Controller Based WLANs

How can I troubleshoot split tunnel problems?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x. 

Problem 1 
When a user associates with a split-tunnel mode SSID, the client will not show up in the "show user" table on the controller, because it is a remote user whose session terminates at the AP itself.

To find out which role the user has been placed in, look the client up in the datapath user table on the AP, take the ACL number from the "ACLs" column, and map that number to a role name in the ACL table:

(Aruba2400) #show datapath user ap-name ap70-sriram
Datapath User Table Entries
---------------------------
Flags: P - Permanent, W - WEP, T- TKIP, V - ProxyArp for User, A - ProxyARP to User, N - VPN
       IP              MAC           ACLs    Contract   Location  Age  Sessions   Flags
---------------  -----------------  -------  ---------  --------  ---  ---------  -----
0.0.0.0          00:04:23:4A:F9:6E    32/0      0/0     2         0      0/65535  P
10.168.8.221     00:04:23:4A:F9:6E    32/0      0/0     2         0     29/65535    ==========>10.168.8.221 is the user's ip address
10.100.101.74    00:0B:86:C5:A2:12  2700/0      0/0     0         0      1/65535  P
(Aruba2400) #show datapath acl 32
Datapath ACL 32 Entries
----------------------------------------------------------------
1:  any  any  17 0-65535 67-68  P
2:  user  10.168.8.0 255.255.248.0  any  P
3:  any  any  any  PSR
(Aruba2400) #show acl acl-table | include 32
15   session  32         2          https-acl          0
30   session  74         3          h323-acl           0
32   role     296        4          rap-user           0
(Aruba2400) #show acl acl-table              
AclTable
--------
ACL  Type     ACE Index  Ace Count  Name               Applied
---  ----     ---------  ---------  ----               -------
30   session  74         3          h323-acl           0
31   role     94         2          default-vpn-role   0
32   role     296        4          rap-user           0
33   role     100        14         voice              0
34   role     120        2          authenticated      0
35   role     122        10         stateful           0
(Aruba2400) #show rights rap-user
---------
Priority  Source  Destination  Service   Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------   ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          svc-dhcp  permit                                  Low                                    
2         user    corp         any       permit                                  Low                                    
3         any     any          any       route src-nat                           Low  
Problem 2 
When the user does not do 802.1X or MAC authentication (that is, the SSID uses static WEP or WPA-PSK), you must configure the "initial role" in the AAA profile as the split-tunnel role. User derivation rules will not work for a remote user.

(Aruba2400) #show aaa profile sriram-aaa-profile 

AAA Profile "sriram-aaa-profile " 
-------------------------------- 
Parameter                           Value 
---------                           ----- 
Initial role                        rap-user    (rap-user is the split tunnel role) 
MAC Authentication Profile          N/A 
MAC Authentication Default Role     guest 
MAC Authentication Server Group     default 
802.1X Authentication Profile       sriram-dot1x-profile 
802.1X Authentication Default Role  default 
802.1X Authentication Server Group  sriram-server-group 
RADIUS Accounting Server Group      N/A 
User derivation rules               N/A  =====> derivation rules won't work for a split-tunnelling user 
Wired to Wireless Roaming           Enabled 

Problem 3 
To verify that split tunnelling is working, send traffic to the "corp" network: the flows should show up in "show datapath session table" on the controller. When you send traffic to any other network, no sessions should appear in the session table, because that traffic is routed locally by the RAP (the "route src-nat" rule) and never reaches the controller.

Problem 4 
Split-tunnel users still get an IP address through the tunnel, from the controller side, not from the RAP's local network. You can tell this from the first rule of the split-tunnel role, "any any svc-dhcp permit": DHCP is permitted, that is, carried through the tunnel, instead of falling through to the "route src-nat" rule.
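The lookup in Problem 1 (client IP to ACL number to role name) and the tunnel-versus-local decision behind Problems 3 and 4, automated as an added example. This is not code from the article or from ArubaOS: it parses the three CLI transcripts shown above (pasted in as constructed sample input), and the function names are made up for this example. Reading the datapath ACL flag letters as P = permit (tunnelled to the controller) and an 'R' in the flags = the "route src-nat" rule is an assumption, made by lining up "show datapath acl 32" with "show rights rap-user" above.

```python
"""Map a split-tunnel client to its role and predict which destinations are
tunnelled, from the ArubaOS CLI output in this article (added example)."""
import ipaddress
import re

# Constructed sample input: the three CLI transcripts from the article,
# with the inline "==========>" annotation removed.
DATAPATH_USER = """\
       IP              MAC           ACLs    Contract   Location  Age  Sessions   Flags
---------------  -----------------  -------  ---------  --------  ---  ---------  -----
0.0.0.0          00:04:23:4A:F9:6E    32/0      0/0     2         0      0/65535  P
10.168.8.221     00:04:23:4A:F9:6E    32/0      0/0     2         0     29/65535
10.100.101.74    00:0B:86:C5:A2:12  2700/0      0/0     0         0      1/65535  P
"""
ACL_TABLE = """\
ACL  Type     ACE Index  Ace Count  Name               Applied
---  ----     ---------  ---------  ----               -------
30   session  74         3          h323-acl           0
31   role     94         2          default-vpn-role   0
32   role     296        4          rap-user           0
33   role     100        14         voice              0
"""
DATAPATH_ACL_32 = """\
Datapath ACL 32 Entries
----------------------------------------------------------------
1:  any  any  17 0-65535 67-68  P
2:  user  10.168.8.0 255.255.248.0  any  P
3:  any  any  any  PSR
"""


def user_acl(output, client_ip):
    """Return the ingress ACL id (left of the slash) for client_ip, or None."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == client_ip:
            return int(fields[2].split("/")[0])
    return None


def acl_name(output, acl_id):
    """Look acl_id up in 'show acl acl-table' and return (type, name)."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == str(acl_id):
            return fields[1], fields[4]
    return None


def _port_range(text):
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def parse_datapath_acl(output):
    """Turn 'show datapath acl N' rows into dicts: src, dst, proto, dports, flags.
    dst is an ip_network or None for 'any'; proto and dports are None for 'any'."""
    rules = []
    for line in output.splitlines():
        m = re.match(r"^\s*\d+:\s+(.*\S)", line)
        if not m:
            continue
        tok = m.group(1).split()
        src, i, dst, proto, dports = tok[0], 1, None, None, None
        if tok[i] == "any":
            i += 1
        else:                                   # destination network and its mask
            dst = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)
            i += 2
        if tok[i] == "any":
            i += 1
        else:                                   # proto, src-port range, dst-port range
            proto, dports = int(tok[i]), _port_range(tok[i + 2])
            i += 3
        rules.append({"src": src, "dst": dst, "proto": proto,
                      "dports": dports, "flags": tok[i]})
    return rules


def classify(rules, dst_ip, proto, dport):
    """First-match evaluation of the role for traffic sent by the user.

    'tunnel': a permit rule matched, so the flow is carried to the controller
    and should appear in 'show datapath session table' (Problem 3).
    'local': the route src-nat rule matched (assumed: 'R' in the flags), so the
    RAP routes it out of its own uplink and the controller sees no session.
    'deny': nothing matched (ArubaOS roles end in an implicit deny).
    """
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["dst"] is not None and ip not in r["dst"]:
            continue
        if r["proto"] is not None:
            lo, hi = r["dports"]
            if proto != r["proto"] or not lo <= dport <= hi:
                continue
        return "local" if "R" in r["flags"] else "tunnel"
    return "deny"


def diagnose(client_ip, dst_ip, proto, dport):
    """Problem 1 lookup plus the Problem 3 prediction, as one dict."""
    acl = user_acl(DATAPATH_USER, client_ip)
    kind, name = acl_name(ACL_TABLE, acl)
    rules = parse_datapath_acl(DATAPATH_ACL_32)   # only ACL 32 is shown on the page
    return {"acl": acl, "type": kind, "role": name,
            "path": classify(rules, dst_ip, proto, dport)}


if __name__ == "__main__":
    for dst, proto, port in [("10.168.9.5", 6, 443), ("8.8.8.8", 6, 443),
                             ("192.168.1.1", 17, 67)]:
        print(dst, proto, port, diagnose("10.168.8.221", dst, proto, port))
```

Run against the page's own output, 10.168.8.221 resolves to ACL 32 / role rap-user; HTTPS to 10.168.9.5 (inside the 10.168.8.0/21 "corp" range from rule 2) is tunnelled, HTTPS to 8.8.8.8 falls through to rule 3 and stays local, and DHCP (UDP 67) to any address is tunnelled by rule 1, which is the Problem 4 behaviour. To use it on a live controller, paste fresh output into the three constants and select the datapath ACL that matches the user's ACL number.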
Version history
Revision #:
2 of 2
Last update:
‎07-09-2014 01:30 PM