL the invalid sessions that would have entered the user-table, including their destinations. I was only able to “partially replicate the behavior”, but it’s still a strong case.

A few links down below:

How the user gets into the user-table of the controller:
https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=95f4108f-5927-4700-891c-89fd218d0d4e

IP Address Leaking:
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=39207#bm69bbf671-9e9b-4302-b11c-0965445bff7e

Some info from the ArubaOS Hardening Guide:
https://community.arubanetworks.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=d9518fcc-d8f1-440b-8f5d-68522d3be364
Pages 26 and 27 go into detail about “validuser” and “local-valid-users”; “local-valid-users” requires the controller to have an IP address on that VLAN interface. There’s also the “Enforce DHCP” option in each AAA Aruba profile, essentially a per-SSID setting.

https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=de2277df-ff0e-41c1-9efb-643c0a04cf5c
https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=99300862-622e-4dd5-9af4-f2d745b49db4
http://www.commsolutions.com/2011/10/eliminate-duplicate-client-entries-in-your-aruba-controller-for-clients-with-more-than-one-ip-address-or-network-interface/ (BROKEN LINK now ☹)

Unfortunately the video link I had from commsolutions is a broken link now; they had a presentation demonstrating this issue. One of their customers, for whatever reason, had their guests manually enter the IP addresses onto their iPads, and someone flip-flopped the “IP Address” and the “Default Gateway”... which started denying traffic for the default gateway. Whoops!

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Mike Fitzgerald
Sent: Tuesday, September 07, 2021 12:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] Websites inaccessible from wireless network - Aruba
Check your valid user table config to make sure you only allow the IP ranges your DHCP server would give a wireless client. Otherwise, you can end up with user table entries for destination IPs, and then those IPs get policed by the controller as you were seeing. Aruba default for that config used to allow any any, which is bad...

Mike

On Tue, Sep 7, 2021 at 12:04 PM Sidharth Nandury <nandu...@denison.edu> wrote:

So..... sigh! It seems like an end client either statically or for some unknown reason got assigned the IP address for these websites. The role that the client was assigned had a policy to "deny" traffic to the internet (as per design). The part that we did not know was that when a client is going to a particular destination, the controllers look at the user table to see if there is an IP and a route available before even going to the role-based ACLs. Once we blacklisted the client or deleted the client from the user-table, the websites were accessible again.

Sid

On Tue, Sep 7, 2021 at 11:29 AM Norman Mourtada <nmourt...@suffolk.edu> wrote:

With 8.6.0.9, no issues.
(Aruba7220-MC-05) *#show datapath session | include 35.186.224.25
35.186.224.25 172.16.122.193 6 443 58612 0/0 0 24 3 tunnel 2306 a5 69 11747 17
172.16.126.143 35.186.224.25 6 65364 443 0/0 0 24 0 tunnel 1718 1a 29 3592 TC 26
172.18.91.115 35.186.224.25 6 56982 443 0/0 0 0 0 tunnel 1102 505 145 24120 C 29
172.16.174.33 35.186.224.25 6 54373 443 0/0 0 24 0 tunnel 2773 6da 9576 1018764 TC 21
35.186.224.25 172.16.166.198 6 443 60052 0/0 0 24 1 tunnel 133 de 371 269692 31
172.16.172.51 35.186.224.25 6 63940 443 0/0 0 24 3 tunnel 862 5c 17 2849 TC 30
172.19.90.133 35.186.224.25 6 54371 443 0/0 0 24 0 tunnel 1509 890 161 33426 TC 18
172.19.91.45 35.186.224.25 6 62292 443 0/0 0 24 2 tunnel 1630 4d 14 2502 TC 27
35.186.224.25 172.16.166.198 6 443 60050 0/0 0 24 14 tunnel 133 de 24 8727 31
172.16.176.74 35.186.224.25 6 58973 443 0/0 0 24 2 tunnel 1964 236 35 5322 TC 16
172.16.176.193 35.186.224.25 6 61015 443 0/0 0 24 1 tunnel 2160 10 44 15853 FTC 20

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Dan Oachs
Sent: Tuesday, September 7, 2021 10:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXTERNAL] Re: [WIRELESS-LAN] Websites inaccessible from wireless network - Aruba

Not seeing that issue here.
We are on 8.7.1.4

(aruba-controller-1) #show datapath session | include 35.186.224.25
35.186.224.25 138.236.104.67 6 443 64918 0/0 0 1 1 tunnel 6347 3cc 307 50335 15
138.236.82.47 35.186.224.25 6 57491 443 0/0 0 0 4 tunnel 5540 382 179 117595 C 30
35.186.224.25 138.236.248.10 6 443 54342 0/0 0 1 1 tunnel 972 e 209 16359 23
35.186.224.25 138.236.82.47 6 443 57491 0/0 0 1 4 tunnel 5540 382 189 45940 30
138.236.104.67 35.186.224.25 6 64918 443 0/0 0 0 1 tunnel 6347 3cd 345 38357 C 29
35.186.224.25 138.236.232.120 6 443 61505 0/0 0 1 0 tunnel 7052 c 151 49165 22
138.236.250.85 35.186.224.25 6 54833 443 0/0 0 0 1 tunnel 2686 1a 57 16206 C 27
35.186.224.25 138.236.251.120 6 443 51735 0/0 0 1 1 tunnel 7060 8 29 3140 F 13
138.236.250.85 35.186.224.25 6 54834 443 0/0 0 0 2 tunnel 2686 18 152 179792 C 27

--Dan

On Tue, Sep 7, 2021 at 9:40 AM Sidharth Nandury <nandu...@denison.edu> wrote:

Hi All,

Since last Monday we have seen a couple of different websites being blocked on our Aruba wireless controllers. Spotify has been one of the sites, as well as all websites hosted on IP 23.185.0.1 (which is our main institution website - denison.edu). We can confirm that this is being blocked as we see the "D" (Deny) Flag on the wireless controller. Below is an example of traffic being blocked to Spotify. Is anyone using Aruba AOS 8 controllers seeing this?
(wlc-Thor) #show datapath session | include 35.186.224.25
Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags CPU ID
----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------
10.143.203.26 35.186.224.25 6 52082 443 0/0 0 0 0 tunnel 640 1 0 0 FDYCA 21
10.143.195.85 35.186.224.25 6 59767 443 0/0 0 0 0 tunnel 5357 0 0 0 FDYCA 27
10.143.225.178 35.186.224.25 6 52292 443 0/0 0 0 0 tunnel 6753 1 0 0 FDYCA 19
10.143.195.85 35.186.224.25 6 59766 443 0/0 0 0 0 tunnel 5357 1 0 0 FDYCA 27

(wlc-Thor) #show datapath session | include 23.185.0.1
10.143.228.16 23.185.0.1 6 59500 443 0/0 0 0 0 tunnel 16789 a 0 0 FDYCA 18
10.143.244.151 23.185.0.1 6 58758 443 0/0 0 0 0 tunnel 553 1 0 0 FDYCA 23
10.143.228.247 23.185.0.1 6 59063 443 0/0 0 0 0 tunnel 13188 a 6 384 FDYCA 27
10.143.228.247 23.185.0.1 6 59062 443 0/0 0 0 0 tunnel 13188 a 6 384 FDYCA 27
10.143.196.26 23.185.0.1 6 50851 443 0/0 0 0 0 tunnel 5631 1 0 0 FDYCA 17
10.143.196.26 23.185.0.1 6 50852 443 0/0 0 0 0 tunnel 5631 1 0 0 FDYCA 17
10.143.196.26 23.185.0.1 6 50853 443 0/0 0 0 0 tunnel 5631 1 0 0 FDYCA 17

We have two 7240xm controllers running AOS v8.6.9 in a cluster with a Mobility Conductor as a VM. We have a ticket open with TAC and have escalated it up to ERT, but wanted to also reach out to others.

Thank you.

Sid

--
Sidharth S. Nandury (He, Him, His)
Infrastructure and Operations Manager
Information Technology Services
100 West College Street, Granville, OH 43023 | Burton Hall
Office: 740-587-5533 | Mobile: 516-314-4413
nand...@denison.edu
https://denison.edu/campus/technology/service-desk

NOTICE: This email message and all attachments transmitted with it may contain legally privileged and confidential information intended solely for the use of the addressee. If the reader of this message is not the intended recipient, you are hereby notified that any reading, dissemination, distribution, copying, or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender immediately by phone or by email, and delete this message and all copies and backups thereof.
**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
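The two checks the thread converges on, Sid's "look for the D flag in show datapath session" and Mike's "validuser should only permit the ranges DHCP hands to wireless clients", as an added Python example that is not code from any of the posters or from Aruba. It assumes only what the pasted output shows: the first nine columns are fixed, the Destination column is printed as "tunnel <id>", the trailing columns are TAge, Packets, Bytes, Flags, CPU, and the Flags column is omitted on rows with no flags set (Norman's rows have 15 tokens, Sid's 16). The sample rows are copied from Sid's and Norman's pastes; the client ranges, the function names and the D-means-deny reading (Sid's words) are the example's own assumptions. The validuser function is only a model of the allow-list logic, not the controller's ACL.

```python
"""Triage helper for ArubaOS "show datapath session" output (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Session:
    src: str          # Source IP (rows keyed by a MAC are skipped)
    dst: str          # Destination IP
    proto: int
    sport: int
    dport: int
    destination: str  # e.g. "tunnel 16789", as printed in the thread
    tage: str         # hex, kept as printed
    packets: int
    nbytes: int
    flags: str        # "" when the row prints no Flags column
    cpu: int


def parse_session_row(line: str) -> Optional[Session]:
    """Parse one row of the session table.

    Assumptions taken from the rows pasted in the thread: nine fixed leading
    columns, a Destination that may span several tokens ("tunnel <id>"),
    trailing columns TAge Packets Bytes [Flags] CPU, and Flags omitted
    entirely when no flag is set. Prompt, header and separator lines fail
    the IP parse of the first two fields and yield None.
    """
    f = line.split()
    if len(f) < 14:
        return None
    try:
        ipaddress.ip_address(f[0])
        ipaddress.ip_address(f[1])
        if f[-2].isdigit():          # Bytes sits at -2: no Flags column
            flags, tail = "", 4
        else:                        # Flags sits at -2, Bytes at -3
            flags, tail = f[-2], 5
        return Session(src=f[0], dst=f[1], proto=int(f[2]), sport=int(f[3]),
                       dport=int(f[4]), destination=" ".join(f[9:-tail]),
                       tage=f[-tail], packets=int(f[-tail + 1]),
                       nbytes=int(f[-tail + 2]), flags=flags, cpu=int(f[-1]))
    except ValueError:
        return None


def parse_output(text: str) -> List[Session]:
    rows = (parse_session_row(line) for line in text.splitlines())
    return [r for r in rows if r is not None]


def denied_sessions(sessions: Iterable[Session]) -> List[Session]:
    """Sessions carrying the D (Deny) flag Sid pointed at."""
    return [s for s in sessions if "D" in s.flags]


def policed_destinations(sessions: Iterable[Session]) -> Dict[str, int]:
    """Destination IPs of denied sessions with a count each. In the thread
    these were public addresses that had leaked into the user-table; each
    one is a candidate to look up there (and delete if it is not a client)."""
    return dict(Counter(s.dst for s in denied_sessions(sessions)))


def validuser_permits(sourced_ip: str, client_ranges: Iterable[str]) -> bool:
    """Model of the tightened validuser ACL Mike and David describe: permit
    only the ranges the DHCP server hands to wireless clients, deny the rest.
    An address a client sources a packet with enters the user-table only if
    this returns True. Ranges are constructed for the example."""
    ip = ipaddress.ip_address(sourced_ip)
    return any(ip in ipaddress.ip_network(r) for r in client_ranges)


# Sample input: rows copied from Sid's and Norman's pastes, with the prompt,
# header and separator lines, so flagged, unflagged and non-data lines are
# all exercised.
SAMPLE = """\
(wlc-Thor) #show datapath session | include 23.185.0.1
Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags CPU ID
----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------
10.143.228.16 23.185.0.1 6 59500 443 0/0 0 0 0 tunnel 16789 a 0 0 FDYCA 18
10.143.228.247 23.185.0.1 6 59063 443 0/0 0 0 0 tunnel 13188 a 6 384 FDYCA 27
10.143.203.26 35.186.224.25 6 52082 443 0/0 0 0 0 tunnel 640 1 0 0 FDYCA 21
172.16.126.143 35.186.224.25 6 65364 443 0/0 0 24 0 tunnel 1718 1a 29 3592 TC 26
35.186.224.25 172.16.122.193 6 443 58612 0/0 0 24 3 tunnel 2306 a5 69 11747 17
"""

CLIENT_RANGES = ["10.143.0.0/16", "172.16.0.0/12"]  # constructed DHCP scopes

if __name__ == "__main__":
    sessions = parse_output(SAMPLE)
    print(f"{len(sessions)} sessions parsed, {len(denied_sessions(sessions))} denied")
    for dst, n in policed_destinations(sessions).items():
        print(f"  policed destination {dst}: {n} denied session(s)")
    for ip in ("10.143.228.16", "23.185.0.1", "192.168.1.1"):
        print(f"validuser permits {ip}: {validuser_permits(ip, CLIENT_RANGES)}")
```

Run against a full paste, policed_destinations gives the list of destination addresses to check in the user-table; a public address showing up there is the symptom Sid described. The validuser model is the policy side: 10.143.x and 172.16.x sources are permitted, while 23.185.0.1 or a Roku's 192.168.x would be refused an entry instead of being policed as a user.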