Accesspoint ddos my Network

  • 1
  • Question
  • Updated 8 months ago
It seems like my accespoints are DDossing my whole network. Internet-connections are overloaden because of Port 5555 traffic from my accesspoints to other accespoints (See screenshot).



10.176.32.10 is an Accesspoint! 

This problem exists on +/- 50 accesspoints since 21.50 yesterday evening.


The accesspoints are AP141 on the latest firmware (HiveOS 6.5r8b.179369) updated last week.


The only thing I can find about this problem (https://community.aerohive.com/aerohive/topics/we-have-a-hive-of-about-30-aps-on-saturday-the-server...) seems to be related to Bonjour, but we don't have any Bonjour in our configuration.

Does anyone have any Idea? 

Currently we're trying to disable the switchport for the accesspoint after we gave the AP a reboot. This is the only way to get the internet up again. 
Photo of Martijn

Martijn

  • 4 Posts
  • 0 Reply Likes

Posted 8 months ago

  • 1
Photo of Martijn

Martijn

  • 4 Posts
  • 0 Reply Likes
Strange thing: This started exactly a week after updating to HiveOS 6.5r8b.179369
Photo of Jimmy B

Jimmy B

  • 4 Posts
  • 0 Reply Likes

Martin,

I had a similar issue sometime ago.  We disabled Bonjour app in the GUI

Photo of Martijn

Martijn

  • 4 Posts
  • 0 Reply Likes
I saw something simular on this forum, but we haven't got bonjour gateway settings in our config:

Photo of MST

MST

  • 152 Posts
  • 3 Reply Likes
what about if you use Bonjur gateway and experiencing same issue - I don't want to disable that option. Is there any work around?
Photo of Jimmy B

Jimmy B

  • 4 Posts
  • 0 Reply Likes
That is something to engage Aerohive on.......I had no use for it, so it was disabled.
Photo of Joakim Bo Löfman Carli

Joakim Bo Löfman Carli

  • 5 Posts
  • 3 Reply Likes
Hi, 

I have seen this issue before when bonjour-gateway was enabled, I'll suggest that you create a case and work with support to resolve the issue if you have time to investigate it. 

I've had a few customers that has issues with 6.5r8x on AP121s because the bonjour-gateway is enabled automatically even though it's not in the network policy / configuration. 
You can either revert to an older version on HiveOS or use a supplemental CLI to disable the bonjour-gateway with the following command: 

no bonjour-gateway enable

You need to disable it on all APs though, otherwise the issue will just move to another AP that gets elected as BDD.

Hope it helps. 

Best Regards
Joakim 

 
Photo of Gary Smith

Gary Smith, Official Rep

  • 299 Posts
  • 61 Reply Likes
Hi Joakim,

I am interested in this one..

"I've had a few customers that has issues with 6.5r8x on AP121s because the bonjour-gateway is enabled automatically even though it's not in the network policy / configuration."

How are you verifying that it is enabled? On the AP CLI?
If you ran a configuration audit on the AP via the HM, did it show a mismatch? Did it show "no bonjour-gateway enable"?

"You can either revert to an older version on HiveOS"
Does reverting disable the command on the AP? Do you still have to disable bonjour with the CLI command?

" or use a supplemental CLI to disable the bonjour-gateway with the following command: 

no bonjour-gateway enable"
This should not be required if bonjour is not enabled in the network policy? A configuration update should suffice. 

Do you have any examples of this issue right now?

Thanks,
Gary Smith
Photo of Bill W.

Bill W.

  • 222 Posts
  • 35 Reply Likes
Hi Gary,

I'd like to add what I've experienced. If you remove bonjour-gateway from a network policy, it does not disable bonjour-gateway on the APs. In order to disable bonjour-gateway once it has been enabled, you need to use the supplemental CLI or manual CLI.

What I have done after I discovered this was to clone my network polices. In the newly cloned network policies I added a supplemental CLI to disable bonjour gateway. Then I deployed the new network policies.

I discovered this a while ago. When we first deployed Aerohive years ago, all our network polices had bonjour-gateway enabled in the policies. Then earlier this year or last year, we slowly began disabling bonjour-gateway (or so we thought) by removing the config from the network policies. Until relatively recently, we never checked the APs to actually verify that bonjour-gateway wasn't running. We assumed, like I think most people would, that if we removed it from the network policy that it would disable it on the APs. Well, it doesn't. You need to actually enter the "no" command to disable it.

On a side note, why aren't the realms listed alphabetically? I've always hated this. When you have a lot of realms, it's such a pain to find the one you're looking for because the sort order is what appears to be random.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hi Bill,

The default in HiveOS 7.0r4 and later is to disable the Bonjour Gateway by default. Additional CLI therefore has to be present in the configuration to enable it: 

bonjour gateway enable 

In HiveOS 7.0r3 and prior, the default is to enable the Bonjour Gateway by default. 
default. Additional CLI therefore has to be present in the configuration to disable it: 

no bonjour gateway enable

The expected HM behaviour is to generate CLI appropriately based on HiveOS version and if the feature is enabled or disabled in the Network Policy.

With HM 8.1r2, are you saying that it will not generate this CLI as expected for you based on the above?

If you switch between across the change, you need to push a configuration.

Thanks,

Nick
(Edited)
Photo of Martijn

Martijn

  • 4 Posts
  • 0 Reply Likes
How we resolved this:
First of all: Disable all the network ports to the Accesspoints. We had to get rid of the 'DDOS action'. As our connections are 2 to 4 mbit, the accesspoints used all the network capacity. 

A day later we re-enabled the ports on the switches (one by one) and did  a full update (OS & Configuration) on the accesspoint. I've checked a few of them and they had "no bonjour gateway enable" now.

What caused this?
I think it's because of the following procedure: I've updated the accesspoints a week before, but ONLY with the new HiveOS, not a full config. I think the HiveOS (HiveOS 6.5r8b.179369) had overwritten the Bonjour gateway setting. 

Conclusion: 
Always Push HiveOS AND a full configuration when you update. 
(Edited)
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hi Martijn,

Thanks for the update.

To keep this thread updated, we have not yet been able to reproduce an issue other than the expected side effect when switching between HiveOS 7.0r4 and later to HiveOS versions prior, and vice versa, and the need there to perform a configuration update.

Thanks,

Nick