ArubaOS and Controllers

New Contributor
Posts: 3
Registered: ‎05-17-2011

Issue with VPN through a 3400 controller

Hi,
I have a guest network setup in my building that has its own DSL connection to the public web. Today if a user connects to the guest access they are put into a vlan that does not exist on my network, and the traffic is shipped directly off of an interface on my 3400 to the DSL modem and onto the internet (never hits the corporate network other than the controller). I am running into an issue where if a user attempts to connect to their remote VPN server they don't get to the point where they are asked for authentication. Today I am primarily testing with a Cisco VPN client, and never get the authentication box. I have done some captures on an ASA I am testing with and I do see traffic between the devices, but for the most part it is not much. If I do a show isa sa the firewall state for the peer is "AM_WAIT_MSG3". This is the extent of what the capture looks like from the ASA:
1: 10:29:29.034910 Client.51730 > VPNServer.500: udp 871
2: 10:29:29.038114 VPNServer500 > Client.51730: udp 408
And that's all I get. From the client using Wireshark you see a response from the VPN server on source port 500, dst port 51730 but still do not get an authentication prompt from the VPN client. I have also tried VPN from an iPad as well as an Android based tablet and neither seem to ever connect with the remote server. On the 3400 I have enabled the VPN login service under firewall policies for the guest role which the user is placed in. If I take the same laptop I am testing from and take it home and connect to the same ASA, everything works with no issues. Any help/tips would be greatly appreciated. Thanks
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: Issue with VPN through a 3400 controller

What role does the user end up in on the Aruba Controller when he is trying to initiate a VPN connection? Go to the commandline of the controller and type "show rights " and paste in the output.

A lot of Cisco VPN clients need port 10000 open... The "show rights" command will probably show if that is the case.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 3
Registered: ‎05-17-2011

Re: Issue with VPN through a 3400 controller

guest 3 Up: No Limit,Dn: No Limit Block_Guest_to_Internal/,vpnlogon/,http-acl/,https-acl/,dhcp-acl/,icmp-acl/,dns-acl/,v6-http-acl/,v6-https-acl/,v6-dhcp-acl/,v6-icmp-acl/,v6-dns-acl/ User

block guest to internal consists of this:
IPv4 user 192.168.0.0 255.255.0.0 any deny send-deny-response Yes Low
IPv4 user 172.16.0.0 255.255.0.0 any deny send-deny-response Yes Low

but everything else is left as the default configured services.
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: Issue with VPN through a 3400 controller

Alright.

Since you are blocking everything that you need to early in the role, why don't you add the "allowall" ACL to the guest role:

configuration> Security> Access Control. Edit your guest role. Under firewall policies, click on ADD and Choose from configured policies. Select the "allowall" policy from the dropdown and then click on the Done button all the way to the right. Go all the way down to the lower right hand corner, and then click on Apply.

Try the VPN client after that.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 3
Registered: ‎05-17-2011

Re: Issue with VPN through a 3400 controller

Adding the "allowall" does fix the issue. Does this mean the "vpnlogon" policy does not cover all forms of client based VPN?
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: Issue with VPN through a 3400 controller

True. It is merely a starting point.


Colin Joseph
Aruba Customer Engineering

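The last two posts establish that the vpnlogon policy alone was not enough for this client and that allowall works. Before settling on allowall for a guest role, a practitioner can check which of the flows an IPsec client needs a candidate policy set actually permits. The Python below is an added example, not Aruba or ArubaOS code: it models a role as an ordered, first-match rule list with an implicit final deny, and the narrow VPN rules in it are constructed, since the real contents of vpnlogon are not shown in the thread.

```python
"""Check whether a guest role's firewall policies, walked first-match in order,
let an IPsec VPN client's flows through.  Added example; rules are constructed."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: str              # "user" (the client) or a network; not evaluated here
    dst: str              # "any" or a CIDR network
    proto: str            # "udp", "tcp", "esp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "permit" or "deny"

# Flows an IKEv1/IPsec client uses: IKE, NAT-T, ESP, plus Cisco's IPsec-over-UDP port.
VPN_FLOWS = {
    "ike": ("udp", 500),
    "nat-t": ("udp", 4500),
    "cisco-udp": ("udp", 10000),
    "esp": ("esp", None),
}

def rule_matches(rule, dst_ip, proto, dport):
    if rule.dst != "any" and ip_address(dst_ip) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True

def evaluate(rules, dst_ip, proto, dport):
    """First matching rule decides; nothing matched means deny."""
    for rule in rules:
        if rule_matches(rule, dst_ip, proto, dport):
            return rule.action
    return "deny"

def vpn_passthrough_report(rules, vpn_server):
    """Map each VPN flow name to the action the role would take for it."""
    return {name: evaluate(rules, vpn_server, proto, port)
            for name, (proto, port) in VPN_FLOWS.items()}

# Constructed guest role: the thread's two internal-block rules, followed by
# an assumed narrow VPN policy that only opens IKE and ESP.
GUEST_ROLE = [
    Rule("user", "192.168.0.0/16", "any", None, "deny"),
    Rule("user", "172.16.0.0/16", "any", None, "deny"),
    Rule("user", "any", "udp", 500, "permit"),
    Rule("user", "any", "esp", None, "permit"),
]
```

Any flow the report marks as deny is one that needs its own permit rule in the role; with the constructed role above, ike and esp are permitted while nat-t and cisco-udp are denied.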
