BSHcow
New Contributor

Aruba SSL Issue

Fortigate 81F v7.4.1

 

I have some Aruba APs at a new site. 7 of the 12 connect to Aruba Central without a problem, but 5 of them give a certificate error. All APs connect through the same switch, VLAN and DHCP scope. All can ping externally using DNS and by IP.

 

The APs are trying to connect to device-uswest4.central.arubanetworks.com.  I found that the working ones resolve that to 44.226.202.64 and the non-working ones resolve to 208.91.112.55, which seems to be fortinet-block-page-55.fortinet.com.

 

I have tried all the default SSL inspection security profiles and have removed all other security profiles.

 

Why would some APs be resolving to this Fortinet block page?

 


xshkurti
Staff

@BSHcow 
What are DNS settings of your 5 non-working Aruba APs? Do they have the same DNS configuration?
If you check from Fortigate
# exe ping device-uswest4.central.arubanetworks.com
what ip is resolved?

ytech
New Contributor

Did you find the solution? Having the same problem with FG80F v7.2.6.
Tried different DNS servers/settings on Fortigate, with UTP enabled and disabled.
All Aruba access points are connecting directly to the Fortinet block page 55 IP address.

ap01# ping device-eucentral2.central.arubanetworks.com
Press 'q' to abort.
PING 208.91.112.55 (208.91.112.55): 56 data bytes
64 bytes from 208.91.112.55: icmp_seq=0 ttl=56 time=36.8 ms
64 bytes from 208.91.112.55: icmp_seq=1 ttl=56 time=36.7 ms
64 bytes from 208.91.112.55: icmp_seq=2 ttl=56 time=36.5 ms
64 bytes from 208.91.112.55: icmp_seq=3 ttl=56 time=36.6 ms
64 bytes from 208.91.112.55: icmp_seq=4 ttl=56 time=36.6 ms

--- 208.91.112.55 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 36.5/36.6/36.8 ms

 

pminarik

208.91.112.55 is the default IP address used for blocking domains by DNS filter.

 

Carefully review the policies used by your APs, especially for DNS traffic. Make sure they either don't have DNS profiles enabled, or review those profiles and check if they have any configuration that could lead to blocking those domain names.

 

If the APs are using some internal server for DNS, check relevant policies for that server's own upstream DNS traffic as well.

 

If everything looks fine, consider restarting the APs, maybe they've just cached a previously-blocked result that isn't being blocked anymore.

[ corrections always welcome ]
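As an added diagnostic (not from the thread, Fortinet or Aruba), a small Python script that flags AP name resolutions landing on the DNS-filter block-page address pminarik describes; the block-page IP and the fortinet-block-page PTR name come from the thread, the device names and sample answers are constructed.

```python
"""Spot cloud-controller hostnames being rewritten by a FortiGate DNS filter:
blocked names answer with the block-page IP (208.91.112.55 in the thread)
instead of the real controller address."""
import socket
from collections import Counter

# Default block-page address seen in the thread; add any custom address
# configured in the DNS filter profile.
BLOCK_PAGE_IPS = {"208.91.112.55"}
BLOCK_PAGE_PTR_SUFFIX = ".fortinet.com"

def resolve(hostname):
    """Resolve via this host's own resolver; returns sorted IPv4 strings."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def is_block_page(ip, ptr_name=None):
    """True if ip is a known block-page address or its PTR name looks like one."""
    if ip in BLOCK_PAGE_IPS:
        return True
    name = (ptr_name or "").rstrip(".")
    return name.startswith("fortinet-block-page-") and name.endswith(BLOCK_PAGE_PTR_SUFFIX)

def classify(observations):
    """observations: {device: resolved_ip_or_None} -> {device: verdict}.
    'blocked'   = answer is a block page (DNS filter is rewriting the name)
    'nxdomain'  = no answer at all
    'ok'        = agrees with the majority of non-blocked peers
    'divergent' = a real-looking address that differs from the peers"""
    good = Counter(ip for ip in observations.values() if ip and not is_block_page(ip))
    consensus = good.most_common(1)[0][0] if good else None
    verdicts = {}
    for device, ip in observations.items():
        if ip is None:
            verdicts[device] = "nxdomain"
        elif is_block_page(ip):
            verdicts[device] = "blocked"
        elif ip == consensus:
            verdicts[device] = "ok"
        else:
            verdicts[device] = "divergent"
    return verdicts

if __name__ == "__main__":
    # Constructed sample mirroring the thread: 7 APs get the real address, 5 the block page.
    sample = {f"ap{n:02d}": "44.226.202.64" for n in range(1, 8)}
    sample.update({f"ap{n:02d}": "208.91.112.55" for n in range(8, 13)})
    for dev, verdict in classify(sample).items():
        print(dev, sample[dev], verdict)
```

A device reported as "blocked" points at the DNS filter profile on the policy its DNS traffic (or its internal resolver's upstream traffic) matches, rather than at the AP or its certificate.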
Sheikh
Staff

Hi, do the problematic and working APs have the same DNS settings? If yes and you are still getting the same errors on some of the APs, you can try creating a static DNS entry pointing towards 44.226.202.64.

 

Regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**