ArubaOS and Controllers

Occasional Contributor I
Posts: 8
Registered: ‎04-13-2011

Routing problem when exists RAP on other side

Hi,

We are experiencing a problem related to routing with RAP.
Attached is the diagram.

When we tried to access http/https on the Firewall with IP 20.20.20.1 from the local wifi network, the Aruba controller tries to route the communication through the RAP control tunnel (IPsec VPN) instead of just routing it through the Internet gateway.

Anyone know how we can work around this problem?

Thanks in advance.
Guru Elite
Posts: 19,997
Registered: ‎03-29-2007

Re: Routing problem when exists RAP on other side

You need to create a new Virtual AP where the forwarding mode is bridged, rather than tunneled, for the RAPs.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor I
Posts: 8
Registered: ‎04-13-2011

Re: Routing problem when exists RAP on other side




The RAP has a different AP Group than the Local AP, and it is also configured as bridge in forward mode. The RAP connects to the controller using the NATed 20.20.20.1 IP for control only.

Guru Elite
Posts: 19,997
Registered: ‎03-29-2007

Re: Routing problem when exists RAP on other side

What IP does the wireless client get, and what is the client's default gateway?
Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 8
Registered: ‎04-13-2011

Re: Routing problem when exists RAP on other side

Joseph,

From the Controller side the client gets IP 10.85.102.30, and the default gw is 10.85.102.1 (Firewall). The controller has a RAP connected using NATed IP 20.20.20.1. We can connect to https on 20.20.20.1 when using the wired network, with the same configuration of IP and gateway address, but when connected from wifi, the communication goes through Local AP -> Aruba controller, and the controller tries to connect directly through the IPsec tunnel rather than route this connection through FW 10.85.102.1.
Guru Elite
Posts: 19,997
Registered: ‎03-29-2007

Re: Routing problem when exists RAP on other side

All right,

If the wireless clients at the remote site need to access resources at the main office AND the rest of the traffic needs to go directly out to the internet, the forwarding mode needs to be split tunnel on that separate Virtual AP. In addition, the initial role of the AAA profile, or the default 802.1x role of the profile, needs to define what gets tunneled back and what gets routed out.


Attached is part of the split-tunneling section of the user guide that shows how to configure it.
Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 8
Registered: ‎04-13-2011

Re: Routing problem when exists RAP on other side

Joseph,

The clients on the remote side don't need to access the main office. The remote side is completely independent from the main side, except for the RAP that needs to connect to the Aruba Controller. The client on the remote side was configured as bridge and all access is made directly through its internet gateway. My problem is that I cannot administer the remote firewall when I am connected through the main side local Aruba network. When I am connected by wire I can administer the remote Firewall (20.20.20.1), but when I am on the WiFi network I cannot.
Guru Elite
Posts: 19,997
Registered: ‎03-29-2007

Re: Routing problem when exists RAP on other side

Please:

- Check the forwarding mode on the Virtual AP for the WLAN to make sure it is bridged
- Make sure that the role that the WLAN bridged user gets is not blocking traffic to the firewall
Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 8
Registered: ‎04-13-2011

Re: Routing problem when exists RAP on other side

My local APs are tunneled and go through the Controller; the Remote AP is configured as bridge.

We have a NOC that administers a lot of firewalls. Some of our clients have RAPs that we also administer. We can connect normally to the firewalls of our clients that do not have RAPs on their networks. For clients with RAPs in their networks, we can't connect to administer their firewalls when we are on our local wifi network.
Guru Elite
Posts: 19,997
Registered: ‎03-29-2007

Re: Routing problem when exists RAP on other side

You might have to open a TAC case to get this resolved. If the traffic from the wifi at the customer's site is bridged, NO traffic should be tunneled back to the headend. A wifi user should get an IP address locally, have a default gateway locally, and it should in theory allow you to administer the firewall.
Colin Joseph
Aruba Customer Engineering
