I have some Aruba APs at a new site. 7 of the 12 connect to Aruba Central without a problem, but 5 of them give a certificate error. All APs connect through the same switch, VLAN and DHCP scope. All can ping externally using DNS and by IP.
The APs are trying to connect to device-uswest4.central.arubanetworks.com. I found that the working ones resolve that to 18.104.22.168 and the non-working ones resolve to 22.214.171.124, which seems to be fortinet-block-page-55.fortinet.com.
I have tried all the default SSL inspection security profiles and have removed all other security profiles.
Why would some APs be resolving to this Fortinet block page?
@BSHcow What are the DNS settings of your 5 non-working Aruba APs? Do they have the same DNS configuration? If you check from the FortiGate with "# exe ping device-uswest4.central.arubanetworks.com", what IP is resolved?
Did you find the solution? Having the same problem with FG80F v7.2.6. Tried different DNS servers/settings on the FortiGate, with UTP enabled and disabled. All Aruba access points are connecting directly to the Fortinet block page 55 IP address.
ap01# ping device-eucentral2.central.arubanetworks.com
Press 'q' to abort.
PING 126.96.36.199 (188.8.131.52): 56 data bytes
64 bytes from 184.108.40.206: icmp_seq=0 ttl=56 time=36.8 ms
64 bytes from 220.127.116.11: icmp_seq=1 ttl=56 time=36.7 ms
64 bytes from 18.104.22.168: icmp_seq=2 ttl=56 time=36.5 ms
64 bytes from 22.214.171.124: icmp_seq=3 ttl=56 time=36.6 ms
64 bytes from 126.96.36.199: icmp_seq=4 ttl=56 time=36.6 ms
--- 188.8.131.52 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 36.5/36.6/36.8 ms
184.108.40.206 is the default IP address used by the DNS filter for blocking domains.
Carefully review the policies used by your APs, especially for DNS traffic. Make sure they either don't have DNS profiles enabled, or review those profiles and check if they have any configuration that could lead to blocking those domain names.
If the APs are using some internal server for DNS, check relevant policies for that server's own upstream DNS traffic as well.
If everything looks fine, consider restarting the APs; they may just have cached a previously blocked result that isn't being blocked anymore.
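A small triage script for the symptom in this thread, added here as an example and not code from any poster, Fortinet or Aruba: it takes the A records and PTR names seen from the AP VLAN and from a known-good upstream resolver and flags the three signs of a DNS-filter substitution (resolvers disagree, the answer's PTR is a block-page name, one address is handed out for unrelated names). The control hostname control.example.net and its address 192.0.2.10 are constructed; the two Aruba Central addresses are the ones quoted in the thread.

```python
import socket
from collections import defaultdict

# Hostnames quoted in the thread, and PTR substrings that mark a DNS-filter landing address.
CENTRAL_HOSTS = ("device-uswest4.central.arubanetworks.com", "device-eucentral2.central.arubanetworks.com")
BLOCK_PAGE_MARKERS = ("block-page", "blockpage")

def analyze(observations):
    """observations: (resolver_label, qname, ip, ptr_or_None) rows -> {qname: [findings]}."""
    answers = defaultdict(lambda: defaultdict(set))   # qname -> resolver -> {ip}
    names_for_ip = defaultdict(set)                   # (resolver, ip) -> {qname}
    ptr = {}
    for resolver, qname, ip, ptr_name in observations:
        answers[qname][resolver].add(ip)
        names_for_ip[(resolver, ip)].add(qname)
        if ptr_name:
            ptr[ip] = ptr_name.lower()
    findings = {}
    for qname, per_resolver in answers.items():
        notes, sets = [], list(per_resolver.values())
        if any(s != sets[0] for s in sets[1:]):   # the AP VLAN and a known-good upstream disagree
            notes.append("resolvers disagree: " + ", ".join(
                f"{r}={sorted(i)}" for r, i in per_resolver.items()))
        for resolver, ips in per_resolver.items():
            for ip in sorted(ips):
                if any(m in ptr.get(ip, "") for m in BLOCK_PAGE_MARKERS):
                    notes.append(f"{resolver} answered {ip} (PTR {ptr[ip]}): DNS-filter block page")
                shared = names_for_ip[(resolver, ip)] - {qname}
                if shared:   # one address handed out for unrelated names: sinkhole/block-page pattern
                    notes.append(f"{resolver} answered {ip} for {sorted(shared)} too")
        findings[qname] = notes
    return findings

def observe(qname, resolver_label="system"):
    """One row per A record via this host's resolver (stdlib only); run on the AP VLAN, then behind a known-good upstream, and pass both row lists to analyze()."""
    rows = []
    for info in socket.getaddrinfo(qname, 443, socket.AF_INET, socket.SOCK_STREAM):
        ip = info[4][0]
        try:
            ptr_name = socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            ptr_name = None
        rows.append((resolver_label, qname, ip, ptr_name))
    return rows

# Constructed sample mirroring the thread: working APs get 18.104.22.168, failing ones 22.214.171.124.
SAMPLE = [
    ("upstream", CENTRAL_HOSTS[0], "18.104.22.168", None),
    ("ap-vlan", CENTRAL_HOSTS[0], "22.214.171.124", "fortinet-block-page-55.fortinet.com"),
    ("ap-vlan", CENTRAL_HOSTS[1], "22.214.171.124", "fortinet-block-page-55.fortinet.com"),
    ("ap-vlan", "control.example.net", "192.0.2.10", None),  # constructed control name and address
]
```

Running analyze(SAMPLE) reports all three signals for the uswest4 name and none for the control name; a clean result from the AP VLAN but a failing AP then points at cached answers on the AP rather than at the DNS filter.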